Bybit hack linked to compromised SafeWallet credentials

By FinanceFeeds
5 days ago

A forensic investigation into the $1.4 billion Bybit hack revealed that the attack stemmed from compromised SafeWallet developer credentials, which allowed North Korea's Lazarus Group to gain access to the wallet's signing interface and get a malicious transaction approved.

Bybit confirmed findings from Sygnia and Verichains, which pointed to malicious JavaScript injected into SafeWallet's Amazon Web Services (AWS) infrastructure, the hosting from which the wallet interface used by Bybit's signers was served, as the entry point for the breach.

SafeWallet has since rebuilt its infrastructure, rotated credentials, and implemented additional security measures to prevent further exploitation. Bybit’s core infrastructure remained unaffected, according to the reports.

The attack resulted in the theft of more than $1.4 billion in Ether and liquid-staked Ether (stETH) and related tokens, surpassing previous record-breaking hacks, including the Ronin Network attack in 2022 and the Poly Network exploit in 2021.

Following the breach, Bybit acted to replenish user funds, securing its reserves through loans, asset purchases, and large deposits from whales. The exchange borrowed 40,000 ETH from Bitget, which has since been fully repaid.

Meanwhile, the hacker behind the $1.4 billion exploit has moved over 135,000 Ether, worth $335 million, through laundering operations, with investigators tracking ongoing fund transfers.

According to onchain data, the attacker moved 45,900 ETH worth $113 million in the last 24 hours alone. Blockchain analyst EmberCN estimates that at the current rate, the hacker could launder the remaining 363,900 ETH (worth $900 million) in just over a week.

Blockchain security firms, including Arkham Intelligence, linked the North Korea-backed Lazarus Group to the Bybit exploit, which drained liquid-staked ETH (stETH), Mantle Staked ETH (mETH), and other assets from the exchange on Feb. 21.

Bybit CEO Ben Zhou publicly declared “war” on the Lazarus Group, offering a bounty for intercepted funds. Meanwhile, blockchain analytics firm Elliptic flagged over 11,000 wallet addresses tied to the exploit, with more expected to surface as investigations continue.

So far, Bybit has continued processing withdrawals as normal and has avoided a liquidity crisis. At $1.4 billion, however, this single incident exceeds half of the $2.3 billion the industry lost to crypto-related hacks across all of 2024, and it remains a major black mark for the industry.
