
Bybit $1.4 Billion Breach Linked to Safe Wallet Vulnerability, Investigation Finds



Cryptocurrency exchange Bybit experienced a security breach
resulting in the unauthorized transfer of over $1.4 billion in liquid-staked
Ether (ETH) and MegaETH (mETH). The exchange reported unauthorized access to
one of its Ethereum cold wallets on February 21, 2025.

The incident took place during a multisignature transaction
facilitated through Safe Wallet. A threat actor intercepted the process,
altered the transaction, and gained control of the wallet. The attacker then
transferred the funds to a separate wallet under their control.

Following the discovery, Bybit engaged cybersecurity firm
Sygnia to conduct a forensic investigation. The investigation aimed to
determine the source of the compromise, assess the extent of the attack, and
implement measures to prevent future incidents.

Investigation Findings

The forensic analysis identified that malicious JavaScript
code had been injected into a resource served from Safe Wallet’s AWS S3 bucket.
The modification timestamp and historical web records suggest that the code was
added on February 19, 2025, two days before the unauthorized transaction.

The injected code was designed to manipulate transaction
data during the signing process. It activated only when the transaction
originated from specific contract addresses, including Bybit’s contract and
another unidentified address. This suggests that the attacker had predefined
targets for the exploit.

Safe Wallet JavaScript Modified Before Attack

Forensic examination of Chrome browser cache files from the
three signers’ systems confirmed the presence of the compromised JavaScript
resource at the time of the transaction. These files indicated that the Safe Wallet
resource was last modified shortly before the attack.

Further analysis revealed that two minutes after the
fraudulent transaction was executed, new versions of the affected JavaScript
files were uploaded to Safe Wallet’s AWS S3 bucket, removing the injected code.
This suggests an attempt to conceal the unauthorized modification.

Public web archives captured two snapshots of Safe Wallet’s
JavaScript resources on February 19, 2025. The first snapshot contained the
original, unaltered version, while the second snapshot showed the presence of
the malicious code. This further supports the conclusion that the attack
originated from Safe Wallet’s AWS infrastructure.
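
The snapshot comparison described above can be automated by anyone who pins the digest of a released script. The following Node.js sketch is an added example, not code from the investigation, Safe Wallet, or Bybit; the function names, file contents, and clock times are constructed for illustration. It reports the window in which a served resource differed from its pinned build, including a later silent revert.

```javascript
const crypto = require("crypto");

// SRI-style digest (sha384, base64) of a resource body.
function sriDigest(body) {
  return "sha384-" + crypto.createHash("sha384").update(body).digest("base64");
}

// Walk time-ordered snapshots of one resource and return each window during
// which the served content did not match the pinned digest.
function tamperWindows(pinned, snapshots) {
  const ordered = [...snapshots].sort((a, b) => a.seenAt.localeCompare(b.seenAt));
  const windows = [];
  let open = null;
  for (const snap of ordered) {
    const ok = sriDigest(snap.body) === pinned;
    if (!ok && !open) {
      open = { firstBad: snap.seenAt, lastBad: snap.seenAt, restoredBy: null };
      windows.push(open);
    } else if (!ok) {
      open.lastBad = snap.seenAt;
    } else if (open) {
      open.restoredBy = snap.seenAt; // content reverted to the pinned build
      open = null;
    }
  }
  return windows;
}

// Constructed sample: a release build and a modified copy (placeholder text only).
const releaseBuild = "function buildTx(p){return p;}";
const modifiedBuild = releaseBuild + "/* unexpected extra code */";
const PINNED = sriDigest(releaseBuild); // assumed to be recorded at release time

// Constructed observations, e.g. browser cache entries, archive captures, monitor polls.
// Dates follow the article; the clock times are invented.
const SNAPSHOTS = [
  { seenAt: "2025-02-19T10:00:00Z", body: releaseBuild },
  { seenAt: "2025-02-19T18:00:00Z", body: modifiedBuild },
  { seenAt: "2025-02-21T14:00:00Z", body: modifiedBuild },
  { seenAt: "2025-02-21T14:20:00Z", body: releaseBuild },
];

console.log(tamperWindows(PINNED, SNAPSHOTS));
```

A window with a non-null `restoredBy` is the pattern the article describes: the resource changed, then returned to its original content without a corresponding release.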

No Evidence of Bybit Infrastructure Breach

At this stage, the forensic investigation has not found any
evidence of a compromise within Bybit’s own infrastructure. The unauthorized
access appears to have been facilitated through vulnerabilities in Safe Wallet’s
systems. Bybit and Sygnia are continuing their investigation to confirm the
findings and assess any additional risks.

“The preliminary forensic review finds that our system
was not compromised. While this incident underscores the evolving threats in
the crypto space, we are taking proactive steps to reinforce security and
ensure the highest level of protection for our users,” said Ben Zhou,
Co-founder and CEO of Bybit.

This article was written by Tareq Sikder at www.financemagnates.com.


