Bybit Was Not Hacked: New Details of Security Incident

Published: February 27, 2025|Last updated: February 27, 2025

Bybit was not hacked directly
The problem was in the multi-sig service Safe
Bybit used Safe to confirm transactions
Bybit's systems were not compromised

Almost a week after the Bybit security incident, details have emerged from two cybersecurity companies, Verichains and Sygnia Labs, which have confirmed the assumption that Bybit was not compromised and the vulnerability was on the side of the multi-sig service Safe.

So Bybit Was Not Hacked?

Recall that Bybit turned out to be a record-breaking $1.4B loss incident but also showed record-breaking speed of rebalancing and unprecedented support from partners and big players in the crypto industry.

Now, the buzz has started to go down and the ZachXBT investigation that began pointing to the role of North Korean hackers, namely Lazarus Group, is ongoing and has received new details.

Two leading cybersecurity firms Verichains and Sygnia Labs conducted independent investigations and concluded that the accusations against the technical security of Bybit's systems were probably hasty.

Although when the details of the incident were shared by Bybit CEO Ben Zhou we immediately assumed that the problem might not be on the exchange's side, but rather the multi-sig Safe service they use for regular transfers of funds from their cold wallets to hot wallets.

To elaborate, their report points to the following sequence:

Proxy wallet management compromise

At 14:13:35 UTC, an attacker initiates a transaction through SafeWallet
Uses delegatecall to a GnosisSafe contract that trusts SafeWallet

Spoofs the logic of the proxy contract

A malicious contract executes consecutive delegatecalls
The storage slot of the proxy implementation (control contract) is changed
The new code gives the attacker full control over the wallet

Funds withdrawal

The attacker signs transactions on behalf of the hot wallet
Funds are transferred to his controlled addresses

Bybit CEO Ben Zhou also shared the findings of Verichains and Sygnia Labs, which asserted not only that the problem was likely on the Safe services side, but that Bybit's infrastructure was not compromised.

However, how exactly the attackers were able to introduce malware into the signing infrastructure, such as through a chain of vendors, updates, or an insider, so the investigation is ongoing.

Conclusion

These are probably not the final details, however, it is very important that they speak in favor of Bybit, one of the largest crypto exchanges in the world responsible for billions of dollars worth of trading.

Be aware and stay tuned for updates on the rapidly evolving regulations and crypto landscape.

Score Up to $30,050 on Bybit – Just for Trading

Start Trading

The information provided in this article is for informational and educational purposes only and does not constitute financial, investment, or trading advice. Any actions you take based on the information provided are solely at your own risk. We are not responsible for any financial losses, damages, or consequences resulting from your use of this content. Always conduct your own research and consult a qualified financial advisor before making any investment decisions. Read more

The content provided in this article is for informational and educational purposes only and does not constitute financial, investment, or trading advice. Any actions you take based on the information provided are solely at your own risk. We are not responsible for any financial losses, damages, or consequences resulting from your use of this content. Always conduct your own research and consult a qualified financial advisor before making any investment decisions. Read more