Safe Wallet releases update on $1.5b Bybit hack, lists new security enhancements

Source Cryptopolitan

Safe, the multi-signature wallet platform at the heart of the $1.5 billion Bybit hack on Feb. 21, shared an update of the findings of its investigation into the hack in collaboration with cybersecurity firm Mandiant. It also detailed the lessons learned from the hack and actions needed to strengthen security throughout the crypto community.

The U.S. Federal Bureau of Investigation has laid the blame for the hack on the North Korean advanced persistent threat group TraderTraitor, which it identified in 2022 as the same group that has been referred to as the Lazarus Group and by other monikers. Mandiant, which refers to the group as UNC4899, has confirmed the attribution, Safe said in its March 6 X article. The hackers are backed by the North Korean government.

The hack was well orchestrated

The attackers compromised the laptop of a Safe developer who “had higher access in order to perform their duties.” They also hijacked AWS session tokens to bypass multifactor authentication. 

The investigation is still trying to understand the attackers’ actions after compromising the computer. This task is complicated by the fact that the attackers deleted their malware when they were finished and cleared the Bash history. Bash is a command-line interface used by programmers in UNIX-like operating systems.

The developer’s computer was compromised on Feb. 4, Safe established, and the attackers accessed Safe’s AWS environment the next day. There was malicious JavaScript code inserted on the Safe website by Feb. 19. On Feb. 21 at 14:13 UTC, the Bybit exploit occurred. The malicious code was removed a minute later, and the Bybit heist transaction took place one minute after that.

The computer was compromised through a Docker project. Docker is used in designing applications. The hackers had used Docker projects before to insert malware. The attack specifically targeted the next transaction of a Bybit multisig cold ETH wallet.

Bybit CEO Ben Zhou had personally approved the fateful transaction after receiving a falsified link from Safe. The transaction was meant to move some of Bybit’s ETH from cold storage into a hot wallet.

Bybit explained on the day of the hack, “This transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic.”

The attackers bypassed at least five layers of Safe security in their hack. Safe listed several resets and enhancements it has instituted to eliminate identified threats and increase security. Safe smart contract wallets and its source code were unaffected by the hack.

The hack was preventable

Web3 organizations “need significant UX [user experience] improvements that simplify secure transaction management,” Safe concluded. “The act of signing the transaction itself currently is the last line of defense, and it can only be effective if the user can understand what they are signing.”

Safe, whose name is often styled Safe{Wallet}, is a smart contract wallet that stores signatures and performs checks to ensure that all required approvals are met before a transaction is submitted to a blockchain.

Even though Safe was compromised in the hack, experts have faulted Bybit for its shoddy security. Bybit used the free version of Safe’s services, which was described as more appropriate for “crypto hobbyists,” while more sophisticated software was available. 

Bybit had noticed months before that the software was not compatible with other security services. This prevented Zhou from seeing the full details of the transfer.

The hackers had laundered all 499,000 ETH they had stolen by March 4.
