Bybit Heist Case Study: When Billions Vanish
2026-06-18 • Sygnia
Attachments
Bybit-Heist-Case-Study_final.pdf (358 KB)
The Bybit theft used a compromised Safe{Wallet} developer workstation, stolen cloud session tokens, AWS reconnaissance, and malicious JavaScript injected into Safe{Wallet}'s frontend to manipulate a multi-signature transaction while displaying legitimate details to signers. The attacker transferred about 400,000 ETH, worth approximately $1.5 billion, from Bybit's cold wallet on February 21, 2025, then removed the injected payload. Sygnia says the operation aligned with Lazarus Group tradecraft, including developer social engineering, cloud token abuse, supply-chain compromise, targeting of crypto custody infrastructure, and rapid laundering of stolen assets. The case highlights Web3 supply-chain and interface-integrity risk rather than a cryptographic failure.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | getstockprice.com | 2025-03-11 | 2026-06-18 |