The developer of SafeWallet has published a hack report detailing the cybersecurity breach that resulted in Bybit’s $1.4 billion hack in February. 

A forensic investigation by SafeWallet and cybersecurity firm Mandiant revealed that the attackers exploited a Safe developer’s Amazon Web Services (AWS) session tokens, bypassing the firm’s multifactor authentication (MFA) security. 

SafeWallet required team members to reauthenticate their AWS session tokens every 12 hours. In response, the hackers attempted to register an MFA device to gain access. After multiple failed attempts, they compromised a developer’s macOS system, likely through malware, allowing them to hijack AWS session tokens while the developer’s session was active.
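The two behaviours described above, repeated failed MFA device registrations and a live session token being used from a second host, can both be looked for in CloudTrail. The following is an added example, not code from SafeWallet's or Mandiant's report: the records are constructed, the threshold is an assumption, and it assumes a hijacked token shows up from a different source address than the developer's own.

```python
from collections import defaultdict

# IAM API calls that CloudTrail records when an MFA device is registered.
MFA_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}
FAIL_THRESHOLD = 3  # assumed alert threshold; tune for your environment

def rec(time, name, ip, key, arn, error=None):
    """Build a record using CloudTrail field names (constructed sample data)."""
    r = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"arn": arn, "accessKeyId": key}}
    if error:
        r["errorCode"] = error
    return r

# Constructed principals, keys and documentation-range IPs; not real indicators.
ALICE = "arn:aws:sts::111122223333:assumed-role/dev/alice"
BOB = "arn:aws:sts::111122223333:assumed-role/dev/bob"
KEY_A, KEY_B = "ASIAEXAMPLE0000000001", "ASIAEXAMPLE0000000002"
SAMPLE = [
    rec("2025-01-01T09:00:00Z", "DescribeInstances", "198.51.100.7", KEY_A, ALICE),
    rec("2025-01-01T09:05:00Z", "CreateVirtualMFADevice", "203.0.113.50", KEY_A, ALICE, "AccessDenied"),
    rec("2025-01-01T09:06:00Z", "EnableMFADevice", "203.0.113.50", KEY_A, ALICE, "AccessDenied"),
    rec("2025-01-01T09:07:00Z", "EnableMFADevice", "203.0.113.50", KEY_A, ALICE, "AccessDenied"),
    rec("2025-01-01T09:30:00Z", "ListBuckets", "203.0.113.50", KEY_A, ALICE),
    rec("2025-01-01T09:40:00Z", "ListBuckets", "198.51.100.9", KEY_B, BOB),
]

def detect(records):
    """Return (rule, subject, detail) findings for the two behaviours."""
    mfa_failures = defaultdict(int)  # principal ARN -> failed MFA registrations
    key_ips = defaultdict(set)       # temporary access key -> source addresses
    for r in records:
        ident = r.get("userIdentity", {})
        if r.get("eventName") in MFA_EVENTS and r.get("errorCode"):
            mfa_failures[ident.get("arn")] += 1
        key = ident.get("accessKeyId", "")
        if key.startswith("ASIA"):   # ASIA prefix marks temporary STS credentials
            key_ips[key].add(r.get("sourceIPAddress"))
    findings = [("repeated_failed_mfa_registration", arn, n)
                for arn, n in sorted(mfa_failures.items()) if n >= FAIL_THRESHOLD]
    findings += [("session_key_from_multiple_ips", key, sorted(ips))
                 for key, ips in sorted(key_ips.items()) if len(ips) > 1]
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

A session key seen from several addresses can be benign (a VPN change, or calls AWS services make on the user's behalf), so treat the second rule as a triage signal rather than a verdict.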

Once inside the AWS environment, the attackers prepared and executed their breach. Mandiant confirmed that the hackers were North Korean state actors who spent 19 days planning and carrying out the attack. 

https://twitter.com/safe/status/1897663514975649938

SafeWallet clarified that the exploit did not impact Safe’s smart contracts and stated that new security measures have been implemented to prevent future breaches. 

FBI Issues Alert as Bybit Hackers Launder Stolen Funds 

The U.S. Federal Bureau of Investigation (FBI) issued an alert urging node operators to block transactions from wallet addresses associated with the North Korean hackers. The agency warned that the stolen funds were being laundered and converted into fiat currency. 


Within 10 days, the Bybit hackers successfully laundered all 500,000 Ether-related tokens stolen in the attack. 

On March 4, Bybit CEO Ben Zhou reported that approximately 77% of the stolen funds, valued at $1.07 billion, remain traceable on-chain, while around $280 million has become untraceable. Despite this, Deddy Lavid, CEO of cybersecurity firm Cyvers, expressed optimism that some of the stolen funds could still be tracked and frozen.
