A forensic investigation has revealed that a major security breach at cryptocurrency exchange Bybit stemmed from a vulnerability in Safe Wallet, allowing hackers to siphon over $1.4 billion worth of digital assets. The attack was traced to malicious JavaScript code injected into Safe Wallet’s Amazon Web Services (AWS) S3 bucket, according to cybersecurity firm Sygnia, which was enlisted to investigate the incident.
Compromised JavaScript Led to Wallet Takeover
The breach, which Bybit first detected on February 21, 2025, involved unauthorized access to one of its Ethereum cold wallets. The attack occurred during a multisignature transaction facilitated through Safe Wallet. Investigators found that a threat actor intercepted the process, manipulated transaction details, and ultimately took control of the wallet. The stolen funds—comprising liquid-staked Ether (ETH) and MegaETH (mETH)—were then transferred to an external wallet controlled by the hacker.
Investigation Reveals Key Findings
Sygnia’s forensic analysis determined that malicious JavaScript code had been injected into a resource hosted on Safe Wallet’s AWS S3 bucket. Timestamp records indicate that the exploit was added on February 19, 2025—just two days before the unauthorized transfer occurred.
The injected script specifically targeted transactions originating from certain contract addresses, including Bybit’s and another unidentified address. This suggests that the attacker had planned the exploit in advance, selecting predefined targets for the attack.

Manipulated Code Discovered in Browser Cache
Further analysis of browser cache files from Bybit’s three multisignature transaction signers confirmed that the compromised JavaScript was present at the time of the attack. Public web archives captured two snapshots of Safe Wallet’s JavaScript resources on February 19, 2025. The first snapshot contained an unaltered version of the script, while the second snapshot showed the presence of the malicious code.
Interestingly, just two minutes after the fraudulent transaction, new versions of the JavaScript files were uploaded to Safe Wallet’s AWS S3 bucket—removing the injected code. This suggests an attempt to cover up the exploit and erase traces of the unauthorized modification.
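The snapshot and cache comparison described above can be reduced to hashing every recovered copy of a script and ordering the sightings in time. The following is an added example, not code from Sygnia, Bybit or Safe Wallet; the function names, file contents and clock times are constructed, and it assumes a known-good build is available and that the re-uploaded file matches it.

```python
import base64
import hashlib
from datetime import datetime

def sri(body: bytes) -> str:
    """Subresource Integrity (sha384) value for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def tamper_timeline(observations, known_good):
    """Bracket when a static resource deviated from its known-good content.

    observations: (iso_timestamp, source, body) tuples from any evidence source.
    known_good:   bodies of trusted builds (assumed available, e.g. from CI).
    """
    good = {sri(b) for b in known_good}
    rows = sorted((datetime.fromisoformat(ts), src, sri(body))
                  for ts, src, body in observations)
    out = {"last_clean": None, "first_altered": None, "last_altered": None,
           "reverted": None, "altered_digests": set()}
    for ts, src, digest in rows:
        if digest in good:
            if out["first_altered"] is None:
                out["last_clean"] = (ts, src)      # still before any change
            elif out["reverted"] is None:
                out["reverted"] = (ts, src)        # first clean copy afterwards
        else:
            if out["first_altered"] is None:
                out["first_altered"] = (ts, src)
            out["last_altered"] = (ts, src)
            out["altered_digests"].add(digest)
    return out

# Constructed stand-ins: placeholder bytes, and clock times invented for the demo.
ORIGINAL = b"/* constructed: unmodified bundle */"
ALTERED = b"/* constructed: modified bundle */"
OBSERVATIONS = [
    ("2025-02-21T14:00:05", "signer-2 browser cache", ALTERED),
    ("2025-02-19T10:00:00", "web archive snapshot 1", ORIGINAL),
    ("2025-02-21T14:20:00", "bucket object after re-upload", ORIGINAL),
    ("2025-02-19T18:00:00", "web archive snapshot 2", ALTERED),
    ("2025-02-21T14:00:00", "signer-1 browser cache", ALTERED),
    ("2025-02-21T14:00:09", "signer-3 browser cache", ALTERED),
]

if __name__ == "__main__":
    for key, value in tamper_timeline(OBSERVATIONS, [ORIGINAL]).items():
        print(f"{key:16} {value}")
```

A single entry in `altered_digests` shows that every affected source held the same modified file; more than one would mean the resource was changed more than once.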
No Breach Detected in Bybit’s Infrastructure
At present, the forensic investigation has found no evidence of a direct breach within Bybit’s own systems. The unauthorized access appears to have been entirely facilitated through vulnerabilities in Safe Wallet’s infrastructure.
Bybit CEO Ben Zhou commented on the situation, stating, “The preliminary forensic review finds that our system was not compromised. While this incident underscores the evolving threats in the crypto space, we are taking proactive steps to reinforce security and ensure the highest level of protection for our users.”
Bybit and Sygnia continue to investigate the attack, assessing additional risks and working to implement stronger security measures to prevent future breaches.
