Safe{Wallet}, a leading player in the cryptocurrency industry, has recently released a report detailing a targeted attack on Bybit by the infamous Lazarus Group. The report has raised more questions than answers, inviting criticism from the former CEO of Binance, Changpeng Zhao (CZ).
According to Safe’s forensic report, the Lazarus Group targeted Bybit via a compromised Safe developer machine. The hackers managed to introduce a malicious transaction that allowed them to siphon funds from Bybit’s wallet. However, the report has stated that the Safe smart contracts or the frontend and services’ source code did not exhibit any flaws, according to the forensic audit conducted by external security researchers.
In response to the attack, Safe has carried out an extensive investigation and reintroduced Safe on the Ethereum mainnet in a phased rollout. They have fully reestablished and reconfigured all infrastructure and rotated all credentials to eliminate the attack vector completely. While the Safe frontend continues to operate with increased security measures, users are advised to exercise extreme caution and remain vigilant while signing transactions.
The report, however, has come under fire from CZ, Binance’s founder and former CEO, who criticized it for being insufficiently detailed and using vague language to gloss over the issues. He questioned the exact meaning of “compromising a Safe developer machine” and sought clarification on how the hackers managed to compromise the said machine. He also raised concerns about how the developer machine accessed an exchange account.
Moreover, Bybit has also sought the services of blockchain security firms Sygnia and Verichains to conduct a deep forensics investigation focusing on the three signers’ hosts. The investigation follows the $1.4 billion hack and seeks to understand the extent of the breach.
CZ also questioned whether the $1.4 billion was the most significant amount managed using Safe and why other wallets were not attacked. He sought information on the lessons that other “self-custody, multi-sig” wallet providers and users could learn from this incident.
The Sygnia investigation concluded that the incident was caused by malicious code originating from Safe’s infrastructure. The report confirmed that Bybit’s infrastructure remained unaffected and uncompromised during the attack. Verichains preliminary conclusions suggested that the benign JavaScript file of app.safe.global was replaced with malicious code on February 19th, targeting Bybit’s Ethereum Multisig Cold Wallet.
The Lazarus Group, believed to be behind the attack, has reportedly been using memecoins to launder the stolen funds. Bybit, a UAE-based exchange, lost $1.5 billion in the hack, drawn from one of its cold multisig wallets.
These cybersecurity threats are not limited to Bybit and Safe. Binance has also fallen victim to cybercriminals. A recent incident involved scammers contacting Hong Kong-based crypto entrepreneur Joe Zhou through the typical Binance number, claiming his account was accessed from North Korea. Zhou was able to act quickly and recover most of his funds before the hackers cashed out.
In the light of these incidents, the crypto industry needs to bolster its security measures and users must exercise a higher degree of caution to prevent such breaches in the future.
