
Safe Reveals How Lazarus Breached Bybit—CZ Calls for More Transparency


In a February 26 statement on X, Safe{Wallet} confirmed that the recent attack on Bybit was executed by the Lazarus Group, a North Korean state-sponsored hacking organization. 

Significantly, the breach was facilitated through a compromised Safe{Wallet} developer machine, allowing the attackers to propose a malicious transaction affecting an account operated by Bybit.

Per the statement, forensic review by external security researchers determined that there were no vulnerabilities in Safe’s smart contracts or frontend source code. 

However, the attackers leveraged social engineering tactics and potentially zero-day exploits to gain unauthorized access.

Safe’s Response and Security Measures

Following the breach, Safe has taken multiple steps to reinforce security. First, the company has fully rebuilt and reconfigured its infrastructure and rotated all credentials to ensure the attack vector has been completely eliminated.

Meanwhile, enhanced security protocols have been integrated into the frontend, adding extra layers of protection against future threats. In addition, the Safe{Wallet} service has been restored on the Ethereum mainnet with a phased rollout to ensure all vulnerabilities are addressed before full deployment.

In the statement, Safe urged users to exercise vigilance when signing transactions and has committed to publishing a full post-mortem of the attack. Additionally, the company announced an industry-wide initiative aimed at increasing transaction verifiability to prevent similar incidents.

Industry Reactions and Unanswered Questions for Safe

Changpeng Zhao (CZ), former CEO of Binance, publicly criticized Safe’s statement, arguing that it left many critical questions unanswered. 

“This update from Safe is not that great. It uses vague language to brush over the issues. I have more questions than answers after reading it,” CZ stated in a post on X.

https://twitter.com/cz_binance/status/1894787596443885698

Notably, he raised concerns about the exact method used to compromise the developer’s machine, asking, “What does ‘compromising a Safe {Wallet} developer machine’ mean? How did they hack this particular machine? Was it social engineering, a virus, etc.?”

CZ also questioned how the compromised machine had access to an account managed by Bybit, and raised concerns about how the attackers bypassed security measures.

Another major point of contention was the significance of Bybit’s $1.4 billion address, with CZ questioning, “Was $1.4 billion the largest address managed using Safe? How come they didn’t target others?” 

He also emphasized the need for self-custody and multi-signature wallet providers to learn from this incident, stating, “What lessons can other ‘self-custody, multi-sig’ wallet providers and users learn from this?”

Safe has yet to provide further details but maintains that all security weaknesses related to the attack have been addressed. The company reiterated its commitment to transparency and advancing security within the crypto ecosystem.