- Colin Wu revealed the $1.5B Bybit hack stemmed from Safe’s AWS breach, shifting blame from the exchange to wallet provider Safe.
- North Korea’s Lazarus infiltrated Safe’s frontend via stolen cloud credentials, exposing flaws in the multisig wallet that Vitalik Buterin’s portfolio relies on.
On February 26, 2025, financial journalist Colin Wu revealed an unexpected twist in the $1.5 billion hack previously reported on cryptocurrency platform Bybit, which The Guardian had labeled the largest digital theft in history (February 23, 2025).
Two reports, published by Bybit and Safe, concluded that responsibility lay not with Bybit but with a vulnerability in Safe’s system. Safe provides multisig wallets used by multiple exchanges, including Bybit.
According to Wu, the North Korean hacking group Lazarus infiltrated Safe’s frontend by injecting malicious code. The breach originated from exposed or stolen AWS S3 or CloudFront credentials linked to SafeGlobal, allowing attackers to manipulate the system.
This incident highlights weaknesses in multisig wallets, which figures like Vitalik Buterin have promoted. Buterin reportedly uses Safe to manage 90% of his crypto holdings, as noted in Wu’s thread.
The crypto-financial community has raised concerns over how a Safe developer had unsupervised permissions to modify the frontend, as Polygon’s Mudit Gupta noted in responses. Additionally, while Safe is widely adopted, Bybit was the only exchange affected that night.
First recovery in the ByBit hack.
~$43m (15,000 cmETH) has been clawed back from the hacker.
I saw the recovery possibility soon after the hack and SEAL connected me with Mantle/mETH team who made it happen.
Huge shoutout to SEAL, Mantle, and mETH teams for their quick action.
— Mudit Gupta (@Mudit__Gupta) February 22, 2025
Wu suggested the attack specifically targeted Bybit’s Ethereum multisig cold wallet, raising questions about Bybit’s security protocols and Safe’s defenses against state-backed actors like Lazarus. The group is infamous for high-profile heists, including the $615 million Ronin Network breach in 2022, per Trend Micro.
Financially, Safe faces monumental challenges: with $1.5 billion at stake, its ability to cover losses remains uncertain. Bybit, holding $20 billion in client assets, has pledged full user reimbursements, CEO Ben Zhou stated on X.
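I'm stunned; this feels like an outcome nobody expected:
The two investigation reports from Bybit and Safe have been published. It turns out the fault was not Bybit's; rather, a Safe developer was compromised, and the North Korean hacking group Lazarus injected malicious code into Safe's frontend. SafeGlobal's AWS S3 or CloudFront account/API keys were leaked or stolen.
How could Safe possibly afford to compensate for this $1.5 billion... …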
— Colin Wu (@WutalkWu) February 26, 2025
The incident has spurred industry-wide scrutiny of multisig wallets and cloud security. Some propose storing frontend code on-chain to prevent tampering, with one user citing ICP’s approach. While Ethereum and other crypto prices showed no immediate volatility after the news, trust in multisig platforms may erode in the short term.