The February 21, 2025 Bybit hack represents the largest crypto security breach in history, with approximately $1.4 billion (401,347 ETH) stolen. Investigations conducted with Google Cloud's Mandiant revealed that North Korean hacking group Lazarus was responsible, having compromised a Safe developer's laptop to gain access to AWS infrastructure and manipulate the user interface.
Following the attack, the Safe team swiftly implemented comprehensive security measures, including complete infrastructure reinitialization, restricted external access, enhanced malicious transaction detection systems, and expanded real-time monitoring. They also announced plans to introduce additional verification tools such as 'Safe Utils' and develop an IPFS-hosted interface version.
Despite the magnitude of the hack, Safe's TVL and fund flows have remained relatively stable without significant user exodus. However, the Safe{Wallet} interface, which served as the primary attack vector, experienced a substantial decrease in usage due to temporary service suspensions. As of now, Safe{Wallet} has fully restored connections and services across all networks.
Safe's dominant position as a multisig wallet solution, commitment to open-source principles, and diversified interface strategy provided robust protection even during this crisis. The incident offers valuable lessons that should help the entire industry develop stronger security frameworks moving forward.
Source: Digital Assets Brief: Bybit Hack Underlines Importance Of Cyber Resilience
On February 21, 2025, the Bybit exchange experienced what would become the largest hacking incident in cryptocurrency history. The North Korean hacker group Lazarus managed to steal 400,000 ETH—approximately $1.4 billion—representing a staggering 75% of Bybit's total ETH holdings.
While previous major crypto hacks typically targeted vulnerabilities in cross-chain bridges or smart contracts, a new trend has emerged since 2024: attacks focusing on individual vulnerabilities, particularly targeting wallet developers. The Lazarus Group has frequently employed this individual-targeting pattern, and the Bybit hack was no exception. Rather than exploiting blockchain or smart contract vulnerabilities, this attack combined sophisticated social engineering with infrastructure manipulation to devastating effect.
1.1 Timeline of the Bybit Hack
February 4, 2025: The 'TraderTraitor' hacking group, believed to be North Korea's Lazarus Group, successfully infiltrates a laptop belonging to a key Safe{Wallet} developer
February 5-17, 2025: Over a 12-day period, the hackers conduct reconnaissance of the AWS environment, meticulously developing their attack strategy and planning how to launder the stolen funds
February 17, 2025: The attackers inject malicious JavaScript code into Safe{Wallet}'s AWS repository
February 19, 2025: The compromised Safe{Wallet} website containing the malicious code is captured and archived by an internet archive service (Wayback Machine)
February 21, 2025, 14:13: A transaction of 401,347 ETH (approximately $1.4 billion) is executed from Bybit's multisig wallet to the hackers' address
February 21, 2025, 14:15: Within minutes of completing the theft, the hackers remove all traces of the malicious code from the Safe{Wallet} website
1.2 The Safe{Wallet} Hack Specifically Targeted Bybit
The Bybit hack stands out for its unprecedented sophistication and subtlety compared to previous Web3 security breaches, sending shockwaves throughout the cryptocurrency industry and raising serious concerns for all entities managing substantial digital assets. According to a post-incident analysis report recently published by the Safe team, the attack unfolded through several meticulously planned stages:
1) Initial Compromise - Targeting a Safe{Wallet} Developer
Hackers induced a key Safe{Wallet} developer into installing what appeared to be a stock investment simulation program that contained hidden malicious code
Once the developer downloaded and executed the program, it established a covert access channel to the developer's laptop
2) Cloud Infrastructure Penetration
Using the compromised developer's machine, attackers gained access credentials to Safe{Wallet}'s AWS cloud infrastructure
The hackers circumvented multi-factor authentication (MFA) by intercepting session tokens during the developer's active working hours, minimizing their digital footprint
3) Safe{Wallet} Interface Manipulation
After gaining AWS access, the attackers modified the Safe{Wallet} web interface code, injecting malicious scripts that specifically targeted Bybit exchange wallets
This targeted approach meant the malicious code only activated when interacting with specific Bybit wallets, leaving regular users unaffected and making detection extremely difficult
4) Transaction Deception
When Bybit operators saw transaction signing screens in Safe{Wallet}, they appeared to show legitimate transfers (from cold wallets to hot wallets), while completely different transactions were actually being executed
The hackers modified Safe transaction parameters, changing simple transfers to delegateCall operations, effectively granting themselves control over the funds
5) Blind Signing
The attackers exploited a limitation of hardware wallets, which display a transaction hash rather than the decoded transaction parameters, making it impractical for signers to verify the actual transaction details
As confirmed by Bybit CEO Ben Zhou, the transaction on their hardware wallet only showed "a lot of code" rather than a clear destination address. Without being able to verify exactly what they were approving, they proceeded to sign what appeared to be a routine transaction
6) Asset Theft and Evidence Elimination
Once stolen, the funds were immediately distributed across more than 50 different wallets to complicate tracking and prevent asset freezing, followed by further redistribution for money laundering
Immediately after completing the theft, the attackers removed all malicious code from the Safe{Wallet} website to eliminate evidence and conceal their methods
This attack is particularly significant because it didn't exploit any vulnerabilities in Safe's underlying smart contracts or core systems. Instead, it targeted the human and infrastructure layers by compromising a developer with cloud access credentials. Furthermore, the hackers were clearly well aware of Bybit's operational patterns and routine transfer procedures, enabling them to craft an attack that would appear legitimate to the exchange operators.
While the sophistication of this attack made it extremely difficult to detect, given the significance of this incident and the volume of funds involved, certain industry security practices could have mitigated its impact:
Using separate verification tools to independently confirm transaction details before signing
Distributing funds across multiple wallets rather than concentrating risk in a single wallet
Having signers utilize different interfaces to prevent a single compromised interface from affecting all approvers
The incident highlights a crucial security lesson: blockchain security alone is insufficient. Organizations must implement comprehensive security frameworks that encompass development environments, cloud infrastructure, user interfaces, and human factors training to truly protect digital assets.
2.1 Safe Team's Response to the Security Breach
In the wake of the largest cryptocurrency hack in history, public attention naturally turned to Safe's response strategy. It's important to note that this incident did not fundamentally compromise the structural integrity of the Safe protocol or wallet itself—the breach occurred through developer equipment infiltration and infrastructure access rather than exploiting vulnerabilities in Safe's core protocol or smart contracts. Nevertheless, Safe treated this incident with the utmost seriousness and dedicated all resources to rebuilding trust through transparent and swift actions.
Source: X(@koeppelmann)
Immediately following the breach, the Safe team suspended all networks and services connected to the Safe{Wallet} interface and launched a comprehensive investigation. Working in collaboration with Mandiant, Google Cloud's security specialist firm, they meticulously traced the attack vectors and publicly disclosed their findings on March 7th. Safe{Wallet} implemented several critical security enhancements in response:
Complete Infrastructure Reset: Comprehensive replacement of all authentication credentials, cluster reinitialization, rotation of encryption keys and secrets, deployment of new developer hardware, and complete rebuilding and redeployment of container images
External Access Controls: Implementation of temporary restrictions on external access to transaction services, limiting operations to internal communications only, with strengthened firewall rules for external service connections
Advanced Threat Detection: Partnership with Blockaid to upgrade malicious transaction detection systems, with additional risk indicators specifically flagging master control upgrades to Safe accounts
Comprehensive Monitoring Overhaul: Enhanced logging and real-time threat detection across all system layers to improve security visibility and dramatically reduce incident response times
Pending Transaction Removal: Complete removal of all pending transactions from databases to eliminate potential security vulnerabilities
Interface Security Enhancements: Introduction of "Safe Utils," a new verification tool allowing independent transaction hash verification, with plans to develop an IPFS-hosted version of the Safe{Wallet} frontend for additional security
The team also implemented numerous additional low-level security measures but strategically chose not to disclose specific details to avoid providing potential attackers with insights into their internal infrastructure.
Source: Methods to Access Your Safe Account Onchain
Safe's longstanding commitment to open-source principles and their strategy of developing diverse access interfaces proved invaluable during this crisis. Even while the compromised Safe{Wallet} interface underwent recovery, users maintained uninterrupted access to their assets through various alternative interfaces. This accessibility significantly prevented a potential exodus and mitigated user concerns. As outlined in their security improvements roadmap, Safe will supplement their directly managed interfaces with an officially supported IPFS-hosted version.
Following the temporary service suspension, Safe{Wallet} prioritized security while methodically restoring network connections, successfully achieving full restoration across all networks within just two weeks of the attack. Throughout the investigation and recovery process, the Safe team maintained consistent communication through regular status updates while implementing multi-layered risk mitigation strategies designed to preserve user confidence in their platform.
2.2 User Reactions Following the Bybit Hack
Source: Safe across chains (Dune Analytics)
Safe's Total Value Locked (TVL) has declined approximately 25%, falling from $72 billion pre-hack to around $55 billion currently—effectively returning to mid-2024 levels. However, this reduction should be viewed in the context of the broader crypto market downturn, with Ethereum prices down approximately 28% in March compared to the previous month and overall onchain activity diminishing. Rather than indicating a significant user exodus, these figures likely reflect natural market contraction.
Source: Safe TVP (Dune Analytics)
Examining Safe wallet deposit and withdrawal patterns reveals a relatively substantial net outflow during February 2025, coinciding with the hack. The month recorded $27.6 billion in total deposits against $35.2 billion in withdrawals, resulting in approximately $7.5 billion net outflow from Safe wallets—representing about 10% of Safe's pre-hack TVL. However, this temporary spike in outflows appears to have normalized by March, following the Safe team's proactive response, enhanced security implementations, and Bybit's recovery efforts for the stolen funds. As of this writing, post-March net outflows have stabilized at approximately $1.1 billion, which aligns with typical historical patterns.
Source: Safe TVP (Dune Analytics)
The most dramatic change has been observed in Safe{Wallet} interface usage—the primary attack vector in the hack. Previously accounting for between 40% and 70% of all Safe transactions, Safe{Wallet}'s usage has plummeted to just 3% of March transaction volume at the time of writing. This significant decline can be attributed both to the service limitations during the seven-day recovery period, when connections to all chains were being restored, and to lingering user concerns about interface security.
As detailed in the earlier hack analysis, attackers created a critical disconnect between the transaction information displayed to users and the actual operations executed through the Safe{Wallet} interface. While this particular attack specifically targeted Bybit addresses, the realization that the same methodology could potentially compromise any Safe{Wallet} user significantly amplified security concerns across the user base. Consequently, users appear to be maintaining their trust in Safe's underlying core technology while adopting a substantially more cautious approach toward web-based interface interactions.
3.1 Lessons From the Largest Heist In Crypto
The Bybit hack, while representing the largest cryptocurrency theft in history, has become a watershed moment for security awareness across the entire blockchain industry. This incident delivered a powerful lesson to all industry participants: blockchain technology alone cannot guarantee comprehensive security. Instead, a holistic approach encompassing development environments, infrastructure, user interfaces, and human factors is essential for robust protection.
What makes this incident particularly instructive is that the attack vector wasn't Safe's core protocol but rather developer equipment and AWS infrastructure—clearly demonstrating that blockchain security extends far beyond code audits. Even the most meticulously audited smart contracts remain vulnerable if infrastructure and human elements aren't equally secured. This reality underscores the critical importance for all cryptocurrency entities to implement rigorous security protocols across their entire technology stack.
In a recent analysis of the Bybit hack, Matt Gleason from A16Z outlines several advanced security strategies that organizations managing substantial digital assets should consider:
Decentralize - Rather than relying on a single security system, organizations should distribute responsibilities and verification processes across multiple independent systems and entities. This approach makes comprehensive compromise significantly more difficult, functioning like a multisig wallet but extended across diverse technological and organizational boundaries.
Compartmentalize - By isolating high-value wallets and dividing funds across multiple wallets, organizations can limit potential losses from any single compromise. This prevents catastrophic single-point failures even when attackers successfully breach one security layer.
Static Interfaces - Using verified local copies of interfaces that cannot pull code from external sources provides protection against the exact type of attack that compromised Safe{Wallet}. This could include local deployments, browser extensions, or applications on devices completely separate from business operations.
Minimize - For devices managing substantial assets, removing unnecessary features and applications significantly reduces the attack surface. A device responsible for signing billion-dollar transactions should contain only the bare minimum software required for that specific function.
Decouple - Maintaining complete separation between high-security systems and everyday technology environments prevents cross-contamination. Nation-state attackers excel at bridging between environments with any shared connections, making this isolation increasingly critical for significant holdings.
3.2 Safe’s Future
This security breach undeniably inflicted significant damage to the brand reputation and user trust in Safe{Wallet} and related services—systems that had maintained an unblemished security record since their initial 2017 launch. However, the absence of widespread user exodus or panic withdrawals following such a substantial breach speaks volumes about the robust brand equity and unique market position Safe has cultivated within the cryptocurrency ecosystem.
Safe has effectively established itself as the dominant force in multisig wallet solutions, building exceptional reliability and product sophistication that leaves potential competitors far behind. While alternative multisig wallets exist, none approach Safe's combination of comprehensive functionality, intuitive user experience, and extensive ecosystem compatibility—factors that have helped maintain Safe's strong market position despite this setback.
Source: Smart Accounts Landscape (Dune Analytics)
Ultimately, while this incident presented Safe with an extraordinary challenge, their swift and transparent response demonstrated remarkable crisis management capabilities and the potential to emerge stronger. Their long-standing commitment to open-source principles and decentralized architecture proved invaluable, providing critical resilience during this crisis period.
Looking forward, this incident will likely catalyze enhanced security practices across the entire cryptocurrency industry. The lessons learned—both by Safe and the wider blockchain community—should drive the development of more robust security frameworks, ultimately strengthening industry-wide reliability and stability in the long term.