New information about the $1.46 billion hack on the cryptocurrency exchange Bybit a few days ago has emerged.
According to findings from a forensic audit shared by Bybit, the hack was not the exchange’s fault but the fault of SAFE’s servers.
According to an earlier post from Bybit CEO Ben Zhou, blockchain security firms Sygnia Labs and Verichains conducted the forensic examination.
SAFE Server Compromise
Habeeb, a managing partner with Dragonfly, pointed out that the scammers “hot swapped the Gnosis SAFE UI with JS code that ONLY targeted Bybit’s cold wallet.”
Similarly, SAFE released a statement admitting that a compromised wallet developer machine caused the hack.
The compromise, which produced a disguised malicious transaction proposal, is believed to be the work of the Lazarus Group.
In addition, SAFE claimed that the forensic review conducted by external security researchers did not discover any vulnerabilities in its smart contracts.
The front-end and services’ source code also contained no loopholes. Despite these assurances, many community members are dissatisfied with SAFE’s update.
Binance Founder Changpeng Zhao shared his comments, noting that the explanation on ‘developer machine’ is not sufficient.
Bybit Beats Worst Fallout
When the Singapore-based cryptocurrency exchange suffered a hack on February 21, the bad actors made away with $1.4 billion in Ethereum (ETH).
The attackers allegedly tricked signers of these multi-signature cold wallets into approving a malicious transaction.
On the positive side, many institutions in the crypto industry offered liquidity to support Bybit customer withdrawals.
Shortly after the hack, the exchange was able to close the deficit.
It achieved this through loans, whale deposits, and direct ETH purchases. The funds totaled 446,870 ETH, worth approximately $1.23 billion.
Not long before, Bybit published an audited Proof of Reserves (POR) report demonstrating 1:1 backing of client assets through Merkle tree verification.
Even though SAFE has been revealed as the channel through which the scammer hit Bybit, the third party said its front end is still operational.
It also stated that additional security measures had been implemented to prevent future occurrences.
Security experts advise users to be cautious and vigilant when signing transactions.
The War on Lazarus Group and Preventive Measures
Meanwhile, the state-sponsored North Korean hacker group Lazarus Group is notorious for perpetrating sophisticated social engineering attacks on developer credentials.
At other times, they aim for zero-day exploits. Unfortunately, Bybit is one of its recent victims.
There are allegations that crypto exchange eXch was involved in laundering the loot.
Specifically, eXch was accused of laundering more than $30 million from wallets linked to North Korea’s Lazarus Group.
However, the platform released an official statement denying involvement in the incident on that scale.
Instead, it says eXch processed only a small amount of the stolen funds through a single Ethereum address.
Meanwhile, Bybit has launched a $140 million recovery plan to compensate impacted entities.
In addition, it declared war on the Lazarus Group, unveiling a major bounty for anyone who can help disrupt the group’s hacking operations.
The SAFE team has thoroughly investigated and restored SAFE on the Ethereum mainnet with a phased rollout.
To eliminate the bad actors’ attack vectors, the SAFE team has fully rebuilt and reconfigured all infrastructure and rotated all credentials.
The final result of this investigation is still pending, but SAFE plans to publish a post-mortem report once it’s available.
Source: https://www.thecoinrepublic.com/2025/02/27/bybit-hack-heres-the-latest-from-forensic-audit/