Safe Wallet Reveals Bybit Hack Details, and Calls for Community Action

By Tanzeel Akhtar

Safe Wallet has released new details on its forensic investigation into the recent Bybit hack, conducted in collaboration with Mandiant, a cybersecurity firm now part of Google Cloud.

The latest findings provide a deeper understanding of how the attack unfolded, confirming the involvement of a North Korean-linked hacking group and outlining crucial security lessons.

In its latest announcement, Safe Wallet stated that the investigation has reached a critical milestone, allowing the team to share key insights into the security breach that occurred on February 21.

Evidence strongly suggests that this was a highly sophisticated, state-sponsored attack. The company is releasing these findings in the spirit of transparency, aiming to help other organizations strengthen their defenses against similar threats.

While hundreds of hours of forensic analysis have already been conducted, Safe Wallet emphasized that there is still work to be done.

The attackers took steps to cover their tracks, including removing malware and clearing Bash history to erase crucial evidence. Despite these challenges, Safe Wallet and Mandiant have gathered substantial intelligence on the attack, and the investigation remains ongoing.

Bybit CEO Ben Zhou has provided an update on the $1.4 billion of ETH stolen on February 21: 77% remains traceable—making this week critical for securing the remaining $1 billion.

Attribution to North Korean Hacking Group TraderTraitor

The FBI has attributed the February 21 heist to TraderTraitor, a threat group linked to the Democratic People’s Republic of Korea (DPRK). Mandiant, which tracks TraderTraitor as UNC4899, has confirmed this attribution in its preliminary report.

According to the investigation, the attack involved compromising the laptop of a Safe Wallet developer (referred to as “Developer1”) and hijacking AWS session tokens to bypass multi-factor authentication (MFA) controls. This developer had elevated access privileges, which the attackers exploited to gain further control.
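
One way to look for the session-token reuse described above in AWS CloudTrail logs, as an added example that is not taken from Safe Wallet's or Mandiant's findings. The CloudTrail field names and the `ASIA`/`AKIA` key prefixes are real; the records, key IDs and IP addresses are constructed, and `ev` and `find_reused_sessions` are hypothetical helpers.

```python
def ev(time, name, ip, agent, key, mfa="true"):
    """Build a constructed CloudTrail-style record (field names per CloudTrail)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent,
            "userIdentity": {"accessKeyId": key, "sessionContext": {
                "attributes": {"mfaAuthenticated": mfa}}}}

# Constructed sample data, not taken from the incident.
SAMPLE_EVENTS = [
    ev("2025-01-10T09:00:12Z", "ListBuckets", "198.51.100.7", "aws-cli/2.15", "ASIAEXAMPLEDEV1"),
    ev("2025-01-10T09:05:40Z", "GetObject", "198.51.100.7", "aws-cli/2.15", "ASIAEXAMPLEDEV1"),
    # Call made by an AWS service on the session's behalf: not a new origin.
    ev("2025-01-10T09:06:02Z", "DescribeStacks", "cloudformation.amazonaws.com",
       "cloudformation.amazonaws.com", "ASIAEXAMPLEDEV1"),
    # Same session token, different network and client: candidate token theft.
    ev("2025-01-10T09:20:31Z", "PutObject", "203.0.113.50", "Boto3/1.34", "ASIAEXAMPLEDEV1"),
    # Long-term key (AKIA prefix) from two IPs: out of scope for this check.
    ev("2025-01-10T09:21:00Z", "GetObject", "192.0.2.10", "ci-runner", "AKIAEXAMPLECI", "false"),
    ev("2025-01-10T09:22:00Z", "GetObject", "192.0.2.11", "ci-runner", "AKIAEXAMPLECI", "false"),
    ev("2025-01-10T09:30:00Z", "ListUsers", "198.51.100.9", "console", "ASIAEXAMPLEOPS"),
]

def find_reused_sessions(events):
    """Flag temporary credentials (ASIA...) used from more than one source IP."""
    first_seen = {}                    # access key -> (ip, user agent) of first use
    findings, reported = [], set()
    for e in sorted(events, key=lambda r: r["eventTime"]):
        ident = e["userIdentity"]
        key, ip = ident["accessKeyId"], e["sourceIPAddress"]
        if not key.startswith("ASIA") or ip.endswith(".amazonaws.com"):
            continue
        origin = first_seen.setdefault(key, (ip, e["userAgent"]))
        if ip != origin[0] and (key, ip) not in reported:
            reported.add((key, ip))
            attrs = ident.get("sessionContext", {}).get("attributes", {})
            findings.append({
                "access_key": key, "first_ip": origin[0], "new_ip": ip,
                "new_agent": e["userAgent"], "event": e["eventName"],
                "time": e["eventTime"],
                # A replayed token keeps the MFA flag of the original login.
                "mfa_session": attrs.get("mfaAuthenticated") == "true"})
    return findings

if __name__ == "__main__":
    for finding in find_reused_sessions(SAMPLE_EVENTS):
        print(finding)
```

Source IPs also change for legitimate reasons such as VPNs or roaming, so each finding is a lead to correlate with device and login records rather than proof of compromise.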

The investigation is still ongoing to determine exactly what actions the attackers took after compromising the developer’s workstation. Understanding how they obtained commit access to Safe Wallet’s servers remains a priority for forensic analysts.

In response to the attack, Safe Wallet said it has implemented security measures across its infrastructure, reinforcing its defenses well beyond pre-incident levels.

Elliptic Tracks Stolen Funds in Real-Time

Alongside Mandiant’s forensic analysis, blockchain analytics firm Elliptic has played a crucial role in tracking the stolen funds. The firm’s real-time screening technology allowed it to monitor the movement of stolen assets across wallets and exchanges immediately after the breach was identified.

This tracking capability allowed Bybit and other industry players to freeze assets before they could be fully laundered.

Elliptic’s co-founder and chief scientist, Tom Robinson, provided further insights into how the stolen funds are being laundered. The stolen crypto is now being funneled through Bitcoin mixers to obscure its origin.

“As we predicted, the crypto stolen from Bybit is now being sent through Bitcoin mixers. Several hundred thousand dollars have already been transferred to platforms like Wasabi Wallet and Cryptomixer,” Robinson explains.

Cryptomixer, a centralized mixing service, pools users’ Bitcoin together before redistributing it, making it difficult to trace the original source of funds. Wasabi Wallet, on the other hand, operates differently, using CoinJoin transactions to mix funds without requiring a centralized custodian.

“This could be a very slow process—these mixers have a limited capacity,” Robinson noted, suggesting that tracking and recovering the stolen funds will be an ongoing challenge.

Call for Stronger Security Measures

The Bybit hack serves as yet another reminder of the growing sophistication of state-sponsored cyber threats targeting the crypto industry.

Safe Wallet is urging the broader crypto community to take proactive measures to strengthen security practices, including enforcing strict access controls, monitoring unusual activity, and implementing robust incident response plans.

As the investigation continues, Safe Wallet said it remains committed to sharing further updates and working alongside security firms, law enforcement agencies, and industry partners to mitigate future threats.
