Safe Wallet Reveals Bybit Hack Details, and Calls for Community Action

Tanzeel Akhtar

Tanzeel Akhtar has been covering the cryptocurrency and blockchain sector since 2015. She has written for the Wall Street Journal, Bloomberg, CoinDesk, Bitcoin Magazine and Bitcoin.com.


Safe Wallet has released new details on its forensic investigation into the recent Bybit hack, conducted in collaboration with Mandiant, a cybersecurity firm now part of Google Cloud.

The latest findings provide a deeper understanding of how the attack unfolded, confirming the involvement of a North Korean-linked hacking group and outlining crucial security lessons.

In its latest announcement, Safe Wallet stated that the investigation has reached a critical milestone, allowing the team to share key insights into the security breach that occurred on February 21.

Evidence strongly suggests that this was a highly sophisticated, state-sponsored attack. The company is releasing these findings in the spirit of transparency, aiming to help other organizations strengthen their defenses against similar threats.

While hundreds of hours of forensic analysis have already been conducted, Safe Wallet emphasized that there is still work to be done.

The attackers took steps to cover their tracks, including removing malware and clearing Bash history to erase crucial evidence. Despite these challenges, Safe Wallet and Mandiant have gathered substantial intelligence on the attack, and the investigation remains ongoing.

Bybit CEO Ben Zhou has provided an update on the $1.4 billion of ETH stolen on February 21: 77% remains traceable—making this week critical for securing the remaining $1 billion.

Attribution to North Korean Hacking Group TraderTraitor

The FBI has attributed the February 21 heist to TraderTraitor, a threat group linked to the Democratic People’s Republic of Korea (DPRK). Mandiant, which tracks TraderTraitor as UNC4899, has confirmed this attribution in its preliminary report.

According to the investigation, the attack involved compromising the laptop of a Safe Wallet developer (referred to as “Developer1”) and hijacking AWS session tokens to bypass multi-factor authentication (MFA) controls. This developer had elevated access privileges, which the attackers exploited to gain further control.
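One way a defender could look for the session-token reuse described above in AWS CloudTrail logs, as an added example that is not taken from Safe Wallet's or Mandiant's report. The sample records are constructed, and treating the first-seen source IP of a session as its baseline is an assumption of this sketch.

```python
from collections import defaultdict

def _rec(time, name, ip, key, ua="aws-cli/2.15.0"):
    """Build a constructed record using real CloudTrail field names."""
    return {
        "eventTime": time, "eventName": name,
        "sourceIPAddress": ip, "userAgent": ua,
        "userIdentity": {
            "accessKeyId": key,
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
        },
    }

# Constructed sample data (not from the incident); IPs are documentation ranges.
K1, K2 = "ASIAEXAMPLEKEY000001", "ASIAEXAMPLEKEY000002"
SAMPLE_EVENTS = [
    _rec("2025-01-01T09:00:00Z", "GetCallerIdentity", "198.51.100.10", K1),
    _rec("2025-01-01T09:05:00Z", "ListBuckets", "198.51.100.10", K1),
    _rec("2025-01-01T09:20:00Z", "ListBuckets", "203.0.113.77", K1, "Boto3/1.34.0"),
    _rec("2025-01-01T09:21:00Z", "Decrypt", "s3.amazonaws.com", K1),
    _rec("2025-01-01T09:30:00Z", "ListBuckets", "198.51.100.10", K2),
]

def find_reused_sessions(events):
    """Map each temporary access key to calls made from a non-baseline IP."""
    first_source = {}
    findings = defaultdict(list)
    # Same-format UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        ip = ev.get("sourceIPAddress", "")
        # Only STS temporary credentials (ASIA prefix); skip calls that an
        # AWS service made on the session's behalf.
        if not key.startswith("ASIA") or ip.endswith(".amazonaws.com"):
            continue
        baseline = first_source.setdefault(key, ip)
        if ip != baseline:
            attrs = ident.get("sessionContext", {}).get("attributes", {})
            findings[key].append({
                "time": ev["eventTime"], "event": ev["eventName"],
                "ip": ip, "baseline_ip": baseline,
                "user_agent": ev.get("userAgent"),
                # Still "true": the token carries the MFA context of the
                # original login, so no new MFA prompt is triggered.
                "mfa_flag": attrs.get("mfaAuthenticated"),
            })
    return dict(findings)

if __name__ == "__main__":
    print(find_reused_sessions(SAMPLE_EVENTS))
```

Legitimate network changes (VPN, roaming) also trip this heuristic, so hits are leads for review rather than confirmed compromise.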

The investigation is still ongoing to determine exactly what actions the attackers took after compromising the developer’s workstation. Understanding how they obtained commit access to Safe Wallet’s servers remains a priority for forensic analysts.

In response to the attack, Safe Wallet said it has implemented security measures across its infrastructure, reinforcing its defenses well beyond pre-incident levels.

Elliptic Tracks Stolen Funds in Real-Time

Alongside Mandiant’s forensic analysis, blockchain analytics firm Elliptic has played a crucial role in tracking the stolen funds. The firm’s real-time screening technology allowed it to monitor the movement of stolen assets across wallets and exchanges immediately after the breach was identified.

This tracking capability allowed Bybit and other industry players to freeze assets before they could be fully laundered.

Elliptic’s co-founder and chief scientist, Tom Robinson, provided further insights into how the stolen funds are being laundered. The stolen crypto is now being funneled through Bitcoin mixers to obscure its origin.

“As we predicted, the crypto stolen from Bybit is now being sent through Bitcoin mixers. Several hundred thousand dollars have already been transferred to platforms like Wasabi Wallet and Cryptomixer,” Robinson explains.

Cryptomixer, a centralized mixing service, pools users’ Bitcoin together before redistributing it, making it difficult to trace the original source of funds. Wasabi Wallet, on the other hand, operates differently, using CoinJoin transactions to mix funds without requiring a centralized custodian.

“This could be a very slow process—these mixers have a limited capacity,” Robinson noted, suggesting that tracking and recovering the stolen funds will be an ongoing challenge.

Call for Stronger Security Measures

The Bybit hack serves as yet another reminder of the growing sophistication of state-sponsored cyber threats targeting the crypto industry.

Safe Wallet is urging the broader crypto community to take proactive measures to strengthen security practices, including enforcing strict access controls, monitoring unusual activity, and implementing robust incident response plans.

As the investigation continues, Safe Wallet said it remains committed to sharing further updates and working alongside security firms, law enforcement agencies, and industry partners to mitigate future threats.
