Bybit $1.4 billion breach linked to a Safe Wallet vulnerability

The cryptocurrency exchange Bybit suffered a security breach that led to the unauthorized transfer of more than $1.4 billion in liquid-staked Ether (ETH) and MegaETH (mETH). The exchange reported unauthorized access to one of its Ethereum cold wallets on February 21, 2025.

The incident occurred during a multisignature transaction facilitated through Safe Wallet. A threat actor intercepted the transaction, altered it, and gained control of the wallet. The attacker then transferred the funds to a separate wallet under their control.

After the discovery, Bybit engaged Sygnia to conduct a forensic investigation. The investigation aims to determine the source of the compromise, assess the extent of the attack, and implement measures to prevent future incidents.

Investigation results

The forensic analysis determined that malicious JavaScript code had been injected into a resource served from Safe Wallet's AWS S3 bucket. The modification timestamp and historical web records indicate that the code was added on February 19, 2025, two days before the unauthorized transaction.

The code was designed to modify transaction data during the signing process. It activated only when the transaction originated from specific contract addresses, including Bybit's contract and another unidentified address. This indicates that the attacker had predetermined targets.

Safe Wallet JavaScript before the attack

Forensic examination of Chrome browser cache files confirmed that the JavaScript resource was present on the three signers' systems at the time of the transaction. These cache files indicated that the Safe Wallet resource was last modified shortly before the attack.

Further analysis revealed that two minutes after the fraudulent transaction was executed, new versions of the affected JavaScript files were uploaded to Safe Wallet's AWS S3 bucket, removing the injected code. This indicates an attempt to hide the unauthorized modification.

Excerpt from the JavaScript resource cache showing the file header. Source: Bybit

Public web archives captured two snapshots of Safe Wallet's JavaScript resources on February 19, 2025. The first snapshot contains the original, unmodified version, while the second shows the presence of the malicious code. This further supports the conclusion that the attack originated from Safe Wallet's AWS infrastructure.
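The evidence described above (archive snapshots, browser cache entries, and the later re-upload) amounts to a hash timeline for one served resource. The following is an added example, not code from Bybit, Sygnia or Safe Wallet, showing how a defender could turn such observations into deviation windows against a known-good baseline; the file contents and all times of day are constructed, and only the dates come from the article.

```python
import hashlib
from datetime import datetime, timezone

def ts(s):
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def deviation_windows(observations, baseline_hash):
    """Return [(first_seen_modified, first_seen_restored_or_None), ...].

    observations: (observed_at, source, body) tuples for ONE resource URL.
    Bounds are observation times, so a window understates real exposure.
    """
    windows, start = [], None
    for observed_at, _source, body in sorted(observations, key=lambda o: o[0]):
        matches = sha256_hex(body) == baseline_hash
        if not matches and start is None:
            start = observed_at                   # content drifted from baseline
        elif matches and start is not None:
            windows.append((start, observed_at))  # baseline content is back
            start = None
    if start is not None:
        windows.append((start, None))             # still modified at last look
    return windows

def signed_during_deviation(windows, signed_at):
    """True if a signing event falls inside any deviation window."""
    return any(s <= signed_at and (e is None or signed_at < e) for s, e in windows)

# Constructed sample data: opaque placeholders stand in for the bundle bytes.
ORIGINAL, MODIFIED = b"bundle-contents-original", b"bundle-contents-modified"
BASELINE = sha256_hex(ORIGINAL)
OBSERVATIONS = [
    (ts("2025-02-19T10:00"), "web-archive snapshot 1", ORIGINAL),
    (ts("2025-02-19T17:00"), "web-archive snapshot 2", MODIFIED),
    (ts("2025-02-21T14:13"), "chrome-cache signer A", MODIFIED),
    (ts("2025-02-21T14:13"), "chrome-cache signer B", MODIFIED),
    (ts("2025-02-21T14:13"), "chrome-cache signer C", MODIFIED),
    (ts("2025-02-21T14:15"), "s3 re-fetch", ORIGINAL),
]
SIGNED_AT = ts("2025-02-21T14:13")  # constructed signing time

if __name__ == "__main__":
    for start, end in deviation_windows(OBSERVATIONS, BASELINE):
        print("modified content observed from", start, "until", end)
    print("signed while modified:",
          signed_during_deviation(deviation_windows(OBSERVATIONS, BASELINE), SIGNED_AT))
```

Run continuously against a pinned hash, the same comparison would have flagged the resource as soon as its served content changed.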

No evidence of a breach of Bybit's infrastructure

At this stage, the forensic investigation has found no evidence of a compromise inside Bybit's infrastructure. It appears that the unauthorized access was facilitated by weaknesses in Safe Wallet's systems. Bybit and Sygnia are continuing to investigate in order to confirm the findings and assess any additional risks.

“A preliminary forensic review finds that our system has not been at risk. While this incident confirms the advanced threats of the encryption space, we are taking proactive steps to enhance security and ensure the highest level of protection for our users,” said the founder and CEO of Bybit.
