Bybit Forensic Review Reveals Safe Wallet Breach in $1.5B Crypto Hack

Bybit’s forensic review of last week’s $1.5 billion hack confirmed that its systems remained secure, attributing the breach to compromised Safe wallet infrastructure. The investigation found that a Safe developer's credentials were compromised, allowing the notorious Lazarus Group to infiltrate the wallet and trick Bybit staff into authorizing a malicious transaction.

Despite Bybit’s findings, a source told CoinDesk that the hack could have been prevented if Bybit had not “blind signed” the transaction—approving it without fully understanding its contents.

Safe responded, clarifying that its smart contracts and core infrastructure remained unaffected. The attack stemmed from a compromised developer machine, impacting an account linked to Bybit. External security researchers found no vulnerabilities in Safe’s smart contracts or frontend services.

The blame game between Bybit and Safe mirrors last year's dispute between WazirX and Liminal Custody after a $230 million exploit. Meanwhile, blockchain analyst ZachXBT revealed that Lazarus Group is laundering the stolen funds, linking the hackers to previous attacks on Phemex and Poloniex. On-chain data shows 920 wallets now holding the tainted assets.

As the crypto community digests this latest attack, the incident raises concerns over security practices, blind signing risks, and the growing threat posed by state-backed hacking groups.