Safe, the multi-signature wallet provider, announced on Thursday that the $1.4 billion Ethereum heist from the Dubai-based centralized exchange Bybit last month was caused by a compromised developer laptop.
Following several independent reports indicating a malicious code injection into Safe’s infrastructure, the firm, alongside security experts at Mandiant, released more details Thursday, saying that the investigation had reached a “critical checkpoint.”
“We present these findings in the spirit of transparency and to highlight key lessons learned, along with calls to action for the broader community to learn from this incident and strengthen defenses,” the firm posted on X (formerly Twitter). “We wish to stress that despite hundreds of hours of analysis already conducted, there is more work to be done.”
The investigation revealed that a senior Safe developer’s computer was compromised on February 4 when it connected to a malicious Docker project (Docker packages applications as lightweight containers). From there, the hackers, believed to be part of North Korea’s Lazarus group according to on-chain experts and the FBI, bypassed the multi-factor authentication on Safe’s Amazon Web Services account by stealing active AWS session tokens: a token issued after a successful MFA login can be replayed from another machine without triggering a second MFA prompt.
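The attack path described above, a valid session token lifted from one machine and replayed from another, leaves a trace that defenders can look for: the same temporary credential appearing from two different origins. The following is an added illustration written for this article, not code from Safe, Mandiant or the incident report. It uses CloudTrail-style field names (eventTime, sourceIPAddress, userAgent, userIdentity.accessKeyId) over a small set of constructed records, and relies on the AWS convention that STS-issued temporary credentials have access key IDs starting with "ASIA" while long-term IAM keys start with "AKIA".

```python
import json
from collections import defaultdict

# Constructed sample records in CloudTrail's field naming. These are not real
# Safe or AWS log entries; the IP addresses are documentation ranges.
SAMPLE_EVENTS_JSON = """
[
 {"eventTime": "2025-02-04T09:12:01Z", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
  "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
 {"eventTime": "2025-02-04T09:14:22Z", "eventName": "GetObject",
  "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
  "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
 {"eventTime": "2025-02-04T11:03:45Z", "eventName": "PutObject",
  "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
  "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0001"}},
 {"eventTime": "2025-02-04T11:05:00Z", "eventName": "GetObject",
  "sourceIPAddress": "192.0.2.25", "userAgent": "aws-cli/2.15.0",
  "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY0002"}},
 {"eventTime": "2025-02-04T11:06:00Z", "eventName": "GetObject",
  "sourceIPAddress": "192.0.2.25", "userAgent": "aws-cli/2.15.0",
  "userIdentity": {"accessKeyId": "AKIAEXAMPLELONGTERM"}}
]
"""


def load_sample_events():
    """Parse the constructed sample records into a list of dicts."""
    return json.loads(SAMPLE_EVENTS_JSON)


def is_temporary_key(access_key_id):
    """STS session credentials use the ASIA prefix; long-term IAM keys use AKIA."""
    return access_key_id.startswith("ASIA")


def session_origins(events):
    """Map each temporary access key ID to the set of (sourceIP, userAgent) pairs it was used from."""
    origins = defaultdict(set)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not is_temporary_key(key):
            continue  # long-term keys are a different problem; this check is about session replay
        origins[key].add((ev.get("sourceIPAddress", ""), ev.get("userAgent", "")))
    return origins


def find_session_reuse(events):
    """Return {accessKeyId: sorted origins} for every session token seen from more than one origin.

    A session token normally stays on the host that obtained it through the MFA login,
    so a second origin is the signal that the token was copied elsewhere.
    """
    return {k: sorted(v) for k, v in session_origins(events).items() if len(v) > 1}


def first_anomalous_event(events, access_key_id):
    """Return the earliest event where the key appears from an origin different from its
    first-seen origin, or None if the key never changes origin. Useful for timelining."""
    first_origin = None
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("userIdentity", {}).get("accessKeyId") != access_key_id:
            continue
        origin = (ev.get("sourceIPAddress", ""), ev.get("userAgent", ""))
        if first_origin is None:
            first_origin = origin
        elif origin != first_origin:
            return ev
    return None


def main():
    events = load_sample_events()
    for key, origins in find_session_reuse(events).items():
        ev = first_anomalous_event(events, key)
        print(f"{key}: used from {len(origins)} origins; "
              f"first new origin at {ev['eventTime']} from {ev['sourceIPAddress']}")


if __name__ == "__main__":
    main()
```

On the constructed input, only ASIAEXAMPLEKEY0001 is flagged: it was obtained from one host and then reappears from a different IP with a different client. The same check is cheap to run as a scheduled query over real CloudTrail data, and it pairs naturally with the mitigations that shrink the replay window in the first place, such as short session durations and IAM policies that bind temporary credentials to expected source networks.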
Since the exploit, Safe has put in place more rigorous security measures, including a full infrastructure reset, improved UI for verifying transaction hashes, and enhanced malicious transaction detection.
The investigation is still ongoing, and Safe’s final recommendation is that users should be more vigilant in verifying that the transactions they sign and approve produce the intended result.