Full Report
Bybit suffered a $1.4 billion theft of crypto assets - 401K ETH - drained from a cold wallet. They use Safe{Wallet} with a 3-of-X MultiSig. If all of these people reviewed what they were signing, then what happened? Attackers compromised the Safe{Wallet} UI. So when the Bybit folks were signing off on the transaction and reviewing the details, they were signing off on the wrong thing! Looking at the JavaScript, the attack was specifically targeting Bybit. Instead of doing a transfer of any funds, a delegateCall was made to a contract controlled by the attacker. At this point, they were able to modify the Safe contract storage to change the proxy slot. By doing this, future calls the attacker made to the contract would go through their proxy to execute a delegateCall, allowing for complete ownership of the assets at the address. Stealing funds is trivial at this point. What would the executors have seen? On the web page, they saw the original transaction. What about the wallet? They would have seen raw bytes with no real meaning in them. Brutal... Overall, a good look into the exploit.
Analysis Summary
# Incident Report: Bybit Cold Wallet Asset Theft via UI Compromise
## Executive Summary
On February 21, 2025, Bybit suffered the largest recorded cryptocurrency theft, losing over $1.4 billion (401K ETH) from a cold wallet secured by a Safe{Wallet} 3-of-X MultiSig. The attack leveraged a compromised developer machine to inject malicious JavaScript into the Safe{Wallet} UI, tricking authorized signers into approving a transaction that redirected execution via `delegateCall` to an attacker-controlled contract, leading to the complete compromise and draining of the wallet.
## Incident Details
- **Discovery Date:** February 21, 2025 (Incident occurred concurrently with discovery)
- **Incident Date:** February 21, 2025
- **Affected Organization:** Bybit
- **Sector:** Cryptocurrency Exchange/Financial Services
- **Geography:** Not specified (Global operation)
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to February 21, 2025 (Exact date unknown)
- **Vector:** Compromised Safe{Wallet} developer machine used to inject malicious code.
- **Details:** Attackers tampered with a JavaScript file hosted by Safe{Wallet} (specifically targeting Bybit signers).
### Execution & Impact
- **Date/Time:** February 21, 2025
- **Vector:** Deception through UI spoofing and subsequent smart contract manipulation.
- **Details:**
1. A Bybit signer initiated what they believed was a routine cold wallet transfer via the Safe{Wallet} UI.
2. The malicious JavaScript detected the Bybit signer's address and modified the transaction data *just before* signing.
3. Signers approved the transaction, seeing the original transaction intent, but the underlying data instructed a `delegateCall` to an attacker-controlled contract using the address `0x96221423681A6d52E184D440a8eFCEbB105C7242`.
4. The `delegateCall` allowed the attacker to modify the Safe contract storage, specifically changing the owner proxy slot, effectively gaining full control over the wallet logic for future calls.
5. Attackers subsequently executed arbitrary transactions using their new control, draining 401,347 ETH.
6. After signing, the malicious script reverted the transaction data in the UI to match the original intent, hiding the modification from the signer.
### Detection & Response
- **Detection:** Immediately following the execution of the drain transaction.
- **Response Actions:** Forensic investigation launched (reported via Bybit channels). Attackers (identified as Lazarus Group) immediately began dispersing funds.
## Attack Methodology
- **Initial Access:** Supply chain attack via compromise of a developer’s machine distributing the Safe{Wallet} front-end JavaScript assets.
- **Persistence:** Not explicitly detailed, but the persistence was within the front-end code itself, waiting for targeted user interaction.
- **Privilege Escalation:** Gained control over the Safe contract's logic by using the authorized signer's approval to execute a `delegateCall` that overwrote critical storage variables (proxy slot).
- **Defense Evasion:** Transactions appeared legitimate to the signers during review because the UI displayed the intended, benign data, while the actually signed data called the malicious `delegateCall`. Signers saw raw, meaningless bytes in their underlying wallet interface.
- **Lateral Movement:** N/A (Direct contract compromise).
- **Impact:** Complete transfer of control over the cold wallet's assets.
## Impact Assessment
- **Financial:** Approximately $1.4 billion USD stolen (401,347 ETH).
- **Data Breach:** No direct customer data breach identified, but significant system integrity compromise.
- **Operational:** Severe operational disruption due to loss of primary cold storage assets.
- **Reputational:** Massive negative impact on market trust due to the scale of the loss.
## Indicators of Compromise
- **Network Indicators:** Tampered JavaScript chunk served by the Safe{Wallet} UI (URL defanged): `hxxps://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js`
- **Behavioral Indicators:** Execution of transactions containing a non-standard `delegateCall` leading to storage modification on the Safe contract proxy address.
- **Contract Indicator (Malicious Target):** `0x96221423681A6d52E184D440a8eFCEbB105C7242` (The address targeted by the malicious `safeTx.data.to`).
## Response Actions
- **Containment:** Not detailed, but likely involved isolating remaining operational wallets and securing developer environments.
- **Eradication:** Removal of the malicious code deployment from the Safe{Wallet} infrastructure (assuming immediate patching by Safe/Bybit).
- **Recovery:** Focus shifted immediately to tracking the dispersed stolen funds by the identified Lazarus Group.
## Lessons Learned
- **Front-End Risk:** Reliance on front-end UI presentation for security validation, even in high-stakes MultiSig environments, is critically dangerous if the UI itself is compromised.
- **Raw Transaction Visibility:** Human reviewers must be capable of verifying the true, raw transaction data (bytes) being signed, as relying purely on rendered UI elements is insufficient protection against sophisticated payload substitution attacks.
- **Supply Chain Weakness:** A single compromised developer machine provided the vector for a massive breach by allowing malicious code injection into widely distributed production assets.
## Recommendations
- Implement strict **transaction signing hardware requirements** that do not rely on browser/web UI interpretation of transaction data, ideally requiring explicit confirmation of raw transaction hashes/data.
- **Enhance SDLC security** around code deployment for services handling client assets, including stricter code review and ensuring separation between environments.
- **Implement whitelisting policies** within the Safe{Wallet} configuration (if possible for the specific function used) to restrict calls like `delegateCall` unless explicitly approved for trusted contracts only.
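The execution steps above, the "Raw Transaction Visibility" lesson and the last two recommendations all come down to one check: decode the bytes the wallet is actually asked to sign and compare them with what the UI claims, rather than trusting the rendered page. The following is an added example, not code from Bybit, Safe{Wallet} or the original report: a stand-alone, offline decoder for the calldata shape of Safe's `execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)` that flags a `DELEGATECALL` operation, a target that differs from the displayed one, a value mismatch, and a destination that is not on an approved list. The selector `0x6a761202` is the well-known selector for that signature; the warm-wallet address, the allowlist and the inner payload bytes are constructed sample values, while the attacker target is the address named in the report.

```python
"""Review the raw bytes of a Safe execTransaction before signing.

Added example: an independent, offline decoder for Safe's execTransaction
calldata that compares what is about to be signed with what the UI displayed
and flags a DELEGATECALL or an unapproved target. Not Bybit or Safe{Wallet} code.
"""
from __future__ import annotations

# Selector for execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes).
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1       # Safe's Enum.Operation values
HEAD_WORDS = 10                 # ten 32-byte words in the static head of the ABI encoding


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction with gas and refund parameters zeroed.

    Used here only to build constructed samples; in practice the bytes come from
    the wallet's signing request, not from the web page."""
    data_offset = 32 * HEAD_WORDS
    sigs_offset = data_offset + 32 + len(_pad32(data))
    head = b"".join([
        _word(int(to, 16)), _word(value), _word(data_offset), _word(operation),
        _word(0), _word(0), _word(0),   # safeTxGas, baseGas, gasPrice
        _word(0), _word(0),             # gasToken, refundReceiver
        _word(sigs_offset),
    ])
    tail = _word(len(data)) + _pad32(data) + _word(len(signatures)) + _pad32(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail


def _read_word(buf: bytes, off: int) -> int:
    return int.from_bytes(buf[off:off + 32], "big")


def _read_address(buf: bytes, off: int) -> str:
    return "0x" + buf[off + 12:off + 32].hex()   # right-most 20 bytes of the word


def _read_dyn_bytes(buf: bytes, off: int) -> bytes:
    length = _read_word(buf, off)
    return buf[off + 32:off + 32 + length]


def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a human reviewer must check: to, value, operation, data."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    return {
        "to": _read_address(body, 0),
        "value": _read_word(body, 32),
        "data": _read_dyn_bytes(body, _read_word(body, 64)),
        "operation": _read_word(body, 96),
        "refund_receiver": _read_address(body, 256),
    }


def review(calldata: bytes, shown_to: str, shown_value: int, allowlist: set[str]) -> list[str]:
    """Compare the bytes being signed against the intent the UI displayed.

    Returns a list of findings; an empty list means the raw data matches the
    displayed intent and satisfies the destination policy."""
    tx = decode_exec_transaction(calldata)
    approved = {a.lower() for a in allowlist}
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code runs in the Safe's own storage context")
    if tx["to"] != shown_to.lower():
        findings.append(f"target mismatch: UI shows {shown_to}, bytes say {tx['to']}")
    if tx["value"] != shown_value:
        findings.append(f"value mismatch: UI shows {shown_value}, bytes say {tx['value']}")
    if tx["to"] not in approved:
        findings.append(f"target {tx['to']} is not on the approved-destination list")
    return findings


# Constructed sample values (not real Bybit addresses); the malicious target is the one named in the report.
WARM_WALLET = "0x" + "42" * 20
ALLOWLIST = {WARM_WALLET}
MALICIOUS_TARGET = "0x96221423681A6d52E184D440a8eFCEbB105C7242"

# What the signer was shown: a plain 1 ETH transfer to the warm wallet.
BENIGN_CALLDATA = encode_exec_transaction(WARM_WALLET, 10**18, b"", CALL)
# What a tampered front end would actually hand to the wallet: a DELEGATECALL to the
# attacker's contract. The inner data is a constructed placeholder, not the real payload.
MALICIOUS_CALLDATA = encode_exec_transaction(MALICIOUS_TARGET, 0, bytes.fromhex("deadbeef"), DELEGATECALL)

if __name__ == "__main__":
    for label, cd in (("benign", BENIGN_CALLDATA), ("tampered", MALICIOUS_CALLDATA)):
        print(label, review(cd, WARM_WALLET, 10**18, ALLOWLIST) or ["OK: bytes match displayed intent"])
```

Run against the benign sample the review returns no findings; against the tampered sample it reports all four problems, the first of which (a non-zero `operation`) is exactly what a hardware wallet showing only raw bytes could not make visible to the Bybit signers. The same decoder can be wired behind a hardware-wallet or policy-engine step so that the approved-destination check and the `DELEGATECALL` block from the recommendations are enforced independently of the browser.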