The developer of SafeWallet has released a detailed report on the cybersecurity breach that led to Bybit’s $1.4 billion hack in February.
A joint forensic investigation by SafeWallet and cybersecurity firm Mandiant uncovered that attackers exploited a Safe developer’s Amazon Web Services (AWS) session tokens, effectively bypassing the company’s multifactor authentication (MFA) security measures.
SafeWallet required its team members to reauthenticate AWS session tokens every 12 hours. In response, the hackers attempted to register an MFA device but failed multiple times. They then likely deployed malware to compromise a developer’s macOS system, allowing them to hijack AWS session tokens during an active session.
Once inside the AWS environment, the attackers meticulously planned and executed the breach. Mandiant identified them as North Korean state actors who spent 19 days strategizing and carrying out the attack.
SafeWallet clarified that its smart contracts were not affected by the exploit and assured that new security measures had been introduced to prevent future incidents.
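For defenders, the two behaviours described above (repeated failed MFA device registration and reuse of a live session token) can be triaged from CloudTrail records. The sketch below is an added example, not code from Safe or Mandiant; the sample records, ARNs, key IDs and IPs are constructed, and it assumes a hijacked token shows up from a second source IP, which would not hold if the attacker proxied through the developer's own machine.

```python
from collections import defaultdict

MFA_REGISTRATION_CALLS = {"CreateVirtualMFADevice", "EnableMFADevice"}  # IAM API names

def ev(name, arn, key, ip, error=None):
    """Build a constructed record carrying only the CloudTrail fields used here."""
    rec = {"eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": arn, "accessKeyId": key}}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode on failed calls
    return rec

# Constructed sample data (documentation account ID and IP ranges).
DEV = "arn:aws:sts::111122223333:assumed-role/dev-role/dev1"
OPS = "arn:aws:sts::111122223333:assumed-role/ops-role/ops1"
SAMPLE_EVENTS = [
    ev("EnableMFADevice", DEV, "ASIAEXAMPLE0001", "203.0.113.50", "AccessDenied"),
    ev("EnableMFADevice", DEV, "ASIAEXAMPLE0001", "203.0.113.50", "AccessDenied"),
    ev("GetObject", DEV, "ASIAEXAMPLE0002", "198.51.100.10"),
    ev("PutObject", DEV, "ASIAEXAMPLE0002", "203.0.113.50"),
    ev("ListBuckets", OPS, "ASIAEXAMPLE0003", "198.51.100.20"),
]

def triage(events, mfa_fail_threshold=2):
    """Return findings for failed MFA registrations and session keys seen from >1 IP."""
    mfa_failures = defaultdict(int)  # principal ARN -> failed registration count
    key_ips = defaultdict(set)       # temporary access key -> source IPs seen
    for e in events:
        ident = e.get("userIdentity", {})
        if e.get("eventName") in MFA_REGISTRATION_CALLS and e.get("errorCode"):
            mfa_failures[ident.get("arn", "unknown")] += 1
        key = ident.get("accessKeyId", "")
        if key.startswith("ASIA"):   # prefix of STS-issued temporary keys
            key_ips[key].add(e.get("sourceIPAddress"))
    findings = []
    for arn, count in sorted(mfa_failures.items()):
        if count >= mfa_fail_threshold:
            findings.append(("repeated_failed_mfa_registration", arn, count))
    for key, ips in sorted(key_ips.items()):
        if len(ips) > 1:
            findings.append(("session_key_multiple_ips", key, sorted(ips)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A session key seen from two IPs can also be a user changing networks, so treat these findings as triage signals to correlate with device and VPN logs rather than as verdicts.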
FBI Issues Warning as Bybit Hackers Launder Stolen Funds
The U.S. Federal Bureau of Investigation (FBI) issued an alert urging node operators to block transactions linked to the North Korean hackers, warning that the stolen funds were being laundered and converted into fiat currency.
Within 10 days, the hackers successfully laundered all 500,000 Ether-related tokens stolen in the breach.
On March 4, Bybit CEO Ben Zhou reported that approximately 77% of the stolen funds—valued at $1.07 billion—remain traceable on-chain, while around $280 million has become untraceable.
Despite this, Deddy Lavid, CEO of cybersecurity firm Cyvers, remained hopeful that some of the stolen assets could still be tracked and frozen.