
Safe{Wallet} Frontend Compromise: How a Single JavaScript Injection Set Up Crypto’s Largest Heist

Forensic reconstruction later showed that on February 19, 2025, attackers attributed to North Korea’s TraderTraitor group injected malicious JavaScript into Safe{Wallet}’s hosted frontend, laying the groundwork for what became the largest cryptocurrency theft on record two days later. With Bitcoin trading at approximately $96,600 and Ethereum at $2,715, the haul drained on February 21 was worth roughly $1.5 billion at the time.

The Exploit Mechanics

The attack began when threat actors compromised a Safe{Wallet} developer’s machine that had access to the Amazon S3 bucket serving the web application at app.safe.global. Using credentials taken from that machine, the attackers replaced a JavaScript file in the bucket with a tampered copy. Public web archives captured two snapshots of the resource on February 19: the first holds the original legitimate code, the second the malicious injection. The injected code was written to activate only for a small set of target addresses, Bybit’s Safe among them, so other users loading the same bundle saw no change in behavior.

The injected code altered the transaction parameters at signing time, while the summary shown to Bybit’s signers in the web interface still described the intended transfer. The payload actually handed to the hardware wallets pointed to an attacker-deployed contract with attacker-chosen calldata, and its operation field was changed from 0 to 1, turning a standard CALL into a DELEGATECALL. That flip was the linchpin of the exploit. A DELEGATECALL runs the target’s code in the storage context of the calling contract, here Bybit’s Safe proxy, and a Safe proxy keeps the address of its implementation (the singleton, or master copy) in storage slot 0. Code executed via DELEGATECALL can therefore overwrite that slot and replace the wallet’s logic wholesale. Two malicious contracts had been deployed in advance: one to perform the slot rewrite, the other to serve as the replacement implementation, which contained functions to move the wallet’s ETH and tokens out. Once the implementation was swapped, the multisig’s own rules no longer applied, and the attackers had full control over the wallet’s funds.
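The check that would have stopped this at the signer, as an added example that is not Safe{Wallet} code: a policy gate that inspects the SafeTx fields (to, value, data, operation, following the parameter names of Safe’s execTransaction) before a hardware wallet is ever asked to sign. The addresses, the allowlist and the tampered payload are constructed for illustration; the only real constant is the ERC-20 transfer selector 0xa9059cbb.

```javascript
// Added example (not Safe{Wallet} code): a signer-side policy gate over the SafeTx
// fields that Safe's execTransaction takes (to, value, data, operation). Addresses,
// allowlist and the tampered payload are constructed for illustration.

const OPERATION_CALL = 0;          // Enum.Operation.Call
const OPERATION_DELEGATECALL = 1;  // Enum.Operation.DelegateCall

// First 4 bytes of keccak256("transfer(address,uint256)"): the ERC-20 transfer selector.
const ERC20_TRANSFER_SELECTOR = "0xa9059cbb";

// Decode transfer(address,uint256) calldata: selector + two 32-byte ABI words.
function decodeErc20Transfer(data) {
  const hex = data.toLowerCase();
  if (!hex.startsWith(ERC20_TRANSFER_SELECTOR) || hex.length !== 2 + 8 + 64 + 64) {
    return null;
  }
  const addressWord = hex.slice(10, 74);
  const amountWord = hex.slice(74, 138);
  return {
    recipient: "0x" + addressWord.slice(24), // address is the low 20 bytes of the word
    amount: BigInt("0x" + amountWord),
  };
}

// Returns the list of policy violations; an empty list means the payload may be signed.
// Allowlists hold lowercase hex addresses.
function checkSafeTx(tx, policy) {
  const violations = [];

  // The linchpin of the Bybit attack: a DELEGATECALL from the proxy can rewrite its
  // implementation slot, so treasury signers should never approve one.
  if (tx.operation !== OPERATION_CALL) {
    violations.push(`operation ${tx.operation} is not CALL (0): DELEGATECALL would run foreign code in the Safe's storage context`);
  }
  if (!policy.allowedTargets.has(tx.to.toLowerCase())) {
    violations.push(`destination ${tx.to} is not an approved contract`);
  }
  if (BigInt(tx.value) > policy.maxValueWei) {
    violations.push(`value ${tx.value} wei exceeds the policy limit`);
  }
  if (tx.data !== "0x") {
    const transfer = decodeErc20Transfer(tx.data);
    if (transfer === null) {
      violations.push(`calldata ${tx.data.slice(0, 10)} is not a plain ERC-20 transfer`);
    } else if (!policy.allowedRecipients.has(transfer.recipient)) {
      violations.push(`ERC-20 recipient ${transfer.recipient} is not approved`);
    }
  }
  return violations;
}

const padWord = (hexNoPrefix) => hexNoPrefix.padStart(64, "0");

// Constructed addresses (not the real contracts involved in the incident).
const tokenContract = "0x" + "22".repeat(20);
const hotWallet = "0x" + "11".repeat(20);
const attackerContract = "0x" + "33".repeat(20);

const policy = {
  allowedTargets: new Set([tokenContract]),
  allowedRecipients: new Set([hotWallet]),
  maxValueWei: 0n, // token moves only; no native ETH leaves this Safe
};

// What the signers believed they were approving: CALL token.transfer(hotWallet, 1000e18).
const legitimateTx = {
  to: tokenContract,
  value: "0",
  data: ERC20_TRANSFER_SELECTOR + padWord(hotWallet.slice(2)) + padWord((1000n * 10n ** 18n).toString(16)),
  operation: OPERATION_CALL,
};

// What a tampered frontend could hand to the device instead: a different target,
// different calldata and operation flipped to DELEGATECALL, under the same UI summary.
const tamperedTx = {
  to: attackerContract,
  value: "0",
  data: ERC20_TRANSFER_SELECTOR + padWord(attackerContract.slice(2)) + padWord("0"),
  operation: OPERATION_DELEGATECALL,
};

console.log("legitimate:", checkSafeTx(legitimateTx, policy));
console.log("tampered:", checkSafeTx(tamperedTx, policy));
```

The gate has to run on the exact bytes that will be signed, on a machine or device the web frontend cannot write to; the same policy evaluated inside the compromised page would simply have been fed the doctored summary.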

Affected Systems

The primary target was Bybit’s cold wallet infrastructure, which relied on Safe{Wallet}’s multisignature smart contract system. Bybit held over 401,000 ETH plus staked-ETH derivatives (stETH, cmETH and mETH), together worth approximately $1.5 billion, in a single Safe proxy contract. The exposure was not limited to Bybit, however. Every organization using Safe{Wallet}’s hosted frontend loaded the malicious bundle during the window in which it was live; the injected code only acted on a handful of hard-coded target addresses, but nothing on the user’s side distinguished a tampered bundle from a clean one. The attack surface extended to any multisig wallet whose signing flow depended on the compromised S3-hosted resources.

The attack also exposed how loosely exchanges apply the term “cold wallet”. Bybit called its Safe{Wallet}-based storage a cold wallet, yet the Ledger hardware devices signed payloads delivered by a web-based signing interface, and the signers approved what the web page summarized rather than what the device decoded. The label matters because it shaped the threat model. An air-gapped signer is not immune to a tampered frontend on its own: it still signs whatever payload it is handed. What the “cold” label implied, and the workflow lacked, was independent verification of every field of the Safe transaction (to, value, data, operation) on a device the frontend cannot influence.

The Mitigation Strategy

In the immediate aftermath of the February 21 fund drain, Safe{Wallet} took its frontend offline and conducted a thorough code audit. The team rotated all credentials and implemented additional verification layers for JavaScript distribution. Industry leaders including Ledger, Binance, and Fireblocks published recommendations addressing the systemic weaknesses the attack exposed:

  • Eliminate blind signing: Hardware wallets should display full transaction details, including operation type, before requiring user confirmation.
  • Adopt hardware-verified transactions: Transaction data should be verified against an independently computed hash on a secure device, not just displayed on a web page.
  • Implement multi-level approval workflows: Critical operations like implementation changes should require additional authentication beyond standard multisig confirmations.
  • Distribute trust across infrastructure: No single developer machine should have the ability to modify production frontend assets without review and approval.
  • Use content integrity checks: Subresource Integrity (SRI) hashes and code signing can detect unauthorized changes to JavaScript files before they execute, with one caveat: the hash or signature must be anchored outside the host that serves the bundle. If the HTML shell and the scripts sit in the same writable bucket, an attacker who can replace the script can regenerate the integrity attribute as well.

Lessons Learned

The Safe{Wallet} compromise demonstrates that the crypto industry’s security model has a critical blind spot: the intersection between on-chain smart contracts and off-chain infrastructure. While enormous effort goes into auditing smart contract code, the frontend delivery pipeline often receives far less scrutiny. A perfectly audited multisig contract offers no protection if the interface presenting transactions to signers has been tampered with.

The attack also underscores the growing sophistication of nation-state threat actors targeting cryptocurrency infrastructure. The TraderTraitor group’s operation involved patient reconnaissance, credential theft, strategic timing, and a multi-stage laundering plan that moved stolen funds across more than 900 wallets, cross-chain bridges, and decentralized exchanges. This level of operational complexity demands a corresponding level of defensive investment from crypto organizations.

User Action Required

If you use a multisig wallet for personal or organizational fund management, take immediate steps to verify your security posture. Confirm that your signing workflow shows the decoded transaction fields (destination, calldata, operation type) on the hardware device, not just an on-screen summary, and that signers are trained to reject any unexpected DELEGATECALL. Review whether your frontend assets are served with integrity checks anchored outside the hosting bucket, and ensure that any third-party dependencies in your signing chain are regularly audited. The $1.5 billion stolen from Bybit was not the result of a cryptographic failure: it was a supply chain compromise exploiting the human and infrastructure layer. Your defenses must account for both.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals before making security decisions regarding digital assets.


7 thoughts on “Safe{Wallet} Frontend Compromise: How a Single JavaScript Injection Set Up Crypto’s Largest Heist”

  1. hosting a wallet frontend on s3 with no content integrity check is a choice. content-security-policy and subresource integrity are basic defenses that would have caught this

  2. supply chain attacks on wallet frontends are honestly terrifying. you can audit the contract all day but if the JS serving layer is compromised it's game over

    1. auditing the contract is theater if the deployment pipeline is not locked down. s3 bucket with dev credentials was the weakest link and nobody was watching it

    2. North Korea's TraderTraitor group again. they've been behind so many of these attacks it's basically a state funded crypto theft operation at this point

      1. state sponsored theft at this point. NK groups have stolen over a billion in crypto and the response is still just advisory notices

  3. the fact that web archives caught two separate snapshots of the JS file is actually great forensic work. shows how important immutable hosting would be for these apps

  4. Maria Okonkwo

    BTC was at $96.6k and ETH at $2,715 when they set this up. the timing was surgical. these groups definitely monitor markets before striking
