
How a Compromised Developer Laptop Began the Largest Crypto Heist in History

On February 5, 2025, a Safe{Wallet} developer logged into their workstation unaware that North Korean hackers had already compromised the machine. Within hours, the TraderTraitor unit — operating under the Lazarus Group umbrella — leveraged stolen credentials to infiltrate Safe’s AWS infrastructure, setting in motion a chain of events that would culminate in the theft of $1.4 billion from Bybit’s cold wallet. The attack did not exploit a smart contract vulnerability or a zero-day in blockchain code. It exploited the human layer — the weakest link in even the most sophisticated security stacks.

The Exploit Mechanics

The attack began with a targeted social engineering campaign against a Safe{Wallet} developer. TraderTraitor operatives crafted a malicious Docker project designed to appear legitimate, tricking the developer into executing it on their local machine. Once activated, the payload established persistent access to the developer’s environment, including credentials used to manage Safe’s AWS cloud infrastructure.

With AWS access secured, the attackers initiated a 19-day reconnaissance and preparation phase. They studied Safe’s deployment pipeline, identified the JavaScript bundles served to wallet users, and carefully injected malicious code into the Safe{Wallet} web interface. The injection was surgical — designed to activate only when Bybit’s cold wallet signers initiated a transaction, leaving all other Safe users completely unaffected and unaware.

When Bybit’s signers executed what appeared to be a routine transfer on February 21, the malicious JavaScript intercepted the transaction in real time. It swapped the legitimate transaction with a delegate call to an attacker-controlled contract, effectively transferring ownership of the cold wallet’s assets — valued at approximately $1.4 billion at the time — to the hackers. Bitcoin traded near $96,615 and Ethereum at $2,787 when the attack was first set in motion.

Affected Systems

The breach exposed critical vulnerabilities across multiple infrastructure layers:

  • Developer endpoints: The initial compromise vector — an unprotected developer laptop with access to production AWS credentials
  • AWS cloud infrastructure: Used to host and deploy the Safe{Wallet} web application, compromised via stolen credentials
  • CI/CD pipeline: The attackers navigated Safe’s deployment workflow to inject malicious JavaScript into production bundles
  • Safe{Wallet} web interface: The end-user application that signers relied on to review and approve transactions
  • Bybit cold wallet: The ultimate target, holding approximately $1.4 billion in ETH and other tokens

Notably, the Safe smart contracts themselves — audited and deployed on-chain — remained completely unaltered. The attack bypassed the blockchain layer entirely, targeting the Web2 infrastructure that users interacted with before transactions reached the chain.

The Mitigation Strategy

Following forensic investigations by Sygnia and Verichains, Safe implemented immediate containment measures. The compromised AWS environment was isolated, all developer access credentials were rotated, and the Safe{Wallet} web interface was rebuilt from verified clean code. Safe engaged Mandiant for a comprehensive incident response and publicly disclosed the full attack timeline on March 6, 2025.

Bybit CEO Ben Zhou confirmed that two independent forensic reports verified the attack vector originated from Safe’s infrastructure, not from any vulnerability in Bybit’s own systems. The exchange launched a recovery program and worked with blockchain analytics firms to trace the stolen funds across multiple laundering pathways.

Lessons Learned

The Safe{Wallet} breach fundamentally challenges the crypto industry’s security assumptions. For years, the focus has been on smart contract audits, formal verification, and on-chain security. Yet the largest heist in cryptocurrency history was executed entirely through Web2 attack vectors — compromised credentials, cloud infrastructure infiltration, and supply chain manipulation of a trusted web application.

The incident demonstrates that no amount of on-chain security can compensate for weak operational security in the layers between users and the blockchain. Multisig wallets, hardware security modules, and cold storage all provide meaningful protection, but only if the interfaces used to interact with them are equally secure.

User Action Required

If you use or have used Safe{Wallet} or similar multisig interfaces, consider the following steps:

  • Verify that you are interacting with the most recently deployed and verified version of the web interface.
  • Implement hardware-based transaction signing where possible, verifying transaction details on the device screen before approval.
  • Use dedicated, hardened machines for managing high-value wallets — never a daily-use developer workstation.
  • Monitor all multisig operations through independent on-chain verification tools that do not rely on the wallet provider’s web interface.
  • Finally, advocate for transparent, independently audited deployment pipelines from your wallet providers — because in crypto, your security is only as strong as the infrastructure you cannot see.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making security decisions.


8 thoughts on “How a Compromised Developer Laptop Began the Largest Crypto Heist in History”

    1. 19 days of recon with zero alerts is an infrastructure failure, not just a social engineering problem. Where was the anomaly detection?

        Reply: 19 days and zero alerts means no canary tokens, no anomaly detection, no integrity checks on deployment artifacts. Basic infra hygiene.

    2. A fake Docker project compromised a $1.4B cold wallet. The entire security model relied on one developer not clicking the wrong thing.

        Reply: A single compromised developer laptop taking down a $1.4B cold wallet. The supply chain attack surface is terrifying.

    3. Lazarus has been running this playbook since 2017 at least. Fake repos, poisoned npm packages, it's always the same vector.
