The largest cryptocurrency heist in history was not the result of a smart contract vulnerability or a cryptographic breakthrough. Instead, TraderTraitor, a North Korean unit operating under the Lazarus Group umbrella, compromised a single developer laptop at Safe{Wallet} and used that access to inject malicious JavaScript into the interface Bybit's signers used, redirecting a transaction worth roughly $1.4 billion to attacker-controlled contracts. The forensic analysis published in early March 2025 by Safe, Mandiant, Sygnia, and Verichains describes a meticulously planned 19-day operation that targeted the human and infrastructure layers rather than the protocol itself.
The Exploit Mechanics
The attack began with social engineering. A Safe{Wallet} developer was lured into running a malicious Docker project, which gave the attackers persistent access to the developer's workstation. From that foothold, the operators hijacked the developer's active AWS session tokens, which let them sidestep multi-factor authentication, and used Safe's AWS infrastructure to inject malicious JavaScript into the Safe{Wallet} web application.
The injected code was not a blanket attack. It activated only under specific conditions: when the signers of Bybit's cold wallet initiated a transaction. When those conditions were met, the JavaScript replaced the intended transaction with a delegatecall to an attacker-controlled contract. A delegatecall runs the target's code in the context of the Safe's own storage, so the attacker's contract could overwrite the wallet's implementation pointer and take control of it. The signers saw what looked like a routine transfer in the web interface, but their signatures covered the substituted transaction, and approving it handed control of roughly $1.4 billion in assets to the attackers.
This targeting meant every other Safe user was unaffected, which made detection much harder. The payload was invisible to anyone not specifically targeted, and its conditional trigger ensured that routine security testing, and the sessions of ordinary users, would never execute the malicious branch.
Affected Systems
The primary victim was Bybit, whose cold-wallet multisig was drained of approximately $1.4 billion in Ether and related assets. The compromise itself, however, occurred within Safe's infrastructure. Safe is the widely trusted multisig wallet provider used by major exchanges, DAOs, and institutional holders across the crypto ecosystem, so the same injection point could in principle have been aimed at any of its users.
The forensic reports from Sygnia and Verichains, published on February 26, 2025, confirmed that the attack vector was Safe’s infrastructure rather than any vulnerability in Bybit’s own systems. Safe’s subsequent investigation with Mandiant, published around March 6, 2025, traced the entry point to the compromised developer machine and detailed the full attack chain from initial access to transaction manipulation.
At the time of the analysis, Bitcoin was trading around $81,000 and Ethereum near $1,860, providing the market context in which this unprecedented theft occurred.
The Mitigation Strategy
Safe responded by conducting a full infrastructure audit and implementing additional security measures for its development and deployment pipeline. The company coordinated with Mandiant for a comprehensive incident response and worked with law enforcement to trace the stolen funds.
Bybit CEO Ben Zhou publicly disclosed the forensic findings and coordinated an industry-wide response, including efforts to freeze and recover stolen assets across multiple exchanges and blockchain networks. The transparency of both organizations in sharing technical details has provided valuable lessons for the broader ecosystem.
Lessons Learned
The Safe{Wallet} compromise shows that the weakest link in cryptocurrency security is often not the blockchain protocol but the human and infrastructure layers around it. Years of repeatedly audited smart contracts and formally verified protocols counted for nothing once the interface through which users reach those protocols was compromised at its source: the contracts executed exactly what had been signed.
The incident highlights the need for hardware-based transaction verification in which signers independently confirm the transaction's fields (destination, value, calldata and operation type), not just an opaque hash, without relying solely on what a web interface displays. Organizations managing large treasuries should layer their checks: air-gapped signing devices, an independent recomputation of the transaction hash from the parameters they intend to approve, and out-of-band confirmation of those parameters among the signers before each signature.
User Action Required
Users of multisig wallets should verify that they are interacting with legitimate, uncompromised interfaces by checking URLs, using bookmarked addresses, and using hardware security keys for authentication, while keeping in mind that a correct URL did not protect Bybit: the malicious code was served by Safe's own web application. Organizations should implement strict development security policies, including mandatory security training for every developer with access to production infrastructure, continuous endpoint monitoring, and isolated build environments. The era of assuming that smart contract audits alone provide sufficient security is definitively over.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making financial decisions.
a malicious Docker project was the entry point. every crypto dev needs to treat every dependency and container image like it could be weaponized. trust nothing
19 days of access and nobody noticed. a single docker container wrecked 1.4 billion. infrastructure monitoring is clearly an afterthought for most of these teams
19 days of persistence and no SIEM alert triggered. any serious infra team would have caught anomalous docker network traffic in hours
rustacean_, the scary part is the JS was conditional. it only fired for Bybit signer sessions. any security scan looking for generic malicious behavior would have missed it entirely
the fact that the malicious JS only triggered for Bybit signers is terrifying. targeted, patient, surgical. this wasn't some spray and pray attack
Katrin E. said it best. targeted JS that only triggers for Bybit signers is next level tradecraft. this was months of reconnaissance not some opportunistic grab
the JS targeting only Bybit cold wallet ops means they studied the signing workflow for weeks before deploying. state-level patience
^ exactly. people focus on smart contract audits but the real attack surface is the CI/CD pipeline and dev laptops. always has been
lazarus group has been running these fake recruiter plays since like 2022. at this point any crypto dev getting contacted on linkedin should assume it's compromised
escalating from a dev laptop all the way to AWS infra and nobody flagged it for 19 days. their whole CI/CD pipeline was compromised and the monitoring was asleep