A forensic investigation by Sygnia found that malicious JavaScript code was injected into Safe Wallet’s AWS S3 bucket.
Chrome cache analysis confirmed the compromised JavaScript, with the code removed from Safe Wallet’s resources two minutes after the attack.
Ben Zhou, Co-Founder and CEO of Bybit
Cryptocurrency exchange Bybit experienced a security breach
resulting in the unauthorized transfer of over $1.4 billion in liquid-staked
Ether (ETH) and MegaETH (mETH). The exchange reported unauthorized access to
one of its Ethereum cold wallets on February 21, 2025.
The incident took place during a multisignature transaction
facilitated through Safe Wallet. A threat actor intercepted the process,
altered the transaction, and gained control of the wallet. The attacker then
transferred the funds to a separate wallet under their control.
Following the discovery, Bybit engaged cybersecurity firm
Sygnia to conduct a forensic investigation. The investigation aimed to
determine the source of the compromise, assess the extent of the attack, and
implement measures to prevent future incidents.
Investigation Findings
The forensic analysis identified that malicious JavaScript
code had been injected into a resource served from Safe Wallet’s AWS S3 bucket.
The modification timestamp and historical web records suggest that the code was
added on February 19, 2025, two days before the unauthorized transaction.
The injected code was designed to manipulate transaction
data during the signing process. It activated only when the transaction
originated from specific contract addresses, including Bybit’s contract and
another unidentified address. This suggests that the attacker had predefined
targets for the exploit.
Safe Wallet JavaScript Modified Before Attack
Forensic examination of Chrome browser cache files from the
three signers’ systems confirmed the presence of the compromised JavaScript
resource at the time of the transaction. These files indicated that the Safe Wallet
resource was last modified shortly before the attack.
Further analysis revealed that two minutes after the
fraudulent transaction was executed, new versions of the affected JavaScript
files were uploaded to SafeWallet’s AWS S3 bucket, removing the injected code.
This suggests an attempt to conceal the unauthorized modification.
Snippet from a JavaScript resources cache, showing the file’s header, Source: Bybit
Public web archives captured two snapshots of Safe Wallet’s
JavaScript resources on February 19, 2025. The first snapshot contained the
original, unaltered version, while the second snapshot showed the presence of
the malicious code. This further supports the conclusion that the attack
originated from Safe Wallet’s AWS infrastructure.
No Evidence of Bybit Infrastructure Breach
At this stage, the forensic investigation has not found any
evidence of a compromise within Bybit’s own infrastructure. The unauthorized
access appears to have been facilitated through vulnerabilities in SafeWallet’s
systems. Bybit and Sygnia are continuing their investigation to confirm the
findings and assess any additional risks.
“The preliminary forensic review finds that our system
was not compromised. While this incident underscores the evolving threats in
the crypto space, we are taking proactive steps to reinforce security and
ensure the highest level of protection for our users,” said Ben Zhou,
Co-founder and CEO of Bybit.
Cryptocurrency exchange Bybit experienced a security breach
resulting in the unauthorized transfer of over $1.4 billion in liquid-staked
Ether (ETH) and MegaETH (mETH). The exchange reported unauthorized access to
one of its Ethereum cold wallets on February 21, 2025.
The incident took place during a multisignature transaction
facilitated through Safe Wallet. A threat actor intercepted the process,
altered the transaction, and gained control of the wallet. The attacker then
transferred the funds to a separate wallet under their control.
Following the discovery, Bybit engaged cybersecurity firm
Sygnia to conduct a forensic investigation. The investigation aimed to
determine the source of the compromise, assess the extent of the attack, and
implement measures to prevent future incidents.
Investigation Findings
The forensic analysis identified that malicious JavaScript
code had been injected into a resource served from Safe Wallet’s AWS S3 bucket.
The modification timestamp and historical web records suggest that the code was
added on February 19, 2025, two days before the unauthorized transaction.
The injected code was designed to manipulate transaction
data during the signing process. It activated only when the transaction
originated from specific contract addresses, including Bybit’s contract and
another unidentified address. This suggests that the attacker had predefined
targets for the exploit.
Safe Wallet JavaScript Modified Before Attack
Forensic examination of Chrome browser cache files from the
three signers’ systems confirmed the presence of the compromised JavaScript
resource at the time of the transaction. These files indicated that the Safe Wallet
resource was last modified shortly before the attack.
Further analysis revealed that two minutes after the
fraudulent transaction was executed, new versions of the affected JavaScript
files were uploaded to SafeWallet’s AWS S3 bucket, removing the injected code.
This suggests an attempt to conceal the unauthorized modification.
Snippet from a JavaScript resources cache, showing the file’s header, Source: Bybit
Public web archives captured two snapshots of Safe Wallet’s
JavaScript resources on February 19, 2025. The first snapshot contained the
original, unaltered version, while the second snapshot showed the presence of
the malicious code. This further supports the conclusion that the attack
originated from Safe Wallet’s AWS infrastructure.
No Evidence of Bybit Infrastructure Breach
At this stage, the forensic investigation has not found any
evidence of a compromise within Bybit’s own infrastructure. The unauthorized
access appears to have been facilitated through vulnerabilities in SafeWallet’s
systems. Bybit and Sygnia are continuing their investigation to confirm the
findings and assess any additional risks.
“The preliminary forensic review finds that our system
was not compromised. While this incident underscores the evolving threats in
the crypto space, we are taking proactive steps to reinforce security and
ensure the highest level of protection for our users,” said Ben Zhou,
Co-founder and CEO of Bybit.
Unregistered Crypto Mining in Russia May Soon Come With Up to 2 Years of Forced Labor
How does the Finance Magnates newsroom handle sensitive updates that may affect a brand?
How does the Finance Magnates newsroom handle sensitive updates that may affect a brand?
Yam Yehoshua, Editor-in-Chief at Finance Magnates, explains the approach: reaching out before publication, hearing all sides, and making careful, case-by-case decisions with balance and responsibility.
⚖ Balanced reporting
📞 Right of response
📰 Responsible journalism
#FinanceMagnates #FinancialJournalism #ResponsibleReporting #FinanceNews #EditorialStandards
Yam Yehoshua, Editor-in-Chief at Finance Magnates, explains the approach: reaching out before publication, hearing all sides, and making careful, case-by-case decisions with balance and responsibility.
⚖ Balanced reporting
📞 Right of response
📰 Responsible journalism
#FinanceMagnates #FinancialJournalism #ResponsibleReporting #FinanceNews #EditorialStandards
Executive Interview | Kieran Duff | Head of UK Growth & Business Development, Darwinex | FMLS:25
Executive Interview | Kieran Duff | Head of UK Growth & Business Development, Darwinex | FMLS:25
Here is our conversation with Kieran Duff, who brings a rare dual view of the market as both a broker and a trader at Darwinex.
We begin with his take on the Summit and then turn to broker growth. Kieran shares one quick, practical tip brokers can use right now to improve performance. We also cover the rising spotlight on prop trading and whether it is good or bad for the trading industry.
Kieran explains where Darwinex sits on the CFDs-broker-meets-funding spectrum, and how the model differs from the typical setups seen across the market.
We finish with a look at how he uses AI in his daily workflow — both inside the brokerage and in his own trading.
Here is our conversation with Kieran Duff, who brings a rare dual view of the market as both a broker and a trader at Darwinex.
We begin with his take on the Summit and then turn to broker growth. Kieran shares one quick, practical tip brokers can use right now to improve performance. We also cover the rising spotlight on prop trading and whether it is good or bad for the trading industry.
Kieran explains where Darwinex sits on the CFDs-broker-meets-funding spectrum, and how the model differs from the typical setups seen across the market.
We finish with a look at how he uses AI in his daily workflow — both inside the brokerage and in his own trading.
Why does trust matter in financial news? #TrustedNews #FinanceNews #CapitalMarkets
Why does trust matter in financial news? #TrustedNews #FinanceNews #CapitalMarkets
According to Yam Yehoshua, Editor-in-Chief at Finance Magnates, in a world flooded with information, the difference lies in rigorous cross-checking, human scrutiny, and a commitment to publishing only factual, trustworthy reporting.
📰 Verified reporting
🔎 Human-led scrutiny
✅ Facts over noise
According to Yam Yehoshua, Editor-in-Chief at Finance Magnates, in a world flooded with information, the difference lies in rigorous cross-checking, human scrutiny, and a commitment to publishing only factual, trustworthy reporting.
📰 Verified reporting
🔎 Human-led scrutiny
✅ Facts over noise
In this video, we take an in-depth look at @Exness , a global multi-asset broker operating since 2008, known for fast withdrawals, flexible account types, and strong regulatory coverage across multiple regions.
We break down Exness’s regulatory framework, supported trading platforms including MetaTrader 4, MetaTrader 5, Exness Terminal, and the Exness Trade App, as well as available account types such as Standard, Pro, Zero, and Raw Spread.
You’ll also learn about Exness’s leverage options, fees and commissions, swap-free trading, available instruments across forex, commodities, indices, stocks, and cryptocurrencies, and what traders can expect in terms of execution, funding speed, and customer support.
Watch the full review to see whether Exness aligns with your trading goals and strategy.
👉 Explore Exness’s full broker listing on the Finance Magnates Directory:
https://directory.financemagnates.com/multi-asset-brokers/exness/
📣 Stay up to date with the latest in finance and trading. Follow Finance Magnates for industry news, insights, and global event coverage.
Connect with us:
🔗 LinkedIn: /financemagnates
👍 Facebook: /financemagnates
📸 Instagram: https://www.instagram.com/financemagnates
🐦 X: https://x.com/financemagnates
🎥 TikTok: https://www.tiktok.com/tag/financemagnates
▶️ YouTube: /@financemagnates_official
#Exness #ExnessReview #Forex #FinanceMagnates #ForexBroker #BrokerReview #CFDTrading #OnlineTrading #MarketInsights
In this video, we take an in-depth look at @Exness , a global multi-asset broker operating since 2008, known for fast withdrawals, flexible account types, and strong regulatory coverage across multiple regions.
We break down Exness’s regulatory framework, supported trading platforms including MetaTrader 4, MetaTrader 5, Exness Terminal, and the Exness Trade App, as well as available account types such as Standard, Pro, Zero, and Raw Spread.
You’ll also learn about Exness’s leverage options, fees and commissions, swap-free trading, available instruments across forex, commodities, indices, stocks, and cryptocurrencies, and what traders can expect in terms of execution, funding speed, and customer support.
Watch the full review to see whether Exness aligns with your trading goals and strategy.
👉 Explore Exness’s full broker listing on the Finance Magnates Directory:
https://directory.financemagnates.com/multi-asset-brokers/exness/
📣 Stay up to date with the latest in finance and trading. Follow Finance Magnates for industry news, insights, and global event coverage.
Connect with us:
🔗 LinkedIn: /financemagnates
👍 Facebook: /financemagnates
📸 Instagram: https://www.instagram.com/financemagnates
🐦 X: https://x.com/financemagnates
🎥 TikTok: https://www.tiktok.com/tag/financemagnates
▶️ YouTube: /@financemagnates_official
#Exness #ExnessReview #Forex #FinanceMagnates #ForexBroker #BrokerReview #CFDTrading #OnlineTrading #MarketInsights
FINANCE MAGNATES LONDON SUMMIT 2025
FINANCE MAGNATES LONDON SUMMIT 2025
The FMLS:25 highlights video is now live - a look back at the conversations, the energy on the floor, and the moments that shaped this year’s summit.
While that’s still fresh, the next launches across the FM Events portfolio are already taking shape.
FM Singapore takes place on the 12-14 of May, connecting the APAC market with its own distinct audience and priorities. FMAS:26 heads to Cape Town on 26–27 May shortly after, bringing the focus to Africa’s trading and fintech ecosystem.
Different regions. Different audiences. Same commitment to building the right rooms for meaningful conversations.
More details coming very soon. The launches are imminent. - here you go
The FMLS:25 highlights video is now live - a look back at the conversations, the energy on the floor, and the moments that shaped this year’s summit.
While that’s still fresh, the next launches across the FM Events portfolio are already taking shape.
FM Singapore takes place on the 12-14 of May, connecting the APAC market with its own distinct audience and priorities. FMAS:26 heads to Cape Town on 26–27 May shortly after, bringing the focus to Africa’s trading and fintech ecosystem.
Different regions. Different audiences. Same commitment to building the right rooms for meaningful conversations.
More details coming very soon. The launches are imminent. - here you go
