A forensic investigation by Sygnia found that malicious JavaScript code was injected into Safe Wallet’s AWS S3 bucket.
Chrome cache analysis confirmed the compromised JavaScript, with the code removed from Safe Wallet’s resources two minutes after the attack.
Ben Zhou, Co-Founder and CEO of Bybit
Cryptocurrency exchange Bybit experienced a security breach
resulting in the unauthorized transfer of over $1.4 billion in liquid-staked
Ether (ETH) and MegaETH (mETH). The exchange reported unauthorized access to
one of its Ethereum cold wallets on February 21, 2025.
The incident took place during a multisignature transaction
facilitated through Safe Wallet. A threat actor intercepted the process,
altered the transaction, and gained control of the wallet. The attacker then
transferred the funds to a separate wallet under their control.
Following the discovery, Bybit engaged cybersecurity firm
Sygnia to conduct a forensic investigation. The investigation aimed to
determine the source of the compromise, assess the extent of the attack, and
implement measures to prevent future incidents.
Investigation Findings
The forensic analysis identified that malicious JavaScript
code had been injected into a resource served from Safe Wallet’s AWS S3 bucket.
The modification timestamp and historical web records suggest that the code was
added on February 19, 2025, two days before the unauthorized transaction.
The injected code was designed to manipulate transaction
data during the signing process. It activated only when the transaction
originated from specific contract addresses, including Bybit’s contract and
another unidentified address. This suggests that the attacker had predefined
targets for the exploit.
Safe Wallet JavaScript Modified Before Attack
Forensic examination of Chrome browser cache files from the
three signers’ systems confirmed the presence of the compromised JavaScript
resource at the time of the transaction. These files indicated that the Safe Wallet
resource was last modified shortly before the attack.
Further analysis revealed that two minutes after the
fraudulent transaction was executed, new versions of the affected JavaScript
files were uploaded to Safe Wallet’s AWS S3 bucket, removing the injected code.
This suggests an attempt to conceal the unauthorized modification.
Snippet from a JavaScript resources cache, showing the file’s header, Source: Bybit
Public web archives captured two snapshots of Safe Wallet’s
JavaScript resources on February 19, 2025. The first snapshot contained the
original, unaltered version, while the second snapshot showed the presence of
the malicious code. This further supports the conclusion that the attack
originated from Safe Wallet’s AWS infrastructure.
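The cross-source comparison described above (signers' browser caches, public web archive snapshots, and what the bucket served afterwards) can be written as a small triage script. This is an added example, not code from Sygnia, Bybit or Safe Wallet; the URLs, ETags, timestamps and time windows are constructed for illustration.

```javascript
// Constructed evidence (not real case data): one record per observation of a
// script, with the Last-Modified and ETag headers stored alongside it.
const APP = "https://wallet.example/static/app.js";       // hypothetical URL
const LIB = "https://wallet.example/static/vendor.js";    // hypothetical URL
const obs = (source, url, lastModified, etag) => ({ source, url, lastModified, etag });
const evidence = [
  obs("web-archive-1", APP, "Mon, 17 Feb 2025 09:00:00 GMT", "aaa1"),
  obs("web-archive-2", APP, "Wed, 19 Feb 2025 15:00:00 GMT", "bbb2"),
  obs("signer-1-cache", APP, "Wed, 19 Feb 2025 15:00:00 GMT", "bbb2"),
  obs("signer-2-cache", APP, "Wed, 19 Feb 2025 15:00:00 GMT", "bbb2"),
  obs("signer-3-cache", APP, "Wed, 19 Feb 2025 15:00:00 GMT", "bbb2"),
  obs("live-fetch", APP, "Fri, 21 Feb 2025 14:15:00 GMT", "ccc3"),
  obs("signer-1-cache", LIB, "Mon, 10 Feb 2025 08:00:00 GMT", "ddd4"),
  obs("live-fetch", LIB, "Mon, 10 Feb 2025 08:00:00 GMT", "ddd4"),
];
const INCIDENT = "2025-02-21T14:13:00Z"; // constructed transaction time
const HOUR = 3600 * 1000, DAY = 24 * HOUR;
// Collapse observations into distinct versions per URL, oldest first.
function versionsByUrl(records) {
  const byUrl = new Map();
  for (const r of records) {
    if (!byUrl.has(r.url)) byUrl.set(r.url, new Map());
    const versions = byUrl.get(r.url);
    if (!versions.has(r.etag))
      versions.set(r.etag, { etag: r.etag, modified: Date.parse(r.lastModified), sources: [] });
    versions.get(r.etag).sources.push(r.source);
  }
  return new Map([...byUrl].map(([url, v]) =>
    [url, [...v.values()].sort((a, b) => a.modified - b.modified)]));
}

// Flag a version that appeared shortly before the incident and was replaced
// by a different one shortly after it: the pattern the cache analysis showed.
function findTransientVersions(records, incidentIso, beforeMs, afterMs) {
  const incident = Date.parse(incidentIso);
  const findings = [];
  for (const [url, versions] of versionsByUrl(records)) {
    versions.forEach((v, i) => {
      const next = versions[i + 1];
      const recent = v.modified <= incident && incident - v.modified <= beforeMs;
      const replaced = next && next.modified >= incident && next.modified - incident <= afterMs;
      if (recent && replaced)
        findings.push({ url, etag: v.etag, seenBy: v.sources, replacedAfterMs: next.modified - incident });
    });
  }
  return findings;
}
const findings = findTransientVersions(evidence, INCIDENT, 3 * DAY, HOUR);
console.log(JSON.stringify(findings, null, 2));
```

The ETag is treated here as an opaque version identifier; where the cached bodies themselves are recoverable, a content hash is the stronger key for grouping versions.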
No Evidence of Bybit Infrastructure Breach
At this stage, the forensic investigation has not found any
evidence of a compromise within Bybit’s own infrastructure. The unauthorized
access appears to have been facilitated through vulnerabilities in Safe Wallet’s
systems. Bybit and Sygnia are continuing their investigation to confirm the
findings and assess any additional risks.
“The preliminary forensic review finds that our system
was not compromised. While this incident underscores the evolving threats in
the crypto space, we are taking proactive steps to reinforce security and
ensure the highest level of protection for our users,” said Ben Zhou,
Co-founder and CEO of Bybit.
Tareq is a financial writer with 15 years of experience covering global markets. His work spans technical analysis, forex broker reviews, and market sentiment, with a focus on topics relevant to retail traders. He joined Finance Magnates in 2023.
At Finance Magnates, he serves as News Editor, covering retail forex and CFD brokers, cryptocurrency exchanges, fintech firms, and regulatory developments shaping the trading industry. He holds an Honours degree in Information Technology from Anfell College, London.