A forensic investigation by Sygnia found that malicious JavaScript code was injected into Safe Wallet’s AWS S3 bucket.
Chrome cache analysis confirmed the compromised JavaScript, with the code removed from Safe Wallet’s resources two minutes after the attack.
Ben Zhou, Co-Founder and CEO of Bybit
Cryptocurrency exchange Bybit experienced a security breach
resulting in the unauthorized transfer of over $1.4 billion in liquid-staked
Ether (ETH) and MegaETH (mETH). The exchange reported unauthorized access to
one of its Ethereum cold wallets on February 21, 2025.
The incident took place during a multisignature transaction
facilitated through Safe Wallet. A threat actor intercepted the process,
altered the transaction, and gained control of the wallet. The attacker then
transferred the funds to a separate wallet under their control.
Following the discovery, Bybit engaged cybersecurity firm
Sygnia to conduct a forensic investigation. The investigation aimed to
determine the source of the compromise, assess the extent of the attack, and
implement measures to prevent future incidents.
Investigation Findings
The forensic analysis identified that malicious JavaScript
code had been injected into a resource served from Safe Wallet’s AWS S3 bucket.
The modification timestamp and historical web records suggest that the code was
added on February 19, 2025, two days before the unauthorized transaction.
The injected code was designed to manipulate transaction
data during the signing process. It activated only when the transaction
originated from specific contract addresses, including Bybit’s contract and
another unidentified address. This suggests that the attacker had predefined
targets for the exploit.
Safe Wallet JavaScript Modified Before Attack
Forensic examination of Chrome browser cache files from the
three signers’ systems confirmed the presence of the compromised JavaScript
resource at the time of the transaction. These files indicated that the Safe Wallet
resource was last modified shortly before the attack.
Further analysis revealed that two minutes after the
fraudulent transaction was executed, new versions of the affected JavaScript
files were uploaded to SafeWallet’s AWS S3 bucket, removing the injected code.
This suggests an attempt to conceal the unauthorized modification.
Snippet from a JavaScript resources cache, showing the file’s header, Source: Bybit
Public web archives captured two snapshots of Safe Wallet’s
JavaScript resources on February 19, 2025. The first snapshot contained the
original, unaltered version, while the second snapshot showed the presence of
the malicious code. This further supports the conclusion that the attack
originated from Safe Wallet’s AWS infrastructure.
No Evidence of Bybit Infrastructure Breach
At this stage, the forensic investigation has not found any
evidence of a compromise within Bybit’s own infrastructure. The unauthorized
access appears to have been facilitated through vulnerabilities in SafeWallet’s
systems. Bybit and Sygnia are continuing their investigation to confirm the
findings and assess any additional risks.
“The preliminary forensic review finds that our system
was not compromised. While this incident underscores the evolving threats in
the crypto space, we are taking proactive steps to reinforce security and
ensure the highest level of protection for our users,” said Ben Zhou,
Co-founder and CEO of Bybit.
Cryptocurrency exchange Bybit experienced a security breach
resulting in the unauthorized transfer of over $1.4 billion in liquid-staked
Ether (ETH) and MegaETH (mETH). The exchange reported unauthorized access to
one of its Ethereum cold wallets on February 21, 2025.
The incident took place during a multisignature transaction
facilitated through Safe Wallet. A threat actor intercepted the process,
altered the transaction, and gained control of the wallet. The attacker then
transferred the funds to a separate wallet under their control.
Following the discovery, Bybit engaged cybersecurity firm
Sygnia to conduct a forensic investigation. The investigation aimed to
determine the source of the compromise, assess the extent of the attack, and
implement measures to prevent future incidents.
Investigation Findings
The forensic analysis identified that malicious JavaScript
code had been injected into a resource served from Safe Wallet’s AWS S3 bucket.
The modification timestamp and historical web records suggest that the code was
added on February 19, 2025, two days before the unauthorized transaction.
The injected code was designed to manipulate transaction
data during the signing process. It activated only when the transaction
originated from specific contract addresses, including Bybit’s contract and
another unidentified address. This suggests that the attacker had predefined
targets for the exploit.
Safe Wallet JavaScript Modified Before Attack
Forensic examination of Chrome browser cache files from the
three signers’ systems confirmed the presence of the compromised JavaScript
resource at the time of the transaction. These files indicated that the Safe Wallet
resource was last modified shortly before the attack.
Further analysis revealed that two minutes after the
fraudulent transaction was executed, new versions of the affected JavaScript
files were uploaded to SafeWallet’s AWS S3 bucket, removing the injected code.
This suggests an attempt to conceal the unauthorized modification.
Snippet from a JavaScript resources cache, showing the file’s header, Source: Bybit
Public web archives captured two snapshots of Safe Wallet’s
JavaScript resources on February 19, 2025. The first snapshot contained the
original, unaltered version, while the second snapshot showed the presence of
the malicious code. This further supports the conclusion that the attack
originated from Safe Wallet’s AWS infrastructure.
No Evidence of Bybit Infrastructure Breach
At this stage, the forensic investigation has not found any
evidence of a compromise within Bybit’s own infrastructure. The unauthorized
access appears to have been facilitated through vulnerabilities in SafeWallet’s
systems. Bybit and Sygnia are continuing their investigation to confirm the
findings and assess any additional risks.
“The preliminary forensic review finds that our system
was not compromised. While this incident underscores the evolving threats in
the crypto space, we are taking proactive steps to reinforce security and
ensure the highest level of protection for our users,” said Ben Zhou,
Co-founder and CEO of Bybit.
Tareq is a financial writer with 15 years of experience covering global markets. His work spans technical analysis, forex broker reviews, and market sentiment, with a focus on topics relevant to retail traders. He joined Finance Magnates in 2023.
At Finance Magnates, he serves as News Editor, covering retail forex and CFD brokers, cryptocurrency exchanges, fintech firms, and regulatory developments shaping the trading industry. He holds an Honours degree in Information Technology from Anfell College, London.
Education:
Honours degree Information Technology, Anfell College, London
WhiteBIT secures brokerage license in Georgia to launch regulated crypto derivatives
FP Markets Winner Spotlight 🏆 | Global Broker of the Year 2025 #Trading #Broker #Innovation #Shorts
FP Markets Winner Spotlight 🏆 | Global Broker of the Year 2025 #Trading #Broker #Innovation #Shorts
FP Markets takes the spotlight as Global Broker of the Year 2025 at the Finance Magnates Awards.
Martin Stoilov, Head of Client Experience, shares that trust, innovation, and people played a key role in the company’s success, supported by a strong foundation of integrity and client-centricity.
Following this milestone, FP Markets continues to focus on growth, technology investment, and its core values of transparency and excellence.
👉 Be part of FM Awards 2026: https://awards.financemagnates.com/#nominate
FP Markets takes the spotlight as Global Broker of the Year 2025 at the Finance Magnates Awards.
Martin Stoilov, Head of Client Experience, shares that trust, innovation, and people played a key role in the company’s success, supported by a strong foundation of integrity and client-centricity.
Following this milestone, FP Markets continues to focus on growth, technology investment, and its core values of transparency and excellence.
👉 Be part of FM Awards 2026: https://awards.financemagnates.com/#nominate
In this video, we review @HolaPrimeMarketsOfficial, a multi-asset forex and CFDs broker offering different account types, trading platforms, and flexible trading conditions.
We cover the broker’s overall offering, including account options, trading environment, platforms like MT4 and MT5, and additional services such as managed accounts and fast withdrawals.
Watch the full video to see if Hola Prime Markets fits your trading needs.
📣 Stay up to date with the latest in finance and trading. Follow Finance Magnates for industry news, insights, and global event coverage.
Connect with us:
🔗 LinkedIn: /financemagnates
👍 Facebook: /financemagnates
📸 Instagram: https://www.instagram.com/financemagnates
🐦 X: https://x.com/financemagnates
🎥 TikTok: https://www.tiktok.com/tag/financemagnates
▶️ YouTube: /@financemagnates_official
#HolaPrime #ForexBroker #CFDTrading #FinanceMagnates #Trading #Forex #BrokerReview
In this video, we review @HolaPrimeMarketsOfficial, a multi-asset forex and CFDs broker offering different account types, trading platforms, and flexible trading conditions.
We cover the broker’s overall offering, including account options, trading environment, platforms like MT4 and MT5, and additional services such as managed accounts and fast withdrawals.
Watch the full video to see if Hola Prime Markets fits your trading needs.
📣 Stay up to date with the latest in finance and trading. Follow Finance Magnates for industry news, insights, and global event coverage.
Connect with us:
🔗 LinkedIn: /financemagnates
👍 Facebook: /financemagnates
📸 Instagram: https://www.instagram.com/financemagnates
🐦 X: https://x.com/financemagnates
🎥 TikTok: https://www.tiktok.com/tag/financemagnates
▶️ YouTube: /@financemagnates_official
#HolaPrime #ForexBroker #CFDTrading #FinanceMagnates #Trading #Forex #BrokerReview
Hola Prime Review: What You Need to Know | Full Breakdown by Finance Magnates
Hola Prime Review: What You Need to Know | Full Breakdown by Finance Magnates
In this video, we review @HolaPrime_Global, a proprietary trading firm offering evaluation programs and performance-based payouts in simulated market environments.
We cover how the challenge model works, including account types, profit splits (up to 95%), trading rules, and what it takes to reach a funded account. You’ll also learn about available platforms like MT4, MT5, cTrader, and more, along with insights into payouts, support, and trading conditions.
Watch the full video to see if Hola Prime fits your trading style.
📣 Stay up to date with the latest in finance and trading. Follow Finance Magnates for industry news, insights, and global event coverage.
Connect with us:
🔗 LinkedIn: /financemagnates
👍 Facebook: /financemagnates
📸 Instagram: https://www.instagram.com/financemagnates
🐦 X: https://x.com/financemagnates
🎥 TikTok: https://www.tiktok.com/tag/financemagnates
▶️ YouTube: /@financemagnates_official
#HolaPrime #PropFirm #Trading #FinanceMagnates #Forex #FuturesTrading #TradingReview #PropFirmReview
In this video, we review @HolaPrime_Global, a proprietary trading firm offering evaluation programs and performance-based payouts in simulated market environments.
We cover how the challenge model works, including account types, profit splits (up to 95%), trading rules, and what it takes to reach a funded account. You’ll also learn about available platforms like MT4, MT5, cTrader, and more, along with insights into payouts, support, and trading conditions.
Watch the full video to see if Hola Prime fits your trading style.
📣 Stay up to date with the latest in finance and trading. Follow Finance Magnates for industry news, insights, and global event coverage.
Connect with us:
🔗 LinkedIn: /financemagnates
👍 Facebook: /financemagnates
📸 Instagram: https://www.instagram.com/financemagnates
🐦 X: https://x.com/financemagnates
🎥 TikTok: https://www.tiktok.com/tag/financemagnates
▶️ YouTube: /@financemagnates_official
#HolaPrime #PropFirm #Trading #FinanceMagnates #Forex #FuturesTrading #TradingReview #PropFirmReview
Axi Winner Spotlight 🏆 | Global Most Innovative Broker 2025 #Innovation #Trading #Fintech #Broker
Axi Winner Spotlight 🏆 | Global Most Innovative Broker 2025 #Innovation #Trading #Fintech #Broker
Axi takes the spotlight at the Finance Magnates Awards, winning Global Most Innovative Broker 2025.
Olivia Xenofontos and Ivanna Openko share how the team will feel: proud, motivated, and ready to keep delivering.
They also describe the night as well-organized, focused, and enjoyable for all.
👉 Be part of FM Awards 2026.
Axi takes the spotlight at the Finance Magnates Awards, winning Global Most Innovative Broker 2025.
Olivia Xenofontos and Ivanna Openko share how the team will feel: proud, motivated, and ready to keep delivering.
They also describe the night as well-organized, focused, and enjoyable for all.
👉 Be part of FM Awards 2026.
Recognition that matters.
Built on transparency.
Driven by the industry.
The Finance Magnates Awards 2026.
Nominations are now open.
🔗 https://awards.financemagnates.com/?utm_source=SM&utm_medium=social&utm_campaign=recognition-matters
Recognition that matters.
Built on transparency.
Driven by the industry.
The Finance Magnates Awards 2026.
Nominations are now open.
🔗 https://awards.financemagnates.com/?utm_source=SM&utm_medium=social&utm_campaign=recognition-matters
