The investigation uncovered that malicious JavaScript code was injected into Safe's AWS S3 bucket. This code was specifically designed to activate only when encountering Bybit's contract address.
"The attackers demonstrated significant sophistication in targeting specific assets while remaining undetected," noted FBI investigators assigned to the case. The code manipulated transaction contents during the signing process, redirecting funds during a routine transfer from cold to hot wallets.
The FBI has confirmed that North Korea's Lazarus Group (also known as TraderTraitor or APT38) was responsible for the attack. The stolen assets were rapidly converted to Bitcoin and dispersed across thousands of addresses on multiple blockchains. The attackers leveraged a sophisticated method to bypass multi-factor authentication by hijacking AWS session tokens.
This attribution aligns with North Korea's previous cryptocurrency thefts, which totaled $1.34 billion in 2024 alone.
In response, Safe implemented a full infrastructure reset with improved monitoring alerts and transaction validations. The malware infection originated from a contaminated Docker project that connected to a malicious domain registered through Namecheap on February 2. The incident has sparked industry-wide debate about security practices.
Security experts emphasize that developers should not have production keys on personal machines and recommend implementing subresource integrity verification to prevent similar attacks in the future.