Bybit, one of the largest crypto exchanges on the planet, had a major security breach on February 21, 2025, losing close to $1.5 billion in ETH (Ether). The situation, as discussed in my previous Bybit Hacker article, shook the crypto world. Since then, Bybit released an audit report on February 26, 2025, that cleared their name, pointing the finger at SAFE, a third-party wallet service they used. This article dives into what the audit found and how SAFE was involved.
A Quick Recap of the Hack
On February 21, 2025, hackers stole about 401,000 ETH from Bybit’s cold wallet, a super-secure offline storage system. The culprits were linked to the Lazarus Group, a North Korean hacking outfit known for big crypto thefts. Unlike what many first thought, the breach didn’t happen because of a flaw in Bybit’s own setup. Instead, it came through SAFE, the platform Bybit relied on to manage its wallet. For more details on the hack itself, check out my earlier piece linked above.
Bybit didn’t waste time after the theft. They brought in experts like Sygnia Labs and Verichains to figure out what went wrong. The audit report, released on February 26, 2025, had a clear message: Bybit’s systems were not hacked. The report, backed by solid evidence, showed that their own security was intact. Instead, the problem started with SAFE’s servers. This is a big deal because it means Bybit wasn’t the weak link—SAFE was.
The report explained that SAFE’s setup let the hackers in, not Bybit’s. It’s like if you lock your house tight but give a friend a key, and then someone steals that key from your friend. Bybit’s “house” was secure; the trouble came from the “friend”—SAFE.
How SAFE Let the Hack Happen
SAFE is a multisig wallet platform, which means it needs multiple people to sign off before money can move. Bybit used it to keep their cold wallet extra safe. SAFE’s system is run by a group called SafeDAO and is known for being tough to crack, thanks to regular checks and a program that pays people to find bugs. But even with all that, it wasn’t enough this time.
The hackers didn’t break SAFE’s main code or the wallet itself. Instead, they got into a SAFE developer’s computer. From there, they slipped bad code, specifically malicious JavaScript, into SAFE’s Amazon Web Services setup. This bad code tricked Bybit’s staff into approving a fake transaction, sending the ETH straight to the hackers’ pockets. It’s a sneaky move that shows how hackers can target the human side of security, not just the tech.
SAFE didn’t sit still after the breach came to light. They took action fast, rebuilding their entire system from scratch to close any gaps. They also changed all their access codes—what tech folks call “rotating credentials”—to make sure no one could use old keys to get in again. On top of that, they double-checked their main program and contracts to confirm there were no hidden weaknesses. SAFE’s quick moves show they took the hack seriously, especially since they handle wallets for over 200 other crypto projects.
Why This Matters
This whole situation shines a light on a big issue in crypto: third-party services. Bybit’s own security was solid, but they still got hit because they trusted SAFE. It’s a bit like hiring a security guard who turns out to have a shaky past—you might not see the risk until it’s too late. The audit report proves Bybit wasn’t sloppy, but it also shows how much trust exchanges place in outside companies.
The hack being tied to the Lazarus Group adds another layer. This group has a track record of stealing billions in crypto, often to fund North Korea’s projects. That makes this not just a Bybit problem, but a sign of how serious cyber threats are in the crypto space.
Bybit hasn’t just pointed at SAFE and called it a day. They’re working hard to track down the stolen funds. They’ve teamed up with police and companies like Chainalysis, which are experts at following crypto trails on the blockchain. They’re also offering a reward—up to 10% of whatever’s recovered—to anyone who helps get the money back. This shows they’re not giving up, even though the breach wasn’t their fault.
Digging Deeper: The Tech Side
For those who like the nitty-gritty, here’s how the hack played out technically. The bad JavaScript got into SAFE’s system on February 19, 2025, two days before the theft. It messed with the app.safe.global website, which Bybit’s team used to manage the wallet. When they logged in to approve a transaction, the screen showed one thing, but the code behind it did something else—sent the ETH to the hackers. It’s a classic trick called a supply chain attack, where you hit a weaker link (SAFE) to get to the big prize (Bybit’s wallet).
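An added illustration of the mismatch described above, not code from Bybit, SAFE or the audit report: a check, run outside the web interface, that compares the transaction the team meant to approve with the payload actually presented for signing. The field names follow Safe's transaction structure; the function names, addresses and values are constructed for the example.

```javascript
// Added example. Fields follow Safe's transaction structure; all sample values are constructed.
const FIELDS = ["to", "value", "data", "operation", "safeTxGas", "baseGas",
                "gasPrice", "gasToken", "refundReceiver", "nonce"];
const HEX_FIELDS = new Set(["to", "data", "gasToken", "refundReceiver"]);

// Normalise so formatting differences (hex case, number vs string) are not
// reported as mismatches, while any real difference in content still is.
function normalise(field, raw) {
  if (raw === undefined || raw === null) throw new Error(`missing field: ${field}`);
  if (HEX_FIELDS.has(field)) {
    const hex = String(raw).toLowerCase();
    if (!/^0x([0-9a-f]{2})*$/.test(hex)) throw new Error(`bad hex in ${field}`);
    return hex;
  }
  return BigInt(raw).toString(); // numeric fields, compared as exact integers
}

// Field-by-field comparison of the recorded intent against the payload to be signed.
function diffSafeTx(intended, presented) {
  const mismatches = [];
  for (const f of FIELDS) {
    const want = normalise(f, intended[f]);
    const got = normalise(f, presented[f]);
    if (want !== got) mismatches.push({ field: f, intended: want, presented: got });
  }
  // Keys outside the known field list are reported, not silently ignored.
  for (const k of Object.keys(presented)) {
    if (!FIELDS.includes(k)) mismatches.push({ field: k, intended: null, presented: String(presented[k]) });
  }
  return mismatches;
}

// Hypothetical gate: signing proceeds only when nothing differs.
function approveForSigning(intended, presented) {
  const mismatches = diffSafeTx(intended, presented);
  return { ok: mismatches.length === 0, mismatches };
}

// Constructed sample data: the recorded intent, a harmless reformatting of it,
// and a payload whose destination and operation type were changed.
const ZERO = "0x" + "00".repeat(20);
const intended = { to: "0x" + "aA".repeat(20), value: "1000000000000000000", data: "0x",
                   operation: 0, safeTxGas: 0, baseGas: 0, gasPrice: 0,
                   gasToken: ZERO, refundReceiver: ZERO, nonce: 71 };
const reformatted = { ...intended, to: intended.to.toLowerCase(), value: 1000000000000000000n };
const tampered = { ...intended, to: "0x" + "bb".repeat(20), operation: 1 };

console.log(approveForSigning(intended, reformatted).ok);
console.log(approveForSigning(intended, tampered).mismatches.map((m) => m.field));
```

The comparison only helps if the presented payload is read from the signing device or a second, independent tool, not from the same web page that may have been altered.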
The audit teams found no signs of this bad code in Bybit’s own systems. They checked everything—Bybit’s servers, their security setup, even their regular safety reports from Hacken—and it all came up clean. That’s why the report is so confident that SAFE’s servers were the problem.
The Bybit hack isn’t just about one exchange losing money—it’s a wake-up call about how connected the crypto world is. SAFE manages over $100 billion in assets across many projects, so a slip-up there ripples out wide. The audit report gives Bybit a clean bill of health, but it also puts pressure on everyone to double-check who they work with. In crypto, your security is only as strong as your weakest partner.
Wrapping Up
Bybit’s audit report from February 26, 2025, clears up a lot of confusion about the $1.5 billion ETH theft. It wasn’t their fault—SAFE’s servers let the hackers in. SAFE’s quick fixes and Bybit’s recovery efforts show they’re serious about fixing things. This incident is a big lesson in trust, tech, and teamwork for the whole crypto industry.