Bybit Interim Investigation Report

The Bybit Interim Investigation Report details an unauthorized transaction involving an ETH cold wallet, where a threat actor manipulated a transaction through Safe{Wallet}. Forensic findings indicate that malicious JavaScript was injected into Safe{Wallet}'s AWS S3 bucket, allowing the attacker to alter transaction content. The investigation, conducted by Sygnia, has not found any compromise within Bybit's infrastructure, and efforts are ongoing to confirm the findings.


FEBRUARY 2025

BYBIT
Interim Investigation Report
Bybit Interim Investigation Report | February 25, 2025

CONTENTS
1 Background ........ 3
1.1 Key Findings ........ 3
2 Technical Findings ........ 4
2.1 Chrome Browser Cache ........ 4
2.2 Malicious JavaScript Injection ........ 4
2.3 Safe{Wallet} AWS S3 Bucket Current State ........ 5
2.4 Safe{Wallet} Internet Archives ........ 7
3 Conclusion ........ 8


1 BACKGROUND
On Friday, February 21, 2025, Bybit detected unauthorized activity involving one of their ETH
cold wallets. The incident occurred when an ETH multisig transaction was facilitated through
Safe{Wallet} from a cold wallet to a warm wallet, during which a threat actor intervened and
manipulated the transaction. The threat actor managed to gain control of the affected cold
wallet and transferred its holdings to a wallet under their control.

Sygnia was engaged by Bybit to conduct a forensic investigation and determine the attack’s root
cause, with the objective of identifying the source and scope of the compromise and mitigating both
immediate and future risks.

1.1 KEY FINDINGS

Thus far, the forensic investigation has highlighted the following findings:

• Forensic investigation of all hosts used to initiate and sign the transaction revealed
malicious JavaScript code injected into a resource served from Safe{Wallet}’s AWS S3
bucket.

• The resource modification time and publicly available web history archives suggest the
malicious code was injected directly into Safe{Wallet}’s AWS S3 bucket.

• Initial analysis of the injected JavaScript code suggests its primary objective is to
manipulate transactions, effectively changing the content of the transaction during the
signing process.

• Additionally, the analysis of the injected JavaScript code identified an activation
condition designed to execute only when the transaction source matches one of two
contract addresses: Bybit’s contract address and a currently unidentified contract
address, likely associated with a test contract controlled by the threat actor.

• Two minutes after the malicious transaction was executed and published, new versions
of the JavaScript resources were uploaded to Safe{Wallet}’s AWS S3 bucket. These
updated versions had the malicious code removed.

• The highlighted initial findings suggest the attack originated from Safe{Wallet}’s AWS
infrastructure.

• Thus far, the forensic investigation has not identified any compromise of Bybit’s
infrastructure.


2 TECHNICAL FINDINGS
The following findings were identified during the forensic investigation of the hosts used to
initiate and sign the transaction.

2.1 CHROME BROWSER CACHE

Forensic analysis of Chrome browser cache files identified cache files containing JavaScript
resources which were created at the time of the transaction signing on all three signers’ hosts.

Figure 1: Snippet showing the JavaScript resources identified in the Chrome cache files

The content of the cache files highlighted that the resources served from Safe{Wallet}’s AWS
S3 bucket on February 21, 2025, were last modified on February 19, 2025, two days prior to the
malicious transaction.

Figure 2: Snippet from a JavaScript resources cache, showing the file’s header

2.2 MALICIOUS JAVASCRIPT INJECTION

The content of the JavaScript code found in the Chrome browsing artifacts revealed malicious
modifications introduced by the threat actor. Initial analysis of the injected code highlighted that
the code is designed to modify the transaction content.


Further analysis of the injected code identified an activation condition designed to execute only
when the transaction source matched one of two contract addresses: Bybit’s contract address
and an unidentified contract address, likely associated with the threat actor.

Figure 3: Snippet from BeyondCompare showing a comparison between the JavaScript file extracted from Chrome
browsing artifacts and the current version of the file.

Figure 4: Snippet from the beautified malicious code injected into the JavaScript resource.

2.3 SAFE{WALLET} AWS S3 BUCKET CURRENT STATE

The resources currently served by Safe{Wallet} via their AWS S3 bucket do not contain the
malicious code identified in the Chrome cache files.
The investigation determined that the JavaScript resources were modified in the AWS S3 bucket on
February 21, 2025, at 14:15:13 and 14:15:32 UTC, approximately two minutes after the malicious
transaction was executed.


Figure 5: Snippet from URLScan showing the response headers for the first modified JavaScript.

Figure 6: Snippet from URLScan showing the response headers for the second modified JavaScript.


2.4 SAFE{WALLET} INTERNET ARCHIVES

Further analysis of the Safe{Wallet} resources using public web archives found two snapshots of
Safe{Wallet}’s JavaScript resources taken on February 19, 2025. A review of these snapshots
revealed that the first snapshot contained the original, legitimate Safe{Wallet} code, while the
second snapshot contained the resource with the malicious JavaScript code. This further suggests
that the malicious code which created the malicious transaction originated directly from
Safe{Wallet}’s AWS infrastructure.

Figure 7: Snippet from web.archive.org showing archive entries for the JavaScript resource.

Figure 8: Snippet from web.archive.org showing malicious code embedded in the JavaScript resource.
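The evidence chain in sections 2.1 to 2.4 rests on three checks: a served JavaScript bundle's hash against a known-good copy, its Last-Modified header against the baseline, and a line diff isolating what was added. The following is an added example of that defensive integrity check, written for this page and not taken from the report or from Safe{Wallet}'s code; the URL, the two bundle bodies and the header dates are constructed stand-ins.

```python
"""Pinned-hash integrity check for web-served JavaScript bundles (added example)."""
import difflib
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resource:
    url: str
    body: str
    last_modified: str  # value of the HTTP Last-Modified header seen with this copy


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def check_resource(res: Resource, pinned_sha256: str,
                   baseline: Optional[Resource] = None) -> dict:
    """Compare a cached/served copy against a pinned hash and a known-good baseline.

    Returns hash_ok (pin matches), last_modified_changed (header drifted from the
    baseline) and diff (only the added/removed lines, for forensic review).
    """
    digest = sha256_hex(res.body)
    report = {"url": res.url, "sha256": digest,
              "hash_ok": digest == pinned_sha256, "diff": []}
    if baseline is not None:
        report["last_modified_changed"] = baseline.last_modified != res.last_modified
        if not report["hash_ok"]:
            report["diff"] = [
                line for line in difflib.unified_diff(
                    baseline.body.splitlines(), res.body.splitlines(),
                    fromfile="baseline", tofile=res.url, lineterm="")
                if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
            ]
    return report


# Constructed samples: a known-good copy (first archive snapshot) and a later copy
# carrying an extra function (cached/second snapshot). Not the real bundles.
BASELINE = Resource("https://example.invalid/static/app.js",
                    "function buildTx(tx){return tx;}\nexport{buildTx};\n",
                    "Tue, 18 Feb 2025 10:00:00 GMT")
OBSERVED = Resource("https://example.invalid/static/app.js",
                    "function buildTx(tx){return tx;}\nfunction addedLater(){}\nexport{buildTx};\n",
                    "Wed, 19 Feb 2025 15:00:00 GMT")
PINNED = sha256_hex(BASELINE.body)  # pin is taken from the known-good copy


def audit() -> dict:
    """Run the check on the observed copy; a real deployment would run it on every fetch."""
    return check_resource(OBSERVED, PINNED, BASELINE)
```

A pin that fails together with a drifted Last-Modified header is exactly the signal the report reconstructs after the fact from cache files, URLScan and web.archive.org; checking it at load time turns it into an alert before signing.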


3 CONCLUSION
The forensic investigation of the three signers’ hosts suggests the root cause of the attack is
malicious code originating from Safe{Wallet}’s infrastructure.
No indication of compromise was identified within Bybit’s infrastructure.
The investigation is still ongoing to further confirm the findings.

Sygnia is a leading cyber security consulting and incident response company, known for its background in elite cyber intelligence
units. Sygnia partners with clients to quickly contain and remediate attacks and proactively enhance their cyber resilience. Sygnia
consultants approach each security challenge with the health of your business in mind. Their proven track record, commitment,
and discretion have earned the trust of security teams, senior executives, and management boards at leading organizations
worldwide, including Fortune 100 companies.

Offices in: Tel Aviv | New York | London | Singapore | Mexico City
