Greetings!

This was the worst week for the ecosystem in years. During my recent State of DeFi Security talk, I highlighted OPSEC as the key risk we need to focus on as an industry to avoid a billion dollar hack. Unfortunately, that prediction has now become reality.

A malicious upgrade of a cold storage contract, signed by a Safe multisig wallet, led to the theft of almost $1.5B worth of ETH and similar assets from Bybit. As we later learned, the attackers were none other than North Korea. Initially, many blamed Bybit for blindly signing a malicious transaction. However, a deeper investigation revealed that the kill chain started on the DeFi side—with a compromised Safe front-end that tricked Bybit’s cold storage operators into signing away their funds.

Below is a detailed timeline, compiled from Safe’s and Bybit’s post-mortems as well as my own notes:

Stage 1: Safe Compromise

2025-02-02 01:50:18 - Safe: Attacker starts preparing their infra by registering a domain used for the phishing attack. getstockprice[.]com on Namecheap.
2025-02-04 08:55:45 - Safe: Safe Wallet’s developer is compromised with a fake trading software (MC-Based-Stock-Invest-Simulator-main).
2025-02-05 08:36:51 - Safe: Attacker is in Safe’s AWS environment.
2025-02-05 14:06:25 - Safe: Unsuccessful attempt to register attacker’s MFA device.
2025-02-05 - 2025-02-17 - Safe: Reconnaissance in AWS environment.
2025-02-17 03:22:44 - Safe: Attacker C2 activity in AWS environment.

Stage 2: Bybit Prep

2025-02-18 15:39:11 - Bybit: Attacker deployed 0x9622 contract with a transfer function which sneakily performs an upgrade.
2025-02-18 18:00:35 - Bybit: Attacker deployed 0xbdd0 contract with has the actual draining functionality.
2025-02-18 18:31:23 - Bybit: Attackers start testing their 0x9622 contract to perform the upgrade. They will repeat this process another 7 times over the next few days.
2025-02-19 15:29:25 - Safe: Malicious JS inserted into Safe’s frontend targeting Bybit.
2025-02-20 12:32:35 - Bybit: Last testing of the exploit contracts before the hack begins.

Stage 3: The Heist

2025-02-21 05:42:40-14:11:40 - Bybit: Three cold storage signers navigated to Safe’s website and signed a benign looking transaction (transfer 30K ETH). However, they instead signed a transaction that executes 0x9622 which in turn upgrades the cold storage vault to 0xbdd0.
2025-02-21 14:13:35 - Bybit: Attackers broadcast a new transaction to Bybit’s safe which perform the upgrade using the previously signed transaction. The cold storage vault is now ready to be drained.
2025-02-21 14:15:11 - Bybit: Test draining of 90 USDT.
2025-02-21 14:15:13 - Safe: Malicious JS removed from Safe’s frontend.
2025-02-21 14:16:11 - Bybit: heist begins which the entire ETH cold storage vault drained including stETH, cmETH, and mETH tokens.

It is especially useful to view the above timeline in the context of at least two teams targeting both Safe and Bybit in parallel. So let’s review some observations:

• Dwell time in Safe’s environment was about two weeks (02/04 - 02/18) before they decided on which target to compromise.

• It took just a few days to set up both on- and offchain infrastructure to target Bybit (02/18 - 02/21). Contracts were generic and did not expose their target.

• Neither of the signers caught the malicious transfer contract, transaction parameters or other parameters in the 11 hour window before the final signature.

• Bybit had less than 3 minutes to react to the upgrade before funds were drained.

• Attackers were paranoid about testing and retesting the exploit for days before the heist. They performed a test draining transaction to make sure it worked and were careful enough to hide the Safe fontend hack immediately after.

• It’s not clear if Bybit was the target all along. It may have been chosen during the reconnaissance window 02/05 - 02/17. They knew that once the news of the hack started going around other projects may be more careful so they picked the largest Safe wallet. Anyone could have been targeted with the same exploit!

The last point is critical. The hack exploited the trust assumption that many projects, exchanges, individuals put on Safe’s front-end that it wouldn’t present them with a malicious transaction to sign. However, many projects implement controls to simulate transactions, verify signing hashes, etc. that could have caught this. Was it a coincidence that signers managing a $1.5B wallet missed this?

What is clear is that even with the record $1.5B loss we got off lightly. According to Safe’s website their wallet is used by “Vitalik Buterin and leading web3 projects to secure over $100 billion”. It’s a bitter pill to swallow, but at least attackers pulled off just one mega heist instead of killing the whole industry. So the best we can do now is take as many pointers as we can from this very expensive lesson:

• The initial attack vector was the familiar phishing attack. One of Safe’s devs installed a stock simulation app with malware in it. The use of MFA on AWS was not helpful since attackers simply hijacked existing session tokens.
  
  Use dedicated machines for administrative functions separate for dev work, social media, job interviews, and most certainly random stock trading apps.
  
  I know you are being safe, do annual phishing training, have an antivirus installed and work in a Faraday’s cage. Just buy a $200 Chromebook.

• The compromised developer had admin privileges into Safe’s AWS environment which allowed bad actors to directly modify front-end S3 bucket and bypass normal code review/deployment workflows. Malicious front-end script was in the environment for two days prior to exploitation.
  

  This is a tricky attack vector to solve which requires multiple security layers. Deployments should be fully automated without the ability to bypass the code review process. Out of band modifications, suspicious access, or authorization errors should wake people up to investigate.

• The attack exploited a trust assumption by Bybit that Safe’s front-end is not compromised which led them to sign a malicious transaction.
  
  Threat modeling is essential. Put on your paranoid hat and spend some time diagraming your internal and external systems both on- and offchain. What trust assumptions do you make? How bad can things go if one of the systems gets compromised? Who are the threat actors that you should be worried about and what are their tactics?
  
  Luckily our community is awesome so you will find many solutions for the malicious multisig proposal scenario in the Tools section below.

• The Bybit multisig executed a malicious transaction against an unknown malicious contract with a very dangerous delegatecall method. Attackers sneaked in a backdoored transfer call to execute an upgrade, but that required the vault to execute a malicious contract.

  Critical governance and multisig contracts must have not only a sufficiently decentralized and large quorum but additional controls such as execution delays aka timelocks with a guardian role that can at any moment cancel the action if deemed malicious.
  
  Such critical contracts must also be restricted to the types of transactions, contracts they can interact with, and calls they can make with them.

There is a lot more, of course, but if you focus on these four, you will be in much stronger shape against this threat actor, who thrives on mixed on- and off-chain exploits involving social engineering, private keys and signatures.

On a more positive note, we witnessed what many called a masterclass in crisis communication from Bybit and Safe. The community learned about all developments in real time, with no attempts to hide or whitewash the impact. SEAL Team, ZachXBT, and many other security researchers immediately began tracking attacker funds and freezing millions, thanks to their efforts. On a higher level, Bybit quickly worked with its partners to secure loans and prevent an FTX-style bank run.

I will never stop being in awe of not only our mission but also the raw talent and dedication of so many people in this industry. It’s an honor to witness it all.

Let’s dive into the news!

To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.

Let’s dive into the news!

News

• Ethereum client Geth urges validators to update to ‘prevent potential financial loss’.

• Millions worth of stolen funds from Phemex hack are on the move, some to Tornado Cash crypto mixer.

• Anonymous Individual Burns Millions Of Dollars To Spread “Brain Computer” Weapon Message.

• Emergency Powers by Rekt. Explores how Maker forced an out of ban governance proposal to significantly increase risk parameters.

• Apple pulls data protection tool after UK government security row. You may want to shift storage of your seeds, passkeys and other data off iCloud.

• Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger. Please pay attention to tactics since many of us rely on Signal for coordinating crypto transactions.

• Citigroup erroneously credited client account with $81tn in ‘near miss’.

Crime

• SafeMoon CTO changes plea to guilty in $200M crypto fraud case.

Policy

• Iranians Flock to Crypto Amidst Geopolitical Tension; International Sanctions Actions Disrupt Russia’s War Machine.

• SEC Drops OpenSea Investigation Easing Pressure on NFT Market.

• SEC agrees to drop enforcement case against Coinbase.

• SEC launches new unit focused on protecting investors against fraud in crypto and AI.

Phishing

• Don't Take the Side Gig - A Look at Task Scams by zeroShadow.

• Revealing the Impersonation Scam of a Fake SlowMist Employee by SlowMist.

• Reports of a sophisticated phishing attack on X impersonating ‘X Compliance Team’ by Dan Guido (Trail of Bits).

Scams

• Putting Lipstick on a Pig - A deep dive into pig butchering scams in crypto by Michael Pearl (Cyvers).

• Bubblemaps links single entity to Libra and Melania memecoins.

• A deep dive into Eggs ponzi by Daniel Von Fange.

• Libra - Rugged by Rekt.

• A Look at the “Politicized” Cryptocurrency Scams Through LIBRA by SlowMist.

• Crypto trader kills himself on X live to create a meme coin.

• Crypto ATMs: Plagued by Scams and Money Laundering by Nefture Security.

• Soulz NFT: How to make off with $4.2 Million! by RugPullFinder.

Malware

• StaryDobry ruins New Year’s Eve, delivering miner instead of presents by Kaspersky.

• Microsoft spots XCSSET macOS malware variant used for crypto theft.

Media

• LARGEST Crypto Exchange Hack of All Time!! ($1.4B Bybit) by Patrick Collins.

• Reverse Engineering for Security with Enterprenerd, Jonathan Becker (Heimdall), shazow (Whatsabi), cdump (EVMole).

• HackenProof Podcast - 0xriptide: How to Find Million-Dollar Bugs in Web3.

• Uniswap v4: Building advanced invariants - where manual testing falls short by Benjamin Samuels (Trail of Bits).

Research

• Cryptocurrency APT Intelligence: Unveiling Lazarus Group’s Intrusion Techniques by 23pds & Thinking (SlowMist).

• Million Dollar Bugs And Where to Find Them by Kankodu.

• Bitcoin Lightning bug allows remote theft of bitcoin via LND nodes.

• How Fuzzing Could Have Prevented the zkLend Hack​ by Fuzzing Labs.

• Introducing bugs.zksecurity.xyz a knowledge base for ZK bugs by zkSecurity.

• NEAR Smart Contract Auditing: Storage by Toon Van Hove (Sigma Prime).

• Uncovering and Fixing an Inflation Bug in Aleo by Suneal Gong (zkSecurity).

• The Notorious Bug Digest #1 by Frank Lei (OpenZeppelin).

• Modern Stablecoins, How They're Made: Liquity V2 by Sergey Boogerwooger, Konstantin Nekrasov (MixBytes).

• The $1.5B Bybit Hack: The Era of Operational Security Failures Has Arrived by Dan Guido, Benjamin Samuels, Anish Naik (Trail of Bits).

• Backdooring Gnosis Safe Multisig wallets by Jack Curatolo (Open Zeppelin). Oldie but goodie.

• Solana Multisig Security by Robert Chen (OtterSec).

• Improper/missing deadline check vulnerability Explained by Charles Wang.

• A Gentle Introduction to the MPC-in-the-Head Transformation by Giorgio Dell'Immagine (zkSecurity).

• Understanding the Limitations of Deviation Thresholds in Push Oracles by jonjon.

• How Concentrated Liquidity in Uniswap V3 Works by Charles Wang.

• DeFiScope: Detecting Various DeFi Price Manipulations with LLM Reasoning.

• Proof-of-randomness protocol for blockchain consensus: a case of Macau algorithms.

• HighGuard: Cross-Chain Business Logic Monitoring of Smart Contracts.

• Crypto Miner Attack: GPU Remote Code Execution Attacks.

• Ethereum Fraud Detection via Joint Transaction Language Model and Graph Representation Learning.

• Formal verification in Solidity and Move: insights from a comparative analysis.

• Phantom Events: Demystifying the Issues of Log Forgery in Blockchain.

• SmartLLM: Smart Contract Auditing using Custom Generative AI.

• Assessing Vulnerability in Smart Contracts: The Role of Code Complexity Metrics in Security Analysis.

Tools

• Safe Multisig Transaction Hashes by Cyfrin. A fork from the similar tool by pcversaccio but with support for raw calldata and not relying on the Safe API.

• EVMole adds control flow graph reconstruction.

• Simbolik now supports time travel debugging!

• HyperIndex is a modern, multi-chain data indexing framework for efficiently querying real-time and historical data from any EVM blockchain and Fuel.

• Smart Contract Vulnerabilities, Tools, and Benchmarks: an Updated Systematic Literature Review.

• Silverback Stablecoin - A multi-chain stablecoin system, with redemptions and "compliance" functions operated by Silverback. A great tool to understand how Circle’s CCTP operates.

Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerability, indicators, special reports, and searchable newsletter archives.

Premium Content