Compromised developer machine is the root cause of the Bybit hack

Safe, the developer of the SafeWallet multisignature product used by Bybit, has released a short post-mortem update explaining the root cause of the recent Bybit hack — a compromised developer machine.

Safe, the developer of the SafeWallet multisignature product used by Bybit, has released a short post-mortem update explaining the root cause of the recent Bybit hack — a compromised developer machine. The announcement prompted a critical response from Binance co-founder Changpeng “CZ” Zhao.

According to Safe, the forensic review of the Bybit hack did not find vulnerabilities in the Safe smart contracts or the code of its front end portal and services responsible for the $1.4 billion cybersecurity incident.

Martin Köppelmann, the co-founder of the Gnosis blockchain network, which developed Safe, noted that the compromised machine was modified to target the Bybit Safe and divert the transactions to a different hardware wallet.

“This update from Safe is not that great. It uses vague language to brush over the issues,” Zhao wrote in a Feb. 26 X post. Zhao also asked for clarification on the compromised developer machines, how the hackers tricked multiple signers into signing the transaction, how a developer machine accessed Bybit's systems, and why the hackers did not target other addresses.

Köppelmann added that he could only speculate about how the hackers pushed the fraudulent transactions past multiple signers and theorized that the threat actors did not target other addresses to prevent discovery and detection.A forensic review conducted by Sygnia and Verichains revealed on Feb. 26 that “the credentials of a Safe developer were compromised [...] which allowed the attacker to gain unauthorized access to the Safe(Wallet) infrastructure and totally deceive signers into approving a malicious transaction.”