BlockThreat - Week 8, 2025

Bybit | Infini | Cardex | BADAI | StepHeroNFTs | Hegic | DeFiAuctions | Bolt


Greetings!

This was the worst week for the ecosystem in years. During my recent State of DeFi Security talk, I highlighted OPSEC as the key risk we need to focus on as an industry to avoid a billion dollar hack. Unfortunately, that prediction has now become reality.

A malicious upgrade of a cold storage contract, signed by a Safe multisig wallet, led to the theft of almost $1.5B worth of ETH and similar assets from Bybit. As we later learned, the attackers were none other than North Korea. Initially, many blamed Bybit for blindly signing a malicious transaction. However, a deeper investigation revealed that the kill chain started on the DeFi side—with a compromised Safe front-end that tricked Bybit’s cold storage operators into signing away their funds.

Below is a detailed timeline, compiled from Safe’s and Bybit’s post-mortems as well as my own notes:

Stage 1: Safe Compromise

2025-02-02 01:50:18 - Safe: Attacker starts preparing their infrastructure by registering the domain used for the phishing attack, getstockprice[.]com, on Namecheap.
2025-02-04 08:55:45 - Safe: Safe Wallet’s developer is compromised with a fake trading software (MC-Based-Stock-Invest-Simulator-main).
2025-02-05 08:36:51 - Safe: Attacker is in Safe’s AWS environment.
2025-02-05 14:06:25 - Safe: Unsuccessful attempt to register attacker’s MFA device.
2025-02-05 - 2025-02-17 - Safe: Reconnaissance in AWS environment.
2025-02-17 03:22:44 - Safe: Attacker C2 activity in AWS environment.

Stage 2: Bybit Prep

2025-02-18 15:39:11 - Bybit: Attacker deployed the 0x9622 contract with a transfer function which sneakily performs an upgrade.
2025-02-18 18:00:35 - Bybit: Attacker deployed the 0xbdd0 contract which has the actual draining functionality.
2025-02-18 18:31:23 - Bybit: Attackers start testing their 0x9622 contract to perform the upgrade. They will repeat this process another 7 times over the next few days.
2025-02-19 15:29:25 - Safe: Malicious JS inserted into Safe’s frontend targeting Bybit.
2025-02-20 12:32:35 - Bybit: Last testing of the exploit contracts before the hack begins.

Stage 3: The Heist

2025-02-21 05:42:40-14:11:40 - Bybit: Three cold storage signers navigated to Safe’s website and signed a benign-looking transaction (transfer 30K ETH). However, they instead signed a transaction that executes 0x9622, which in turn upgrades the cold storage vault to 0xbdd0.
2025-02-21 14:13:35 - Bybit: Attackers broadcast a new transaction to Bybit’s Safe which performs the upgrade using the previously signed transaction. The cold storage vault is now ready to be drained.
2025-02-21 14:15:11 - Bybit: Test draining of 90 USDT.
2025-02-21 14:15:13 - Safe: Malicious JS removed from Safe’s frontend.
2025-02-21 14:16:11 - Bybit: The heist begins, with the entire ETH cold storage vault drained, including stETH, cmETH, and mETH tokens.

It is especially useful to view the above timeline in the context of at least two teams targeting both Safe and Bybit in parallel. So let’s review some observations:

  • Dwell time in Safe’s environment was about two weeks (02/04 - 02/18) before they decided on which target to compromise.
  • It took just a few days to set up both on- and offchain infrastructure to target Bybit (02/18 - 02/21). Contracts were generic and did not expose their target.
  • None of the three signers caught the malicious transfer contract, the transaction parameters or other anomalies in the 11-hour window before the final signature.
  • Bybit had less than 3 minutes to react to the upgrade before funds were drained.
  • Attackers were paranoid about testing and retesting the exploit for days before the heist. They performed a test draining transaction to make sure it worked and were careful enough to hide the Safe front-end hack immediately after.
  • It’s not clear if Bybit was the target all along. It may have been chosen during the reconnaissance window 02/05 - 02/17. They knew that once news of the hack started going around, other projects would be more careful, so they picked the largest Safe wallet. Anyone could have been targeted with the same exploit!

The last point is critical. The hack exploited the trust assumption that many projects, exchanges and individuals place in Safe’s front-end: that it wouldn’t present them with a malicious transaction to sign. However, many projects implement controls to simulate transactions, verify signing hashes, etc. that could have caught this. Was it a coincidence that signers managing a $1.5B wallet missed this?

What is clear is that even with the record $1.5B loss we got off lightly. According to Safe’s website their wallet is used by “Vitalik Buterin and leading web3 projects to secure over $100 billion”. It’s a bitter pill to swallow, but at least attackers pulled off just one mega heist instead of killing the whole industry. So the best we can do now is take as many pointers as we can from this very expensive lesson:

  • The initial attack vector was the familiar phishing attack. One of Safe’s devs installed a stock simulation app with malware in it. The use of MFA on AWS was not helpful since attackers simply hijacked existing session tokens.

    Use dedicated machines for administrative functions, separate from dev work, social media, job interviews, and most certainly random stock trading apps.

    I know you are being safe, do annual phishing training, have an antivirus installed and work in a Faraday’s cage. Just buy a $200 Chromebook.
  • The compromised developer had admin privileges in Safe’s AWS environment, which allowed bad actors to directly modify the front-end S3 bucket and bypass the normal code review/deployment workflow. The malicious front-end script was in the environment for two days prior to exploitation.
    This is a tricky attack vector to solve and requires multiple security layers. Deployments should be fully automated without the ability to bypass the code review process. Out-of-band modifications, suspicious access, or authorization errors should wake people up to investigate.
  • The attack exploited a trust assumption by Bybit that Safe’s front-end is not compromised which led them to sign a malicious transaction.

    Threat modeling is essential. Put on your paranoid hat and spend some time diagramming your internal and external systems, both on- and off-chain. What trust assumptions do you make? How bad can things go if one of the systems gets compromised? Who are the threat actors that you should be worried about, and what are their tactics?

    Luckily our community is awesome so you will find many solutions for the malicious multisig proposal scenario in the Tools section below.
  • The Bybit multisig executed a malicious transaction against an unknown malicious contract with a very dangerous delegatecall method. Attackers sneaked in a backdoored transfer call to execute an upgrade, but that required the vault to execute a malicious contract. Critical governance and multisig contracts must have not only a sufficiently decentralized and large quorum but additional controls such as execution delays (aka timelocks) with a guardian role that can at any moment cancel the action if deemed malicious.

    Such critical contracts must also be restricted to the types of transactions, contracts they can interact with, and calls they can make with them.

There is a lot more, of course, but if you focus on these four, you will be in much stronger shape against this threat actor, who thrives on mixed on- and off-chain exploits involving social engineering, private keys and signatures.

On a more positive note, we witnessed what many called a masterclass in crisis communication from Bybit and Safe. The community learned about all developments in real time, with no attempts to hide or whitewash the impact. SEAL Team, ZachXBT, and many other security researchers immediately began tracking attacker funds and freezing millions, thanks to their efforts. On a higher level, Bybit quickly worked with its partners to secure loans and prevent an FTX-style bank run.

I will never stop being in awe of not only our mission but also the raw talent and dedication of so many people in this industry. It’s an honor to witness it all.

Let’s dive into the news!


News

Crime

Policy

Phishing

Scams

Malware

Media

Research

Tools

Hacks

DeFiAuctions

Date: February 18, 2025
Attack Vector: Insufficient Function Access Control
Impact: $26,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1892415435901194598

Exploit:

https://bscscan.com/tx/0xfd5b243c3169386af9998af17af36b41051a71b3397d8c40a559f1ad04b562bf

Bolt

Date: February 18, 2025
Attack Vector: Price Oracle Manipulation
Impact: $14,700
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1891862861791560108

https://x.com/0xNickLFranklin/status/1892099829410467984

https://nickfranklin.site/2025/02/19/bolt-token-hacked/

https://x.com/SlowMist_Team/status/1892037794727367011

Exploit:

https://bscscan.com/tx/0x8d1ed893295fb881d3f38e41c5f0857fc409069faac59f22a7e4251b002a9ed0

Cardex

Date: February 18, 2025
Attack Vector: Stolen Private Keys
Impact: $400,000
Chain: Abstract

References:

https://x.com/quillaudits_ai/status/1891842619430535426

https://x.com/AbstractChain/status/1891928658341753039

https://x.com/0xCygaar/status/1891948692204368122

Exploit:

BADAI

Date: February 20, 2025
Attack Vector: Insufficient Function Access Control
Impact: $200,000
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1892582578722406634

https://x.com/GraFunLabs/status/1892735831414030751

https://x.com/snfernandez/status/1892783198834184687

Exploit:

https://bscscan.com/tx/0x2e0f235300597d7fb407b94b5f2c6d654ecbbc51103b9d8623aa947e1c211efd

StepHeroNFTs

Date: February 21, 2025
Attack Vector: Reentrancy
Impact: $90,000
Chain: BSC

References:

https://x.com/Phalcon_xyz/status/1892814198910177573

https://x.com/SlowMist_Team/status/1892822286715277344

https://x.com/TikkalaResearch/status/1893050282658902389

https://x.com/0xNickLFranklin/status/1892823736715248088

https://nickfranklin.site/2025/02/21/stepheronfts-attacked/

Exploit:

https://bscscan.com/tx/0xef386a69ca6a147c374258a1bf40221b0b6bd9bc449a7016dbe5240644581877

Bybit, Gnosis Safe Wallet, Mantle, mETH Protocol

Date: February 21, 2025
Attack Vector:
Impact: $1,430,000,000 (Recovered $43,000,000)
Chain: Ethereum

For up to date indicators see LazarusBounty.

References:

https://x.com/Bybit_Official/status/1892965292931702929

https://x.com/SlowMist_Team/status/1892976621491232919

https://x.com/dhkleung/status/1893073663391604753

Incident Response:

https://x.com/casatay/status/1893042590246904088

Safe:

https://x.com/safe/status/1894768522720350673

https://docsend.com/view/rmdi832mpt8u93s7/d/xc2rkprqm799pymq

https://docsend.com/view/rmdi832mpt8u93s7/d/rwecw3rumhqtgs6a

https://slowmist.medium.com/bybits-1-5-billion-theft-unveiled-safe-wallet-front-end-code-tampered-84b78f0fa9c2

https://x.com/safe/status/1897663514975649938

Attribution:

https://x.com/arkham/status/1893033424224411885

https://x.com/zachxbt/status/1893211577836302365

https://www.ic3.gov/PSA/2025/PSA250226

https://x.com/tayvano_/status/1895581919741689930

Analysis:

https://x.com/pcaversaccio/status/1892976342649466916

https://x.com/R4ZN1V/status/1893432127913603073

https://x.com/dhkleung/status/1893073663391604753

https://www.securityalliance.org/news/2025-02-dprk-advisory

https://announcements.bybit.com/article/incident-update---eth-cold-wallet-incident-blt292c0454d26e9140/

https://rekt.news/bybit-rekt/

https://privy.io/blog/bybit-lookback

https://x.com/im23pds/status/1896174544559477209

https://blog.cube3.ai/2025/02/21/bybit-breach-a-deep-dive-into-the-1-46-billion-exploit/

Tracking and Recovery:

https://www.bybit.com/en/press/post/bybit-launches-recovery-bounty-program-with-rewards-up-to-10-of-stolen-funds-bltcd3ebbb9445d5b74

https://announcements.bybit.com/en/article/bybit-s-security-update-asset-recovery-and-enhanced-security-measure-blt47be62971e11fb74/

https://x.com/lookonchain/status/1893852261027140041

https://www.methprotocol.xyz/blog/announcements/meth-protocol-update-regarding-bybit-security-incident

https://x.com/Chainflip/status/1893222347252875386

https://x.com/paoloardoino/status/1893288600625721804

https://www.theblock.co/post/342871/non-kyc-exchange-exch-denies-money-laundering-allegations-as-eth-reserves-spike-following-bybit-hack

https://x.com/Beosin_com/status/1893836284063367365

https://x.com/arkham/status/1894434852037878046

https://x.com/coinbureau/status/1893694731856531931

https://x.com/MistTrack_io/status/1893516845506011180

https://x.com/somaxbt/status/1894613344826294462

https://x.com/bax1337/status/1895842152682528982

https://x.com/Bitrace_team/status/1896136107794067834

https://x.com/benbybit/status/1896798476945744010

Exploit:

https://etherscan.io/tx/0x46deef0f52e3a983b67abf4714448a41dd7ffd6d32d32da69d62081c68ad7882

https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/2025-02/Bybit_exp.sol

Unkn_de91e6

Date: February 22, 2025
Attack Vector: Reentrancy
Impact: $6,700
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1894087723096359359

https://x.com/TenArmorAlert/status/1893333680417890648

Exploit:

https://bscscan.com/tx/0xd7a61b07ca4dc5966d00b3cc99b03c6ab2cee688fa13b30bea08f5142023777d

Hegic

Date: February 23, 2025
Attack Vector: Logic Error
Impact: $80,000
Chain: Ethereum

References:

https://x.com/TenArmorAlert/status/1894329796659699813

https://x.com/HegicOptions/status/1896933787923345470

https://x.com/0xNickLFranklin/status/1895770229265121493

https://nickfranklin.site/2025/03/01/hegic-options-hacked/

Exploit:

https://etherscan.io/tx/0x444854ee7e7570f146b64aa8a557ede82f326232e793873f0bbd04275fa7e54c

Infini

Date: February 23, 2025
Attack Vector: Insider Threat
Impact: $49,000,000
Chain: Ethereum

References:

https://x.com/yieldsandmore/status/1893871757666275587

https://x.com/TenArmorAlert/status/1893898535172456898

https://x.com/PeckShieldAlert/status/1893874770803851454

https://x.com/exvulsec/status/1893897413229940944

https://rekt.news/infini-rekt/

https://www.certik.com/resources/blog/0xinfini-incident-analysis

Exploit:

https://etherscan.io/tx/0xecb31ff694c0e6c5e5b225c261854c0749ecf5d53c698fcda61f2d8e3db8f9fc

https://etherscan.io/tx/0xacf84c5944f662a4fcf783806993d713a150994932008e72e4e47a58d6665f7f