CZ reacts to Bybit’s detailed forensics report on the recent $1.4B hack

Source Cryptopolitan

Safe{Wallet} has released a statement on the targeted attack on Bybit. The forensic report left former Binance CEO Changpeng Zhao with more questions than answers, and he heavily criticized it, claiming the report was written in vague language to brush over the issues.

According to Safe’s investigation report, the forensic review into the targeted attack by the Lazarus Group on Bybit concluded that the attack, which targeted the Bybit Safe, was achieved through a compromised Safe developer machine. The hack resulted in the proposal of a disguised malicious transaction that saw the hackers draw funds from Bybit’s wallet.

According to the report, the forensic audit by external security researchers did not indicate any shortcomings in the Safe smart contracts or the source code of the frontend and services.

The report also indicated that the Safe team conducted a thorough investigation and has now reinstated Safe on the Ethereum mainnet with a phased rollout. The Safe team has fully rebuilt and reconfigured all infrastructure and rotated all credentials, ensuring the attack vector is fully eliminated.

The Safe frontend remains operational with additional security measures in place. However, the report urged users to exercise extreme caution and remain vigilant when signing transactions.

CZ criticizes Safe’s forensics report for not being detailed enough

The report has received heavy backlash from Binance founder and former CEO CZ. According to CZ, the report is not detailed enough to address all concerns and has gaping holes as to how the incident happened. CZ first questioned what “compromising a Safe developer machine” means. He also questioned how the hackers compromised the machine in question and wondered if it was social engineering, a virus, or something else.

CZ also expressed concerns about how a developer machine gained access to an exchange account. He asked if some code got remotely deployed from the developer machine straight to prod. CZ also expressed his concerns about how the hackers bypassed the Ledger verification step at multiple signers. He questioned if the signers failed to verify properly or if they were blind signing.

Bybit also embarked on a deep forensics investigation by contracting blockchain security firms Sygnia and Verichains. The investigations centered on the three signers’ hosts as a follow-up to the $1.4 billion hack.

CZ also questioned if the $1.4 billion address was the largest managed using Safe and why the hackers didn’t target other wallets. CZ also asked what lessons other “self-custody, multi-sig” wallet providers and users can learn from the ordeal.

The investigation by Sygnia concluded that the cause of the incident was malicious code originating from Safe’s infrastructure. The report concluded that Bybit’s infrastructure was not affected or compromised in any way during the attack. The report highlighted that the investigation will continue in order to confirm the recent findings.

Preliminary conclusions from Verichains revealed that the benign JavaScript file of app.safe.global was replaced on February 19th with malicious code aimed at Bybit’s Ethereum Multisig Cold Wallet. Verichains investigators also recommended that further investigations be conducted to confirm the root cause.

Lazarus Group reportedly launders Bybit funds via meme coins

UAE-based Bybit exchange fell victim to hackers last week, resulting in the loss of $1.5 billion. The exchange’s CEO said the funds were drawn from one of Bybit’s cold multisig wallets. 

According to onchain data, North Korean hacking collective Lazarus Group, believed to be behind the attack, was observed to have been leveraging memecoins to launder the stolen funds. Cybersecurity researcher ZachXBT reported that Lazarus Group distributed several meme coins on Pump.fun.

Binance has also been affected by malicious attacks from cyber criminals. Recently, Hong Kong-based crypto entrepreneur Joe Zhou reported that scammers sent him a message through the usual Binance number where he typically receives his verification codes, telling him his account was accessed from North Korea. 

Joe Zhou got on a call with the attackers who misled him into sending funds to a different wallet. Zhou managed to act fast and recover most of his funds before the hackers cashed out.
