Since discovering the targeted attack on Bybit, our top priority at the Safe Ecosystem Foundation has been to provide support in dealing with the incident. While the Foundation is not involved in the operation of the Safe{Wallet}, our mission is to promote and protect the Safe Ecosystem. As such, the Foundation is part of the Crisis Response Task Force created by the involved stakeholders to solve and inform on the incident in an aligned manner.
The attack on Bybit is unprecedented in terms of scale and sophistication, and the Foundation fully understands the magnitude of the situation. This warrants the utmost caution and underscores the importance of an unwavering commitment to security.
The Safe{Wallet} team has provided several updates on the attack; the latest, regarding its preliminary findings, is found below. The Safe{Wallet} team's investigation, on which it is working together with a leading, independent, global cybersecurity firm, is ongoing. The Safe{Wallet} team has committed to publishing a post-mortem once the investigation is complete, and is working with the appropriate authorities.
Safe{Wallet} Team Statement on Targeted Attack on Bybit
The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeting the Bybit Safe was achieved through a compromised Safe{Wallet} developer machine, resulting in the proposal of a disguised malicious transaction. Lazarus is a state-sponsored North Korean hacker group that is well known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits.
Important! The forensic review of external security researchers did NOT indicate any vulnerabilities in the Safe smart contracts or source code of the frontend and services.
Following the recent incident, the Safe{Wallet} team conducted a thorough investigation and has now restored Safe{Wallet} on Ethereum mainnet with a phased rollout. The Safe{Wallet} team has fully rebuilt and reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated.
Pending the final results of the investigation, the Safe{Wallet} team will publish a full post-mortem.
The Safe{Wallet} frontend remains operational with additional security measures in place. However, users need to exercise extreme caution and remain vigilant when signing transactions.
Safe commits to lead an industry-wide initiative to increase verifiability of transactions, which is an ecosystem-wide challenge.
Safe remains committed to security, transparency, self-custody, and pushing the industry forward.
The Foundation understands that the current situation is challenging for many. It is inspiring to see an extraordinary level of collaboration between security experts inside and outside the Ethereum ecosystem. The Safe{Wallet} team is working diligently on bringing additional services back online.
The Foundation will share any substantive updates here. To obtain more regular status updates related to the incident, please visit the Safe Project X-channel, which also includes news from the Safe{Wallet} team.