Safe Confirms Full Infrastructure Reset After February Bybit Hack

Safe has confirmed a full infrastructure reset following the cyberattack on February 21, 2025, which compromised Bybit’s systems.

The attack, attributed to the TraderTraitor group linked to North Korea, has sparked serious concerns regarding the vulnerability of both centralized and decentralized crypto platforms. The recent cyberattack has prompted Safe{Wallet} to take urgent action to secure its infrastructure and prevent future breaches.

Safe Infrastructure Reset and Enhanced Security Measures

As part of its response to the Bybit hack, Safe has initiated a comprehensive security overhaul. The infrastructure reset includes rotating all credentials, resetting clusters, updating builds, and redeploying container images. These measures are designed to fortify Safe{Wallet}’s security and restore its services with more robust protections.

In addition to resetting infrastructure, Safe{Wallet} has worked to enhance its malicious transaction detection systems. The platform has partnered with Blockaid to improve monitoring systems, which now offer more advanced detection capabilities. This collaboration aims to prevent any further unauthorized transactions and protect users’ funds from future risks.

Safe{Wallet} has also increased real-time threat detection across all layers of its stack. By bolstering its monitoring systems, the platform aims to improve visibility into potential security threats and reduce response times. These steps are expected to increase the platform’s overall resilience against cyberattacks.

Collaboration with Mandiant and Ongoing Investigation

Post the Bybit hack, the Safe{Wallet} team has been working closely with Mandiant, a cybersecurity firm, to investigate the attack. Mandiant has been helping analyze the security breach and uncover how the attackers bypassed several security layers.

According to the latest findings, the attack was highly sophisticated and involved the hijacking of AWS session tokens, allowing the attackers to bypass multi-factor authentication controls.

Mandiant’s preliminary report confirms the involvement of the TraderTraitor group, which is known for its connection to North Korea’s hacking activities. This group has been linked to previous high-profile crypto heists. The investigation continues, with efforts focused on understanding the full scope of the attackers’ actions and identifying any remaining vulnerabilities within Safe{Wallet}’s infrastructure.

In addition to Mandiant’s findings, blockchain research firm Arkham has been tracking the activities of the attackers. On March 4, Arkham reported that the Lazarus group, associated with the North Korean regime, has successfully laundered the proceeds from the Bybit hack. The funds were transferred through various channels, including native Bitcoin transactions, and this laundering process has been closely monitored.

Actions Taken to Strengthen External Access and User Security

Following the Bybit hack, Safe{Wallet} implemented several measures to limit external access and enhance user security. The platform temporarily restricted external access to its Transaction Service and imposed stricter firewall rules on externally facing services. These measures are intended to prevent further attacks while the investigation continues.

Safe{Wallet} also temporarily disabled native hardware wallet signing due to the potential risks associated with hardware dependencies. While native hardware wallet support has been disabled, users can still access their wallets via WalletConnect. This action was taken to safeguard users while also investigating potential vulnerabilities in the hardware wallet ecosystem.

To further bolster security, Safe{Wallet} cleared all pending queued transactions from its databases. This precautionary step was taken to eliminate the possibility of human error and reduce the risk of any transactions being compromised during the recovery process. Additionally, the platform has introduced a third-party verification tool, “Safe Utils,” which enables users to independently verify transaction hashes.