**Colin Wu Uncovers Surprising Details Behind the $1.5B Bybit Hack, Pointing to Safe’s AWS Breach**
On February 26, 2025, financial journalist Colin Wu shared a surprising development regarding the $1.5 billion hack of the cryptocurrency platform Bybit, which The Guardian described on February 23, 2025 as the largest digital theft in history. Reports from both Bybit and wallet provider Safe revealed that the blame for the incident does not rest with Bybit, but rather with a vulnerability in Safe’s system. Safe provides the multisig wallets used by various exchanges, including Bybit.
Wu reported that the North Korean hacking group Lazarus managed to infiltrate Safe’s frontend by injecting malicious code. This breach was made possible through exposed or stolen AWS S3 or CloudFront credentials associated with SafeGlobal, enabling attackers to manipulate the system. This incident has raised concerns about the security of multisig wallets, which are endorsed by prominent figures like Vitalik Buterin. Notably, Buterin reportedly uses Safe to manage 90% of his cryptocurrency holdings, as highlighted in Wu’s thread.
The crypto community has expressed worries about how a Safe developer had unsupervised permissions to alter the frontend, a point raised by Polygon’s Mudit Gupta in his responses. Interestingly, while Safe is widely used, Bybit was the only exchange impacted during that incident.
In a positive turn, the first recovery efforts from the Bybit hack have yielded results, with approximately $43 million (15,000 cmETH) successfully reclaimed from the hacker. Mudit Gupta shared that he recognized the potential for recovery soon after the hack and credited SEAL for connecting him with the Mantle/mETH team, who facilitated the recovery. He extended his gratitude to the SEAL, Mantle, and mETH teams for their swift actions.
Wu suggested that the attack specifically targeted Bybit’s Ethereum multisig cold wallet, raising important questions about Bybit’s security measures and Safe’s defenses against state-sponsored actors like Lazarus. This group is notorious for high-profile thefts, including the $615 million Ronin Network breach in 2022, according to Trend Micro.
Financially, Safe is facing significant challenges, as the $1.5 billion loss raises doubts about its ability to compensate affected parties. Meanwhile, Bybit, which manages $20 billion in client assets, has committed to fully reimbursing its users, as stated by CEO Ben Zhou on X.
In a candid reflection, Colin Wu remarked on the unexpected outcome: “The investigations by Bybit and Safe revealed that it wasn’t Bybit’s fault; rather, Safe’s developers were compromised, with the North Korean hacking group Lazarus injecting malicious code into Safe’s frontend. The AWS S3 or CloudFront account/API keys for SafeGlobal were either leaked or stolen. How will Safe manage to cover this $1.5 billion loss?”
This incident has prompted a broader examination of multisig wallets and cloud security within the industry. Some have suggested storing frontend code on-chain to prevent tampering, referencing approaches like that of ICP.