Safe Wallet has released new details on the cyberattack that led to the $1.5 billion Bybit hack. The investigation conducted with Google Cloud’s Mandiant confirms that a North Korean state-sponsored group was behind the heist.
The attackers erased digital footprints to hinder forensic efforts. The breach occurred on February 21, 2025, and is now considered one of the most advanced crypto thefts in history.
TraderTraitor Group Behind the Breach
Safe Wallet identified the hacking group as TraderTraitor, also known as Jade Sleet, PUKCHONG, and UNC4899.
The FBI had already linked this group to previous cryptocurrency heists. Mandiant’s findings support this conclusion.
The hackers gained access by compromising a Safe Wallet developer’s laptop. They then hijacked AWS session tokens to bypass multi-factor authentication. This developer had elevated privileges, making the attack more effective.
How the Attack Was Carried Out
The hackers executed a well-planned attack. They infected the developer’s laptop with malware and stole access tokens.
This allowed them to infiltrate Safe Wallet’s infrastructure undetected. Once inside, they manipulated the system to steal funds.
The attackers also deleted their malware and cleared Bash history to cover their tracks. This made it harder for investigators to trace their steps.
Despite these efforts, cybersecurity experts have been able to uncover critical details about the breach.
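The session-token hijack described above leaves one trace defenders can look for: the same temporary AWS credential being used from more than one client. The sketch below is an added example, not code from Safe Wallet or Mandiant; it runs that check over constructed CloudTrail-style records, and the function names, keys and IP addresses are assumptions made for illustration.

```python
from collections import defaultdict

def ev(time, name, ip, agent, key, mfa="true"):
    """Build a constructed CloudTrail-style record (field names follow the CloudTrail format)."""
    ident = {"type": "AssumedRole" if key.startswith("ASIA") else "IAMUser", "accessKeyId": key}
    if key.startswith("ASIA"):
        # The MFA flag belongs to the session, so it travels with a copied token.
        ident["sessionContext"] = {"attributes": {"mfaAuthenticated": mfa}}
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent, "userIdentity": ident}

# Constructed sample data, not from the incident: placeholder keys, documentation-range IPs.
SAMPLE_EVENTS = [
    ev("2025-01-01T09:00:00Z", "GetCallerIdentity", "198.51.100.10", "aws-cli/2.15.0", "ASIAEXAMPLEDEV00001"),
    ev("2025-01-01T09:05:00Z", "ListBuckets", "198.51.100.10", "aws-cli/2.15.0", "ASIAEXAMPLEDEV00001"),
    ev("2025-01-01T09:20:00Z", "ListBuckets", "203.0.113.77", "Boto3/1.34.0", "ASIAEXAMPLEDEV00001"),
    ev("2025-01-01T09:30:00Z", "DescribeInstances", "198.51.100.25", "aws-cli/2.15.0", "ASIAEXAMPLEOPS00002"),
    ev("2025-01-01T09:31:00Z", "DescribeInstances", "198.51.100.25", "aws-cli/2.15.0", "AKIAEXAMPLELONGTERM1"),
]

def find_reused_sessions(events):
    """Map each temporary access key used by more than one client to its off-baseline events."""
    by_key = defaultdict(list)
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith("ASIA"):  # STS-issued temporary credentials only
            by_key[key].append(e)
    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["eventTime"])  # ISO 8601 UTC strings sort chronologically
        baseline = (evs[0]["sourceIPAddress"], evs[0]["userAgent"])
        odd = [e for e in evs if (e["sourceIPAddress"], e["userAgent"]) != baseline]
        if odd:
            attrs = evs[0]["userIdentity"].get("sessionContext", {}).get("attributes", {})
            findings[key] = {
                "baseline": baseline,
                "mfa_authenticated": attrs.get("mfaAuthenticated"),
                "off_baseline": [(e["eventTime"], e["sourceIPAddress"], e["eventName"]) for e in odd],
            }
    return findings

if __name__ == "__main__":
    for key, finding in find_reused_sessions(SAMPLE_EVENTS).items():
        print(key, finding)
```

Legitimate network changes such as a VPN reconnect also shift the source address, so a finding here is a lead to triage against the credential owner's known activity, not proof of theft.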
Safe Wallet’s Response and Security Upgrades
Following the attack, Safe Wallet took immediate action. The company reset its entire infrastructure, rotated credentials, and implemented stricter security measures.
All external access was temporarily restricted. The team also enhanced transaction monitoring with help from security firm Blockaid.
To prevent future breaches, Safe Wallet upgraded its logging and real-time threat detection. Pending transactions were wiped to remove potential security risks. Native hardware wallet signing was also temporarily disabled.
Additionally, Safe Wallet introduced new tools for verifying transactions. One such tool, “Safe Utils,” helps users independently check transaction hashes. The company is also working on a fully decentralized version of its platform hosted on IPFS.
Growing Threats in Crypto Security
The Bybit hack is part of a larger trend in crypto thefts. Web3 projects have already lost $1.6 billion in 2025, an eightfold increase from the same period last year. This surge in attacks highlights the urgent need for better security in the crypto space.
Cybercriminals are becoming more advanced. Traditional security measures are no longer enough. The industry must adopt stronger protections to safeguard digital assets.
A Call for Better Security in Web3
Safe Wallet’s investigation sheds light on the growing risks in the blockchain world. The company urges other crypto platforms to strengthen security and learn from this attack.
Crypto transactions need to be more transparent and easier to verify. Users must understand what they are signing before approving any transaction. The industry as a whole must work together to develop better security tools.