Bybit hack: ‘Reckoning’ that led SafeWallet to rearchitect its systems

In February, the cryptocurrency ecosystem stood on the precipice of calamity. Hackers stole $1.5 billion of Ether from crypto exchange Bybit, the largest theft the industry had ever seen.

Fears of a contagion-driven market collapse were alleviated by an industry-wide effort to plug the gap at Bybit, and within hours, the exchange regained control of the situation.

The post-mortem revealed that Bybit’s routine transfer of Ether (ETH) between wallets had been captured by hackers. The attackers, believed to be North Korean Lazarus Group, compromised a SafeWallet developer machine, injecting malicious JavaScript into the user interface, which tricked Bybit’s multisignature process into approving a malicious smart contract.

9 months ago, Bybit suffered the largest-ever crypto heist, as hackers stole ~$1.5 billion in Ethereum (~401,000 ETH) during a routine ETH transfer.

Since then, the team @safe has completely overhauled its infrastructure and systems. Safe CEO @rahulrumalla spoke candidly about… pic.twitter.com/fOYVOdF7ca

— Gareth Jenkinson (@gazza_jenks) November 6, 2025

The incident was a wake-up call for the cryptocurrency industry, given that many exchanges and companies rely on the infrastructure and services of players like Safe. Even though Safe is a self-custodial wallet service, the incident proved that sophisticated social engineering or compromised physical hardware remains a threat to the entire industry.

Safe CEO Rahul Rumalla joined Cointelegraph’s Chain Reaction live show to reflect on the learnings and systemic changes necessitated by the Bybit incident and the ever-present, ever-changing threats from cybercriminals.

Related: SafeWallet releases Bybit hack post-mortem report

Self-custody is fragmented

As Rumalla explained, a Safe developer workstation had been compromised, which set an entry point for hackers to stage an attack that could manipulate the website code.

The Safe CEO said that the situation “was a reckoning moment” that forced the team to reorganize its security and infrastructure. It also drew attention to industry-standard practices that may not be entirely suitable for the purpose.

“A lot of people actually are subjected to the concept of blind signing. You really don’t know what you’re signing, be it your signing device or your hardware devices. And that starts with education, that starts with awareness, that starts with standards,” Rumalla said.

“Ultimately, in the world of self-custody, the actual fundamental design of this is shared responsibility of security. It’s fragmented. And this is what we started re-architecting.”

Rumalla added that while Safe had faced significant scrutiny in the wake of the Bybit theft, its core clients were supportive and keenly aware of the core attack vectors that led to the incident.

Related: Timeline: How Bybit’s lost Ethereum went through North Korea’s washing machine

His team then set to work breaking down the layers of architecture that make up Safe’s security infrastructure.

“We broke it down by transaction level security, signer device level security, infrastructure level security, but also standards and compliance, and auditability. They all have to work together in some way,” Rumalla said.

The evolving threat from hackers

Lazarus Group hackers have been the most prolific threat to the cryptocurrency ecosystem in recent years. Mainstream media forecasts the North Korean hacking group to bag over $2 billion in stolen cryptocurrency in 2025.

Rumalla said that the biggest challenge is the aspect of social engineering that hacking groups are using to infiltrate major companies in the industry.

“These attackers are in Telegram channels. They’re in our company intro chats, they’re in your DAO’s posting for grants. They’re applying for jobs as IT workers. They take advantage of the human element.”

This also provided a silver lining for Rumalla and his team. Taking solace from the fact that their code and protocol were not at fault, the CEO said there is an earnest effort to balance security and usability.

“The smart accounts, the core protocol, that was super battle tested, which really gave us the confidence to elevate this on the layers above as well.”

Rumalla added that self-custody technology historically involved a compromise between convenience and security. However, a mindset change is required to ensure continuous evolution in products and services that make it easy and secure for people to take self-custodial control of their assets.

Magazine: North Korea crypto hackers tap ChatGPT, Malaysia road money siphoned: Asia Express

Source