In February, the cryptocurrency ecosystem faced a significant threat when hackers stole $1.5 billion of Ether from the crypto exchange Bybit, marking the largest theft in the industry's history. While fears of a market collapse due to contagion were palpable, an industry-wide effort quickly stabilized the situation, with Bybit regaining control within hours.
A post-mortem analysis revealed that the hackers exploited a routine transfer of Ether (ETH) between Bybit's wallets. The attackers, widely believed to be the North Korean Lazarus Group, compromised a SafeWallet developer's machine. They injected malicious JavaScript into the user interface, which manipulated Bybit's multisignature process, leading to the approval of a malicious smart contract.
This incident served as a critical wake-up call for the entire cryptocurrency industry, highlighting the reliance on third-party infrastructure and services, such as those provided by Safe. Despite Safe being a self-custodial wallet service, the attack demonstrated that sophisticated social engineering and compromised physical hardware remain potent threats to the industry's security.
Safe CEO Rahul Rumalla discussed the crucial learnings and systemic changes necessitated by the Bybit incident and the persistent, evolving threats from cybercriminals during an appearance on Cointelegraph's Chain Reaction live show.
Self-Custody's Fragmented Landscape
Rumalla explained that the compromise of a Safe developer workstation provided the entry point for hackers to manipulate website code. He described the situation as a "reckoning moment" that prompted the team to completely reorganize its security and infrastructure, also drawing attention to industry-standard practices that may be inadequate.
Rumalla elaborated on the prevalence of "blind signing," where users often sign transactions without fully understanding what they are approving, whether on their signing device or hardware. He stressed that addressing this requires a multi-faceted approach, starting with education, awareness, and the establishment of robust standards.
"Ultimately, in the world of self-custody, the actual fundamental design of this is shared responsibility of security. It’s fragmented. And this is what we started re-architecting."
Despite the intense scrutiny following the Bybit theft, Rumalla noted that Safe's core clients remained supportive and understood the primary attack vectors involved. His team subsequently focused on dissecting the layers of Safe's security infrastructure.
Rumalla detailed the breakdown into transaction-level security, signer device-level security, and infrastructure-level security, alongside standards, compliance, and auditability, emphasizing their interconnectedness.
The Evolving Threat from Hackers
The Lazarus Group has emerged as a dominant threat to the cryptocurrency ecosystem in recent years. Mainstream media forecasts suggest the North Korean hacking group could accumulate over $2 billion in stolen cryptocurrency in 2025.
Rumalla identified social engineering as the most significant challenge, as hacking groups increasingly leverage it to infiltrate major industry companies.
"These attackers are in Telegram channels. They’re in our company intro chats, they’re in your DAO’s posting for grants. They’re applying for jobs as IT workers. They take advantage of the human element."
However, this also had a positive side for Rumalla and his team. Reassured that their code and protocol were not compromised, the CEO highlighted an earnest effort to balance security with usability.
Rumalla stated that the smart accounts and core protocol underwent rigorous testing, which instilled confidence in elevating security measures across the upper layers as well.
He further added that self-custody technology has historically involved a trade-off between convenience and security. Nevertheless, a fundamental shift in mindset is necessary to drive continuous evolution in products and services that enable users to securely and easily take self-custodial control of their assets.

