Safe{Wallet} and external analyses described the Bybit incident as a targeted Lazarus/TraderTraitor attack in which a compromised Safe{Wallet} developer environment enabled malicious front-end code to alter a multisig transaction proposal. The injected JavaScript on Safe{Wallet}'s AWS S3-hosted front end showed signers the expected address while replacing the actual transaction data, causing a Bybit Safe wallet owner to authorize a transaction that redirected control and funds to the attacker before the code was quickly removed.