Bybit_Interim_Investigation_Report.pdf (679 KB)

Sygnia's interim Bybit report concludes that malicious code served from Safe{Wallet}'s AWS S3 infrastructure manipulated the transaction during the February 21, 2025 ETH cold-wallet signing process. Forensic review of the three signer hosts found cached Safe{Wallet} resources last modified on February 19 that contained injected code designed to alter transaction content when the source matched Bybit's contract or a likely attacker test contract. Current Safe{Wallet} bucket files no longer contained the code, and the relevant resources were updated about two minutes after the malicious transaction executed. Sygnia says it had not found evidence of compromise inside Bybit's own infrastructure at the time of the interim report.