Bybit – What Do We Know So Far

2025-03-17 Sygnia

https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/

Sygnia summarizes the February 2025 Bybit heist as a multi-stage compromise attributed by the FBI to TradeTraitor, also known as Lazarus Group and UNC4899. The attack began with a Safe{Wallet} developer's macOS workstation, likely compromised through social engineering involving a Docker project named MC-Based-Stock-Invest-Simulator-main and traffic to getstockprice.com. The attackers used the developer's AWS access to operate in Safe{Wallet}'s infrastructure, then modified JavaScript resources in the S3 bucket serving app.safe.global so the web interface would manipulate transactions only for Bybit's targeted ETH cold wallet. After Bybit signed the transaction, the attackers siphoned funds and removed the malicious code within minutes, exposing weaknesses across endpoint, cloud, application, and smart-contract trust boundaries.

Indicators of Compromise

Type     Value              First Seen   Last Seen
DOMAIN   getstockprice.com  2025-03-11   2025-12-10
DOMAIN   anchain.ai         2025-03-17   2025-08-06