Bybit’s $1.5 Billion Theft Unveiled: Safe{Wallet} Front-End Code Tampered

2025-02-27 Slowmist

https://slowmist.medium.com/bybits-1-5-billion-theft-unveiled-safe-wallet-front-end-code-tampered-84b78f0fa9c2

SlowMist examines the Bybit theft as a targeted Lazarus Group attack: a compromised Safe{Wallet} developer environment was used to plant malicious front-end code that altered a multisig transaction proposal at signing time. The malicious JavaScript was injected into Safe{Wallet}'s AWS S3-hosted front end on February 19, 2025, and triggered on February 21 when Bybit executed a multisig transaction. The modified interface displayed the expected recipient address while substituting different transaction data in the payload sent for signing, so the Bybit Safe wallet owners signed a transaction that handed control of the wallet, and its funds, to the attacker. The injected logic only activated for Bybit's multisig cold wallet address and one test address, and the attackers removed the code roughly two minutes after the transaction executed to limit the evidence left behind. The excerpt cites the FBI as confirming North Korea's TraderTraitor, also known as Lazarus Group, as responsible for the $1.5 billion theft of crypto assets.
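The failure mode above is "what you see is not what you sign": the interface renders one proposal while a different object reaches the signing step. The following is an added example, not code from SlowMist, Safe or Bybit, that models that split and a signer-side cross-check that catches it. Every address, selector argument and calldata value is a constructed placeholder; the target list mirrors only the report's statement that the injected logic fired for specific Safe addresses. The check also flags operation 1, which in the Safe contracts is a DELEGATECALL and is the operation that lets a callee rewrite the Safe proxy's own storage, i.e. take control of the wallet rather than merely move a token.

```javascript
// Added example (not SlowMist's, Safe's or Bybit's code). All addresses and
// calldata below are constructed placeholders.

// Hypothetical target list: the injected logic in the report only activated
// for particular Safe addresses, so a tampered bundle looks benign elsewhere.
const TARGET_SAFES = new Set([
  "0x000000000000000000000000000000000000aaaa", // constructed "cold wallet"
  "0x000000000000000000000000000000000000bbbb", // constructed "test address"
]);

// Attacker-controlled values (constructed).
const MALICIOUS_TO = "0x000000000000000000000000000000000000dead";
const MALICIOUS_DATA = "0xdeadbeef";

// Models the injected front-end behaviour: the screen keeps rendering the
// original proposal, but the object handed to the signing step is swapped
// when the connected Safe is on the target list. operation 1 is a Safe
// DELEGATECALL, which runs the callee's code in the proxy's own storage.
function tamperedSigningPayload(safeAddress, proposal) {
  if (!TARGET_SAFES.has(safeAddress.toLowerCase())) return { ...proposal };
  return { ...proposal, to: MALICIOUS_TO, data: MALICIOUS_DATA, operation: 1 };
}

// Fields that define a Safe transaction for signing purposes. If any of
// them differs between the displayed proposal and the signing payload, the
// signer would authorise something other than what the screen shows.
const SIGNED_FIELDS = ["to", "value", "data", "operation", "safeTxGas",
  "baseGas", "gasPrice", "gasToken", "refundReceiver", "nonce"];

// Signer-side cross-check: compare the displayed proposal with the payload
// that reaches the signing step, and flag any DELEGATECALL whose target is
// not on an explicit allow-list. Returns a list of findings; an empty list
// means nothing was detected.
function checkBeforeSigning(displayed, toSign, allowedDelegateTargets = new Set()) {
  const findings = [];
  for (const f of SIGNED_FIELDS) {
    const a = String(displayed[f] ?? "").toLowerCase();
    const b = String(toSign[f] ?? "").toLowerCase();
    if (a !== b) findings.push(`field ${f} differs: displayed=${a} signing=${b}`);
  }
  if (Number(toSign.operation) === 1 &&
      !allowedDelegateTargets.has(String(toSign.to).toLowerCase())) {
    findings.push(`DELEGATECALL to non-allow-listed target ${toSign.to}`);
  }
  return findings;
}

// Constructed sample: a routine ERC-20 transfer proposal as the UI shows it.
const DISPLAYED = {
  to: "0x000000000000000000000000000000000000c0de",
  value: "0",
  data: "0xa9059cbb" + "0".repeat(128), // transfer(address,uint256) selector + zeroed args
  operation: 0,
  safeTxGas: "0", baseGas: "0", gasPrice: "0",
  gasToken: "0x0000000000000000000000000000000000000000",
  refundReceiver: "0x0000000000000000000000000000000000000000",
  nonce: "42",
};

// Runs the displayed proposal through the tampered signing path for a given
// Safe and returns what the cross-check reports.
function demo(safeAddress) {
  const payload = tamperedSigningPayload(safeAddress, DISPLAYED);
  return checkBeforeSigning(DISPLAYED, payload);
}

console.log("non-target Safe:", demo("0x000000000000000000000000000000000000c0de"));
console.log("targeted Safe:  ", demo("0x000000000000000000000000000000000000aaaa"));
```

The comparison is deliberately done outside the rendering code path: a check that reads the same in-memory object the UI rendered from would have been subverted by the same injected script. In practice the independent reference is the Safe transaction hash shown on the hardware wallet, recomputed from the intended fields on a separate machine; this example stops short of that and only shows the field-level divergence a signer tool should refuse to sign over.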

Indicators of Compromise

Type    Value                              First Seen  Last Seen
URL     https://app.safe.global/_next/s…   2025-02-27  2025-05-06
DOMAIN  app.safe.global                    2025-02-26  2025-05-06
URL     https://misteye.io/                2025-02-27  2025-02-27
DOMAIN  misteye.io                         2025-02-27  2025-02-27

Note that app.safe.global is Safe{Wallet}'s legitimate front-end domain; it appears here because the tampered JavaScript bundle was served from it during the incident window, not because the domain itself is attacker-controlled.
