Dissecting the Bybit Cryptocurrency Exchange Malicious UI Spoofing Javascript
2025-02-26 • Dancho Danchev
https://ddanchev.blogspot.com/2025/02/dissecting-bybit-cryptocurrency.html
Danchev's preserved excerpt is an indicator-oriented note on a malicious JavaScript sample associated by the article title with Bybit UI spoofing. The text says the script was not obfuscated and that the author extracted callback URLs, Safe ecosystem endpoints, scanner APIs, analytics services, and many Ethereum addresses from it. The archive is most useful as supporting indicator material for the Bybit/Safe investigation, rather than a complete narrative of the intrusion chain or actor attribution.
Indicators of Compromise