Investigation Updates and Community Call to Action
2025-03-06 • Safe.eth
Safe{Wallet} and Mandiant report that the February 21, 2025 incident tied to the Bybit heist involved compromise of a Safe developer laptop and hijacked AWS session tokens that bypassed MFA controls. The FBI attributed the theft to TraderTraitor, a DPRK-linked group that Mandiant tracks as UNC4899 and associates with multiple cryptocurrency heists. Safe says the attacker gained a path toward commit access to Safe{Wallet} servers, removed malware and Bash history to hinder forensics, and did not affect the Safe smart contracts. Remediation included credential rotation, infrastructure resets, tighter external access, stronger monitoring, pending-transaction cleanup, and additional transaction verification controls.