
Bybit Loses Over $1.4 Billion in Security Breach

by FXInsider

Bybit, a well-known cryptocurrency exchange, reported a significant security incident: a breach that allowed unauthorized transfers exceeding $1.4 billion worth of liquid-staked Ether (ETH) and MegaETH (mETH). The exchange indicated that there was unauthorized access to one of its Ethereum cold wallets on February 21, 2025.

The breach occurred during a multisignature transaction that involved Safe Wallet. A malicious actor intercepted the transaction process, altered its parameters, and took control of the wallet, subsequently moving the funds to a wallet under the attacker’s management.

After the incident was realized, the exchange sought the expertise of a cybersecurity firm, Sygnia, to conduct a forensic investigation. The goal of the investigation was to identify the source of the breach, evaluate the full extent of the attack, and outline strategies to prevent similar incidents in the future.

The forensic analysis uncovered that malicious JavaScript code had been inserted into resources served from Safe Wallet’s AWS S3 bucket. Historical timestamps and web records indicated that this malicious code was added on February 19, 2025, just two days prior to the fraudulent transaction.

This injected code was specifically designed to alter transaction data during the signing process, activating only when transactions were initiated from certain contract addresses, including one associated with the exchange and potentially additional unidentified addresses. This suggests that the attacker had predetermined targets in mind.

Further investigation into the systems of the three signers revealed evidence of the compromised JavaScript resource at the time of the fraudulent transaction. The browser cache from their systems showed that the Safe Wallet resource had been altered shortly before the attack took place.

Intriguingly, it was noted that two minutes after the fraudulent transaction was executed, new versions of the affected JavaScript files were uploaded to Safe Wallet’s AWS S3 bucket, which effectively removed the malicious code. This may indicate an attempt to hide the unauthorized changes from detection.

Public archives documented two snapshots of Safe Wallet’s JavaScript resources on February 19, with one snapshot displaying the unmodified version and the other showing the malicious code. This adds credibility to the conclusion that the attack originated from the AWS infrastructure associated with Safe Wallet.
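The two controls a defender would want after reading the above are a pinned Subresource Integrity (SRI) hash on the served front-end bundle, so a browser refuses a silently swapped file, and an audit over dated captures of that file that surfaces a short-lived modification followed by a restoration. The script below is an added example, not code from the article, Bybit, Safe Wallet or Sygnia; the JavaScript snapshots, their timestamps and the resource content are constructed for illustration.

```python
import base64
import hashlib

# Constructed captures of one front-end JS resource, standing in for the
# public-archive snapshots mentioned in the report. The "tampered" variant
# merely appends a comment; nothing here is the real injected code.
BASELINE_JS = b"export function buildTx(p){return p;}\n"
TAMPERED_JS = BASELINE_JS + b"/* unexpected extra code */\n"
SNAPSHOTS = [
    ("2025-02-18T12:00:00Z", BASELINE_JS),
    ("2025-02-19T09:00:00Z", BASELINE_JS),
    ("2025-02-19T15:00:00Z", TAMPERED_JS),   # first capture that differs
    ("2025-02-21T14:16:00Z", TAMPERED_JS),   # still tampered at signing time
    ("2025-02-21T14:18:00Z", BASELINE_JS),   # quietly restored shortly after
]


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI value ('sha384-<base64 digest>') for a resource body.

    Placed in <script integrity="..."> the browser rejects any byte change.
    """
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def audit_snapshots(snapshots, expected_sri: str):
    """Report (timestamp, event) transitions against the pinned SRI value.

    'modified' marks the first capture that stops matching; 'restored' the
    first later capture that matches again. A narrow modified/restored
    window is the pattern the forensic report describes.
    """
    events, tampered = [], False
    for ts, content in sorted(snapshots, key=lambda s: s[0]):
        matches = sri_hash(content) == expected_sri
        if tampered and matches:
            events.append((ts, "restored"))
            tampered = False
        elif not tampered and not matches:
            events.append((ts, "modified"))
            tampered = True
    return events


if __name__ == "__main__":
    for ts, event in audit_snapshots(SNAPSHOTS, sri_hash(BASELINE_JS)):
        print(ts, event)
```

Pinning an SRI hash only helps when the deploy pipeline regenerates the `integrity` attribute from reviewed builds, otherwise the pinned value simply follows whatever lands in the bucket.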

Notably, the forensic investigation has not uncovered any breaches within the exchange’s own infrastructure. The preliminary findings suggest that the unauthorized access was made possible through vulnerabilities inherent in Safe Wallet’s systems. The exchange and Sygnia continue to work on verifying these findings and assessing additional security concerns.

The preliminary forensic review concluded that the exchange’s systems remained secure and uncompromised, which underscores the persistent and evolving threats present in the cryptocurrency sector. The exchange is actively initiating measures to bolster security and enhance protection for its users amidst this serious incident.
