Safe{Wallet}: Bybit breach traced to TraderTraitor hackers

March 6, 2025

Safe{Wallet} has confirmed that the Feb. 21 security breach was a state-sponsored attack, with evidence linking it to TraderTraitor, a North Korean hacking group tracked by the FBI and the cybersecurity firm Mandiant.

The attackers compromised a developer's laptop and used the access it held to get into Safe{Wallet}'s infrastructure.

The forensic investigation, conducted in collaboration with Mandiant, has reached a critical stage, allowing Safe{Wallet} to share preliminary findings and the security measures implemented to mitigate future threats.

A Highly Sophisticated Breach

The attackers gained entry by compromising a developer's workstation, one of the few with high-level access, and hijacking the AWS session tokens already established on it. Because those tokens had been issued after the developer completed multi-factor authentication (MFA), reusing them let the attackers operate inside Safe{Wallet}'s systems without ever facing an MFA prompt. Mandiant's analysis aligns with the FBI's findings and attributes the breach to UNC4899, Mandiant's designation for the North Korean state-linked group behind multiple cryptocurrency heists.
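The session-token reuse described above leaves a trace that a defender can look for: a temporary credential (an access key ID beginning with ASIA) that was issued to one host and is later used from another, while CloudTrail still reports the session as MFA-authenticated because MFA was satisfied at issuance. The following check is an added example written for this page, not code from Safe{Wallet}'s or Mandiant's investigation; the CloudTrail records it scans are constructed for illustration and follow the public CloudTrail event schema (userIdentity.accessKeyId, sourceIPAddress, userAgent, responseElements.credentials.accessKeyId, sessionContext.attributes.mfaAuthenticated). Usernames, IPs and key IDs are placeholders.

```python
import json

# Constructed sample CloudTrail records (not real logs): a developer assumes a role
# with MFA from their workstation, uses it normally, then the same temporary key
# shows up from an unrelated host with a different client.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"serialNumber": "arn:aws:iam::123456789012:mfa/dev-alice"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000001"}}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.77", "userAgent": "python-requests/2.31",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000001",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]]


def find_session_reuse(lines):
    """Return findings for temporary credentials used from an IP other than the one
    they were issued to. `lines` is an iterable of JSON-encoded CloudTrail records."""
    issued = {}    # accessKeyId -> (sourceIPAddress, userAgent) at issuance
    findings = []
    for line in lines:
        ev = json.loads(line)
        # STS calls that mint credentials record the new key ID in responseElements
        # (responseElements can be null in CloudTrail, hence the `or {}`).
        creds = (ev.get("responseElements") or {}).get("credentials") or {}
        if creds.get("accessKeyId"):
            issued[creds["accessKeyId"]] = (ev["sourceIPAddress"], ev.get("userAgent"))
            continue
        ident = ev.get("userIdentity") or {}
        key = ident.get("accessKeyId")
        if not key or key not in issued:
            continue  # unknown key: either outside the window or not temporary
        origin_ip, origin_ua = issued[key]
        if ev["sourceIPAddress"] != origin_ip:
            mfa = (ident.get("sessionContext") or {}).get("attributes", {}).get("mfaAuthenticated")
            findings.append({
                "accessKeyId": key,
                "issued_from": origin_ip,
                "used_from": ev["sourceIPAddress"],
                "issued_user_agent": origin_ua,
                "used_user_agent": ev.get("userAgent"),
                "eventName": ev["eventName"],
                "mfaAuthenticated": mfa,  # still "true": MFA was checked at issuance
            })
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(SAMPLE_EVENTS):
        print(json.dumps(f, indent=2))
```

Run over real CloudTrail exports this rule is noisy on its own (VPN exits and roaming laptops change source IPs), so in practice it is paired with a user-agent change, ASN or geolocation distance, and the sensitivity of the role assumed. The point it makes stands regardless: the mfaAuthenticated attribute describes the moment the token was issued, not who is holding it now, so it is not evidence that the current caller is the developer.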

While significant progress has been made in investigating the incident, the full scope of the attack remains under review. The attackers removed their malware and cleared the Bash history on the compromised machine, which complicates forensic reconstruction of their activity.

Safe{Wallet} Systems Strengthened After Attack

In response to the breach, Safe{Wallet} has undertaken extensive security enhancements to reinforce its infrastructure. 

The entire credential system has been reset, with new cryptographic keys, developer credentials, and security tokens issued to prevent unauthorized access. External access to critical services was temporarily restricted, preventing further intrusion while security measures were implemented.


Threat detection systems have been significantly upgraded through collaboration with Blockaid, improving the identification of malicious transactions and security anomalies. 

Monitoring has also been expanded across all layers of Safe{Wallet}'s ecosystem, enabling real-time threat tracking and faster response times. To remove any transaction the attackers might have staged, all pending transactions were cleared from the queue.

Native hardware wallet signing was temporarily disabled because it relied on eth_sign, which presents the signer with an opaque hash rather than the decoded transaction, so the user cannot see what they are approving. Safe{Wallet} has redirected users to signing methods that display the transaction contents. To make verification independent of the web interface, the company has also introduced a third-party verification tool, Safe Utils, which lets users recompute a transaction's hash from its fields and compare it with the hash shown on their signing device before they sign.

Industry-Wide Security Implications

The attack underscores the growing sophistication of state-sponsored attackers targeting Web3 infrastructure.

While self-custody provides users with greater control over their funds, this incident highlights the urgent need for stronger security measures, better transaction verification tools, and enhanced industry-wide collaboration.

Safe{Wallet} has urged Web3 developers, security firms, and exchanges to adopt best practices for securing digital assets. Mandiant has also published a list of Indicators of Compromise (IOCs) so that other platforms can check their own environments for the same activity.

As Safe{Wallet} continues working toward fully restoring its services, the focus remains on long-term security upgrades. Further updates will be shared as the forensic investigation progresses.
