Martin Köppelmann Speaks Out on Safe Global Hack—What Went Wrong?
The Safe Wallet team has gained increased attention after forensic reports on the nearly $1.5 billion ByBit hack emerged. It turns out that the North Korean hacking group Lazarus compromised one of Safe Global’s developers’ machines, targeting Bybit’s cold wallet.
On this page
As seen in the investigation results shared by Bybit CEO Ben Zhou, malicious code originated from Safe Wallet’s infrastructure, not Bybit’s.
While the situation is serious, Martin Köppelmann, co-founder of Gnosis (which is behind the development of Safe Wallet), is taking the matter head-on, offering an explanation of what really happened.
Instead of evading blame, Köppelmann acknowledges the situation, admitting that safe.global was compromised, but the interface code is safe.
In response to a plethora of questions directed to the Safe team, Köppelmann explained:
What we were trying to say was that this was not a bug in the open source code you will find on our Github but instead came through malicious access to the server. This difference is important because others use the code as well.
Although it’s still unclear how Lazarus Group found a way into the developer’s server, Köppelmann’s statement means that the open-source code is fine, but the attackers altered the code on the developer’s machine.
Safe Wallet Team Is Looking Into the Case: Martin Köppelmann Responds to CZ
After news of the breach broke, Safe released a statement, explaining what went down. They made it clear that there were no issues with their smart contracts or front-end code.
But CZ, Binance’s former CEO, wasn’t having it. He took to X, calling the update “not that great” and accusing Safe of using vague language to downplay the situation.
He wanted more details—how exactly the hacker got into the developer’s machine, how they tricked multiple signers into approving shady transactions, what kind of access the machine had to Bybit’s systems, and why only certain addresses were targeted.
Martin Köppelmann stepped in to clear things up. He explained that the hacker had tampered with a developer’s machine to specifically target the Bybit Safe. In his words:
The interface was modified specifically targeting the Bybit Safe. So when Bybit would do a transaction – it would show the transaction but actually send a different transaction to the wallet (hardware wallet).
As for how multiple signers were tricked, he admitted there’s still some uncertainty but suggested the attackers likely used advanced techniques to bypass the multisig system.
In the end, he thanked CZ for raising these important questions.
Security Matters Are More Complex Than They Can Seem
Amid the discussions, Martin Köppelmann shared his thoughts on security:
If you have a 1 line hot take of how to fix security, you are wrong.
According to him, from the outside, it might seem like fixing security is just a matter of implementing XYZ measures. But in reality, to prevent future incidents, a team needs to address all possible vulnerabilities at once – a much harder challenge.
For those unfamiliar, Martin Köppelmann is a Berlin-based founder specializing in IT Systems Engineering. He co-founded Gnosis in 2017, a blockchain infrastructure company that builds tools for developers.
The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content. Neither we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.
Articles by this author
