Safe{Wallet}
1 decision on this page

Audit log

Every state-changing event for Safe{Wallet}: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-06-03 00:07:51Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 423,915,031
    sig: 58RgvPYaCW3C…6fs4w8dB
    hash: BwW5nmiWSK4Q…xfjnBhD1 (sha256 → base58)
    verifying row… (full verify ↗)
    canonical bytes (30690 B):
    {"actor":"system:backfill","investigation_id":"8eb20d93-59f9-4e55-92e2-19a221de6836","kind":"publish","page_slug":"safe-wallet","published_at":"2026-06-03T00:07:51.386Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Safe{Wallet}","sections":[{"content":"Safe{Wallet}, originally launched in 2017 as the Gnosis Multi-signature Wallet, was rewritten as Gnosis Safe in 2018 introducing a proxy-singleton architecture for gas efficiency and modularity. Following a GnosisDAO community decision, the project was spun off into an independent entity: the Safe Ecosystem Foundation was incorporated and SafeDAO was formed in 2023 after a fundraise from strategic investors. The product was rebranded from Gnosis Safe to Safe in 2022. Safe is a non-custodial smart-contract wallet that holds assets in a programmable account controlled by a configurable set of signers, requiring a minimum threshold of approvals before any transaction executes. As of Q1 2026, Safe secures approximately $35.25 billion in digital assets across 61.11 million accounts on Ethereum, Polygon, Arbitrum, Optimism, Base, BNB Chain, Avalanche, and more than 30 additional networks. The platform processed a record 122.9 million transactions and 4.79 million ETH in transaction volume in Q1 2026 alone. Safe reported over $10 million in annualized recurring revenue for 2025, a fivefold increase from approximately $2 million in 2024. 
Safe Labs, a wholly owned subsidiary of the Safe Foundation, took direct operational control of the wallet product in 2025 under CEO Rahul Rumalla, who joined in July 2024.","heading":"Overview and Background","severity":"low","sources":[{"credibility":1,"name":"History of Safe: From Gnosis Safe to beyond — Safe Foundation","type":"official","url":"https://safefoundation.org/blog/history-of-safe"},{"credibility":1,"name":"Safe Q1 2026 Quarterly Report — Safe Community Forum","type":"official","url":"https://forum.safefoundation.org/t/safe-q1-2026-quarterly-report-is-now-live/6990"},{"credibility":2,"name":"Non-custodial crypto wallet Safe reports fivefold revenue jump in 2025 — The Block","type":"news_article","url":"https://www.theblock.co/post/388098/crypto-wallet-safe-reports-fivefold-revenue-jump-2025-not-break-even-profitability"},{"credibility":2,"name":"Safe Labs Takes the Reins of Popular Multi-Signature Wallet — The Defiant","type":"news_article","url":"https://thedefiant.io/news/infrastructure/safe-labs-takes-the-reins-of-popular-multi-signature-wallet"}]},{"content":"On February 21, 2025, approximately $1.5 billion in ETH and stETH was stolen from cryptocurrency exchange Bybit in what became the largest cryptocurrency theft in recorded history. Forensic investigations by Sygnia and Verichains, commissioned in the aftermath of the hack, determined the attack originated from a supply-chain compromise of Safe{Wallet}'s developer infrastructure — not from any flaw in the Safe smart contracts themselves.\n\nThe attack chain proceeded as follows. On approximately February 4, 2025, a Safe{Wallet} developer's macOS workstation was compromised via social engineering. The developer was induced to download a file named 'MC-Based-Stock-Invest-Simulator-main,' a Docker-based project that exploited a remote code execution vulnerability in the PyYAML library to gain control of the host system. 
Using credentials extracted from the developer's machine, the attackers (identified as Lazarus Group / TraderTraitor) hijacked an active AWS session token, bypassing multi-factor authentication. Between February 5 and February 17, attackers conducted reconnaissance within Safe's AWS environment. On February 19, they modified the file '_app-52c9031bfa03da47.js' hosted in Safe's AWS S3 bucket, which serves JavaScript assets for app.safe.global. The injected payload was specifically crafted to activate only when a transaction was initiated from Bybit's known contract addresses, remaining dormant for all other users and thus evading routine detection. On February 21, 2025 at approximately 14:13 UTC, Bybit's signers used the compromised Safe frontend to authorize what appeared to be a routine cold-wallet transfer. The malicious JavaScript silently replaced the transaction's destination address while displaying a normal-looking UI to the signers. Approximately two minutes after the malicious transaction was published — at around 14:15 UTC — the attackers uploaded clean versions of the JavaScript files back to the S3 bucket to erase forensic evidence. The attack resulted in the transfer of approximately 400,000 ETH to attacker-controlled addresses. The Safe Ecosystem Foundation's statement confirmed that 'the forensic review of external security researchers did NOT indicate any vulnerabilities in the Safe smart contracts or source code of the frontend and services.' 
The hack exploited infrastructure compromise, not a protocol flaw.","heading":"February 2025 Supply-Chain Compromise: The Bybit Heist","severity":"critical","sources":[{"credibility":2,"name":"Sygnia's Investigation into the Bybit Hack: What We Know So Far","type":"research","url":"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"},{"credibility":2,"name":"Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist — The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/03/safewallet-confirms-north-korean.html"},{"credibility":2,"name":"Lazarus hacked Bybit via breached Safe{Wallet} developer machine — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/lazarus-hacked-bybit-via-breached-safe-wallet-developer-machine/"},{"credibility":1,"name":"Statement by the Safe Ecosystem Foundation — Safe Foundation","type":"official","url":"https://safefoundation.org/blog/safe-ecosystem-foundation-statement"},{"credibility":1,"name":"FBI/IC3 Public Service Announcement: North Korea Responsible for $1.5 Billion Bybit Hack","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"credibility":2,"name":"Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers — The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html"},{"credibility":2,"name":"Bit ByBit — Emulation of the DPRK's Largest Cryptocurrency Heist — Elastic Security Labs","type":"research","url":"https://www.elastic.co/security-labs/bit-bybit"}]},{"content":"On February 26, 2025, the U.S. Federal Bureau of Investigation (FBI) issued a public service announcement formally attributing the Bybit theft to North Korea's TraderTraitor threat group. The FBI defines TraderTraitor as a specific pattern of North Korean state-sponsored malicious cyber activity targeting virtual asset service providers. 
The group is also tracked as Lazarus Group and UNC4899, and is assessed to operate under the North Korean Reconnaissance General Bureau. The attribution was corroborated by multiple independent cybersecurity firms including Mandiant, Sygnia, Elastic Security Labs, and Check Point Research. Following the theft, TraderTraitor actors rapidly laundered the stolen assets: by March 20, 2025, approximately 86% of the stolen ETH had been converted to Bitcoin and dispersed across thousands of addresses using decentralized exchanges, cross-chain bridges, and multiple intermediary wallets. The FBI requested that RPC node operators, exchanges, and blockchain analytics firms block transactions originating from 50+ identified addresses linked to the laundering operation. The same group has been linked to prior major crypto thefts including the Phemex and Poloniex hacks.","heading":"Attack Attribution: DPRK TraderTraitor / Lazarus Group","severity":"critical","sources":[{"credibility":1,"name":"FBI/IC3: North Korea Responsible for $1.5 Billion Bybit Hack","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"credibility":1,"name":"North Korea Responsible for $1.5 Billion Bybit Hack — FBI","type":"regulatory","url":"https://www.fbi.gov/investigate/cyber/alerts/2025/north-korea-responsible-for-1-5-billion-bybit-hack"},{"credibility":1,"name":"How North Korea cracked Bybit's crypto safe to steal $1.5 billion — Fortune","type":"news_article","url":"https://fortune.com/crypto/2025/03/04/north-korea-bybit-hack-ethereum-safe-dprk-lazarus-group-tradertraitor/"}]},{"content":"Multiple independent forensic investigators confirmed that the Safe smart contracts deployed on-chain were not compromised at any point. The Safe protocol's audited Solidity code remained intact; Safe maintains comprehensive audit documentation for all major versions of its smart contracts at docs.safe.global. 
The attack was confined to the application layer: specifically the JavaScript bundle served via Safe's AWS CloudFront/S3 infrastructure to the app.safe.global web application. The malicious code did not affect Safe's mobile applications, browser extensions, or any direct interaction with the smart contract. The payload was targeted and conditional — it activated only when specific Bybit-associated contract addresses were detected, meaning the attack did not compromise or endanger other Safe users during the active window (February 19–21, 2025). Safe serves hundreds of DAOs, DeFi protocols, and institutional custodians. No other confirmed cases of funds being stolen via this specific attack vector have been publicly reported as of June 2026, consistent with the payload's narrow, Bybit-targeted design.","heading":"Scope of Compromise: What Was and Was Not Affected","severity":"high","sources":[{"credibility":1,"name":"Statement by the Safe Ecosystem Foundation — Safe Foundation","type":"official","url":"https://safefoundation.org/blog/safe-ecosystem-foundation-statement"},{"credibility":2,"name":"Sygnia's Investigation into the Bybit Hack — Sygnia","type":"research","url":"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"},{"credibility":1,"name":"Safe Smart Account Audits — Safe Docs","type":"official","url":"https://docs.safe.global/advanced/smart-account-audits"}]},{"content":"Following the hack, a public dispute emerged between Safe and Bybit over apportionment of responsibility. Bybit's forensic review concluded that 'the credentials of a Safe developer were compromised,' framing Safe's infrastructure as the proximate cause. Safe's response acknowledged the developer machine compromise but emphasized that no vulnerabilities existed in the smart contracts or frontend source code, and that the attack affected 'an account operated by Bybit' specifically. 
Security researchers and analysts have noted that the attack was also made possible by Bybit's practice of 'blind signing' — approving a transaction without being able to fully verify its contents, a known risk in multisig operations. Had Bybit's signers used hardware wallet verification of the raw transaction payload (rather than relying solely on the UI display), the attack's core deception mechanism may have been detectable. A parallel dispute between WazirX and Liminal Custody following a $230 million exploit in July 2024 has been cited as a precedent for similar unresolved custody-layer responsibility conflicts. As of the available public record, no formal settlement or legal agreement between Bybit and Safe over this incident has been disclosed.","heading":"Responsibility Dispute: Safe vs. Bybit","severity":"high","sources":[{"credibility":2,"name":"Bybit and Safe Custody Are at Odds on Who's to Blame for $1.5B Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/02/26/bybit-and-safe-custody-blame-each-other-over-usd1-5b-hack"},{"credibility":2,"name":"Who's to Blame for Bybit? — Security Boulevard","type":"news_article","url":"https://securityboulevard.com/2025/04/whos-to-blame-for-bybit/"},{"credibility":2,"name":"The Bybit Breach: Why Multi-Sig Alone Isn't Enough — Cobo","type":"research","url":"https://www.cobo.com/post/the-bybit-breach-why-multi-sig-alone-isn-t-enough"}]},{"content":"Following the February 21, 2025 hack, Safe placed its wallet service in lockdown mode and initiated a phased restoration of Ethereum mainnet access. The Safe{Wallet} team fully rebuilt and reconfigured all cloud infrastructure, rotated all credentials, and confirmed the elimination of the attack vector before resuming service. 
By March 3, 2025, co-founder Martin Koeppelmann confirmed that ten specific changes had been shipped to the UI, including: displaying full raw transaction data to signers, removing hardware wallet integrations that raised security concerns, and implementing stricter validation and enhanced monitoring. Safe also commissioned independent external cybersecurity firms to conduct forensic review and pledged to publish a full post-mortem. The incident accelerated Safe's architectural rethinking around what the CEO described as 'fragmented self-custody security.' Safe framed the fundamental problem as blind signing and the absence of a trust anchor between what a user intends to sign and what the interface presents — a structural issue across the multisig industry, not unique to Safe.","heading":"Safe's Remediation Response","severity":"medium","sources":[{"credibility":2,"name":"Safe Wallet responds to Bybit hack with major security improvements — Crypto.news","type":"news_article","url":"https://crypto.news/safe-wallet-responds-to-bybit-hack-with-major-security-improvements/"},{"credibility":2,"name":"Safe CEO Says Bybit Hack Exposed Fragmented Self-Custody Security — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/bybit-hack-safe-rearchitects-systems"},{"credibility":1,"name":"Statement by the Safe Ecosystem Foundation — Safe Foundation","type":"official","url":"https://safefoundation.org/blog/safe-ecosystem-foundation-statement"}]},{"content":"On April 2, 2026, Safe Foundation announced the launch of Safenet Beta at EthCC in Cannes. Safenet is a decentralized transaction-security network designed to address the class of vulnerability exploited in the Bybit attack: the gap between what a user intends to sign and what the signing interface presents. 
Safenet enforces transaction security at the protocol level before a Safe transaction executes, replacing centralized warning systems and offchain heuristics with cryptographic attestations verified onchain. Independent validators assess proposed transactions against predefined security rules; when a transaction satisfies these rules, validators generate a cryptographic proof. A Guard installed on the user's Safe account verifies this proof before allowing execution. If a user chooses to bypass validation, they must provide explicit additional owner approval after a mandatory delay. The network launched with six genesis validators — Greenfield, Gnosis, Safe Labs, Rockaway, Blockchain Capital, and Core Contributors GmbH — each staking a minimum of 3.5 million SAFE tokens. For the first time, SAFE token holders can delegate tokens to validators and earn staking rewards, representing the first live economic function for the SAFE token beyond governance. Staking rewards are pending SafeDAO approval under SEP-55 as of the launch date.","heading":"Safenet: Structural Response to the Attack Vector","severity":"low","sources":[{"credibility":1,"name":"Safe Launches Safenet Beta, Giving SAFE Token Holders a Role in Network Security — Safe Foundation","type":"official","url":"https://safefoundation.org/blog/safe-launches-safenet-beta"},{"credibility":2,"name":"Safe Launches Safenet Beta, Giving SAFE Token Holders a Role in Network Security — GlobeNewswire","type":"news_article","url":"https://www.globenewswire.com/news-release/2026/4/2/3267250/0/en/safe-launches-safenet-beta-giving-safe-token-holders-a-role-in-network-security.html"},{"credibility":2,"name":"Non-custodial wallet provider Safe unveils security network — The Block","type":"news_article","url":"https://www.theblock.co/post/396147/non-custodial-wallet-safe-security-safenet-tokens"}]},{"content":"The SAFE governance token was launched on April 20, 2022, with a total supply of 1 billion tokens minted by the Safe 
Foundation. SAFE token holders vote on proposals within SafeDAO covering protocol upgrades, treasury management, and strategic direction. The token reached an all-time high of approximately $2.69–$4.48 (sources vary) in April–May 2024. As of approximately April 2026, SAFE traded at roughly $0.14 per token, with a market capitalization of approximately $104 million — representing a decline of approximately 94% from its all-time high. The token has historically served a governance-only function; the Safenet Beta launch in April 2026 introduced the first live staking and economic utility function for SAFE, with staking rewards pending DAO approval. SAFE token holders face smart contract risk and non-on-demand withdrawal terms when delegating to Safenet validators.","heading":"SAFE Token and Governance","severity":"medium","sources":[{"credibility":2,"name":"Safe price today, SAFE to USD live price, marketcap and chart — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/safe1/"},{"credibility":2,"name":"Safe Price Prediction 2025: SAFE Faces Further Challenges After Recent All-time Low — CCN","type":"news_article","url":"https://www.ccn.com/analysis/crypto/safe-price-prediction/"},{"credibility":1,"name":"Safe Launches Safenet Beta — Safe Foundation","type":"official","url":"https://safefoundation.org/blog/safe-launches-safenet-beta"}]},{"content":"The Bybit incident exposed a class of risk inherent to any web-application-layer multisig interface: the trust assumptions users make about frontend rendering. When a user's signing environment (hardware wallet, browser, or app) cannot independently verify raw transaction payloads against the displayed intent, a compromised frontend can substitute malicious calldata without the signer's knowledge. This is sometimes called the 'blind signing problem.' 
Safe's smart contracts are among the most audited on Ethereum and have maintained an unblemished on-chain security record; the Bybit theft did not originate from the contracts. However, the incident demonstrates that nation-state threat actors actively target developers at critical infrastructure providers — including those whose software is used as a dependency by high-value targets. Safe's very ubiquity (used by hundreds of DeFi protocols, DAOs, and institutional custodians) makes its development and deployment pipeline a high-value supply-chain target. The Check Point Research analysis and the Elastic Security Labs 'Bit ByBit' report both note that the attack's sophistication and patience (weeks of AWS reconnaissance before payload delivery) reflects the operational resources and risk tolerance of a state-sponsored actor rather than opportunistic criminals.","heading":"Systemic Supply-Chain Risk Signals","severity":"high","sources":[{"credibility":2,"name":"The Bybit Incident: When Research Meets Reality — Check Point Research","type":"research","url":"https://research.checkpoint.com/2025/the-bybit-incident-when-research-meets-reality/"},{"credibility":2,"name":"Bit ByBit: Emulation of the DPRK's Largest Cryptocurrency Heist — Elastic Security Labs","type":"research","url":"https://www.elastic.co/security-labs/bit-bybit"},{"credibility":2,"name":"The Bybit Hack and What It Teaches Us About Multisig Wallet Security — Certora","type":"research","url":"https://www.certora.com/blog/bybit-hack-multisig-wallet-security"},{"credibility":1,"name":"The Bybit Heist and the Future of U.S. 
Crypto Regulation — CSIS","type":"research","url":"https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation"}]}],"sources_used":[{"credibility":1,"name":"Statement by the Safe Ecosystem Foundation","type":"official","url":"https://safefoundation.org/blog/safe-ecosystem-foundation-statement"},{"credibility":1,"name":"FBI/IC3 Public Service Announcement: North Korea Responsible for $1.5 Billion Bybit Hack","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"credibility":1,"name":"North Korea Responsible for $1.5 Billion Bybit Hack — FBI","type":"regulatory","url":"https://www.fbi.gov/investigate/cyber/alerts/2025/north-korea-responsible-for-1-5-billion-bybit-hack"},{"credibility":2,"name":"Sygnia's Investigation into the Bybit Hack: What We Know So Far","type":"research","url":"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"},{"credibility":2,"name":"Lazarus hacked Bybit via breached Safe{Wallet} developer machine — BleepingComputer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/lazarus-hacked-bybit-via-breached-safe-wallet-developer-machine/"},{"credibility":2,"name":"Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion — The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/03/safewallet-confirms-north-korean.html"},{"credibility":2,"name":"Bybit and Safe Custody Are at Odds on Who's to Blame for $1.5B Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/02/26/bybit-and-safe-custody-blame-each-other-over-usd1-5b-hack"},{"credibility":1,"name":"How North Korea cracked Bybit's crypto safe to steal $1.5 billion — Fortune","type":"news_article","url":"https://fortune.com/crypto/2025/03/04/north-korea-bybit-hack-ethereum-safe-dprk-lazarus-group-tradertraitor/"},{"credibility":2,"name":"Bit ByBit: Emulation of the DPRK's Largest Cryptocurrency Heist — Elastic Security 
Labs","type":"research","url":"https://www.elastic.co/security-labs/bit-bybit"},{"credibility":2,"name":"The Bybit Incident: When Research Meets Reality — Check Point Research","type":"research","url":"https://research.checkpoint.com/2025/the-bybit-incident-when-research-meets-reality/"},{"credibility":1,"name":"The Bybit Heist and the Future of U.S. Crypto Regulation — CSIS","type":"research","url":"https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation"},{"credibility":2,"name":"Safe Wallet responds to Bybit hack with major security improvements — Crypto.news","type":"news_article","url":"https://crypto.news/safe-wallet-responds-to-bybit-hack-with-major-security-improvements/"},{"credibility":2,"name":"Safe CEO Says Bybit Hack Exposed Fragmented Self-Custody Security — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/bybit-hack-safe-rearchitects-systems"},{"credibility":1,"name":"Safe Launches Safenet Beta — Safe Foundation","type":"official","url":"https://safefoundation.org/blog/safe-launches-safenet-beta"},{"credibility":2,"name":"Safe Launches Safenet Beta — GlobeNewswire","type":"news_article","url":"https://www.globenewswire.com/news-release/2026/4/2/3267250/0/en/safe-launches-safenet-beta-giving-safe-token-holders-a-role-in-network-security.html"},{"credibility":2,"name":"Non-custodial wallet provider Safe reports fivefold revenue jump in 2025 — The Block","type":"news_article","url":"https://www.theblock.co/post/388098/crypto-wallet-safe-reports-fivefold-revenue-jump-2025-not-break-even-profitability"},{"credibility":1,"name":"Safe Q1 2026 Quarterly Report — Safe Community Forum","type":"official","url":"https://forum.safefoundation.org/t/safe-q1-2026-quarterly-report-is-now-live/6990"},{"credibility":1,"name":"History of Safe: From Gnosis Safe to beyond — Safe Foundation","type":"official","url":"https://safefoundation.org/blog/history-of-safe"},{"credibility":1,"name":"Safe Smart Account Audits — Safe 
Docs","type":"official","url":"https://docs.safe.global/advanced/smart-account-audits"},{"credibility":2,"name":"Safe Labs Takes the Reins of Popular Multi-Signature Wallet — The Defiant","type":"news_article","url":"https://thedefiant.io/news/infrastructure/safe-labs-takes-the-reins-of-popular-multi-signature-wallet"},{"credibility":2,"name":"Safe price today, SAFE to USD live price, marketcap and chart — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/safe1/"},{"credibility":2,"name":"The Bybit Hack and What It Teaches Us About Multisig Wallet Security — Certora","type":"research","url":"https://www.certora.com/blog/bybit-hack-multisig-wallet-security"},{"credibility":2,"name":"Bybit Hack Traced to Safe{Wallet} Supply Chain Attack — The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html"}],"summary":"Safe{Wallet}, operated by the Safe Ecosystem Foundation, is the dominant smart-contract multisig platform on Ethereum and EVM-compatible chains, securing approximately $35 billion in assets across 61 million accounts as of Q1 2026. In February 2025, a developer machine compromise by North Korea's Lazarus Group (TraderTraitor) allowed attackers to inject malicious JavaScript into the app.safe.global frontend, enabling the theft of approximately $1.5 billion in ETH from Bybit — the largest cryptocurrency heist in history. The Safe smart contracts themselves were not compromised; the attack was entirely at the infrastructure and frontend layer. 
Safe has since rebuilt its infrastructure and launched Safenet, a decentralized transaction-security network, as a structural response.","timeline":[{"date":"2017-01-01","event":"Safe launched as Gnosis Multi-signature Wallet, the first version of what would become the industry-standard Ethereum multisig.","source":"History of Safe — Safe Foundation","source_url":"https://safefoundation.org/blog/history-of-safe"},{"date":"2018-01-01","event":"Gnosis Safe released, introducing a proxy-singleton architecture and modular design, replacing the original Gnosis Multisig.","source":"History of Safe — Safe Foundation","source_url":"https://safefoundation.org/blog/history-of-safe"},{"date":"2022-04-20","event":"Project rebranded from Gnosis Safe to Safe; SAFE governance token launched with 1 billion total supply.","source":"Safe — IQ.wiki","source_url":"https://iq.wiki/wiki/safe"},{"date":"2023-01-01","event":"Safe Ecosystem Foundation formally incorporated; SafeDAO formed following strategic fundraise from investors.","source":"History of Safe — Safe Foundation","source_url":"https://safefoundation.org/blog/history-of-safe"},{"date":"2024-04-25","event":"SAFE token reached its all-time high of approximately $2.69–$4.48 per token.","source":"Safe Price History — CoinMarketCap","source_url":"https://coinmarketcap.com/currencies/safe1/"},{"date":"2025-02-04","event":"A Safe{Wallet} developer's macOS workstation was compromised via social engineering. 
The developer downloaded a Docker project ('MC-Based-Stock-Invest-Simulator-main') containing malware that exploited a PyYAML RCE vulnerability.","source":"Sygnia Investigation into the Bybit Hack","source_url":"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"},{"date":"2025-02-05","event":"Attackers used the developer's extracted AWS credentials to access Safe's cloud infrastructure, hijacking an active session token to bypass MFA.","source":"Sygnia Investigation into the Bybit Hack","source_url":"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"},{"date":"2025-02-19","event":"Attackers injected malicious JavaScript into the file '_app-52c9031bfa03da47.js' in Safe's AWS S3 bucket. The payload was designed to activate only when Bybit's contract addresses were detected.","source":"Sygnia Investigation into the Bybit Hack","source_url":"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"},{"date":"2025-02-21","event":"Bybit's signers used the compromised app.safe.global interface to authorize what appeared to be a routine cold-wallet transfer. The malicious JavaScript silently replaced the transaction's destination, resulting in approximately 400,000 ETH (~$1.5 billion) transferred to attacker-controlled addresses at approximately 14:13 UTC.","source":"FBI/IC3 Public Service Announcement","source_url":"https://www.ic3.gov/psa/2025/psa250226"},{"date":"2025-02-21","event":"Approximately two minutes after the malicious transaction was executed (~14:15 UTC), attackers uploaded clean JavaScript files back to Safe's AWS S3 bucket to erase forensic evidence.","source":"Sygnia Investigation into the Bybit Hack","source_url":"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"},{"date":"2025-02-26","event":"FBI formally attributed the Bybit theft to North Korea's TraderTraitor threat group via IC3 public service announcement. 
Safe and Bybit issued competing statements on responsibility.","source":"FBI/IC3 Public Service Announcement","source_url":"https://www.ic3.gov/psa/2025/psa250226"},{"date":"2025-02-28","event":"Safe Ecosystem Foundation published its official statement, confirming the developer machine compromise, confirming smart contracts were unaffected, and announcing full infrastructure rebuild and credential rotation.","source":"Statement by the Safe Ecosystem Foundation","source_url":"https://safefoundation.org/blog/safe-ecosystem-foundation-statement"},{"date":"2025-03-03","event":"Safe co-founder Martin Koeppelmann confirmed ten UI security improvements had been shipped, including displaying full raw transaction data and removing hardware wallet integrations that raised security concerns.","source":"Safe Wallet responds to Bybit hack with major security improvements — Crypto.news","source_url":"https://crypto.news/safe-wallet-responds-to-bybit-hack-with-major-security-improvements/"},{"date":"2025-03-20","event":"Approximately 86% of the stolen ETH had been converted to Bitcoin and dispersed across thousands of addresses, according to tracking by blockchain analytics firms.","source":"Bybit Hack 2025: $1.5B Stolen by North Korea — Cloudskope","source_url":"https://www.cloudskope.com/breaches/bybit-hack-2025"},{"date":"2025-07-01","event":"Rahul Rumalla joined the Safe ecosystem as VP of Product and Engineering; later became CEO of Safe Labs as the subsidiary took direct operational control of Safe{Wallet}.","source":"Non-custodial crypto wallet Safe reports fivefold revenue jump — The Block","source_url":"https://www.theblock.co/post/388098/crypto-wallet-safe-reports-fivefold-revenue-jump-2025-not-break-even-profitability"},{"date":"2026-04-02","event":"Safe Foundation launched Safenet Beta at EthCC in Cannes, a decentralized transaction-security network using cryptographic attestations to address the blind-signing vulnerability class. 
Six genesis validators each staked a minimum of 3.5 million SAFE tokens.","source":"Safe Launches Safenet Beta — Safe Foundation","source_url":"https://safefoundation.org/blog/safe-launches-safenet-beta"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision c318c471-eca0-4df4-9af9-7b708686a870
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.
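
The row-integrity check described above, reproduced as an added example; it is not avoid.net's `src.verify_decision`. The canonicalization rule (sorted keys, compact separators, raw UTF-8) is inferred from the record shown on this page, and the memo layout, helper names and sample record are assumptions or constructed values.

```python
"""Recompute an audit-log row hash (SHA-256 -> base58) and compare it to the stored value."""
import hashlib
import json
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Bitcoin/Solana-alphabet base58; each leading zero byte becomes a '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def canonical_bytes(record: dict) -> bytes:
    # Assumption: canonical form = sorted keys, no whitespace, non-ASCII left unescaped.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def row_hash(canonical: bytes) -> str:
    return b58encode(hashlib.sha256(canonical).digest())


def verify_row(canonical: bytes, stored_hash: str) -> bool:
    """True only if the bytes, exactly as received, hash to the stored value."""
    return row_hash(canonical) == stored_hash


def matches_display(full_hash: str, shown: str) -> bool:
    """Compare a full hash with a truncated 'head…tail' display string.
    A sanity check only: a prefix/suffix match does not prove integrity."""
    head, sep, tail = shown.partition("…")
    if not sep:
        return full_hash == shown
    return (len(full_hash) >= len(head) + len(tail)
            and full_hash.startswith(head) and full_hash.endswith(tail))


def memo_anchors_hash(memo: str, expected: str) -> bool:
    # Assumption: the memo carries the base58 hash as a whole token.
    # Exact token match, so a longer string that merely contains it is rejected.
    return expected in re.split(r"[^1-9A-HJ-NP-Za-km-z]+", memo)


# Constructed sample record using the field names visible on this page.
SAMPLE = {
    "v": 1,
    "kind": "publish",
    "actor": "system:backfill",
    "sequence_num": 1,
    "page_slug": "example-page",
    "snapshot": {"summary": "constructed sample row (ü)"},
}


def demo() -> dict:
    canonical = canonical_bytes(SAMPLE)
    stored = row_hash(canonical)            # what the log would publish
    tampered = canonical.replace(b'"publish"', b'"correct"')
    reserialized = json.dumps(SAMPLE).encode("utf-8")  # same data, different bytes
    return {
        "intact": verify_row(canonical, stored),
        "tampered": verify_row(tampered, stored),
        "reserialized": verify_row(reserialized, stored),
        "display": matches_display(stored, stored[:12] + "…" + stored[-8:]),
        "memo_exact": memo_anchors_hash("constructed-memo " + stored, stored),
        "memo_longer_token": memo_anchors_hash(stored + "x", stored),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:18} {result}")
```

Hash the canonical bytes exactly as served: re-serializing the parsed JSON changes whitespace or escaping and fails the check even for an untampered row.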