Damn. Bybit just released a report: the compromise was not on Bybit, but on the open-source wallet they were using from third-party servers. They hot-swapped the Gnosis SAFE UI in production with JS code that ONLY targeted Bybit's cold wallet.
Security is hard.