Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by multiple cybersecurity teams, including Sygnia.

This attack exposed significant security vulnerabilities across various domains, including macOS malware, AWS cloud compromise, application security, and smart contract security.

The incident involved unauthorized activity in Bybit’s Ethereum (ETH) cold wallets, where an ETH multisig transaction was manipulated through Safe{Wallet} from a cold wallet to a warm wallet, allowing attackers to siphon funds.

Attack Timeline

The earliest known malicious activity began on February 4, 2025, when a Safe{Wallet} developer’s macOS workstation was compromised, likely through social engineering.

This led to the theft of AWS access tokens, which were used to access Safe{Wallet}’s AWS infrastructure between February 5 and February 21.

During this period, attackers operated within the infrastructure, although specific details of their activities remain limited.

On February 19, JavaScript resources hosted on an AWS S3 bucket serving Safe{Wallet}’s web interface were modified with malicious code.

According to Sygnia Report, this code was designed to manipulate transactions specifically targeting Bybit’s cold wallet.

On February 21, Bybit initiated a transaction using Safe{Wallet}’s interface, which was manipulated by the attackers, allowing them to transfer over 400,000 ETH without requiring additional multisig approval.

Tactics

The attackers leveraged a delegate call mechanism in smart contracts to replace the original contract implementation with a malicious version.

This introduced sweepETH and sweepERC20 functions, enabling the unauthorized transfer of funds.

Following the transaction, the malicious code was quickly removed from the JavaScript resources, likely in an attempt to cover their tracks.

The attack has been attributed to the Lazarus Group, also known as TradeTraitor or UNC4899, a threat actor linked to the Democratic People’s Republic of Korea (DPRK).

This attribution was confirmed by both the FBI and Mandiant.

The Bybit hack highlights the lack of standardized security standards in the crypto industry, unlike traditional banking, which adheres to strict regulations.

This lack of oversight leaves the industry vulnerable to sophisticated attacks.

The incident also underscores the importance of comprehensive forensic investigations and transparency in disclosing attack vectors to enhance industry-wide defenses against such threats.

The Bybit case sets a precedent for detailed forensic transparency, which is crucial for exposing attackers’ tactics and enhancing industry defenses.

Given the high financial incentives of crypto heists, security teams must remain vigilant and proactive in developing adaptive defenses against evolving threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!