

Ethical Hacking News

A State-Sponsored $1.5 Billion Crypto Heist: The Highly Sophisticated Attack on Safe{Wallet}



Safe{Wallet} has described the attack behind the $1.5 billion Bybit crypto heist as a highly sophisticated, state-sponsored operation. The attackers, the North Korean TraderTraitor group, combined social engineering, malware on a developer's workstation and hijacked AWS session tokens to reach Safe{Wallet}'s infrastructure, then served malicious JavaScript from its web frontend. The incident is a stark reminder of the threat landscape facing cryptocurrency custody and exchanges, and of the need for robust security controls to protect against such attacks.

  • The $1.5 billion crypto heist on Bybit is attributed to a "highly sophisticated, state-sponsored attack" by North Korean threat actors.
  • The attackers followed the TraderTraitor group's modus operandi: approaching developers via Telegram and tricking them into helping troubleshoot a Docker project.
  • The intrusion began with a social engineering attack on February 4, 2025, followed by reconnaissance of Safe{Wallet}'s AWS environment and hijacking of active AWS user sessions.
  • The attackers hijacked the developer's AWS session tokens to bypass multi-factor authentication, then removed their malware and cleared the Bash history to hamper the investigation.
  • They deployed the open-source Mythic framework and injected malicious JavaScript into the Safe{Wallet} website for a two-day period (February 19 to 21, 2025).
  • About 77% of the stolen funds remain traceable, while 20% have gone dark and 3% are frozen.
  • The attackers operated from ExpressVPN IP addresses with User-Agent strings indicating Kali Linux, an indicator defenders can hunt for in their own logs.



    Safe{Wallet} has revealed that the cybersecurity incident that led to the Bybit $1.5 billion crypto heist is a "highly sophisticated, state-sponsored attack," stating the North Korean threat actors behind the hack took steps to erase traces of the malicious activity in an effort to hamper investigation efforts.

    The multi-signature (multisig) platform, which has roped in Google Cloud Mandiant to perform a forensic investigation, said the attack is the work of a hacking group dubbed TraderTraitor, which is also known as Jade Sleet, PUKCHONG, and UNC4899. This group's modus operandi involves tricking cryptocurrency exchange developers into helping troubleshoot a Docker project after approaching them via Telegram.

    The incident began when a Safe{Wallet} developer downloaded a Docker project named "MC-Based-Stock-Invest-Simulator-main" likely via a social engineering attack on February 4, 2025. The project communicated with a domain "getstockprice[.]com" that was registered on Namecheap two days before. This domain served as the entry point for the attackers' malware, which was used to conduct reconnaissance of the company's Amazon Web Services (AWS) environment and hijack active AWS user sessions.

    The compromise of the developer's Apple macOS laptop is what let the attackers hijack AWS session tokens and thereby bypass multi-factor authentication controls. The attacker later removed the malware and cleared the Bash history in an effort to thwart investigative efforts, further complicating the investigation.

    Further analysis revealed that the threat actors hijacked the developer's AWS session tokens. Because a stolen session token is an already-authenticated credential, the attackers could operate inside the AWS environment as the developer without facing a fresh MFA challenge, and used that foothold to reach the Safe{Wallet} platform's infrastructure.

    The attackers have also been observed deploying the open-source Mythic framework, as well as injecting malicious JavaScript code into the Safe{Wallet} website for a two-day period between February 19 and 21, 2025. That injected code, served to users from the legitimate Safe{Wallet} frontend, is what tampered with the Bybit transaction; the malware removal and cleared Bash history were separate anti-forensic steps meant to hamper the investigation.

    In a statement, Bybit CEO Ben Zhou said that over 77% of the stolen funds remain traceable, while 20% have gone dark and 3% have been frozen. The company has credited 11 parties, including Mantle, Paraswap, and ZachXBT, for helping it freeze the assets.

    The attackers' use of ExpressVPN IP addresses with User-Agent strings containing "distrib#kali.2024" indicates Kali Linux, a Linux distribution built for penetration testers. On its own that says nothing about sophistication; it is, however, a usable indicator for hunting in CloudTrail and web server logs, alongside the VPN egress addresses.
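    The session-token hijack described above and the VPN-plus-Kali User-Agent indicator are both visible in AWS CloudTrail, where every API call records the access key ID, source IP and User-Agent that made it. The following is an added example for this article, not code from Safe{Wallet}, Bybit, Mandiant or any of the cited sources: it groups CloudTrail-style records by STS session key and flags a session that is replayed from a second source IP or carries a suspicious User-Agent. The records are constructed, and the IP addresses, ARNs and access key IDs are placeholders; the field names follow CloudTrail's event JSON layout.

```python
"""Flag hijacked AWS STS sessions in CloudTrail-style records.

Added example for this article; not code from Safe{Wallet}, Bybit, Mandiant
or Silent Push. The records are constructed and the IP addresses, ARNs and
access key IDs are placeholders. Field names follow CloudTrail's event JSON
(userIdentity.accessKeyId, userIdentity.arn, sourceIPAddress, userAgent,
eventName, eventTime).
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed records, not real telemetry. A developer's temporary credential
# (STS access key IDs begin with "ASIA") is used from the corporate egress IP
# with a macOS CLI user agent, then reused from a different IP with a user
# agent carrying the "distrib#kali.2024" marker described in the article.
# A second, unrelated session behaves normally and must not be flagged.
DEV1 = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEDEV1SESS",
        "arn": "arn:aws:sts::123456789012:assumed-role/Developer1/session"}
CI = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLECIBUILD01",
      "arn": "arn:aws:sts::123456789012:assumed-role/ci-build/session"}
MAC_UA = "aws-cli/2.15.0 Python/3.11.6 Darwin/23.1.0 exe/x86_64"
KALI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.6.9-amd64 exe/x86_64 distrib#kali.2024"

SAMPLE_EVENTS = [
    {"eventTime": "2025-02-18T09:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userAgent": MAC_UA, "userIdentity": DEV1},
    {"eventTime": "2025-02-18T09:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userAgent": MAC_UA, "userIdentity": DEV1},
    {"eventTime": "2025-02-18T11:40:00Z", "eventName": "ListRoles",
     "sourceIPAddress": "198.51.100.77", "userAgent": KALI_UA, "userIdentity": DEV1},
    {"eventTime": "2025-02-18T11:42:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77", "userAgent": KALI_UA, "userIdentity": DEV1},
    {"eventTime": "2025-02-18T11:45:00Z", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.20",
     "userAgent": "aws-sdk-go/1.50.0 (go1.21; linux; amd64)", "userIdentity": CI},
]

# Lower-case substrings of userAgent that should never appear in legitimate
# developer or CI traffic; extend with whatever your fleet never emits.
SUSPICIOUS_UA_MARKERS = ("kali",)


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_hijacked_sessions(events, ua_markers=SUSPICIOUS_UA_MARKERS):
    """Group records by STS access key and flag any session that is used from
    more than one source IP, or with a user agent matching ua_markers.

    A stolen session token is replayed by the attacker from their own egress
    (here a VPN exit), so the same accessKeyId shows up from a second IP while
    the developer's own calls came from the first one. Returns one finding per
    flagged session, in order of first use."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith("ASIA"):  # temporary credential issued by STS
            by_key[key].append(ev)

    findings = []
    for key, evs in by_key.items():
        evs = sorted(evs, key=lambda e: _parse_time(e["eventTime"]))
        source_ips, pivot = [], None  # pivot: first call from a second IP
        for ev in evs:
            ip = ev.get("sourceIPAddress", "unknown")
            if ip not in source_ips:
                source_ips.append(ip)
                if len(source_ips) == 2:
                    pivot = ev
        ua_hits = [ev for ev in evs
                   if any(m in ev.get("userAgent", "").lower() for m in ua_markers)]
        reasons = []
        if len(source_ips) > 1:
            reasons.append("session reused from %d source IPs: %s"
                           % (len(source_ips), ", ".join(source_ips)))
        if ua_hits:
            reasons.append("%d calls with an offensive-tooling user agent" % len(ua_hits))
        if reasons:
            findings.append({
                "accessKeyId": key,
                "principal": evs[0]["userIdentity"].get("arn"),
                "source_ips": source_ips,
                "suspicious_ua_events": len(ua_hits),
                "pivot_event": None if pivot is None else "%s %s from %s" % (
                    pivot["eventTime"], pivot["eventName"], pivot["sourceIPAddress"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_sessions(SAMPLE_EVENTS):
        print(finding["principal"], finding["accessKeyId"])
        for reason in finding["reasons"]:
            print("  -", reason)
        print("  pivot:", finding["pivot_event"])
```

    A second source IP on its own is a noisy signal, since a developer joining a VPN changes egress legitimately, so in practice pair it with an allowlist of corporate and VPN exit ranges and with the User-Agent check; the pivot event gives the responder the timestamp from which to build the timeline. The Kali marker only matches while the attacker leaves it in the User-Agent, so treat it as a cheap indicator rather than a control.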

    In conclusion, this $1.5 billion heist is another example of the state-sponsored attacks that are becoming increasingly common against cryptocurrency exchanges and custody providers. Safe{Wallet}'s attribution to the TraderTraitor group is a reminder that the weakest link was a single developer's workstation and the cloud session tied to it, and that robust security controls and continued vigilance are needed in the face of evolving threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-State-Sponsored-15-Billion-Crypto-Heist-The-Highly-Sophisticated-Attack-on-SafeWallet-ehn.shtml

  • https://thehackernews.com/2025/03/safewallet-confirms-north-korean.html

  • https://thehackernews.com/2023/07/north-korean-state-sponsored-hackers.html

  • https://www.silentpush.com/blog/lazarus-bybit/


  • Published: Fri Mar 7 00:35:22 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
