
Bybit’s $1.4b breach started with stock invest malware, investigation reveals

by Mia Anderson



North Korean hackers stole $1.4 billion from Bybit after breaching Safe’s Mac laptop through a fake stock investment project that helped them bypass AWS security, Mandiant reveals.

Bybit’s $1.4 billion cyberattack, now the largest crypto theft in history, is believed to have started with malware from a fake stock investment project that compromised Safe’s Mac laptop and bypassed Amazon Web Services security, according to Mandiant’s investigation.

In a March 6 article on X, Safe revealed that the North Korean hacking group known as TraderTraitor compromised a Safe{Wallet} developer’s laptop, “Developer1,” and used stolen AWS session tokens to bypass multi-factor authentication.

According to Mandiant’s investigation, the breach occurred on Feb. 4, when a Docker project — posing as a “stock investment simulator” — was downloaded onto Developer1’s Mac. The project communicated with a suspicious domain (getstockprice[.]com), leading to the malware’s installation.

It is unclear what prompted Developer1 to download the malware onto the workstation, but the investigation notes that similar social engineering tactics have already been used in previous attacks by the hacking group.

Mandiant’s report also found that the attackers bypassed AWS MFA by hijacking active user session tokens, likely through malware on Developer1’s workstation. These hijacked tokens allowed the hackers to access AWS services without needing to pass MFA checks. The attack was conducted from IP addresses linked to a VPN service and security tools designed for offensive hacking, per the report.
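The token-hijacking technique described above defeats MFA because AWS checks the second factor once, when the session is created, and every later API call made with the stolen session token inherits that check. The signal a defender still has is the session itself being used from somewhere the developer is not. The Python below is an added example, not code from the page, Mandiant, Safe or Bybit: it scans CloudTrail-style events for temporary credentials (access key ids beginning with ASIA) that are used from more than one source IP or from outside an assumed trusted egress range. The account id, ARNs, key ids, IPs and the trusted range are constructed placeholders.

```python
"""Flag AWS temporary-session credentials that look hijacked in CloudTrail events."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed CloudTrail-style events for illustration only; they are not
# logs from the Bybit/Safe incident. Account id, ARNs, key ids and source
# IPs are placeholders (RFC 5737 documentation address ranges).
SAMPLE_EVENTS = [
    {   # Developer's own session, MFA-authenticated, from the office range
        "eventTime": "2025-02-04T10:01:12Z", "eventName": "ListBuckets",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESESSION01",
            "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/Developer1",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {   # Same session token replayed later from an unrelated network
        "eventTime": "2025-02-04T10:40:03Z", "eventName": "DescribeInstances",
        "sourceIPAddress": "198.51.100.77",
        "userIdentity": {
            "type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESESSION01",
            "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/Developer1",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {   # A different, benign session used only from the office range
        "eventTime": "2025-02-04T11:15:40Z", "eventName": "GetCallerIdentity",
        "sourceIPAddress": "203.0.113.22",
        "userIdentity": {
            "type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESESSION02",
            "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/Developer2",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {   # Long-term IAM user key: out of scope for this session-replay check
        "eventTime": "2025-02-04T11:20:00Z", "eventName": "ListUsers",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLELONGTERM1",
                         "arn": "arn:aws:iam::123456789012:user/ci-bot"}},
]

# Assumed trusted egress range (constructed); replace with your own.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


def is_temporary_credential(access_key_id):
    """STS temporary credentials carry access key ids that start with 'ASIA'."""
    return access_key_id.startswith("ASIA")


def analyze_sessions(events, trusted_networks):
    """Group events by temporary access key id and report sessions that were
    used from more than one source IP or from outside the trusted networks.
    Returns {access_key_id: finding dict}; benign sessions are omitted."""
    sessions = defaultdict(lambda: {"ips": set(), "arn": None, "mfa": None})
    for ev in events:
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if not is_temporary_credential(key):
            continue
        sess = sessions[key]
        sess["ips"].add(ev["sourceIPAddress"])
        sess["arn"] = ident.get("arn")
        sess["mfa"] = (ident.get("sessionContext", {})
                            .get("attributes", {})
                            .get("mfaAuthenticated"))

    findings = {}
    for key, sess in sessions.items():
        untrusted = sorted(
            ip for ip in sess["ips"]
            if not any(ip_address(ip) in net for net in trusted_networks))
        reasons = []
        if len(sess["ips"]) > 1:
            reasons.append("session used from multiple source IPs")
        if untrusted:
            reasons.append("session used from untrusted network")
        if reasons:
            findings[key] = {
                "arn": sess["arn"],
                # Stays "true" on the replayed call: MFA was checked once, at session start
                "mfa_authenticated": sess["mfa"],
                "source_ips": sorted(sess["ips"]),
                "untrusted_ips": untrusted,
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for key, f in analyze_sessions(SAMPLE_EVENTS, TRUSTED_NETWORKS).items():
        print(key, f["arn"], "; ".join(f["reasons"]), f["source_ips"])
```

The finding for the replayed session still reports mfaAuthenticated as "true", which is the point: once the token is stolen, MFA status tells you nothing, so the source-IP change is what to alert on. The usual follow-ups are to keep role session durations short, bind sessions to expected networks with IAM condition keys, and revoke the affected role's active sessions once a replay is confirmed.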

“Certain gaps in fully recovering certain aspects of the attack remain because the attacker removed their malware and cleared Bash history in an effort to thwart investigative efforts.”

Safe

As a precautionary measure, Safe{Wallet} has reset its infrastructure, restricting external access. It also claims to have enhanced the detection of malicious transactions with Blockaid, a blockchain security firm. According to Safe, its smart contracts were not affected by the breach.

Cryptocurrency exchange Bybit revealed in early March that nearly 20% of the stolen funds are now untraceable, less than two weeks after the exchange lost $1.46 billion in a highly sophisticated attack. In an X post, Bybit CEO Ben Zhou revealed that around 77% of the stolen funds remain traceable, but nearly 20% has “gone dark” through mixing services.


