Full Report
The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared a "war against Lazarus." The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster
Analysis Summary
# Incident Report: Bybit Cryptocurrency Heist (\$1.5 Billion)
## Executive Summary
North Korean threat actors, specifically the Lazarus Group sub-cluster tracked as TraderTraitor (Jade Sleet/Slow Pisces/UNC4899), executed a record-breaking \$1.5 billion theft of virtual assets from the cryptocurrency exchange Bybit. The attack escalated via a supply chain compromise targeting the infrastructure of multisig wallet provider Safe{Wallet}, leading to the compromise of a Bybit Ethereum Multisig Cold Wallet transaction. Despite initial efforts to trace the funds, the attackers quickly dispersed the stolen assets across numerous addresses and blockchains.
## Incident Details
- **Discovery Date:** Not stated in the source; forensic analysis places the start of the compromise around February 19, 2025, with the final transaction occurring on February 21, 2025.
- **Incident Date:** February 21, 2025 (Date of key transaction/theft).
- **Affected Organization:** Bybit (Cryptocurrency Exchange).
- **Sector:** Cryptocurrency/Web3 Finance.
- **Geography:** Bybit is Dubai-based, though the attack vector involved US/European infrastructure (Safe{Wallet}).
## Timeline of Events
### Initial Access
- **Date/Time:** February 19, 2025 (15:29:25 UTC)
- **Vector:** Supply Chain Compromise via Safe{Wallet} infrastructure.
- **Details:** A benign JavaScript file on `app.safe.global` (infrastructure used by Safe{Wallet}) was replaced with malicious code. This compromise is suspected to stem from a leaked or compromised AWS S3/CloudFront account/API Key associated with Safe.Global, or the compromise of a Safe{Wallet} developer machine. Separately, Lazarus registered the lookalike domain `bybit-assessment[.]com` on February 20, 2025, suggesting potential pre-breach social engineering activities.
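The initial-access detail above is a served JavaScript file silently replaced on a CDN-backed host. The check a defender wants for that is an integrity pin held outside the CDN: either a browser-enforced Subresource Integrity attribute, or an out-of-band monitor that hashes what is actually being served against a manifest published with the release. The following Python is an added example, not code from the original report, Bybit or Safe{Wallet}; the bundle bytes, asset path and manifest are constructed, and the only real name reused is the `app.safe.global` host named above.

```python
"""Verify a served JavaScript asset against a digest pinned outside the CDN.

Added example (not from the original report, Bybit or Safe{Wallet}). The
bundle bytes, asset path and manifest are constructed for illustration; the
only real name reused is the app.safe.global host named in the report.
"""
import base64
import hashlib

# Constructed known-good bundle, as produced by the build pipeline.
PINNED_BUNDLE = b"export function buildTx(to, value) { return { to, value }; }\n"

# Constructed manifest of pinned SHA-256 digests. Assumption: the pipeline
# publishes it out of band (e.g. committed with the release), so someone who
# can rewrite objects on the CDN cannot also rewrite the expectation.
PINNED_MANIFEST = {
    "app.safe.global/assets/tx-builder.js": hashlib.sha256(PINNED_BUNDLE).hexdigest(),
}


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for data, e.g. 'sha384-<base64 digest>'.

    Suitable for a <script integrity="..."> attribute, so the browser refuses
    a bundle whose bytes no longer match what the page author pinned.
    """
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_asset(path: str, served: bytes, manifest: dict) -> dict:
    """Compare the bytes actually served for `path` with the pinned digest."""
    expected = manifest.get(path)
    actual = hashlib.sha256(served).hexdigest()
    if expected is None:
        status = "UNPINNED"   # nothing to compare against: a coverage gap, not proof of tampering
    elif actual == expected:
        status = "OK"
    else:
        status = "MISMATCH"   # content changed without a manifest update: investigate
    return {"path": path, "status": status, "expected": expected,
            "actual": actual, "sri": sri_hash(served)}


def scan(served_assets: dict, manifest: dict) -> list:
    """Run check_asset over a {path: bytes} snapshot, e.g. fetched by a periodic monitor."""
    return [check_asset(p, content, manifest) for p, content in served_assets.items()]


if __name__ == "__main__":
    # Constructed drift: the same file with one extra line appended.
    changed = PINNED_BUNDLE + b"// one more line\n"
    for result in scan({"app.safe.global/assets/tx-builder.js": changed}, PINNED_MANIFEST):
        print(result["status"], result["path"], result["sri"])
```

One caveat on the monitor approach: a poller only sees what the CDN serves to the poller. If whoever controls the origin can vary responses per client, the browser-enforced `integrity` attribute (the `sri` value above) is the stronger control, because it is evaluated on the very bytes the signer's browser executes.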
### Lateral Movement
- **Details:** The attack leveraged the compromise to propose a disguised malicious transaction targeting Bybit's Ethereum Multisig Cold Wallet. The attack was designed to activate during the *next* Bybit transaction.
### Data Exfiltration/Impact
- **Date/Time:** February 21, 2025 (14:13:35 UTC)
- **Details:** The unauthorized transaction executed, resulting in the theft of approximately \$1.5 billion in virtual assets. Stolen assets were rapidly converted to Bitcoin and dispersed across thousands of addresses on multiple blockchains, likely using mixers and bridges to obscure traceability.
### Detection & Response
- **Details:** Forensic investigations conducted by Sygnia and Verichains pinpointed the root cause to malicious code originating from Safe{Wallet}'s compromised infrastructure. Bybit subsequently launched a **Lazarus Bounty Program** to aid in fund recovery and publicly called out entities (like eXch) refusing to cooperate in freezing assets.
## Attack Methodology
- **Initial Access:** Supply chain compromise via a malicious code injection targeting a third-party vendor (Safe{Wallet}'s infrastructure/build environment), potentially facilitated by credential compromise (AWS/API Key leak or compromised developer host). A lookalike domain (`bybit-assessment[.]com`) was registered just prior, indicative of precursor reconnaissance/social engineering setup.
- **Persistence:** Not explicitly detailed, but access was maintained long enough to inject malicious code into the vendor platform.
- **Privilege Escalation:** Inherited privileges from the compromised Safe{Wallet} infrastructure sufficient to modify production code targeting Bybit's specific multisig wallet.
- **Defense Evasion:** The malicious payload was delivered via a "benign JavaScript file," minimizing immediate detection during standard checks. The subsequent dispersal of funds across thousands of addresses aided evasion of immediate freezing efforts.
- **Credential Access:** Suspected compromise of developer credentials or API keys related to the AWS S3/CloudFront environment hosting essential code for Safe{Wallet}.
- **Discovery:** The attacker group (TraderTraitor/Lazarus) relies on established patterns, often involving social engineering campaigns (job-themed) that can lead to malware deployment or credential harvesting.
- **Lateral Movement:** Movement within the target structure was achieved by proposing the disguised malicious transaction targeting the specific multisig wallet.
- **Collection:** Focused extraction of high-value virtual assets held in the targeted multisig cold storage.
- **Exfiltration:** Rapid movement of stolen assets across multiple blockchains, utilizing mixers and bridges, and converting to Bitcoin or stablecoins.
- **Impact:** Massive financial loss to Bybit and its users (\$1.5 Billion).
## Impact Assessment
- **Financial:** \$1.5 Billion stolen, representing a record loss for a single crypto hack and surpassing all estimated crypto theft for 2024 combined.
- **Data Breach:** Theft of virtual assets/cryptocurrency. No mention of standard PII or sensitive corporate data breach.
- **Operational:** Significant operational strain due to fund tracing, recovery efforts, and public relations management (e.g., freezing assets from unwilling exchanges).
- **Reputational:** Major reputational hit for Bybit and Safe{Wallet} due to the severity of the supply chain compromise.
## Indicators of Compromise
- **Network Indicators (Defanged):**
  - Domain registration: `bybit-assessment[.]com` (Registered Feb 20, 2025).
  - Infrastructure utilized: Compromised AWS S3/CloudFront account/API keys related to Safe.Global.
- **File Indicators:**
  - Maliciously replaced JavaScript file targeting Ethereum Multisig Cold Wallets.
- **Behavioral Indicators:**
  - Proposal and execution of a disguised malicious multisig transaction just after code deployment.
  - Rapid dispersion of stolen funds across thousands of addresses on multiple blockchains.
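The network indicator above is published defanged, and the lookalike pattern it represents (brand name plus a plausible suffix) is worth matching beyond the single registered name. The following Python is an added example, not part of the original report: it refangs the listed domain, scans DNS query log lines for exact matches, and separately flags registrable names that embed a watched brand label without being that brand. The log lines are constructed; the only indicator taken from the report is `bybit-assessment[.]com`, and the `registrable()` helper is a deliberately crude last-two-labels approximation.

```python
"""Match defanged domain IoCs and brand lookalikes against DNS query logs.

Added example, not part of the original report. The log lines below are
constructed; the only indicator taken from the report is the defanged
domain bybit-assessment[.]com.
"""
import re

IOC_DOMAINS_DEFANGED = ["bybit-assessment[.]com"]   # from the report
BRANDS = ["bybit"]                                   # brand labels to watch for lookalikes


def refang(domain: str) -> str:
    """Turn 'example[.]com' or 'hxxp://example(.)com/' back into a matchable hostname."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    for bracketed in ("[.]", "(.)", "{.}"):
        d = d.replace(bracketed, ".")
    return d.rstrip("/")


def defang(domain: str) -> str:
    """Make a hostname safe to paste into reports (dots bracketed)."""
    return domain.replace(".", "[.]")


def registrable(fqdn: str) -> str:
    """Crude eTLD+1: the last two labels.

    Enough for the .com-style names in this constructed sample; a real
    deployment would consult the Public Suffix List instead.
    """
    labels = fqdn.strip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(fqdn: str, brands) -> bool:
    """True when the registrable label embeds a brand name without being the brand itself."""
    sld = registrable(fqdn).split(".")[0]
    return any(b in sld and sld != b for b in brands)


# Constructed DNS query log: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2025-02-20T10:01:02Z 10.0.4.21 cdn.example-internal.net A
2025-02-20T10:03:44Z 10.0.4.21 bybit-assessment.com A
2025-02-20T10:04:10Z 10.0.7.9 www.bybit.com A
2025-02-20T10:05:31Z 10.0.7.9 login-bybit-support.com A
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_dns_log(log_text: str, iocs=IOC_DOMAINS_DEFANGED, brands=BRANDS) -> list:
    """Return one hit per log line that matches a known IoC or looks like a brand lookalike."""
    known = {refang(d) for d in iocs}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        q = qname.lower().rstrip(".")
        if q in known or registrable(q) in known:
            reason = "known IoC"
        elif is_lookalike(q, brands):
            reason = "brand lookalike (review registration date and WHOIS)"
        else:
            continue
        hits.append({"ts": ts, "client": client, "qname": defang(q), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

The lookalike rule is intentionally noisy; its purpose is to surface candidates for an analyst to check against registration date (the report's indicator was registered the day before the theft), not to block on its own.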
## Response Actions
- **Containment:** Forensic investigation by Sygnia and Verichains to determine the root cause within the supply chain. Publicly identifying the threat actor as Lazarus.
- **Eradication:** Implementation of added security measures by Safe{Wallet} to mitigate the exploited supply chain vector (compromised developer machine/code injection capability).
- **Recovery:** Launching a public **Lazarus Bounty Program** to crowdsource assistance in tracing and freezing the dispersed assets. Publicly engaging with exchanges refusing cooperation.
## Lessons Learned
- **Supply Chain is Critical:** Compromise of a trusted third-party vendor (Safe{Wallet}) was the primary entry vector for manipulating the victim's critical assets.
- **Importance of Infrastructure Security:** Compromise of cloud credentials (AWS S3/API keys) provided sufficient access to inject malicious code into production environments.
- **Speed of Laundering:** The threat actors executed funds conversion and dispersion across thousands of addresses extremely quickly, highlighting the need for pre-arranged agreements with exchanges for rapid freezing.
## Recommendations
- **Vendor Due Diligence:** Implement enhanced, continuous monitoring and auditing of security practices, especially code signing and deployment processes, for all critical infrastructure providers (e.g., multisig wallet platforms).
- **Advanced Detection:** Focus on behavioral anomaly detection within multisig approval processes rather than relying solely on static code analysis, as malicious code can arrive disguised as benign updates.
- **Zero Trust on Infrastructure:** Enforce strict lifecycle management and rotation of AWS/Cloud keys, minimizing privileges granted to automated deployment pipelines.
- **Proactive Engagement:** Establish pre-breach communication protocols with centralized exchanges and blockchain analytics firms to expedite asset freezing during large-scale thefts.
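The Lateral Movement section describes a disguised transaction proposed to the cold-wallet multisig, and the "Advanced Detection" recommendation above asks for behavioural checks inside the approval process rather than reliance on static analysis of frontend code. The following Python is an added example serving both passages; it is not code from the original report, Bybit or Safe{Wallet}. It models a policy gate that runs before any signer approves: the fields the signing UI displays must equal the fields independently decoded from the payload being signed, the destination must be allowlisted, the value must stay under a cap, the operation type is restricted, and a proposal landing shortly after a frontend deployment gets an extra finding that forces out-of-band confirmation. The transaction tuple is a simplified Safe-style (to, value, data, operation) shape; the allowlist, cap, quiet period, addresses and sample transactions are constructed, and the only values reused from the report are the two timestamps.

```python
"""Policy gate for a proposed multisig transaction, run before any signer approves.

Added example (not from the original report, Bybit or Safe{Wallet}). It uses
a simplified Safe-style transaction tuple (to, value, data, operation); the
allowlist, value cap, quiet period, addresses and sample transactions are
constructed. The two timestamps reused from the report are the frontend
change on 2025-02-19 15:29:25 UTC and the transaction on 2025-02-21 14:13:35 UTC.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CALL, DELEGATECALL = 0, 1   # Safe operation codes (assumed format for this example)


@dataclass(frozen=True)
class Tx:
    to: str
    value_wei: int
    data: str            # hex calldata, "0x" for a plain transfer
    operation: int
    proposed_at: datetime


@dataclass
class Policy:
    allowed_destinations: frozenset   # lower-case hex addresses
    max_value_wei: int
    allow_delegatecall: bool = False
    # Proposals this soon after a frontend/bundle change get an extra finding,
    # forcing out-of-band confirmation instead of trusting the signing UI alone.
    deployment_quiet_period: timedelta = timedelta(hours=24)


def evaluate(displayed: Tx, signed: Tx, policy: Policy, last_frontend_deploy: datetime) -> list:
    """Return findings for the proposal; an empty list means every rule passed."""
    findings = []
    # Rule 1: what the signing UI shows must equal what the key actually signs,
    # with `signed` decoded independently of the web frontend (e.g. on the
    # hardware wallet or from the raw payload), not read back from the same page.
    for name in ("to", "value_wei", "data", "operation"):
        if getattr(displayed, name) != getattr(signed, name):
            findings.append(f"UI/payload mismatch on '{name}'")
    # Rule 2: destination allowlist for cold-wallet outflows.
    if signed.to.lower() not in policy.allowed_destinations:
        findings.append("destination not on allowlist")
    # Rule 3: per-transaction value cap.
    if signed.value_wei > policy.max_value_wei:
        findings.append("value exceeds per-transaction cap")
    # Rule 4: operation type. A delegatecall runs foreign code in the wallet's
    # own storage context, so it is denied unless the policy opts in.
    if signed.operation == DELEGATECALL and not policy.allow_delegatecall:
        findings.append("delegatecall not permitted")
    # Rule 5: behavioural timing check against the last frontend deployment.
    if signed.proposed_at - last_frontend_deploy < policy.deployment_quiet_period:
        findings.append("proposed inside quiet period after frontend change; confirm out of band")
    return findings


def run_samples() -> tuple:
    """Constructed scenario: one clean proposal and one where UI and payload disagree."""
    hot_wallet = "0x" + "a1" * 20          # constructed allowlisted address
    other = "0x" + "b2" * 20               # constructed non-allowlisted address
    policy = Policy(
        allowed_destinations=frozenset({hot_wallet}),
        max_value_wei=10_000 * 10**18,
    )
    last_deploy = datetime(2025, 2, 19, 15, 29, 25, tzinfo=timezone.utc)
    when = datetime(2025, 2, 21, 14, 13, 35, tzinfo=timezone.utc)

    clean = Tx(hot_wallet, 100 * 10**18, "0x", CALL, when)
    clean_findings = evaluate(clean, clean, policy, last_deploy)

    # Displayed as a routine transfer, but the bytes presented for signature differ.
    shown = Tx(hot_wallet, 100 * 10**18, "0x", CALL, when)
    actual = Tx(other, 100 * 10**18, "0xdeadbeef", DELEGATECALL, when)
    disguised_findings = evaluate(shown, actual, policy, last_deploy)
    return clean_findings, disguised_findings


if __name__ == "__main__":
    clean, disguised = run_samples()
    print("clean:", clean or "no findings")
    print("disguised:", disguised)
```

The design point is that rule 1 is only meaningful if `signed` comes from a source the frontend cannot influence; a check that compares the page against itself detects nothing. Rules 2 to 5 are the behavioural layer the recommendation asks for: they would fire on the disguised sample even if the frontend had been trusted completely.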