Full Report
Safe{Wallet} has revealed that the cybersecurity incident that led to the Bybit $1.5 billion crypto heist is a "highly sophisticated, state-sponsored attack," stating the North Korean threat actors behind the hack took steps to erase traces of the malicious activity in an effort to hamper investigation efforts. The multi-signature (multisig) platform, which has roped in Google Cloud Mandiant to
Analysis Summary
# Incident Report: State-Sponsored Compromise and $1.5B Crypto Heist via Supply Chain Attack
## Executive Summary
A highly sophisticated, state-sponsored attack attributed to North Korean threat actors (TraderTraitor/UNC4899) compromised the Safe{Wallet} platform via a developer's workstation, leading to a massive $1.5 billion cryptocurrency heist, primarily affecting Bybit. The attackers leveraged compromised AWS session tokens, bypassing MFA, after infecting a developer's macOS machine with malware planted in a seemingly legitimate Docker project obtained via social engineering. The incident highlights severe operational security risks within Web3 development environments.
## Incident Details
- Discovery Date: February 19-21, 2025 (website injection window); the initial compromise was discovered later through forensic analysis.
- Incident Date: Initial Compromise on February 4, 2025; Impact window February 19-21, 2025.
- Affected Organization: Safe{Wallet} (multisig platform) and Bybit (victim whose funds were stolen).
- Sector: Cryptocurrency / Financial Technology (FinTech).
- Geography: Not explicitly stated beyond the organizations involved.
## Timeline of Events
### Initial Access
- Date/Time: February 4, 2025
- Vector: Social Engineering/Compromised Software Supply Chain.
- Details: Threat actors infected a developer's (Developer1) Apple macOS machine after the developer downloaded a Docker project named "MC-Based-Stock-Invest-Simulator-main," likely obtained through a social engineering approach (previously seen via Telegram).
- Post-Compromise: The Docker project communicated with a newly registered domain, `getstockprice[.]com`. A next-stage payload named `PLOTTWIST` was dropped, establishing persistent remote access.
### Lateral Movement
- Date/Time: Following February 4, 2025, leading up to February 19, 2025.
- Vector: Hijacked AWS Session Tokens.
- Details: The deployed malware was used to conduct reconnaissance on the company's Amazon Web Services (AWS) environment. Attackers hijacked active AWS user sessions, bypassing MFA controls, to perform actions aligning with the developer's schedule.
### Data Exfiltration/Impact
- Date/Time: February 19 - 21, 2025.
- Vector: Malicious JavaScript Injection and Unauthorized Transactions.
- Details: Attackers injected malicious JavaScript code onto the Safe{Wallet} website for a two-day period. This was presumably used to manipulate transaction signing processes, resulting in the theft of an estimated $1.5 billion in cryptocurrency (417,348 ETH converted to BTC across thousands of wallets).
### Detection & Response
- Date/Time: Between February 19 and 21, 2025 (Website compromise detection).
- Details: Safe{Wallet} engaged Google Cloud Mandiant for forensics. Bybit credited 11 external parties (including Mantle, Paraswap, ZachXBT) for tracing and freezing a portion of the assets.
## Attack Methodology
- Initial Access: Compromise of a developer's macOS laptop by downloading a malicious Docker project, likely through social engineering.
- Persistence: Dropping of the `PLOTTWIST` payload providing remote access; use of open-source tooling such as the Mythic framework was observed.
- Privilege Escalation: Not explicitly detailed, but access to heightened permissions was achieved via AWS credential hijacking.
- Defense Evasion: Attackers removed malware and cleared Bash history to thwart investigation immediately following the incident. Use of Kali Linux User-Agent strings (`distrib#kali.2024`) observed during AWS session use.
- Credential Access: Hijacking of live AWS session tokens.
- Discovery: Reconnaissance performed within the AWS environment using developer access.
- Lateral Movement: Utilizing compromised AWS credentials to move and execute actions within the cloud environment.
- Collection: N/A (The goal was transaction manipulation, not file collection, though reconnaissance occurred).
- Exfiltration: Manipulation of multisig signing processes via website injection to funnel funds to attacker-controlled wallets.
- Impact: Theft of approximately $1.5 billion in cryptocurrency.
## Impact Assessment
- Financial: $1.5 billion stolen. 83% (417,348 ETH) converted to Bitcoin and distributed across 6,954 wallets; 20% gone dark, 3% frozen.
- Data Breach: Primarily financial assets stolen; internal systems/data compromise related to the developer workstation.
- Operational: Significant disruption to service integrity and trust in the multisig platform. Contributed to 2025 trending as a record year for crypto heists ($1.6B lost in the first two months).
- Reputational: Severe reputational damage to Safe{Wallet} and associated platforms due to perceived security failures.
## Indicators of Compromise
- Network Indicators: Communication with `getstockprice[.]com` (registered via Namecheap). Use of ExpressVPN IP addresses during AWS activity.
- File Indicators: Malicious Docker project "MC-Based-Stock-Invest-Simulator-main." Payload named `PLOTTWIST`.
- Behavioral Indicators: Use of AWS sessions with User-Agent strings indicating Kali Linux usage (`distrib#kali.2024`). Deployment of Mythic framework. Malicious JavaScript injection on the Safe{Wallet} website.
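The two behavioral indicators above, a Kali Linux user-agent string and a developer's live session token reused by someone else, are both visible in AWS API logs. The following is an added detection example (not code from the report, Safe{Wallet} or Mandiant) that scans constructed CloudTrail-style records for the `distrib#kali` marker and for temporary keys used from more than one client fingerprint; field names follow CloudTrail, but the events and key IDs are made up.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (not real log data). The temporary key
# ASIAEXAMPLEKEY00001 is first used by the developer's usual macOS client and
# then from a Kali Linux user agent at a different source address.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-10T09:02:11Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0 exe/x86_64"},
    {"eventTime": "2025-02-10T09:40:57Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"},
     "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.6.9 distrib#kali.2024"},
    {"eventTime": "2025-02-10T09:41:30Z", "eventName": "ListRoles",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"},
     "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.6.9 distrib#kali.2024"},
    {"eventTime": "2025-02-10T10:15:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00002"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0 exe/x86_64"},
]

# Substrings that should not appear in a developer's AWS client fingerprint;
# "distrib#kali" is the marker reported in this incident.
SUSPICIOUS_UA_MARKERS = ("distrib#kali",)


def find_suspicious_user_agents(events):
    """Return (accessKeyId, sourceIP, userAgent) for each matching event."""
    hits = []
    for ev in events:
        ua = ev.get("userAgent", "").lower()
        if any(marker in ua for marker in SUSPICIOUS_UA_MARKERS):
            hits.append((ev["userIdentity"]["accessKeyId"],
                         ev["sourceIPAddress"], ev["userAgent"]))
    return hits


def find_shared_session_keys(events):
    """Temporary keys (ASIA prefix) seen from more than one IP/user-agent pair.

    A single STS session token in use from two client fingerprints at once is
    the signature of a hijacked session rather than a new login, so it is not
    caught by MFA at authentication time."""
    fingerprints = defaultdict(set)
    for ev in events:
        key = ev["userIdentity"]["accessKeyId"]
        if key.startswith("ASIA"):
            fingerprints[key].add((ev["sourceIPAddress"], ev["userAgent"]))
    return {k: sorted(v) for k, v in fingerprints.items() if len(v) > 1}
```

Because the attackers timed their activity to the developer's working hours, a time-of-day baseline alone would miss this; the fingerprint split on the same key is the stronger signal.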
## Response Actions
- Containment: Identification and remediation of the malicious JavaScript injection on the website (the injection was live February 19-21).
- Eradication: Forensic analysis by Mandiant is underway; cleanup of the developer workstation is implied by the malware's removal.
- Recovery: Asset tracing effort involving 11 third-party entities, resulting in the freezing of 3% of stolen assets and the tracing of 77%.
## Lessons Learned
- The attack underscores the evolving sophistication of North Korean threat actors targeting the Web3 supply chain.
- Compromising a single senior developer's endpoint (especially one with high-privilege access) can bypass robust MFA controls if cloud credentials are stolen and abused.
- Verifying transaction intent ("What you sign is what you get") remains a critical, unsolved challenge in Web3 security.
- Operational Security (OPSEC) procedures concerning the downloading and execution of untrusted code, even within development contexts (like Docker projects), must be extremely stringent.
## Recommendations
- Implement mandatory, real-time **Transaction Verification Solutions** at the protocol or wallet level that clearly articulate the resulting transaction outcome before final signing.
- Strengthen **Endpoint Detection and Response (EDR)** specifically tailored for developer workstations, focusing on container environments (Docker) and software supply chain integrity checks.
- Immediately rotate **all high-privilege AWS session tokens**, review segmentation controls, and enforce stricter access policies, especially regarding the use of developer credentials for cloud access.
- Implement **Mandatory Code Review/Vetting** for all third-party or open-source projects integrated into internal development pipelines.