
Mar 07, 2025Ravie LakshmananSecurity Breach / Cryptocurrency

Safe{Wallet} has described the $1.5 billion Bybit cryptocurrency heist as a “highly sophisticated, state-sponsored attack,” adding that the North Korean threat actors behind the hack attempted to erase traces of their malicious activity, hindering investigation efforts.

The multi-signature (multisig) platform has enlisted the help of Google Cloud Mandiant to perform a forensic investigation. The attack is attributed to a hacking group known as TraderTraitor, also referred to as Jade Sleet, PUKCHONG, and UNC4899.

The attack involved the compromise of a Safe{Wallet} developer’s laptop and the hijacking of AWS session tokens to bypass multi-factor authentication (MFA) controls. The developer, referred to as ‘Developer1,’ held elevated access privileges required for their duties and was one of the few personnel with such access.


Upon further analysis, it was determined that the threat actors broke into the developer’s Apple macOS machine on February 4, 2025, via a social engineering attack. The attacker downloaded a Docker project named “MC-Based-Stock-Invest-Simulator-main,” which communicated with a domain “getstockprice[.]com” registered two days prior on Namecheap.

This incident is similar to previous attacks where the TraderTraitor actors have tricked cryptocurrency exchange developers into helping troubleshoot a Docker project after approaching them via Telegram. The Docker project is configured to drop a next-stage payload named PLOTTWIST, enabling persistent remote access.

Although the exact modus operandi used in the latest attack is unclear, Safe{Wallet} stated that “the attacker removed their malware and cleared Bash history in an effort to thwart investigative efforts.”

Ultimately, the malware deployed to the workstation was used to conduct reconnaissance of the company’s Amazon Web Services (AWS) environment. The attackers hijacked active AWS user sessions and performed actions timed to the developer’s working schedule in an attempt to avoid detection.

The attack originated from ExpressVPN IP addresses with User-Agent strings containing distrib#kali.2024. The User-Agent string indicates the use of Kali Linux, which is designed for offensive security practitioners.
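The two signals described above (a hijacked session token reused from a different source IP, and an AWS CLI User-Agent carrying the `distrib#kali` marker) can be checked for in CloudTrail data. The following is an added example, not Safe{Wallet}’s or Mandiant’s tooling; the records, access key ids and IP addresses are constructed, and the `ASIA` prefix is used to recognise temporary (session) credentials.

```python
"""Heuristics over CloudTrail-style events for hijacked session tokens.

Added example, not the tooling used in the investigation. It flags two
signals: a temporary access key (a session token) used from a second
source IP, and a User-Agent carrying the "distrib#kali" marker.
"""
from collections import defaultdict

# Constructed CloudTrail-like records (not real logs from the incident):
# one developer session is first used from the developer's usual IP and
# later reused from a second IP with a Kali-built AWS CLI User-Agent.
# IPs are RFC 5737 documentation addresses; the key id is made up.
KALI_UA = "aws-cli/2.22.0 ua/2.0 os/linux#6.11 md/arch#x86_64 md/distrib#kali.2024"
MAC_UA = "aws-cli/2.22.0 ua/2.0 os/macos#24.3 md/arch#arm64"
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-10T09:05:00Z", "sourceIPAddress": "203.0.113.10",
     "userAgent": MAC_UA, "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "ASIACONSTRUCTED0001"}},
    {"eventTime": "2025-02-10T09:12:00Z", "sourceIPAddress": "203.0.113.10",
     "userAgent": MAC_UA, "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "ASIACONSTRUCTED0001"}},
    {"eventTime": "2025-02-10T09:40:00Z", "sourceIPAddress": "198.51.100.7",
     "userAgent": KALI_UA, "eventName": "ListRoles",
     "userIdentity": {"accessKeyId": "ASIACONSTRUCTED0001"}},
    {"eventTime": "2025-02-10T09:44:00Z", "sourceIPAddress": "198.51.100.7",
     "userAgent": KALI_UA, "eventName": "DescribeInstances",
     "userIdentity": {"accessKeyId": "ASIACONSTRUCTED0001"}},
]


def detect_session_anomalies(events, ua_markers=("distrib#kali",)):
    """Return findings as dicts with kind, accessKeyId, eventTime and detail."""
    findings = []
    ips_by_key = defaultdict(dict)  # accessKeyId -> {sourceIP: first eventTime}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        ip = ev.get("sourceIPAddress", "")
        ua = ev.get("userAgent", "")
        # Signal 1: the client was built on a distribution not used for routine work.
        for marker in ua_markers:
            if marker in ua:
                findings.append({"kind": "suspicious_user_agent", "accessKeyId": key,
                                 "eventTime": ev["eventTime"], "detail": marker})
        # Signal 2: a temporary credential (ASIA prefix) appears from a new source IP,
        # i.e. the same session token is now being used from somewhere else.
        if key.startswith("ASIA"):
            seen = ips_by_key[key]
            if ip not in seen:
                if seen:
                    findings.append({"kind": "session_reused_from_new_ip", "accessKeyId": key,
                                     "eventTime": ev["eventTime"],
                                     "detail": f"{ip} after {sorted(seen)}"})
                seen[ip] = ev["eventTime"]
    return findings
```

The new-IP signal also fires on legitimate moves between office and home networks, so in practice it is baselined against the organisation’s known egress ranges and weighted by the sensitivity of the API calls (IAM and STS enumeration ranking higher than read-only listing).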

The attackers were also observed deploying the open-source Mythic framework and injecting malicious JavaScript code into the Safe{Wallet} website for a two-day period between February 19 and 21, 2025.

Bybit CEO Ben Zhou shared an update earlier this week, stating that over 77% of the stolen funds remain traceable, while 20% have gone dark and 3% have been frozen. The company credits 11 parties, including Mantle, Paraswap, and ZachXBT, for helping to freeze the assets. Approximately 83% (417,348 ETH) has been converted into bitcoin, distributed across 6,954 wallets.


The hack has significant implications, as 2025 is on track for a record year for cryptocurrency heists. Web3 projects have already lost a staggering $1.6 billion in the first two months alone, an 8x increase from the $200 million lost this time last year, according to data from blockchain security platform Immunefi.

“The recent attack highlights the evolving sophistication of threat actors and critical vulnerabilities in Web3 security,” the company stated.

“Verifying that the transaction you are signing will result in the intended outcome remains one of the biggest security challenges in Web3. This is not just a user and education problem — it is an industry-wide issue that demands collective action.”
