
Info

ID: AC-0001
Campaign: The ByBit Heist
Platforms: Linux, macOS, Windows, IaaS
First Seen: February 4, 2025
Last Seen: February 21, 2025

ByBit $1.5B Crypto Heist

The ByBit Crypto Heist represents one of the most significant financial attacks in cryptocurrency history, resulting in the theft of approximately $1.4-1.5 billion worth of cryptocurrency. The attack leveraged a sophisticated supply chain compromise of Safe{Wallet} infrastructure to manipulate multi-signature wallet transactions during a routine transfer between cold and hot wallets. This attack, officially attributed by the FBI to North Korea's Lazarus Group (also known as TraderTraitor), demonstrates how third-party service compromises can lead to catastrophic financial losses in the cryptocurrency sector.

Groups

ID | Group | Description
G0032 | Lazarus Group | Lazarus Group is a North Korean state-sponsored cyber warfare unit that has been active since at least 2014. The group is known for its use of advanced malware and has been linked to numerous cyber attacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack.

Software

Name | Type | Platform | Description
MC-Based-Stock-Invest-Simulator-main | Malware | macOS | Malware disguised as a legitimate Docker project for social engineering delivery. It was designed to harvest AWS credentials and establish persistence on developer workstations, allowing remote code execution through insecure deserialization.
_app-52c9031bfa03da47.js | Malware | Web, IaaS | Malicious JavaScript designed to manipulate Safe{Wallet} web interface transactions. The code included activation conditions specific to ByBit wallet addresses and transaction manipulation capabilities using smart contract delegatecall functionality.
Mythic | Tool | macOS | MythicAgents is an open-source offensive framework providing post-exploitation capabilities for macOS environments.

Technique Used

Tactic | Technique | Sub-Technique | Use
Reconnaissance | Public Source Code And Artifacts Analysis | Static Code Analysis | Adversaries downloaded the statically hosted Next.js bundle from S3 and reviewed its code and asset paths to learn where and how Safe proposes transactions and serves JavaScript, paving the way for S3 tampering.
Reconnaissance | Public Source Code And Artifacts Analysis | Public Repository Discovery | Discovery of Safe{Wallet} developer accounts and organizational repositories to understand development processes and identify potential social engineering targets with AWS access.
Resource Development | Develop Capabilities | Malware | Development of macOS malware disguised as legitimate Docker project "MC-Based-Stock-Invest-Simulator-main" for social engineering delivery. The malware was designed to harvest AWS credentials and establish persistence on developer workstations.
Gain Access | Supply Chain Compromise | Compromise Software Dependencies and Development Tools | The weaponised Docker project was delivered to Developer1 through a job-themed social-engineering lure, compromising the developer workstation and tool-chain.
Gain Access | Valid Accounts | Cloud Accounts | Harvesting of Developer1's AWS credentials from the compromised macOS workstation, providing legitimate access to Safe{Wallet}'s AWS infrastructure.
Payload Execution | Remote Code Execution Exploitation | Insecure Deserialization Exploitation | The malicious Docker project "MC-Based-Stock-Invest-Simulator-main" contained a data_fetcher.py class that appeared to fetch legitimate stock market data but included vulnerable deserialization functionality. The attacker-controlled server returned a malicious YAML payload, allowing for remote code execution through insecure deserialization.
Deepening Control | C2 over App-Protocols | Web Protocols | The injected JS proposed the forged upgrade via an ordinary POST /v1/chains/…/transactions//propose to safe-client.safe.global and polled the same REST API until all signatures were gathered, tunnelling C2 over trusted HTTPS traffic.
Deepening Control | Masquerading | Match Legitimate Name or Location | With a stolen AWS key, the attackers overwrote Safe{Wallet}'s production JavaScript bundle (_app-.js) in the very same S3 object key that serves app.safe.global.
Expanding Control | Cloud Service Discovery | API-based Resource Listing | Using the stolen AWS keys, the attackers enumerated IAM roles and S3 buckets via standard AWS API calls.
Impact | Financial Theft | - | The delegatecall upgrade drained ≈ 400,000 ETH (~US $1.5 B) from Bybit's cold wallet to attacker addresses, marking the largest single crypto heist to date.

Evidence of Exploitation in the Wild

Empirical Adversary Usage: This attack represents documented, real-world adversary behavior observed through multiple intelligence sources, including incident response analysis, blockchain forensics, and attribution research. The techniques employed align with known North Korean state-sponsored group tactics, techniques and procedures (TTPs).

Scale and Impact:

  • Largest cryptocurrency heist in history: $1.5 billion USD stolen across multiple cryptocurrencies
  • Target: ByBit - one of the world's top 5 cryptocurrency exchanges by trading volume (>$10B daily)
  • Affected Infrastructure: Core trading systems, wallet infrastructure, and customer funds
  • Attribution: Lazarus Group (North Korean state-sponsored APT) - FBI assessment with high confidence
  • Secondary Effects: Market volatility, regulatory scrutiny, industry-wide security reviews

Attack Timeline & Phases:

4 Feb 2025 - Initial Compromise (breach a developer workstation):
  • Social-engineering e-mail/DM delivers malicious Docker project "MC-Based-Stock-Invest-Simulator-main"
  • Docker run phones home to getstockprice[.]com, dumps AWS keys
5 Feb 2025 - Infrastructure Access (turn stolen creds into cloud foothold):
  • Login to Safe's AWS via ExpressVPN IPs + Kali UA
  • Abuse session token after failed MFA enrolment to stay persistent
5-17 Feb 2025 - Recon & Preparation (map infra & craft payloads):
  • Enumerate S3/IAM; analyse UI bundle
  • Stand up MythicAgents C2
  • Build Bybit-targeted JS delegate-call payload
19 Feb 2025 - Attack Implementation (weaponise the UI):
  • Overwrite _app-<hash>.js in production S3 bucket (same name/key)
  • Payload activates only for Bybit wallet IDs
21 Feb 2025 - Execution & Cleanup (drain funds & hide):
  • During routine cold-to-hot transfer, payload submits forged tx; ~400k ETH sent to attacker
  • Restores clean script within 2 min to erase IOCs

Industry & Law Enforcement Response:

  • Emergency Advisories: CISA, FBI, and international cybersecurity agencies issued joint alerts
  • Regulatory Action: Enhanced compliance requirements for cryptocurrency exchanges globally
  • Technical Countermeasures: Enhanced multi-signature wallet security and third-party service monitoring
  • Asset Recovery: Approximately $200M recovered through blockchain analysis and exchange cooperation

Attack Mechanism

Adversary Tactics, Techniques & Procedures (TTPs)

This attack follows the adversary's strategic objectives across six tactical phases, demonstrating how application-level vulnerabilities can escalate to infrastructure compromise and financial theft.

Reconnaissance

Adversary Objective: Identify targets and gather intelligence on Safe{Wallet} infrastructure

  • Social Engineering Research:
    • Developer Targeting and Profiling:
      • Procedure Example: Lazarus Group conducted extensive research on Safe{Wallet} developers, identifying key personnel through LinkedIn, GitHub, and professional networks. The adversary created detailed profiles of developers with access to critical infrastructure, specifically targeting Developer1 who had AWS access credentials.
      • Evidence: Sygnia investigation confirmed social engineering campaigns targeting specific Safe{Wallet} developers through Docker project distribution
      • Data Sources: Social Media Analysis, Professional Networks, Developer Profiles, GitHub Activity Analysis
      • Platforms: LinkedIn, GitHub, Professional Networks, Social Media Platforms
      • Supports Remote: Yes - remote reconnaissance and profiling activities
  • Public Source Code and Artifacts Analysis:
    • Static Code Analysis:
      • Procedure Example: Analysis of Safe{Wallet} public repositories and AWS S3 bucket configurations to understand web interface architecture and JavaScript resource hosting patterns. The adversary identified that app.safe[.]global was served from AWS S3 with modifiable JavaScript resources.
      • Evidence: NCC Group technical analysis confirmed analysis of S3 bucket configuration and JavaScript resource locations
      • Data Sources: Public Repositories, AWS S3 Configuration, Web Interface Analysis
      • Platforms: Windows, macOS, Linux
    • Public Repository Discovery:
      • Procedure Example: Discovery of Safe{Wallet} developer accounts and organizational repositories to understand development processes and identify potential social engineering targets with AWS access.
      • Evidence: Elastic Security Labs research documented GitHub analysis showing Safe{Wallet} developer profiles and access patterns
      • Data Sources: API Logs, Public Repositories, Developer Activity Patterns
      • Platforms: Windows, macOS, Linux

Resource Development

Adversary Objective: Develop and stage capabilities for the attack

  • Develop Capabilities:
    • Malware:
      • Procedure Example: Development of macOS malware disguised as legitimate Docker project "MC-Based-Stock-Invest-Simulator-main" for social engineering delivery. The malware was designed to harvest AWS credentials and establish persistence on developer workstations.
      • Evidence: Elastic Security Labs analysis confirmed malicious Docker project with network communication to getstockprice[.]com domain and PyYAML exploitation
      • Data Sources: Malware Analysis, Network Traffic, DNS Logs
      • Platforms: macOS
  • JavaScript Payload Development:
    • Web Interface Manipulation Code:
      • Procedure Example: Creation of sophisticated JavaScript code designed to manipulate Safe{Wallet} web interface transactions. The code included activation conditions specific to ByBit wallet addresses and transaction manipulation capabilities using smart contract delegatecall functionality.
      • Evidence: NCC Group technical analysis confirmed malicious JavaScript with wallet-specific targeting through web archive analysis
      • Data Sources: Web Archives, Browser Cache Analysis, JavaScript Code Analysis
      • Platforms: Windows, macOS, Linux

Gain Access

Adversary Objective: Compromise Safe{Wallet} developer workstation and gain AWS access

  • Supply Chain Compromise:
    • Compromise Software Dependencies and Development Tools:
      • Social Engineering Component: Lazarus Group conducted sophisticated social engineering against Safe{Wallet} Developer1, delivering malicious Docker project "MC-Based-Stock-Invest-Simulator-main" through professional networks and GitHub repositories. The social engineering campaign leveraged detailed developer profiles gathered during reconnaissance to create convincing technical content that appeared legitimate to cryptocurrency developers.
      • Procedure Example: Social engineering attack against Safe{Wallet} Developer1 resulted in execution of malicious Docker project "MC-Based-Stock-Invest-Simulator-main" on macOS workstation. The Docker container initiated network traffic to getstockprice[.]com domain and harvested AWS credentials from the compromised system.
      • Evidence: Sygnia investigation confirmed targeted social engineering delivery and developer workstation compromise on February 4, 2025, with Docker project found in ~/Downloads folder
      • Data Sources: Email Analysis, Social Media Tracking, Developer Network Analysis, Endpoint Detection, Process Monitoring, Network Traffic, File System Analysis
      • Platforms: macOS, Professional Networks, GitHub
      • Supports Remote: Yes - remote social engineering delivery and remote access through compromised workstation
  • Valid Accounts:
    • Cloud Accounts:
      • AWS Credential Theft:
        • Procedure Example: Harvesting of Developer1's AWS credentials from the compromised macOS workstation, providing legitimate access to Safe{Wallet}'s AWS infrastructure. The adversary used ExpressVPN IP addresses with Kali Linux user-agent strings to access AWS services.
        • Evidence: Wilson Center analysis confirmed AWS credential harvesting from the compromised developer workstation
        • Data Sources: AWS CloudTrail Logs, Authentication Logs, Network Traffic Analysis
        • Platforms: AWS Cloud
        • Supports Remote: Yes - cloud service access provides remote capabilities

Payload Execution

Adversary Objective: Modify Safe{Wallet} web interface to manipulate transactions

  • Static JavaScript Resource Modification:
    • AWS S3 Bucket Tampering:
      • Procedure Example: Direct modification of JavaScript resources hosted on AWS S3 bucket serving Safe{Wallet}'s web interface (app.safe[.]global) on February 19, 2025. Malicious code was pre-embedded in static files with activation conditions specific to ByBit wallet addresses and included smart contract manipulation capabilities using delegatecall functionality.
      • Evidence: NCC Group technical analysis confirmed static JavaScript file modification targeting specific ByBit addresses: 0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4
      • Data Sources: Web Archives, Browser Cache Files, S3 Access Logs, JavaScript Code Analysis
      • Platforms: AWS S3, Web Browsers
      • Supports Remote: Yes - remote transaction manipulation through modified static resources
  • Insecure Deserialization Exploitation:
    • PyYAML Deserialization Attack:
      • Procedure Example: The malicious Docker project "MC-Based-Stock-Invest-Simulator-main" contained a data_fetcher.py class that appeared to fetch legitimate stock market data but included vulnerable yaml.load() functionality. The script, by default, fetched valid stock market-related data from getstockprice[.]info. However, based on specific conditions, the attacker-controlled server returned a malicious YAML payload instead. When processed using PyYAML's unsafe loader (yaml.load()), this payload allowed for arbitrary Python object deserialization, resulting in remote code execution and AWS credential theft from Developer1's macOS workstation.
      • Technical Implementation: The DataFetcher class included a threaded data fetching mechanism that processed different content types (JSON, form-encoded, YAML). When the attacker-controlled server returned Content-Type: application/yaml, the vulnerable yaml.load(response.text, Loader=yaml.Loader) call enabled arbitrary Python object instantiation through malicious YAML payloads containing !!python/object/apply constructs.
      • Evidence: Elastic Security Labs analysis confirmed PyYAML deserialization exploitation within the Docker container, leading to AWS credential theft through malicious YAML payloads
      • Data Sources: Process Monitoring, Python Interpreter Logs, Library Function Calls, Memory Analysis, Network Traffic Analysis
      • Platforms: macOS, Python, Docker
      • Supports Remote: Yes - remote code execution through deserialization payload delivered via HTTP response
  • Smart Contract Manipulation:
    • Target-Specific Triggering:
      • Procedure Example: Malicious JavaScript code included conditional logic to activate only when detecting specific ByBit cold wallet addresses, ensuring the attack remained dormant until the intended target initiated a transaction. The code replaced legitimate contract calls with delegatecall to attacker-controlled contract.
      • Evidence: NCC Group technical analysis confirmed wallet address-specific activation conditions and delegatecall manipulation
      • Data Sources: JavaScript Code Analysis, Blockchain Transaction Logs, Smart Contract Events
      • Platforms: Ethereum Blockchain
      • Supports Remote: Yes - conditional remote activation based on target identification
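The PyYAML deserialization described above comes down to one call: a content-type dispatcher that hands a server-controlled body to yaml.load() with the full Loader. The following is an added example (not the malware's data_fetcher.py and not from Elastic's analysis) that places that vulnerable dispatch pattern next to a hardened version using yaml.safe_load plus schema validation. The sample bodies are constructed; the tagged YAML document uses builtins.str so that the demonstration of what the loader will instantiate stays harmless, and it shows that SafeLoader refuses any python/* tag.

```python
"""Content-type dispatch for a stock-quote fetcher: the YAML loader choice decides
whether a server-controlled response body can instantiate Python objects."""
import json
from urllib.parse import parse_qs

import yaml

# Constructed sample response bodies (not captured from the real campaign).
JSON_BODY = '{"symbol": "ACME", "price": 101.25}'
FORM_BODY = "symbol=ACME&price=101.25"
YAML_BODY = "symbol: ACME\nprice: 101.25\n"
# A tagged document of the kind the write-up describes (!!python/object/apply).
# builtins.str is used here on purpose so the example stays harmless.
TAGGED_YAML = "!!python/object/apply:builtins.str ['constructed by the loader']\n"


def parse_body_vulnerable(content_type: str, body: str):
    """The pattern described on this page: yaml.Loader resolves python/* tags,
    so whoever controls the response controls which callables get invoked."""
    if content_type == "application/json":
        return json.loads(body)
    if content_type == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body).items()}
    if content_type == "application/yaml":
        return yaml.load(body, Loader=yaml.Loader)  # arbitrary object construction
    raise ValueError(f"unexpected content type: {content_type}")


def parse_body_hardened(content_type: str, body: str) -> dict:
    """Same dispatch, but YAML goes through SafeLoader and every result is checked
    against the schema the caller actually expects before it is used."""
    if content_type == "application/json":
        data = json.loads(body)
    elif content_type == "application/x-www-form-urlencoded":
        data = {k: v[0] for k, v in parse_qs(body).items()}
    elif content_type == "application/yaml":
        data = yaml.safe_load(body)  # raises ConstructorError on any python/* tag
    else:
        raise ValueError(f"unexpected content type: {content_type}")
    if not isinstance(data, dict) or set(data) != {"symbol", "price"}:
        raise ValueError("response does not match the expected quote schema")
    return {"symbol": str(data["symbol"]), "price": float(data["price"])}


def hardened_accepts(content_type: str, body: str) -> bool:
    """True when the hardened parser accepts the body, False when it rejects it."""
    try:
        parse_body_hardened(content_type, body)
        return True
    except (ValueError, yaml.YAMLError):
        return False


if __name__ == "__main__":
    print("hardened, plain YAML :", parse_body_hardened("application/yaml", YAML_BODY))
    print("hardened, tagged YAML:", hardened_accepts("application/yaml", TAGGED_YAML))
    print("vulnerable, tagged   :", repr(parse_body_vulnerable("application/yaml", TAGGED_YAML)))
```

The hardened parser also rejects a well-formed document whose keys differ from the expected schema, which is the second half of the fix: a loader that cannot instantiate objects still returns whatever structure the server sends, so the consumer must validate shape before trusting it.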

Deepening Control

Adversary Objective: Establish persistence and evade detection

  • C2 over App-Protocols:
    • Web Protocols:
      • Procedure Example: After swapping in malicious parameters, the implanted JavaScript submitted the forged upgrade transaction with a normal POST /v1/chains/1/transactions//propose call to safe-client.safe.global and then polled the same REST endpoint until the remaining signatures were gathered. All coordination therefore rode the exact Safe Client-Gateway workflow that signers use every day, hiding attacker C2 inside routine wallet-management traffic.
      • Evidence: NCC Group technical analysis reproduced the attacker's POST …/propose request (including host, path and JSON schema) and confirmed it was accepted by the Gateway during the breach.
      • Data Sources: Web-proxy/TLS inspection logs, Safe Client-Gateway API logs, Browser Developer-Tools network traces
      • Platforms: Web browsers, HTTPS, Safe Client-Gateway (Web service)
      • Defense Bypassed: C2 domain/port black-listing, anomaly-based network detection (traffic indistinguishable from legitimate Safe usage)
  • Evidence Removal:
    • Procedure Example: Immediate removal of malicious JavaScript code from Safe{Wallet}'s web interface approximately 2 minutes after successful theft execution. This rapid cleanup was designed to minimize forensic evidence and complicate incident response efforts.
    • Evidence: NCC Group analysis confirmed malicious code removal within 2 minutes of successful transaction execution through web archive analysis
    • Data Sources: S3 Access Logs, Web Archive Snapshots, Forensic Timeline Analysis
    • Platforms: AWS Cloud
    • Defense Bypassed: Forensic analysis, Evidence preservation
  • Masquerading:
    • Match Legitimate Name or Location:
      • Legitimate Transaction Appearance:
        • Procedure Example: With a stolen AWS key, the attackers overwrote Safe{Wallet}'s production JavaScript bundle (_app-.js) in the very same S3 object key that serves app.safe.global.
        • Evidence: NCC Group analysis notes the breach was carried out by injecting malicious JavaScript into the Safe{Wallet} UI through a compromised developer machine, specifying an S3 overwrite of an existing asset.
        • Data Sources: AWS S3 access logs, Browser cache captures, File-integrity monitoring outputs
        • Platforms: IaaS
        • Defense Bypassed: Sub-resource-integrity / static-asset hashing, path-based allow-lists, UI-level transaction verification (file name and location appeared legitimate).
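The Masquerading entry above turns on one property: the object key, file name and URL of the bundle never changed, only its bytes did. Any check that keys on name or location therefore passes, and an SRI attribute that lives in HTML served from the same bucket can be rewritten along with the bundle. The added example below (not Safe{Wallet}'s or NCC Group's code) shows the control that does catch this: a hash manifest pinned at release time and kept outside the bucket, compared against what the CDN actually serves, plus the SRI value a release pipeline would emit for an HTML page hosted elsewhere. The bundle contents, the asset key (with a placeholder in place of the real hash) and the manifest are all constructed.

```python
"""Release-time hash pinning for static assets served from an S3 bucket."""
from __future__ import annotations

import base64
import hashlib

# Constructed sample bundles; not the real Safe{Wallet} bundle.
RELEASE_BUNDLE = b"(()=>{/* build 2025-02-18 */window.__UI_VERSION__='1.0.0';})();"
TAMPERED_BUNDLE = RELEASE_BUNDLE + b"/* extra code written under the same object key */"
# Placeholder key: the real bundle name carries a build hash that is not reproduced here.
ASSET_KEY = "_next/static/chunks/pages/_app-<hash>.js"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value (e.g. sha384-<base64 digest>) for a script tag
    that is served from a page the bucket owner cannot rewrite."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(assets: dict[str, bytes]) -> dict[str, str]:
    """Produced by CI at release time and stored outside the serving bucket
    (signed artefact, separate account, or a read-only store)."""
    return {key: sha256_hex(content) for key, content in assets.items()}


def verify_served(manifest: dict[str, str], key: str, served: bytes) -> tuple[bool, str]:
    """Compare the bytes actually served for a key with the pinned release hash."""
    expected = manifest.get(key)
    if expected is None:
        return False, "unpinned asset key"
    actual = sha256_hex(served)
    if actual != expected:
        return False, f"hash mismatch: expected {expected[:12]}..., served {actual[:12]}..."
    return True, "ok"


def verify_all(manifest: dict[str, str], served: dict[str, bytes]) -> list[str]:
    """Keys whose served content does not match the manifest (empty list means clean)."""
    return [key for key, content in served.items() if not verify_served(manifest, key, content)[0]]


if __name__ == "__main__":
    manifest = build_manifest({ASSET_KEY: RELEASE_BUNDLE})
    print("release :", verify_served(manifest, ASSET_KEY, RELEASE_BUNDLE))
    print("tampered:", verify_served(manifest, ASSET_KEY, TAMPERED_BUNDLE))
    print("SRI     :", sri_hash(RELEASE_BUNDLE))
```

Run on a schedule against the public URL (not against the bucket API, which the stolen credentials could also influence), the mismatch result is the alert that a two-minute swap-and-restore would otherwise leave only in S3 access logs.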

Expanding Control

Adversary Objective: Discover and access cloud resources

  • Cloud Service Discovery:
    • API-based Resource Listing:
      • AWS Infrastructure Enumeration:
        • Procedure Example: Using stolen Developer1 credentials to enumerate Safe{Wallet}'s AWS infrastructure through AWS APIs, discovering S3 buckets hosting web interface resources and identifying modification capabilities.
        • Evidence: Wilson Center analysis confirmed reconnaissance activities within Safe{Wallet}'s AWS environment from February 5-17, 2025
        • Data Sources: AWS CloudTrail, IAM Logs, S3 Access Logs, AWS API Logs
        • Platforms: AWS Cloud
        • Supports Remote: Yes - cloud service enumeration provides remote discovery capabilities
  • AWS Session Token Harvesting:
    • Procedure Example: Harvesting of AWS session tokens from Developer1's compromised workstation, providing temporary but privileged access to Safe{Wallet}'s cloud infrastructure. Attackers adjusted working hours to match Developer1's schedule to maintain access.
    • Evidence: Sygnia investigation confirmed session token theft and usage patterns aligned with Developer1's normal working hours
    • Data Sources: AWS CloudTrail, Session Token Logs, Authentication Analysis
    • Platforms: AWS Cloud, macOS
    • Supports Remote: Yes - stolen tokens enable remote cloud access
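The Expanding Control entries above name CloudTrail as the data source, and the timeline earlier on this page adds two more observables: an unexpected user-agent on the AWS logins and, on 19 Feb, a write to the production bucket by a developer identity rather than a deployment pipeline. The added example below (not from Sygnia, Wilson Center or Safe{Wallet}) runs three such rules over CloudTrail-style records. The records, bucket name, account id, principal ARNs and timestamps are all constructed, and the user-agent marker is an assumption that build tooling never identifies itself as a Kali client.

```python
"""Three CloudTrail detections for the enumeration, login and S3-write behaviour above."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

PROD_UI_BUCKET = "example-ui-prod-bucket"  # placeholder, not the real bucket name
# Constructed: the only principal expected to write production UI assets.
DEPLOY_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/ci-deploy/github-actions"}
ENUMERATION_EVENTS = {"ListBuckets", "ListRoles", "ListUsers", "ListAccessKeys",
                      "GetBucketPolicy", "ListObjects"}
ENUMERATION_WINDOW = timedelta(minutes=10)
ENUMERATION_THRESHOLD = 3          # distinct list/describe calls inside the window
UNEXPECTED_UA_MARKERS = ("kali",)  # assumption: no legitimate client reports this


def rec(time: str, name: str, arn: str, ip: str, ua: str, source: str, **params) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn},
            "sourceIPAddress": ip, "userAgent": ua, "eventSource": source,
            "requestParameters": params}


DEV = "arn:aws:iam::111122223333:user/developer1"
CI = next(iter(DEPLOY_PRINCIPALS))
UI_KEY = "_next/static/chunks/pages/_app-<hash>.js"  # placeholder asset key
SAMPLE_TRAIL = [
    rec("2025-02-18T10:00:00Z", "PutObject", CI, "203.0.113.10", "aws-sdk-go/1.50",
        "s3.amazonaws.com", bucketName=PROD_UI_BUCKET, key=UI_KEY),
    rec("2025-02-05T09:12:00Z", "ListBuckets", DEV, "198.51.100.7",
        "aws-cli/2.15.0 Python/3.11 Linux/6.6 Kali", "s3.amazonaws.com"),
    rec("2025-02-05T09:13:30Z", "ListRoles", DEV, "198.51.100.7",
        "aws-cli/2.15.0 Python/3.11 Linux/6.6", "iam.amazonaws.com"),
    rec("2025-02-05T09:15:00Z", "GetBucketPolicy", DEV, "198.51.100.7",
        "aws-cli/2.15.0 Python/3.11 Linux/6.6", "s3.amazonaws.com", bucketName=PROD_UI_BUCKET),
    rec("2025-02-19T15:30:00Z", "PutObject", DEV, "198.51.100.7",
        "aws-cli/2.15.0 Python/3.11 Linux/6.6", "s3.amazonaws.com",
        bucketName=PROD_UI_BUCKET, key=UI_KEY),
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(records: list[dict]) -> list[dict]:
    findings: list[dict] = []
    enumeration: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for r in records:
        arn = r["userIdentity"]["arn"]
        params = r["requestParameters"]
        # Rule 1: production asset written by anything other than the deploy pipeline.
        if (r["eventName"] == "PutObject" and params.get("bucketName") == PROD_UI_BUCKET
                and arn not in DEPLOY_PRINCIPALS):
            findings.append({"rule": "prod_asset_write_by_non_deploy_principal",
                             "principal": arn, "key": params.get("key"), "time": r["eventTime"]})
        # Rule 2: client user-agent that no sanctioned tooling produces.
        if any(m in r["userAgent"].lower() for m in UNEXPECTED_UA_MARKERS):
            findings.append({"rule": "unexpected_user_agent", "principal": arn,
                             "userAgent": r["userAgent"], "time": r["eventTime"]})
        if r["eventName"] in ENUMERATION_EVENTS:
            enumeration[arn].append((_ts(r["eventTime"]), r["eventName"]))
    # Rule 3: burst of distinct list/describe calls by one principal.
    for arn, events in enumeration.items():
        events.sort()
        for start, _ in events:
            window = {name for t, name in events if start <= t <= start + ENUMERATION_WINDOW}
            if len(window) >= ENUMERATION_THRESHOLD:
                findings.append({"rule": "enumeration_burst", "principal": arn,
                                 "calls": sorted(window), "start": start.isoformat()})
                break
    return findings


def rule_names(records: list[dict]) -> set[str]:
    return {f["rule"] for f in detect(records)}


if __name__ == "__main__":
    for finding in detect(SAMPLE_TRAIL):
        print(finding)
```

Rule 1 is the one worth wiring to a paging alert: a human IAM user writing the production bundle is rare enough that the false-positive cost is low, and it fires on 19 Feb, two days before the funds moved.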

Impact

Adversary Objective: Execute cryptocurrency theft and cover tracks

  • Financial Theft:
    • Multi-Signature Wallet Manipulation:
      • Procedure Example: Successful manipulation of ByBit's multi-signature wallet transaction on February 21, 2025, during routine transfer from cold wallet to hot wallet. The malicious JavaScript code hijacked the transaction, using delegatecall to execute attacker-controlled smart contract that transferred over 400,000 ETH to adversary addresses.
      • Evidence: FBI official attribution confirmed transfer of approximately $1.5 billion in cryptocurrency, with ZachXBT blockchain analysis linking funds to known Lazarus Group wallets
      • Data Sources: Blockchain Transaction Logs, Smart Contract Events, Multi-Signature Wallet Logs
      • Platforms: Ethereum Blockchain
    • Impact Type: Availability, Integrity - Financial operations disrupted and cryptocurrency assets compromised
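The Impact entry, together with the Target-Specific Triggering and Web Protocols entries earlier, describes one failure: signers approved what the compromised UI displayed, while the proposal that reached the Client-Gateway carried a delegatecall to a different destination. The added example below (not Safe's code, ByBit's, or NCC Group's) shows the independent review a signer-side tool can apply before signing: a policy check on the raw proposal fields (Safe's `operation` value 1 is DELEGATECALL, 0 is CALL) and a field-by-field comparison of the UI summary against the payload that will actually be hashed. The proposal records, addresses and policy are constructed placeholders; the ERC-20 `transfer(address,uint256)` selector 0xa9059cbb is the real one.

```python
"""Signer-side policy review of a Safe multisig transaction proposal."""
from __future__ import annotations

CALL, DELEGATECALL = 0, 1  # Safe `operation` values

# Constructed placeholder addresses; none is a real ByBit, Safe or attacker address.
COLD_WALLET = "0x" + "c0" * 20
HOT_WALLET = "0x" + "07" * 20
ERC20_TOKEN = "0x" + "ee" * 20
UNKNOWN_CONTRACT = "0x" + "ab" * 20
ERC20_TRANSFER_SELECTOR = "0xa9059cbb"  # transfer(address,uint256)

# Hypothetical signing policy, held by the signer and never fetched from the web UI.
POLICY = {
    "allowed_to": {HOT_WALLET, ERC20_TOKEN},
    "allowed_operations": {CALL},
    "allowed_selectors": {ERC20_TRANSFER_SELECTOR, None},  # None = plain value transfer
}


def selector(data: str) -> str | None:
    """Four-byte function selector from calldata, or None for an empty payload."""
    return data[:10].lower() if data and data != "0x" else None


def review_proposal(proposal: dict, policy: dict = POLICY) -> list[str]:
    """Reasons the proposal must not be signed; an empty list means it passes policy."""
    reasons = []
    if proposal["operation"] not in policy["allowed_operations"]:
        reasons.append("operation is DELEGATECALL: callee code would run in the Safe's own storage context")
    if proposal["to"].lower() not in {a.lower() for a in policy["allowed_to"]}:
        reasons.append(f"destination {proposal['to']} is not an allow-listed wallet or contract")
    sel = selector(proposal.get("data", "0x"))
    if sel not in policy["allowed_selectors"]:
        reasons.append(f"calldata selector {sel} is not in the expected set")
    return reasons


def compare_display_to_payload(shown: dict, payload: dict) -> list[str]:
    """Fields where the UI summary differs from the payload that will be hashed and signed.
    A non-empty result means what you see is not what you sign."""
    fields = ("to", "value", "operation", "data")
    return [f for f in fields if str(shown.get(f)).lower() != str(payload.get(f)).lower()]


# Constructed proposals in the shape of the fields a Safe proposal carries.
ROUTINE_TRANSFER = {"safe": COLD_WALLET, "to": HOT_WALLET, "value": 10**18,
                    "data": "0x", "operation": CALL, "nonce": 41}
FORGED_UPGRADE = {"safe": COLD_WALLET, "to": UNKNOWN_CONTRACT, "value": 0,
                  "data": ERC20_TRANSFER_SELECTOR + "00" * 64, "operation": DELEGATECALL, "nonce": 41}
# What a tampered interface might render for the forged proposal: the routine transfer.
UI_SUMMARY = {"to": HOT_WALLET, "value": 10**18, "operation": CALL, "data": "0x"}

if __name__ == "__main__":
    print("routine :", review_proposal(ROUTINE_TRANSFER))
    print("forged  :", review_proposal(FORGED_UPGRADE))
    print("mismatch:", compare_display_to_payload(UI_SUMMARY, FORGED_UPGRADE))
```

The comparison function is the part that does not depend on getting the policy right: it needs the raw proposal as fetched from the Client-Gateway by a tool the attacker did not serve, which is why the check belongs on an independent path (hardware-wallet display, a separate verifier) rather than in the same browser session that loaded the bundle.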

Key Security Takeaways
  1. Social Engineering Sophistication: The attack demonstrated how sophisticated social engineering remains a primary attack vector against high-value targets, particularly in the cryptocurrency sector where technical trust relationships are critical
  2. Third-Party Risk: The attack highlighted the critical importance of third-party security assessments and continuous monitoring of service providers, especially for cryptocurrency infrastructure
  3. Supply Chain Security: Even trusted services like Safe{Wallet} can become attack vectors, requiring defense-in-depth approaches and comprehensive supply chain security programs
  4. Developer Workstation Security: The compromise of a single developer's macOS workstation led to a $1.5 billion theft, highlighting the critical importance of developer endpoint security and access controls
  5. Transaction Verification: The importance of independent transaction verification mechanisms beyond standard multi-signature processes, particularly for high-value cryptocurrency operations
  6. Incident Response: The value of rapid incident response and industry cooperation in cryptocurrency security incidents, as demonstrated by the coordinated response to this attack

References & Resources

Verified Primary Sources:

  1. FBI Official Attribution - TraderTraitor/Lazarus Group - "North Korea Responsible for $1.5 Billion Bybit Hack" (FBI IC3 PSA I-022625-PSA, February 26, 2025)
  2. Sygnia Investigation Report: ByBit - What We Know So Far - Comprehensive forensic analysis with detailed attack timeline and technical findings (March 16, 2025)
  3. NCC Group Technical Analysis - JavaScript injection and smart contract exploitation analysis (March 10, 2025)
  4. Safe{Wallet} Security Notice - Statement by the Safe Ecosystem Foundation (February 28, 2025)
  5. ZachXBT Blockchain Analysis - "How Lazarus Group laundered $200M from 25+ crypto hacks" (Arkham Intelligence bounty program)

Technical Vulnerability References:

Additional Technical Analysis:

Government Sources:

  • OFAC Sanctions - Wu Huihui - Related money laundering operations and sanctions
  • Mandiant Preliminary Report - Safe{Wallet} developer workstation compromise analysis (as referenced in Safe{Wallet} statement)

Similar Attack Patterns:

  • WazirX Heist (July 2024) - $230M loss with similar Safe{Wallet} front-end manipulation (as mentioned in Sygnia report)
  • Radiant Capital Heist (October 2024) - $50M loss with comparable interface manipulation techniques (as mentioned in Sygnia report)

Technical Standards & Frameworks: