Cryptocurrency exchange Bybit detected unauthorized activity involving its Ethereum cold wallets, leading to a major security breach. The incident occurred during an ETH multisig transaction facilitated through Safe{Wallet}, when attackers intervened and manipulated the transaction, ultimately siphoning over 400,000 ETH from the exchange’s cold storage.

The FBI has attributed the attack to ‘TraderTraitor’, also known as the Lazarus group, a threat actor linked to North Korea and responsible for numerous previous cryptocurrency heists. The attack demonstrated unprecedented sophistication across multiple security domains, including macOS malware deployment, AWS cloud infrastructure compromise, and smart contract manipulation.

Sygnia researchers identified that the earliest malicious activity began on February 4, 2025, when a Safe{Wallet} developer’s macOS workstation was compromised through social engineering. The developer downloaded a suspicious Docker project named “MC-Based-Stock-Invest-Simulator-main” that initiated communications with a malicious domain.

Between February 5 and February 17, the attackers operated within Safe{Wallet}’s AWS infrastructure after stealing AWS credentials from the compromised developer workstation. The attackers leveraged ExpressVPN IP addresses and aligned their activity with the developer’s working hours to avoid detection.

Their modifications to Safe{Wallet}’s web interface injected malicious JavaScript designed to manipulate transactions specifically from Bybit’s cold wallet address. The malicious code contained an activation condition targeting specific contract addresses, along with transaction validation tampering designed to bypass security checks. The technical execution involved replacing legitimate transaction payloads with delegate calls to a pre-deployed malicious smart contract.

Anchain’s reverse engineering of the exploit bytecode revealed four malicious smart contract functions implemented by the attackers. The delegate call mechanism allowed the attackers to replace the wallet’s implementation with a malicious version containing “sweepETH” and “sweepERC20” functions.

Just two minutes after executing the heist, the attackers removed the malicious JavaScript code from Safe{Wallet}’s web interface, attempting to cover their tracks.
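As an added illustration of the payload-swapping mechanism described above (this is not code from the article, from Safe{Wallet} or from Bybit), the following JavaScript shows a signer-side review that flags the two properties a swapped payload changes: the operation type (a delegate call instead of a plain call) and the target contract. The Safe transaction field names and the ERC-20 `transfer` selector are real; the policy, addresses and sample transactions are constructed assumptions.

```javascript
// Added example, not code from the article or from Safe{Wallet}/Bybit: a
// signer-side review of a Safe transaction before it is signed. Field names
// follow the Safe transaction structure (to, value, data, operation), where
// operation 0 = CALL and 1 = DELEGATECALL; the policy and samples are constructed.

const OP_CALL = 0;
const OP_DELEGATECALL = 1;

// Constructed policy: the only target and function this signer expects a
// routine cold-wallet transfer to use. 0xa9059cbb is the real selector of
// ERC-20 transfer(address,uint256); the token address is a placeholder.
const TOKEN_PLACEHOLDER = "0x" + "11".repeat(20);
const POLICY = {
  allowedTargets: new Set([TOKEN_PLACEHOLDER]),
  allowedSelectors: new Set(["0xa9059cbb"]),
};

// The first 4 bytes of calldata (8 hex chars after 0x) name the function called.
function selectorOf(data) {
  return typeof data === "string" && data.length >= 10
    ? data.slice(0, 10).toLowerCase()
    : null;
}

// Returns the list of policy findings; an empty list means "matches policy".
function reviewSafeTx(tx, policy = POLICY) {
  const findings = [];
  if (tx.operation === OP_DELEGATECALL) {
    // A delegatecall executes the target's code inside the Safe's own storage
    // context, which is what lets a wallet implementation be swapped out.
    findings.push("operation is DELEGATECALL: target code would run with the Safe's storage");
  } else if (tx.operation !== OP_CALL) {
    findings.push(`unknown operation ${tx.operation}`);
  }
  if (!policy.allowedTargets.has(String(tx.to).toLowerCase())) {
    findings.push(`target ${tx.to} is not on the allowlist`);
  }
  const sel = selectorOf(tx.data);
  if (sel !== null && !policy.allowedSelectors.has(sel)) {
    findings.push(`function selector ${sel} is not on the allowlist`);
  }
  return findings;
}

// Constructed samples: the transfer the signers intended, and a payload that
// points elsewhere and requests a delegatecall instead of a plain call.
const intendedTx = { to: TOKEN_PLACEHOLDER, value: "0", data: "0xa9059cbb" + "00".repeat(64), operation: OP_CALL };
const swappedTx = { to: "0x" + "22".repeat(20), value: "0", data: "0xdeadbeef", operation: OP_DELEGATECALL };
console.log(reviewSafeTx(intendedTx), reviewSafeTx(swappedTx));
```

Because the article describes the malicious code running inside the web interface, a check like this only helps when it runs somewhere the UI cannot alter, such as on the hardware signer or an independent verification host.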
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Mar 2025 16:50:17 +0000