Bybit Hack - Sophisticated Multi-Stage Attack Details Revealed

Cryptocurrency exchange Bybit detected unauthorized activity involving its Ethereum cold wallets, leading to a major security breach. The incident occurred during an ETH multisig transaction facilitated through Safe{Wallet}, when attackers intervened and manipulated the transaction, ultimately siphoning over 400,000 ETH from the exchange’s cold storage. The FBI has attributed the attack to ‘TraderTraitor’, also known as the Lazarus group, a threat actor linked to North Korea and responsible for numerous previous cryptocurrency heists.

Sygnia researchers identified that the earliest malicious activity began on February 4, 2025, when a Safe{Wallet} developer’s macOS workstation was compromised through social engineering. The developer downloaded a suspicious Docker project named “MC-Based-Stock-Invest-Simulator-main” that initiated communications with a malicious domain.

Between February 5 and February 17, the attackers operated within Safe{Wallet}’s AWS infrastructure after stealing AWS credentials from the compromised developer workstation. The attackers leveraged ExpressVPN IP addresses and aligned their activity with the developer’s working hours to avoid detection. Their modifications to Safe{Wallet}’s web interface injected malicious JavaScript designed to manipulate transactions specifically from Bybit’s cold wallet address. The malicious code contained an activation condition targeting specific contract addresses, along with transaction validation tampering designed to bypass security checks.

The technical execution involved replacing legitimate transaction payloads with delegate calls to a pre-deployed malicious smart contract. Anchain’s reverse engineering of the exploit bytecode revealed four malicious smart contract functions implemented by the attackers. The delegate call mechanism allowed the attackers to replace the wallet’s implementation with a malicious version containing “sweepETH” and “sweepERC20” functions. Just two minutes after executing the heist, the attackers removed the malicious JavaScript code from Safe{Wallet}’s web interface, attempting to cover their tracks.

The attack demonstrated unprecedented sophistication across multiple security domains, including macOS malware deployment, AWS cloud infrastructure compromise, and smart contract manipulation.
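The payload swap described above turned an ordinary multisig transaction into a delegate call to an attacker-controlled contract, and it happened inside the web interface the signers trusted. The check below is an added example, not code from the article, Sygnia, Anchain or Safe{Wallet}: it compares the transaction the signer was shown against the one actually presented for signing, and applies a static policy a cold-wallet Safe should enforce regardless of what the UI says (never sign operation 1, DELEGATECALL; only allow-listed targets). It assumes the Safe transaction field layout (`to`, `value`, `data`, `operation`, `nonce`, with operation 0 = CALL and 1 = DELEGATECALL); the addresses and calldata are constructed placeholders.

```python
"""
Pre-signing policy check for a Safe multisig transaction.

Added example; not the article's, Sygnia's, Anchain's or Safe{Wallet}'s code.
Assumes the Safe transaction field layout (to, value, data, operation, nonce)
where operation 0 = CALL and 1 = DELEGATECALL. All addresses are constructed.
"""

CALL = 0
DELEGATECALL = 1

# Fields covered by the signature. A change in any of them between what the
# signer was shown and what is being signed is treated as tampering.
SIGNED_FIELDS = ("to", "value", "data", "operation", "nonce")


def normalize(tx: dict) -> dict:
    """Lower-case hex strings and coerce numeric fields so comparisons are not
    fooled by casing, whitespace or hex-vs-decimal encoding."""
    out = dict(tx)
    for k in ("to", "data"):
        if isinstance(out.get(k), str):
            out[k] = out[k].strip().lower()
    for k in ("value", "operation", "nonce"):
        if k in out:
            out[k] = int(out[k], 0) if isinstance(out[k], str) else int(out[k])
    return out


def payload_diff(displayed: dict, to_sign: dict) -> dict:
    """Return {field: (displayed, to_sign)} for every signed field that differs."""
    a, b = normalize(displayed), normalize(to_sign)
    return {k: (a.get(k), b.get(k)) for k in SIGNED_FIELDS if a.get(k) != b.get(k)}


def policy_violations(tx: dict, allowed_targets: set[str]) -> list[str]:
    """Static rules for a cold-wallet Safe: no delegate calls (they run foreign
    code in the Safe's own storage context and can swap its implementation),
    and only allow-listed target addresses."""
    t = normalize(tx)
    reasons = []
    if t.get("operation") == DELEGATECALL:
        reasons.append("operation=1 (DELEGATECALL) runs foreign code in the Safe's storage context")
    elif t.get("operation") != CALL:
        reasons.append(f"unknown operation {t.get('operation')!r}")
    if t.get("to") not in {x.lower() for x in allowed_targets}:
        reasons.append(f"target {t.get('to')} is not on the allow-list")
    return reasons


def should_sign(displayed: dict, to_sign: dict, allowed_targets: set[str]) -> tuple[bool, list[str]]:
    """Combine tamper detection and policy; sign only when there is nothing to report."""
    reasons = [f"field {k!r} changed from {v[0]!r} to {v[1]!r}"
               for k, v in payload_diff(displayed, to_sign).items()]
    reasons += policy_violations(to_sign, allowed_targets)
    return (not reasons, reasons)


# Constructed sample: the signer saw a plain ERC-20 transfer (CALL to the token
# contract; 0xa9059cbb is the transfer(address,uint256) selector), while the
# payload that reached the signing step is a DELEGATECALL to an unknown contract.
TOKEN = "0x" + "aa" * 20                # constructed token contract address
ATTACKER_CONTRACT = "0x" + "bb" * 20    # constructed placeholder, not a real address
DISPLAYED_TX = {"to": TOKEN, "value": 0, "data": "0xa9059cbb" + "00" * 64, "operation": 0, "nonce": 42}
TAMPERED_TX = {"to": ATTACKER_CONTRACT, "value": 0, "data": "0x" + "00" * 64, "operation": 1, "nonce": 42}

if __name__ == "__main__":
    for label, candidate in (("tampered", TAMPERED_TX), ("genuine", DISPLAYED_TX)):
        ok, why = should_sign(DISPLAYED_TX, candidate, {TOKEN})
        print(f"{label}: {'SIGN' if ok else 'REFUSE'}")
        for r in why:
            print("  -", r)
```

The important design point is where `displayed` comes from: if both inputs are taken from the same web front end, a compromised front end (as in this incident) can make them agree. The displayed side has to be what the signer independently verified, for example the fields shown on a hardware signing device, and the policy rules must run on a path the web UI cannot edit.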

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Mar 2025 16:50:17 +0000


Cyber News related to Bybit Hack - Sophisticated Multi-Stage Attack Details Revealed

Lazarus hacked Bybit via breached Safe{Wallet} developer machine - While investigating the attack, crypto fraud investigator ZachXBT discovered links between the Bybit hackers and the infamous North Korean Lazarus threat group after the attackers sent some of the stolen Bybit funds to an Ethereum address previously ...
3 months ago Bleepingcomputer.com Lazarus Group
North Korean hackers linked to $1.5 billion ByBit crypto heist - Since the attack, crypto fraud investigator ZachXBT has discovered links between the Bybit hackers and the infamous North Korean Lazarus threat group after the attackers sent stolen Bybit funds to an Ethereum address previously ...
3 months ago Bleepingcomputer.com Lazarus Group
FBI confirms Lazarus hackers were behind $1.5B Bybit crypto heist - Since the incident, crypto fraud investigator ZachXBT discovered multiple links to the infamous North Korean threat group after the attackers sent some of the stolen Bybit funds to an Ethereum address used in the Phemex, BingX, and Poloniex hacks ...
3 months ago Bleepingcomputer.com APT3 APT38 Lazarus Group
Hacker steals over $1.46 billion of crypto from Bybit ETH cold wallet - "Please rest assured that all other cold wallets are secure. I will keep you guys posted as more develops, If any team can help us to track the stolen fund will be appreciated," Bybit's CEO added. Bybit says all other cold wallets are fully ...
3 months ago Bleepingcomputer.com
Hacker steals record $1.46 billion from Bybit ETH cold wallet - "Please rest assured that all other cold wallets are secure. I will keep you guys posted as more develops, If any team can help us to track the stolen fund will be appreciated," Bybit's CEO added. Bybit says all other cold wallets are fully ...
3 months ago Bleepingcomputer.com
North Koreans finish initial laundering stage after more than $1 billion stolen from Bybit | The Record from Recorded Future News - TRM Labs has tracked previous thefts by North Korean actors and found a similar playbook, where the hackers use DeFi platforms to convert funds into Bitcoin before using mixers to obfuscate the source of the cryptocurrency. Last week, the FBI ...
2 months ago Therecord.media Lazarus Group
Hackers drained $1.4 billion of cryptocurrency from Bybit exchange, CEO confirms | The Record from Recorded Future News - The cryptocurrency exchange Bybit was hacked for more than $1.4 billion worth of Ethereum on Friday in what cybersecurity experts are calling the largest-ever theft targeting a cryptocurrency platform. Zhou speculated that the source of the ...
3 months ago Therecord.media Lazarus Group
New .NET Multi-stage Loader Attacking Windows Systems to Deploy Malicious Payloads - While earlier variants embedded the second stage as hardcoded strings, newer versions have adopted more sophisticated concealment methods, hiding malicious code within bitmap resources to avoid triggering security alerts. A sophisticated .NET ...
2 weeks ago Cybersecuritynews.com
EncryptHub A Multi-Stage Malware Compromised 600 Organizations - The multi-stage attack begins with the execution of a PowerShell command that downloads the first-stage payload: “powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command “Invoke-RestMethod -Uri ...
2 months ago Cybersecuritynews.com
Hack The Box Launches 5th Annual University CTF Competition - PRESS RELEASE. Hack The Box, the leading gamified cybersecurity upskilling, certification, and talent assessment platform, is announcing its fifth annual global University Capture The Flag competition that will take place from December 8 to 10, 2023. ...
1 year ago Darkreading.com
North Korean Hackers Cash Out $300 Million From $1.46 Billion ByBit Crypto Heist - Lazarus Group hackers believed to be affiliated with North Korea’s regime have successfully laundered at least $300 million from their unprecedented $1.5 billion cryptocurrency heist targeting the ByBit exchange. Elliptic’s analysis ...
2 months ago Cybersecuritynews.com Lazarus Group
German operation shuts down crypto mixer eXch, seizes millions in assets | The Record from Recorded Future News - On April 30, the internet crime branch of Frankfurt’s Public Prosecutor’s Office, along with Germany’s Federal Criminal Police Office (BKA), shut down the platform, which is believed to have been used to launder much of the funds stolen in the ...
3 weeks ago Therecord.media Lazarus Group
Congressman Coming for Answers After No-Fly List Hack - U.S. Congressman Bennie Thompson is demanding answers from airlines and the federal government after a "massive hack" of the no-fly list. The congressman sent a letter to the airlines and the Department of Homeland Security asking for an explanation ...
2 years ago Therecord.media
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
7 months ago Aws.amazon.com
Nebulous Mantis Hackers Actively Deploying RomCom RAT to Attack Organizations Worldwide - The campaign employs deceptive spear-phishing tactics coupled with multi-stage malware deployment to establish persistent access to victim networks, exfiltrate sensitive data, and potentially enable lateral movement within compromised ...
4 weeks ago Cybersecuritynews.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
Researchers Uncovered Hacking Tools and Techniques Discussed on Russian-Speaking Hacking Forums - Trend Micro researchers noted that these Russian-speaking forums operate with a unique hierarchical structure where established members provide mentorship and technical guidance to newcomers, creating a self-perpetuating ecosystem of cybercriminal ...
1 month ago Cybersecuritynews.com
Agent Tesla Malware Employs Multi-Stage Attacks Using PowerShell Scripts - Security researchers have identified a sophisticated malware campaign utilizing Agent Tesla variants delivered through elaborate multi-stage attack sequences. Broadcom researchers noted that these Agent Tesla variants employ particularly ...
1 month ago Cybersecuritynews.com
Konni RAT Exploits Windows Explorer To Launch a Multi-Stage Attack in Windows - The updated Konni variant specifically targets vulnerabilities in Windows Explorer’s file handling processes, enabling the malware to establish persistence and execute malicious code without triggering traditional security alerts. Organizations ...
2 months ago Cybersecuritynews.com
State-Sponsored Hacktivism Attacks on The Rise, Rewrites Cyber Threat Landscape - Cyber Security News - “What makes this campaign particularly concerning is how it combines living-off-the-land techniques with sophisticated custom code designed to operate with minimal detection footprint,” explained Maria Sanchez, Principal Threat Researcher ...
4 weeks ago Cybersecuritynews.com
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
2 years ago Trendmicro.com
macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks - North Korean advanced persistent threat groups are mixing and matching components of two recently unleashed types of Mac-targeted malware to evade detection and fly under the radar as they continue their efforts to conduct operations at the behest of ...
1 year ago Darkreading.com
Fake Captcha Malware Attacking Windows Users To execute PowerShell Commands - A sophisticated malware campaign is targeting Windows users through deceptive CAPTCHA verification prompts that trick victims into executing malicious PowerShell scripts. Security experts recommend implementing robust security awareness training and ...
2 months ago Cybersecuritynews.com
New Web Skimming Attack Uses Legacy Stripe API to Validate Stolen Card Details - In a report shared with Cyber Security News, Jscrambler researchers highlighted that the attack operates through a multi-stage process designed to evade detection while harvesting payment information. Second, since security researchers often use ...
1 month ago Cybersecuritynews.com