Forensic investigators have found that North Korean Lazarus hackers stole $1.5 billion from Bybit after hacking a developer's device at the multisig wallet platform Safe{Wallet}. As BleepingComputer reported, the North Korean hackers intercepted a planned transfer of funds from one of Bybit's cold wallets into a hot wallet.

"On February 21, 2025, at approximately 12:30 PM UTC, Bybit detected unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a routine transfer process. The transfer was part of a scheduled move of ETH from our ETH Multisig Cold Wallet to our Hot Wallet," Bybit shared in a post-mortem published on Friday. "Unfortunately, the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet."

Bybit CEO Ben Zhou shared the conclusions of two investigations by Sygnia and Verichains, which both found that the attack originated from Safe{Wallet}'s infrastructure. Sygnia also said that no evidence of compromise was discovered during a forensic investigation of Bybit's infrastructure following the attack.

"The benign JavaScript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit," Verichains said. "Based on the investigation results from the machines of Bybit's Signers and the cached malicious JavaScript payload found on the Wayback Archive, we strongly conclude that AWS S3 or CloudFront account/API Key of Safe.

Their conclusions were also confirmed today by the Safe Ecosystem Foundation in a statement revealing that the attack was conducted by first hacking into a Safe{Wallet} developer machine, which provided the threat actors with access to an account operated by Bybit. "The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted to the Bybit Safe was achieved through a compromised Safe{Wallet} developer machine resulting in the proposal of a disguised malicious transaction," Safe said. While a forensic review by external security researchers found no vulnerabilities in the Safe smart contracts or the source code of its frontend and services, Safe advises users to remain vigilant and "exercise extreme caution" when signing transactions. Since the incident, the Safe{Wallet} team has restored Safe{Wallet} on the Ethereum mainnet with a phased rollout that temporarily removed the native Ledger integration, the signing device/method used in the Bybit crypto heist.

While investigating the attack, crypto fraud investigator ZachXBT discovered links between the Bybit hackers and the infamous North Korean Lazarus threat group after the attackers sent some of the stolen Bybit funds to an Ethereum address previously used in the Phemex, BingX, and Poloniex hacks. ZachXBT's findings were also confirmed by blockchain intelligence company TRM Labs and blockchain analysis firm Elliptic, who found "substantial overlaps observed between addresses controlled by the Bybit hackers and those linked to prior North Korean thefts" and shared more info on the hackers' attempts to slow down tracing attempts.
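The post-mortem describes a "disguised malicious transaction" whose signing interface was masked by tampered frontend JavaScript. The defensive lesson is that signers should not rely on what a web frontend renders; the proposed transaction fields should be checked independently against the transfer the operators actually agreed on. The script below is an added illustration of such a pre-signing intent check and is not code from Bybit, Safe{Wallet}, Sygnia or Verichains. The `ProposedTx` field names, the allowlist, the addresses and both sample proposals are constructed for the example; only the Safe `operation` encoding (0 = CALL, 1 = DELEGATECALL) is a real convention.

```python
from dataclasses import dataclass

# Safe "operation" field values: 0 = CALL, 1 = DELEGATECALL.
CALL = 0
DELEGATECALL = 1


@dataclass(frozen=True)
class ProposedTx:
    """Transaction fields as a wallet frontend proposes them (hypothetical field names)."""
    to: str
    value_wei: int
    data: bytes
    operation: int


@dataclass(frozen=True)
class TransferIntent:
    """The plain ETH transfer the operators agreed on out-of-band (e.g. in a signed runbook)."""
    to: str
    value_wei: int


def check_against_intent(tx: ProposedTx, intent: TransferIntent, allowlist: set[str]) -> list[str]:
    """Return the reasons NOT to sign; an empty list means the proposal matches the intent.

    The check deliberately ignores anything the frontend displays and looks only at the
    raw fields that will be hashed and signed.
    """
    problems: list[str] = []
    to = tx.to.lower()
    if to != intent.to.lower():
        problems.append(f"destination {tx.to} differs from intended {intent.to}")
    if to not in {a.lower() for a in allowlist}:
        problems.append(f"destination {tx.to} is not on the hot-wallet allowlist")
    if tx.value_wei != intent.value_wei:
        problems.append(f"value {tx.value_wei} wei differs from intended {intent.value_wei} wei")
    if tx.data:
        # A plain ETH transfer needs no calldata; any payload here is a red flag.
        problems.append(f"plain ETH transfer must carry no calldata, got {len(tx.data)} bytes")
    if tx.operation != CALL:
        # DELEGATECALL lets the target code run in the wallet's own context; never needed for a transfer.
        problems.append(f"operation {tx.operation} is not CALL; a transfer never needs DELEGATECALL")
    return problems


# Constructed sample data: a placeholder hot-wallet address and a 10 ETH intent.
HOT_WALLET = "0x1111111111111111111111111111111111111111"
ALLOWLIST = {HOT_WALLET}
INTENT = TransferIntent(to=HOT_WALLET, value_wei=10 * 10**18)


def honest_proposal() -> ProposedTx:
    """A proposal that matches the agreed transfer exactly."""
    return ProposedTx(to=HOT_WALLET, value_wei=10 * 10**18, data=b"", operation=CALL)


def disguised_proposal() -> ProposedTx:
    """Constructed example of a proposal a masked UI could make look like the honest one:
    same destination and value, but with extra calldata and DELEGATECALL set."""
    return ProposedTx(to=HOT_WALLET, value_wei=10 * 10**18, data=b"\x00" * 36, operation=DELEGATECALL)


def wrong_destination_proposal() -> ProposedTx:
    """A proposal whose destination was swapped for an unknown address."""
    return ProposedTx(to="0x2222222222222222222222222222222222222222",
                      value_wei=10 * 10**18, data=b"", operation=CALL)


if __name__ == "__main__":
    for name, proposal in [("honest", honest_proposal()),
                           ("disguised", disguised_proposal()),
                           ("wrong destination", wrong_destination_proposal())]:
        verdict = check_against_intent(proposal, INTENT, ALLOWLIST)
        print(f"{name}: {'OK to sign' if not verdict else 'REFUSE: ' + '; '.join(verdict)}")
```

The check is meant to run on a machine and code path that the wallet frontend cannot influence (for instance a signer-side script fed from the raw proposal JSON), and to be combined with reading the destination, value, calldata and operation off the hardware signer's own screen rather than the browser.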
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Feb 2025 17:00:31 +0000