Bybit Hack – Sophisticated Multi-Stage Attack Details Revealed


Mar 18, 2025 - 18:52

Cryptocurrency exchange Bybit detected unauthorized activity involving its Ethereum cold wallets, leading to a major security breach.

The incident occurred during an ETH multisig transaction facilitated through Safe{Wallet}, when attackers intervened and manipulated the transaction, ultimately siphoning over 400,000 ETH from the exchange’s cold storage.

The attack demonstrated unprecedented sophistication across multiple security domains, including macOS malware deployment, AWS cloud infrastructure compromise, and smart contract manipulation.

The FBI has attributed the attack to ‘TradeTraitor’, also known as the Lazarus group, a threat actor linked to North Korea and responsible for numerous previous cryptocurrency heists.

Sygnia researchers identified that the earliest malicious activity began on February 4, 2025, when a Safe{Wallet} developer’s macOS workstation was compromised through social engineering.

The developer downloaded a suspicious Docker project named “MC-Based-Stock-Invest-Simulator-main” that initiated communications with a malicious domain.

Between February 5 and February 17, the attackers operated within Safe{Wallet}’s AWS infrastructure after stealing AWS credentials from the compromised developer workstation.

The attackers leveraged ExpressVPN IP addresses and aligned their activity with the developer’s working hours to avoid detection.

On February 19, the attackers modified JavaScript resources hosted on Safe{Wallet}’s AWS S3 bucket.

Malicious JavaScript code (Source – Sygnia)

These modifications injected malicious code designed to manipulate transactions specifically from Bybit’s cold wallet address.

Technical Execution

The technical execution involved replacing legitimate transaction payloads with delegate calls to a pre-deployed malicious smart contract.

This delegate call mechanism allowed the attackers to replace the wallet’s implementation with a malicious version containing “sweepETH” and “sweepERC20” functions.

These functions enabled the transfer of funds without requiring the standard multisig approval process.

The malicious code contained an activation condition targeting specific contract addresses, along with transaction validation tampering designed to bypass security checks.
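The defence against the mechanism described above is a signer-side policy check that does not trust the web front end: before a key touches a Safe{Wallet} request, verify the raw payload independently. The following Python block is an added example for this article, not code from Sygnia, Safe, Bybit or Anchain. It assumes the request is represented as a dict with the Safe transaction fields (`to`, `value`, `data`, `operation`, where Safe encodes `0` as CALL and `1` as DELEGATECALL) alongside the summary the UI rendered for the human reviewer; the addresses and calldata are constructed placeholders.

```python
"""Pre-signing policy check for a Safe{Wallet} multisig transaction request.

Added example for this article; not Sygnia's, Safe's or Bybit's code.
Assumed input: a dict shaped like a Safe transaction proposal (to, value, data,
operation) plus the summary the signing UI rendered for the human reviewer.
Safe encodes operation 0 as CALL and 1 as DELEGATECALL.
"""

CALL = 0
DELEGATECALL = 1


def check_safe_tx(proposed: dict, rendered: dict, allowed_targets: set) -> list:
    """Return a list of findings; an empty list means the request passes policy."""
    findings = []
    to = str(proposed.get("to", "")).lower()
    op = proposed.get("operation")

    # 1. DELEGATECALL runs the target's code inside the Safe's own storage,
    #    which is how an implementation pointer can be overwritten. A plain
    #    transfer or token call never needs it, so it is rejected outright.
    if op == DELEGATECALL:
        findings.append("operation is DELEGATECALL; a plain transfer never needs this")
    elif op != CALL:
        findings.append(f"unknown operation value {op!r}")

    # 2. The destination must be an address the signer has pre-approved
    #    out of band, not one supplied by the web interface.
    if to not in {a.lower() for a in allowed_targets}:
        findings.append(f"destination {to} is not on the signer allowlist")

    # 3. What the UI displayed must match what is actually being signed.
    #    The tampered front end showed a benign transfer while submitting
    #    a different payload, so every field is compared, not just 'to'.
    for field in ("to", "value", "data", "operation"):
        shown, actual = rendered.get(field), proposed.get(field)
        if isinstance(shown, str) and isinstance(actual, str):
            shown, actual = shown.lower(), actual.lower()
        if shown != actual:
            findings.append(
                f"rendered {field}={shown!r} differs from payload {field}={actual!r}"
            )
    return findings


# Constructed sample values; the addresses are placeholders, not real ones.
ALLOWED = {"0x00000000000000000000000000000000000000aa"}  # hypothetical hot wallet

BENIGN = {"to": "0x00000000000000000000000000000000000000aa",
          "value": "30000000000000000000", "data": "0x", "operation": CALL}

# A request of the shape the article describes: the UI still renders the
# benign transfer, but the payload is a delegatecall to an unapproved contract.
TAMPERED = {"to": "0x00000000000000000000000000000000000000ee",
            "value": "0", "data": "0xdeadbeef", "operation": DELEGATECALL}


if __name__ == "__main__":
    print(check_safe_tx(BENIGN, BENIGN, ALLOWED))  # []
    for finding in check_safe_tx(TAMPERED, BENIGN, ALLOWED):
        print("REJECT:", finding)
```

The check is deliberately redundant: the allowlist alone would have stopped the tampered request, but comparing every rendered field against the raw payload is what catches a compromised front end that shows one transaction and signs another, and it works regardless of which specific contract the attacker chose. In practice the `rendered` values should be transcribed from the hardware wallet screen or a second, independently hosted interface, never taken from the same web page that produced the payload.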

Anchain’s reverse engineering of the Bybit exploit bytecode (Source – Sygnia)

Anchain’s reverse engineering of the exploit bytecode revealed four malicious smart contract functions implemented by the attackers.

Just two minutes after executing the heist, the attackers removed the malicious JavaScript code from Safe{Wallet}’s web interface, attempting to cover their tracks.

The Bybit case has set a new benchmark for forensic transparency, as the detailed disclosure of the investigation findings allows the industry to develop more effective defenses against similar attacks in the future.


The post Bybit Hack – Sophisticated Multi-Stage Attack Details Revealed appeared first on Cyber Security News.