Last week’s $1.4 billion cryptocurrency heist was the result of a multi-pronged attack that combined social engineering, stolen AWS session tokens, MFA bypasses, and a seemingly benign JavaScript file.
That’s the conclusion from forensics experts at Mandiant called in to figure out how North Korea’s Lazarus hacking crew was able to compromise ByBit’s Ethereum cold wallet system in the biggest documented cryptocurrency theft ever.
Working alongside the Safe{Wallet} team to piece together the chain of events, Mandiant said the attackers first targeted a developer by posing as a trusted open-source contributor. The developer, one of a few Safe{Wallet} personnel with admin rights, was then tricked into installing a malicious Docker Python project.
As the supply chain compromise unfolded, the investigation found that the Docker project was executed with elevated privileges, paving the way for the hackers to compromise the developer’s workstation.
With access to this machine, the attackers were able to steal AWS session tokens and use those to bypass multi-factor authentication and maintain access to the system for nearly 20 days.
The North Korean cryptocurrency thieves then turned their attention to Bybit’s Ethereum cold wallet system by replacing a harmless JavaScript file with a tampered version designed to manipulate the transaction process.
When the compromised file was activated during a high-value transaction, it redirected funds to addresses controlled by the government-linked North Korean operatives.
“Evidence suggests that this was a highly sophisticated, state-sponsored attack,” Safe{Wallet] said, noting that some technical details of the hack are still hazy because the attacker removed their malware and cleared Bash history in an effort to thwart investigative efforts.
Safe{Wallet] said it has implemented a full infrastructure reset that includes rotating of all credentials, resetting clusters, rotating keys and secrets, provisioning new developer machines, updating builds, and redeploying container images.
The embattled vendor has also restricted external access to the Transaction Service, allowing only internal communication, and added new firewall rules for externally facing services.
The FBI has linked the incident to a North Korean APT it tracks as TraderTraitor, which the agency has been monitoring since 2022 for its attacks on blockchain companies.
“TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains. It is expected these assets will be further laundered and eventually converted to fiat currency,” the FBI said in a statement.
Bybit, which claims to be the world’s second-largest cryptocurrency exchange by trading volume, has launched a bug bounty program in an effort to recover the stolen funds, offering 5% of the recovered amount to the entity that manages to freeze the funds and 5% to those who helped trace the funds.
Related: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge
Related: $1.5 Billion Bybit Heist Linked to North Korean Hackers
Related: Bybit Hack Drains $1.5 Billion From Cryptocurrency Exchange
Related: Windows Zero-Day Attack Linked to North Korea’s Lazarus APT
