Cyber Security News

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by multiple cybersecurity teams, including Sygnia.

This attack exposed significant security vulnerabilities across various domains, including macOS malware, AWS cloud compromise, application security, and smart contract security.

The incident involved unauthorized activity in Bybit’s Ethereum (ETH) cold wallets, where an ETH multisig transaction was manipulated through Safe{Wallet} from a cold wallet to a warm wallet, allowing attackers to siphon funds.

Attack Timeline

The earliest known malicious activity began on February 4, 2025, when a Safe{Wallet} developer’s macOS workstation was compromised, likely through social engineering.

This led to the theft of AWS access tokens, which were used to access Safe{Wallet}’s AWS infrastructure between February 5 and February 21.

Bybit HackBybit Hack
Snippet from Mandiant report shared by Safe{Wallet}

During this period, attackers operated within the infrastructure, although specific details of their activities remain limited.

On February 19, JavaScript resources hosted on an AWS S3 bucket serving Safe{Wallet}’s web interface were modified with malicious code.

According to Sygnia Report, this code was designed to manipulate transactions specifically targeting Bybit’s cold wallet.

On February 21, Bybit initiated a transaction using Safe{Wallet}’s interface, which was manipulated by the attackers, allowing them to transfer over 400,000 ETH without requiring additional multisig approval.

Tactics

The attackers leveraged a delegate call mechanism in smart contracts to replace the original contract implementation with a malicious version.

This introduced sweepETH and sweepERC20 functions, enabling the unauthorized transfer of funds.

Following the transaction, the malicious code was quickly removed from the JavaScript resources, likely in an attempt to cover their tracks.

The attack has been attributed to the Lazarus Group, also known as TradeTraitor or UNC4899, a threat actor linked to the Democratic People’s Republic of Korea (DPRK).

This attribution was confirmed by both the FBI and Mandiant.

The Bybit hack highlights the lack of standardized security standards in the crypto industry, unlike traditional banking, which adheres to strict regulations.

This lack of oversight leaves the industry vulnerable to sophisticated attacks.

The incident also underscores the importance of comprehensive forensic investigations and transparency in disclosing attack vectors to enhance industry-wide defenses against such threats.

The Bybit case sets a precedent for detailed forensic transparency, which is crucial for exposing attackers’ tactics and enhancing industry defenses.

Given the high financial incentives of crypto heists, security teams must remain vigilant and proactive in developing adaptive defenses against evolving threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Critical AWS Amplify Studio Flaw Allowed Attackers to Execute Arbitrary Code

Amazon Web Services (AWS) has addressed a critical security flaw (CVE-2025-4318) in its AWS Amplify Studio platform,…

6 minutes ago

Severe Kibana Flaw Allowed Attackers to Run Arbitrary Code

A newly disclosed security vulnerability in Elastic’s Kibana platform has put thousands of businesses at…

1 hour ago

IT Worker from Computacenter Let Girlfriend Into Deutsche Bank’s Restricted Areas

A former information technology manager has filed a whistleblower lawsuit alleging a major security breach…

2 hours ago

NSO Group Ordered to Pay $168 Million to WhatsApp in US Spyware Verdict

A federal jury in California has ordered Israeli spyware maker NSO Group to pay approximately…

3 hours ago

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

17 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

17 hours ago