Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by multiple cybersecurity teams, including Sygnia.

This attack exposed significant security vulnerabilities across various domains, including macOS malware, AWS cloud compromise, application security, and smart contract security.

The incident involved unauthorized activity in Bybit’s Ethereum (ETH) cold wallets, where an ETH multisig transaction was manipulated through Safe{Wallet} from a cold wallet to a warm wallet, allowing attackers to siphon funds.

Attack Timeline

The earliest known malicious activity began on February 4, 2025, when a Safe{Wallet} developer’s macOS workstation was compromised, likely through social engineering.

This led to the theft of AWS access tokens, which were used to access Safe{Wallet}’s AWS infrastructure between February 5 and February 21.

During this period, attackers operated within the infrastructure, although specific details of their activities remain limited.

On February 19, JavaScript resources hosted on an AWS S3 bucket serving Safe{Wallet}’s web interface were modified with malicious code.

According to Sygnia Report, this code was designed to manipulate transactions specifically targeting Bybit’s cold wallet.

On February 21, Bybit initiated a transaction using Safe{Wallet}’s interface, which was manipulated by the attackers, allowing them to transfer over 400,000 ETH without requiring additional multisig approval.

Tactics

The attackers leveraged a delegate call mechanism in smart contracts to replace the original contract implementation with a malicious version.

This introduced sweepETH and sweepERC20 functions, enabling the unauthorized transfer of funds.

Following the transaction, the malicious code was quickly removed from the JavaScript resources, likely in an attempt to cover their tracks.

The attack has been attributed to the Lazarus Group, also known as TradeTraitor or UNC4899, a threat actor linked to the Democratic People’s Republic of Korea (DPRK).

This attribution was confirmed by both the FBI and Mandiant.

The Bybit hack highlights the lack of standardized security standards in the crypto industry, unlike traditional banking, which adheres to strict regulations.

This lack of oversight leaves the industry vulnerable to sophisticated attacks.

The incident also underscores the importance of comprehensive forensic investigations and transparency in disclosing attack vectors to enhance industry-wide defenses against such threats.

The Bybit case sets a precedent for detailed forensic transparency, which is crucial for exposing attackers’ tactics and enhancing industry defenses.

Given the high financial incentives of crypto heists, security teams must remain vigilant and proactive in developing adaptive defenses against evolving threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.