Security researchers at Elastic have recreated the intricate details of the February 21, 2025, ByBit cryptocurrency heist, in which approximately 400,000 ETH, valued at over a billion dollars, was stolen.
Attributed to North Korea’s elite cyber unit, TraderTraitor, this attack exploited a trusted vendor relationship with Safe{Wallet}, a multisig wallet platform, turning a routine transaction into one of the largest crypto thefts in history.
By simulating the attack from initial access to cloud exploitation, the team not only dissected the tactics of the Democratic People’s Republic of Korea (DPRK) but also tested robust detection and prevention strategies using Elastic’s security solutions.
The simulation began with the compromise of a developer’s macOS workstation through social engineering, mirroring the real-world incident on February 4, 2025.
From macOS Compromise to AWS Intrusion: A Step-by-Step Replay
Researchers emulated the execution of a malicious Python application, likely delivered via platforms like Telegram or Discord, which exploited a remote code execution (RCE) vulnerability in the PyYAML library via unsafe deserialization.
This led to the deployment of a second-stage loader and the MythicC2 Poseidon agent, a stealthy Golang payload, enabling attackers to harvest AWS session tokens from the developer's environment.
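The PyYAML weakness described above comes down to which loader parses untrusted input. The block below is an added illustration, not code from Elastic's emulation or from the malicious application: it places the vulnerable loader beside the hardened one on a constructed document. It assumes PyYAML 5.1 or later (where `yaml.UnsafeLoader` exists) and uses a harmless builtin, `len`, purely as a marker for "arbitrary Python object resolved from YAML".

```python
"""Added example: PyYAML unsafe deserialization, vulnerable loader beside the
hardened one. Constructed input; not code from the article's emulation."""
import yaml

# Constructed config document. The last key carries a Python-specific tag;
# a loader that honours such tags imports and returns arbitrary objects.
TAGGED_DOC = """
app: trader-bot
interval: 30
callback: !!python/name:builtins.len
"""

PLAIN_DOC = """
app: trader-bot
interval: 30
"""


def load_unsafe(text: str) -> dict:
    """Vulnerable pattern: yaml.load with UnsafeLoader (the pre-5.1 default).
    The !!python/name tag is resolved to a live Python object."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_hardened(text: str) -> dict:
    """Hardened pattern: safe_load builds only plain YAML types and refuses
    every !!python/... tag with a ConstructorError."""
    return yaml.safe_load(text)


def classify(text: str) -> str:
    """Pre-flight check for a config path: 'ok' if safe_load accepts the
    document, 'rejected' if it contains tags the safe constructor will not build."""
    try:
        yaml.safe_load(text)
        return "ok"
    except yaml.YAMLError:
        return "rejected"


if __name__ == "__main__":
    print("unsafe loader resolved callback to:", load_unsafe(TAGGED_DOC)["callback"])
    print("safe loader verdict on tagged doc:", classify(TAGGED_DOC))
    print("safe loader verdict on plain doc:", classify(PLAIN_DOC))
```

The check worth carrying into a code review is the loader name: any `yaml.load` call without `Loader=yaml.SafeLoader` (or any `safe_load` replaced by `load`) in a path that reads files, network responses or chat-delivered attachments is the pattern to flag.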

These temporary credentials, often cached in ~/.aws files or environment variables, provided a gateway to Safe{Wallet}’s AWS infrastructure within 24 hours.
The emulation meticulously replicated reconnaissance activities between February 5 and 17, including enumeration of S3 buckets, culminating in the discovery of a statically hosted Next.js application at app.safe.global.
By tampering with the frontend JavaScript on February 19, attackers injected malicious code to redirect ByBit transactions to DPRK-controlled wallets, a tactic validated in Elastic’s controlled environment by modifying transaction logic within a test app.
The AWS phase of the simulation underscored the attackers' precision. Using stolen session tokens, they attempted persistence by registering a virtual MFA device (an effort thwarted by AWS safeguards) and focused on overwriting S3-hosted JavaScript bundles to manipulate transactions.
Elastic’s researchers recreated this by syncing bucket contents, reverse-engineering the application, and injecting conditional logic to alter wallet addresses, demonstrating the ease of frontend tampering without integrity controls like Subresource Integrity (SRI) or S3 Object Lock.
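Subresource Integrity, one of the two controls named above, is a digest pinned in the HTML that loads a script; the browser refuses a bundle whose bytes no longer match. The block below is an added example, not Elastic's or Safe{Wallet}'s code: it computes SRI tokens for a constructed stand-in bundle, performs the browser-side check, and adds a bucket-side audit that compares deployed objects against digests recorded at deploy time. Object keys and bundle contents are constructed placeholders.

```python
"""Added example, not Elastic's or Safe{Wallet}'s code: computing and
checking Subresource Integrity (SRI) digests for a static JavaScript bundle,
plus a bucket-side audit that compares deployed objects against pinned digests."""
import base64
import hashlib
import hmac

# Constructed stand-in for a built frontend chunk and a tampered copy of it.
ORIGINAL_BUNDLE = b"export function buildTx(to, amount) { return { to, amount }; }\n"
TAMPERED_BUNDLE = ORIGINAL_BUNDLE + b"/* appended by an unauthorised overwrite */\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(bundle: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('sha384-<base64 digest>') for a bundle."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, bundle).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, bundle: bytes) -> str:
    """Emit the <script> tag an HTML page would pin the bundle with."""
    return (f'<script src="{src}" integrity="{sri_hash(bundle)}" '
            f'crossorigin="anonymous"></script>')


def verify_bundle(bundle: bytes, integrity: str) -> bool:
    """Browser-style check: the bundle matches at least one pinned token
    (the integrity attribute may list several, space-separated)."""
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in SRI_ALGOS and hmac.compare_digest(
                sri_hash(bundle, algo).encode("ascii"), token.encode("utf-8")):
            return True
    return False


def audit_objects(pinned: dict, deployed: dict) -> list:
    """Server-side counterpart: list keys whose deployed bytes no longer match
    the digest recorded at deploy time, or that have no recorded digest at all."""
    tampered = []
    for key, body in sorted(deployed.items()):
        token = pinned.get(key)
        if token is None or not verify_bundle(body, token):
            tampered.append(key)
    return tampered


if __name__ == "__main__":
    print(script_tag("/_next/static/chunks/main.js", ORIGINAL_BUNDLE))
    pinned = {"_next/static/chunks/main.js": sri_hash(ORIGINAL_BUNDLE)}
    print(audit_objects(pinned, {"_next/static/chunks/main.js": TAMPERED_BUNDLE}))
```

The caveat a practitioner needs: SRI only protects a bundle when the HTML carrying the `integrity` attribute is not writable with the same credentials. When the index page sits in the same bucket as the chunks, a single PutObject permission rewrites both, which is why the page pairs SRI with S3 Object Lock and why the audit above should run from a pinned manifest stored outside the bucket.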

The exercise also highlighted detection opportunities, with Elastic’s SIEM rules identifying suspicious activities such as Python script self-deletion, sensitive file access, and unusual S3 uploads via CloudTrail logs.
According to the report, Elastic's Attack Discovery feature further correlated endpoint and cloud events into a cohesive narrative, showcasing how defenders can accelerate response times.
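Two of the cloud-stage behaviours described above, the virtual MFA registration attempt with temporary credentials and the overwrite of S3-hosted JavaScript bundles, leave distinct CloudTrail records. The block below is an added example and not Elastic's SIEM rules: it runs two checks over constructed CloudTrail-shaped records. The bucket name, role ARNs, account id and IP ranges are placeholders for an assumed environment policy, and the records are trimmed to the fields the checks read.

```python
"""Added example, not Elastic's detection rules: two CloudTrail checks for
the cloud-stage behaviours the article describes, run over constructed records."""
import ipaddress
import json

# Hypothetical environment policy (placeholder names and addresses).
SITE_BUCKET = "example-frontend-bucket"
DEPLOY_PRINCIPAL = "arn:aws:sts::123456789012:assumed-role/CiDeployRole/pipeline"
DEPLOY_CIDR = ipaddress.ip_network("198.51.100.0/24")
MFA_REGISTRATION_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}
DEV_SESSION = "arn:aws:sts::123456789012:assumed-role/DevRole/dev-laptop"

# Constructed CloudTrail-shaped records, trimmed to the fields used below.
TRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2025-02-19T14:01:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": DEV_SESSION},
     "requestParameters": {"bucketName": SITE_BUCKET,
                           "key": "_next/static/chunks/main.js"}},
    {"eventTime": "2025-02-19T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": DEPLOY_PRINCIPAL},
     "requestParameters": {"bucketName": SITE_BUCKET,
                           "key": "_next/static/chunks/main.js"}},
    {"eventTime": "2025-02-06T02:11:45Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateVirtualMFADevice", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": DEV_SESSION},
     "requestParameters": {"virtualMFADeviceName": "dev-laptop"}},
    {"eventTime": "2025-02-06T02:10:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": DEV_SESSION}},
]})


def parse_trail(text: str) -> list:
    """CloudTrail log files wrap records in {"Records": [...]}."""
    return json.loads(text)["Records"]


def _from_deploy_network(record: dict) -> bool:
    try:
        return ipaddress.ip_address(record.get("sourceIPAddress", "")) in DEPLOY_CIDR
    except ValueError:  # AWS service principals appear as hostnames in this field
        return False


def detect(records: list) -> list:
    """Return one finding per record that matches either check."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        params = r.get("requestParameters") or {}
        # Check 1: a JavaScript object in the static-site bucket written by
        # anything other than the deploy role from the deploy network.
        if (r.get("eventName") == "PutObject"
                and params.get("bucketName") == SITE_BUCKET
                and params.get("key", "").endswith(".js")
                and not (ident.get("arn") == DEPLOY_PRINCIPAL and _from_deploy_network(r))):
            findings.append({"eventTime": r["eventTime"], "eventName": "PutObject",
                             "principal": ident.get("arn"),
                             "reason": f"frontend bundle {params['key']} "
                                       "overwritten outside the deploy pipeline"})
        # Check 2: MFA device registration attempted with temporary credentials.
        # A denied attempt still deserves an alert, as in the emulated intrusion.
        if (r.get("eventName") in MFA_REGISTRATION_EVENTS
                and ident.get("type") == "AssumedRole"):
            outcome = "denied" if r.get("errorCode") else "succeeded"
            findings.append({"eventTime": r["eventTime"], "eventName": r["eventName"],
                             "principal": ident.get("arn"),
                             "reason": f"MFA device registration by temporary "
                                       f"credentials ({outcome})"})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_trail(TRAIL_JSON)):
        print(finding["eventTime"], finding["eventName"], finding["reason"])
```

Both checks key on the `userIdentity.type == "AssumedRole"` session rather than on a user name, because the stolen material in this intrusion was a session token, not a long-lived key; the benign CI write passes only when principal and source network both match, so a leaked CI role token used from elsewhere is still flagged.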
This emulation, rooted in detailed reports from Sygnia, Mandiant, SlowMist, and Unit42, offers a rare glimpse into nation-state cyber tactics targeting the crypto ecosystem.
DPRK’s strategy of supply chain attacks and social engineering, responsible for over $6 billion in thefts since 2017, was laid bare through this hands-on approach.
Beyond technical insights, it emphasized the need for robust defenses, namely user awareness training, short-lived session tokens via AWS SSO, and immutable S3 configurations, to thwart such sophisticated intrusions.
Elastic’s platform proved instrumental in detecting and mitigating each attack stage, reinforcing the importance of unified endpoint and cloud visibility in combating advanced persistent threats like TraderTraitor.