Type: Incident
Actors: Lazarus Group, TraderTraitor
Pub. date: February 26, 2025
Initial access: End-user compromise
Impact: Supply chain attack, Denial of wallet
Observed techniques: Reverse DNS manipulation
Targeted technologies: Safe{wallet}
References:
- https://x.com/benbybit/status/1894768736084885929
- https://www.validin.com/blog/bybit_hack_infrastructure_hunt/
- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/
Status: Finalized
Last edited: Mar 24, 2025 8:05 AM
On February 21, 2025, Safe{Wallet} suffered a state-sponsored attack, attributed to TraderTraitor (UNC4899), a DPRK-affiliated group. The attackers compromised a developer’s laptop, hijacked AWS session tokens, and bypassed MFA to gain unauthorized access to Safe{Wallet} servers. They attempted to erase traces of their activity by clearing Bash history and removing malware. While Safe’s smart contracts remained unaffected, the attackers exploited cloud access vulnerabilities to manipulate transactions.