Type: Incident
Pub. date: February 26, 2025
Initial access: End-user compromise
Impact: Supply chain attack, Denial of wallet
Observed techniques:
Targeted technologies:
References:
Status: Finalized
Last edited: Mar 24, 2025 8:05 AM

On February 21, 2025, Safe{Wallet} suffered a state-sponsored attack, attributed to TraderTraitor (UNC4899), a DPRK-affiliated group. The attackers compromised a developer’s laptop, hijacked AWS session tokens, and bypassed MFA to gain unauthorized access to Safe{Wallet} servers. They attempted to erase traces of their activity by clearing Bash history and removing malware. While Safe’s smart contracts remained unaffected, the attackers exploited cloud access vulnerabilities to manipulate transactions.