ByBit hack

Type

Incident

Actors

⚰️Lazarus Group 💰TraderTraitor

Pub. date

February 26, 2025

Initial access

End-user compromise

Impact

Supply chain attackDenial of wallet

Observed techniques

Reverse DNS manipulation

Targeted technologies

Safe{wallet}

References

https://x.com/benbybit/status/1894768736084885929https://www.validin.com/blog/bybit_hack_infrastructure_hunt/https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/

Status

Finalized

Last edited

Mar 24, 2025 8:05 AM

On February 21, 2025, Safe{Wallet} suffered a state-sponsored attack, attributed to TraderTraitor (UNC4899), a DPRK-affiliated group. The attackers compromised a developer’s laptop, hijacked AWS session tokens, and bypassed MFA to gain unauthorized access to Safe{Wallet} servers. They attempted to erase traces of their activity by clearing Bash history and removing malware. While Safe’s smart contracts remained unaffected, the attackers exploited cloud access vulnerabilities to manipulate transactions.