Safe published a preliminary report on Mar. 6 attributing the breach that led to the Bybit hack to a compromised developer laptop. The vulnerability resulted in the injection of malware, which allowed the hack.
The perpetrators circumvented multi-factor authentication (MFA) by exploiting active Amazon Web Services (AWS) tokens, enabling unauthorized access.
This allowed hackers to modify Bybit’s Safe multi-signature wallet interface, changing the address to which the exchange was supposed to send roughly $1.5 billion worth of Ethereum (ETH), resulting in the largest hack in history.
Compromise of developer workstation
The breach originated from a compromised macOS workstation belonging to a Safe developer, referred to in the report as “Developer1.”
On Feb. 4, a contaminated Docker project communicated with a malicious domain named “getstockprice[.]com,” suggesting social engineering tactics. Developer 1 added files from the compromised Docker project, compromising their laptop.
The domain was registered via Namecheap on Feb. 2. SlowMist later identified getstockprice[.]info, a domain registered on Jan. 7, as a known indicator of compromise (IOC) attributed to the Democratic People’s Republic of Korea (DPRK).
Attackers accessed Developer 1’s AWS account using a User-Agent string titled “distrib#kali.2024.” Cybersecurity firm Mandiant, tracking UNC4899, noted that this identifier corresponds to Kali Linux usage, a toolset commonly used by offensive security practitioners.
Additionally, the report revealed that the attackers used ExpressVPN to mask their origins while conducting operations. It also highlighted that the attack resembles previous incidents involving UNC4899, a threat actor associated with TraderTraitor, a criminal collective allegedly tied to DPRK.
In a prior case from September 2024, UNC4899 leveraged Telegram to manipulate a crypto exchange developer into troubleshooting a Docker project, deploying PLOTTWIST, a second-stage macOS malware that enabled persistent access.
Exploitation of AWS security controls
Safe’s AWS configuration required MFA re-authentication for Security Token Service (STS) sessions every 12 hours. Attackers attempted but failed to register their own MFA device.
To bypass this restriction, they hijacked active AWS user session tokens through malware planted on Developer1’s workstation. This allowed unauthorized access while AWS sessions remained active.
Mandiant identified three additional UNC4899-linked domains used in the Safe attack. These domains, also registered via Namecheap, appeared in AWS network logs and Developer1’s workstation logs, indicating broader infrastructure exploitation.
Safe said it has implemented significant security reinforcements following the breach. The team has restructured infrastructure and bolstered security far beyond pre-incident levels. Despite the attack, Safe’s smart contracts remain unaffected.
Safe’s security program included measures such as restricting privileged infrastructure access to a few developers, enforcing separation between development source code and infrastructure management, and requiring multiple peer reviews before production changes.
Moreover, Safe vowed to maintain monitoring systems to detect external threats, conduct independent security audits, and utilize third-party services to identify malicious transactions.