Safe{Wallet} has disclosed that the breach associated with the Bybit crypto heist, which resulted in a staggering loss of $1.5 billion, was carried out by a highly sophisticated, state-sponsored actor believed to be linked to North Korea. This group took specific measures to eliminate evidence of their activities, thereby complicating ongoing investigations.
The multi-signature platform has enlisted the expertise of Google Cloud Mandiant to undertake a forensic investigation, attributing the attack to a hacking collective known as TraderTraitor. This group is also identified by other names, including Jade Sleet, PUKCHONG, and UNC4899.
According to Safe{Wallet}, the security breach was initiated through compromising a developer’s Apple macOS machine, referred to as ‘Developer1’. The attackers hijacked Amazon Web Services (AWS) session tokens to circumvent multi-factor authentication protocols, capitalizing on the elevated access privileges of the developer responsible for maintaining the system.
The breach occurred on February 4, 2025, when the individual unknowingly downloaded a Docker project labeled “MC-Based-Stock-Invest-Simulator-main.” This was likely the result of a social engineering scheme, and the project connected to a domain registered just two days earlier. Previous intelligence has suggested that TraderTraitor has lured cryptocurrency exchange developers into assisting them by posing troubleshooting requests via Telegram.
The Docker file was configured to deploy a secondary payload, known as PLOTTWIST, which provided persistent remote access. Notably, Safe{Wallet} reported that the attacker later removed the malware and cleared the Bash history to evade detection.
The installed malware permitted the assailants to conduct reconnaissance within the company’s AWS environment and exploit active user sessions, effectively masquerading their actions as legitimate operations performed by the developer.
Safe{Wallet}’s analysis traced the attacker’s activities back to ExpressVPN IP addresses, utilizing a User-Agent string indicative of Kali Linux, a platform often used by penetration testers. Furthermore, the attackers also leveraged the open-source Mythic framework and introduced malicious JavaScript code to the Safe{Wallet} website for a brief window from February 19 to 21, 2025.
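Detection logic for the session-token hijack described above, as an added example that is not from Safe{Wallet}'s or Mandiant's report: it walks constructed CloudTrail-style records and flags an STS temporary credential (access key beginning `ASIA`) that is later used from a different source IP, or with a different operating system in the user agent, than the host that first used it. The access key id, IP addresses and user-agent strings are constructed placeholders, not indicators from the incident.

```python
from collections import defaultdict

# Constructed sample events (not real logs): the developer's own macOS
# session, then the same temporary credential reused from another IP
# with a Kali Linux user agent, the pattern the article describes.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-05T09:00:00Z", "accessKeyId": "ASIAEXAMPLEKEY0001",
     "sourceIPAddress": "203.0.113.10", "eventName": "ListBuckets",
     "userAgent": "aws-cli/2.15.0 Python/3.11 Darwin/23.2.0 exe/x86_64"},
    {"eventTime": "2025-02-05T09:05:00Z", "accessKeyId": "ASIAEXAMPLEKEY0001",
     "sourceIPAddress": "203.0.113.10", "eventName": "GetObject",
     "userAgent": "aws-cli/2.15.0 Python/3.11 Darwin/23.2.0 exe/x86_64"},
    {"eventTime": "2025-02-05T09:20:00Z", "accessKeyId": "ASIAEXAMPLEKEY0001",
     "sourceIPAddress": "198.51.100.7", "eventName": "DescribeInstances",
     "userAgent": "aws-cli/2.15.0 Python/3.11 Linux/6.6.0-kali1-amd64 exe/x86_64"},
]

def platform_of(user_agent):
    """Coarse OS fingerprint taken from an AWS SDK/CLI user agent string."""
    ua = user_agent.lower()
    if "darwin" in ua:
        return "macos"
    if "kali" in ua:          # checked before the generic Linux match
        return "kali-linux"
    if "linux" in ua:
        return "linux"
    return "unknown"

def find_hijacked_sessions(events):
    """Return {accessKeyId: [reasons]} for temporary credentials whose later
    calls come from a different IP or OS than the host that first used them."""
    first_seen = {}                  # accessKeyId -> (source IP, platform)
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["accessKeyId"]
        if not key.startswith("ASIA"):   # only STS session credentials
            continue
        ip, plat = ev["sourceIPAddress"], platform_of(ev["userAgent"])
        if key not in first_seen:
            first_seen[key] = (ip, plat)  # baseline: first host to use it
            continue
        base_ip, base_plat = first_seen[key]
        if ip != base_ip:
            findings[key].append(f"{ev['eventName']} from new source IP {ip} (baseline {base_ip})")
        if plat != base_plat:
            findings[key].append(f"{ev['eventName']} with {plat} user agent (baseline {base_plat})")
    return dict(findings)
```

A real deployment would read the records from CloudTrail and add the MFA-authenticated flag and the IAM principal to the baseline, since a stolen token carries the developer's identity and MFA status unchanged.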
In a recent update, Bybit’s CEO Ben Zhou revealed that over 77% of the stolen assets remain traceable, while 20% have become unlocatable and about 3% have been successfully frozen. Contributions from collaborating entities, including Mantle, Paraswap, and ZachXBT, were instrumental in this effort, leading to the conversion of a significant amount of the stolen cryptocurrency into Bitcoin, which has since been distributed across nearly 7,000 wallets.
The frequency of cryptocurrency-related heists in 2025 indicates a concerning trend, with losses already reaching an unprecedented $1.6 billion within the first two months. This figure represents an eight-fold increase from the same period last year, based on data from blockchain security platform Immunefi. The incident underscores the evolving threat landscape and the pressing need for enhanced security protocols in the cryptocurrency sphere, particularly in the wake of persistent vulnerabilities.
If the trends continue, Web3 security will undoubtedly require a more robust collective response from stakeholders to address the critical challenges in transaction validation and assurance.