Elastic Recreates DPRK’s $1B ByBit Heist, Reveals Attack Tactics

Researchers Simulate North Korea’s Largest Cryptocurrency Heist via Compromised macOS Developer and AWS Pivoting

  • Security researchers successfully replicated the steps of the 2025 ByBit cryptocurrency theft, highlighting the attacker’s tactics.
  • The heist targeted a trusted vendor, exploiting a software vulnerability and led to the theft of 400,000 ETH, worth over $1 billion.
  • The incident underscores the need for strong user training, rapid incident detection, and tighter cloud and application security controls.

Security experts at Elastic have reconstructed the February 21, 2025, hack against cryptocurrency platform ByBit. In the attack, about 400,000 ETH—valued at over $1 billion—was stolen when Hackers exploited a relationship with multisig wallet service provider Safe{Wallet}.

- Advertisement -

This incident has been linked to north korea’s TraderTraitor cyber unit. The investigation by Elastic shows the breach began through a social engineering attack on a developer’s macOS workstation. Researchers report the initial compromise took place on February 4, 2025, when Malware was delivered, likely using platforms such as Telegram or Discord.

According to Elastic, the hackers used a Python app that leveraged a remote code execution (RCE) flaw in the PyYAML library. Unsafe handling of data allowed attackers to run unauthorized code. This enabled the deployment of a second-stage loader and a MythicC2 Poseidon agent, designed to secretly capture temporary AWS session tokens from the developer’s system.

The attackers then used these AWS credentials to enter Safe{Wallet}’s infrastructure. Over the next two weeks, they conducted reconnaissance. By February 19, the hackers modified JavaScript in the frontend of app.safe.global, redirecting ByBit transactions to wallets they controlled. Researchers demonstrated similar tactics by changing transaction logic in a test environment, confirming that the stolen tokens allowed access to and modification of sensitive S3-hosted files.

Further steps involved attempts to establish continued access through a virtual MFA device, but this was blocked by built-in AWS protections. However, the main attack succeeded by overwriting JavaScript bundles used in the wallet application. The researchers highlighted that this would have been preventable with integrity controls such as Subresource Integrity (SRI) or locking S3 objects for immutability.

Throughout the simulation, Elastic’s security tools detected suspicious signs, including the deletion of Python scripts and irregular uploads to S3, all traceable in AWS’s CloudTrail logs. The complete report shows how linking endpoint and cloud-level alerts can help organizations respond quickly to cyber incidents.

This exercise, based on reports from Sygnia, Mandiant, SlowMist, and Unit42, illustrates how North Korean groups have reportedly stolen more than $6 billion since 2017 through similar supply chain attacks and targeted phishing efforts. Elastic recommends measures such as user training, tighter session controls, and stronger file protection on cloud platforms as effective defenses against such advanced threats.

- Advertisement -

The results underline the ongoing risk to the crypto ecosystem and the importance of unified cloud and endpoint oversight when facing well-equipped adversaries like TraderTraitor.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest

Bitcoin Drops 10% From Highs Amid Quantum Computing Warnings

Bitcoin dropped nearly 10% from its record high, falling close to $103,000 after reaching $112,000 last week. BlackRock warned that advances in quantum computing could...

Czech Justice Minister Resigns Over $45M Bitcoin Donation Scandal

Czech Justice Minister Pavel Blazek resigned after controversy over accepting and selling Bitcoin from a convicted criminal.The Justice Ministry auctioned nearly 500 Bitcoin, raising...

Uniswap (UNI) Rebounds Above $6 After Brief Uptrend Breakdown

Uniswap's UNI token dropped below its key uptrend line following a failed hold above the $6.00 support level.High trading volumes accompanied the decline, including...

Michael Saylor Invites Joe Rogan to Discuss Bitcoin on Podcast

Michael Saylor has shown interest in discussing Bitcoin on The Joe Rogan Experience podcast.The idea has generated excitement in the Bitcoin community, with some...

Congress Debates Stablecoin Bill Amid Rising Bank and Crypto Tensions

U.S. lawmakers are moving forward with the Senate Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act, with debates set to resume after...

Must Read

10 Best Bitcoin Debit Cards

You are reading this post because you want to get your hands on the best bitcoin debit card - right? Well, we got you covered. We...