Elastic Recreates DPRK’s $1B ByBit Heist, Reveals Attack Tactics

Researchers Simulate North Korea’s Largest Cryptocurrency Heist via Compromised macOS Developer and AWS Pivoting

  • Security researchers successfully replicated the steps of the 2025 ByBit cryptocurrency theft, highlighting the attacker’s tactics.
  • The heist targeted a trusted vendor, exploiting a software vulnerability and led to the theft of 400,000 ETH, worth over $1 billion.
  • The incident underscores the need for strong user training, rapid incident detection, and tighter cloud and application security controls.

Security experts at Elastic have reconstructed the February 21, 2025, hack against cryptocurrency platform ByBit. In the attack, about 400,000 ETH—valued at over $1 billion—was stolen when Hackers exploited a relationship with multisig wallet service provider Safe{Wallet}.

- Advertisement -

This incident has been linked to north korea’s TraderTraitor cyber unit. The investigation by Elastic shows the breach began through a social engineering attack on a developer’s macOS workstation. Researchers report the initial compromise took place on February 4, 2025, when Malware was delivered, likely using platforms such as Telegram or Discord.

According to Elastic, the hackers used a Python app that leveraged a remote code execution (RCE) flaw in the PyYAML library. Unsafe handling of data allowed attackers to run unauthorized code. This enabled the deployment of a second-stage loader and a MythicC2 Poseidon agent, designed to secretly capture temporary AWS session tokens from the developer’s system.

The attackers then used these AWS credentials to enter Safe{Wallet}’s infrastructure. Over the next two weeks, they conducted reconnaissance. By February 19, the hackers modified JavaScript in the frontend of app.safe.global, redirecting ByBit transactions to wallets they controlled. Researchers demonstrated similar tactics by changing transaction logic in a test environment, confirming that the stolen tokens allowed access to and modification of sensitive S3-hosted files.

Further steps involved attempts to establish continued access through a virtual MFA device, but this was blocked by built-in AWS protections. However, the main attack succeeded by overwriting JavaScript bundles used in the wallet application. The researchers highlighted that this would have been preventable with integrity controls such as Subresource Integrity (SRI) or locking S3 objects for immutability.

Throughout the simulation, Elastic’s security tools detected suspicious signs, including the deletion of Python scripts and irregular uploads to S3, all traceable in AWS’s CloudTrail logs. The complete report shows how linking endpoint and cloud-level alerts can help organizations respond quickly to cyber incidents.

This exercise, based on reports from Sygnia, Mandiant, SlowMist, and Unit42, illustrates how North Korean groups have reportedly stolen more than $6 billion since 2017 through similar supply chain attacks and targeted phishing efforts. Elastic recommends measures such as user training, tighter session controls, and stronger file protection on cloud platforms as effective defenses against such advanced threats.

- Advertisement -

The results underline the ongoing risk to the crypto ecosystem and the importance of unified cloud and endpoint oversight when facing well-equipped adversaries like TraderTraitor.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Maine Attorney General Recovers Thousands in Crypto Scam Case

The Maine Attorney General's Office has recovered thousands of dollars for a victim of...

Coinbase Shares Hit Highest Level Since 2021 Nasdaq Debut

Coinbase stock reached its highest price since its 2021 listing, nearly returning to debut...

BPX Gains FCA Nod to Trade Tokenized Securities in the UK

BPX, a startup focused on trading tokenized securities, received several authorizations from the UK’s...

Shopify, Coinbase Launch USDC Payments; Mastercard Expands Crypto Access

Shopify and Coinbase allow merchants to accept USDC stablecoin payments, making crypto transactions easier...

Coinbase Launches Wrapped ADA and LTC on Base, COIN Hits New High

Coinbase has introduced wrapped versions of Cardano (ADA) and Litecoin (LTC) on its Ethereum...

Must Read

This is How to Buy and Sell Bitcoin

Now more than ever, there are a variety of ways to enter and exit the crypto market. While this is good, the availability of...