Elastic Recreates DPRK’s $1B ByBit Heist, Reveals Attack Tactics

Researchers Simulate North Korea’s Largest Cryptocurrency Heist via Compromised macOS Developer and AWS Pivoting

  • Security researchers successfully replicated the steps of the 2025 ByBit cryptocurrency theft, highlighting the attackers' tactics.
  • The heist targeted a trusted vendor, exploited a software vulnerability, and led to the theft of 400,000 ETH, worth over $1 billion.
  • The incident underscores the need for strong user training, rapid incident detection, and tighter cloud and application security controls.

Security experts at Elastic have reconstructed the February 21, 2025, hack against cryptocurrency platform ByBit. In the attack, about 400,000 ETH—valued at over $1 billion—was stolen when hackers exploited a relationship with multisig wallet service provider Safe{Wallet}.


This incident has been linked to North Korea's TraderTraitor cyber unit. The investigation by Elastic shows the breach began with a social engineering attack on a developer's macOS workstation. Researchers report the initial compromise took place on February 4, 2025, when malware was delivered, likely via platforms such as Telegram or Discord.

According to Elastic, the hackers used a Python app that leveraged a remote code execution (RCE) flaw in the PyYAML library: unsafe handling of untrusted data allowed attackers to run unauthorized code. This enabled the deployment of a second-stage loader and a Mythic C2 Poseidon agent, designed to secretly capture temporary AWS session tokens from the developer's system.
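
The unsafe-loader pattern this paragraph describes, beside its hardened form, as an added example; it is not code from Elastic's report or from the application involved in the incident, which the page does not show. It assumes PyYAML is installed. Both YAML documents are constructed, and the tag in the tainted one names a harmless built-in (`builtins.len`) purely to show that the full loader calls whatever callable the document names, while `safe_load` refuses the tag without running anything.

```python
import yaml

# Constructed sample documents (not from the incident).
BENIGN_CONFIG = """
profile: default
region: us-east-1
"""

# A document carrying a Python-specific tag. The callable named here
# (builtins.len) is harmless; the point is that the document, not the
# program, decides what gets called.
TAINTED_CONFIG = """
profile: !!python/object/apply:builtins.len [[1, 2, 3]]
"""


def load_unsafe(text):
    """The flawed pattern: the full Loader honours python/object tags and
    instantiates or calls whatever they name. Shown only for contrast."""
    return yaml.load(text, Loader=yaml.Loader)


def load_untrusted_yaml(text):
    """Hardened variant: safe_load understands only core YAML types, so any
    python/... tag is refused with ConstructorError instead of being executed.
    Returns a dict so the caller can log or alert on the refusal."""
    try:
        data = yaml.safe_load(text)
    except yaml.constructor.ConstructorError as exc:
        return {"ok": False, "data": None, "reason": f"rejected tag: {exc.problem}"}
    except yaml.YAMLError as exc:
        return {"ok": False, "data": None, "reason": f"malformed document: {exc}"}
    return {"ok": True, "data": data, "reason": None}


if __name__ == "__main__":
    print(load_unsafe(TAINTED_CONFIG))          # the document chose the code: {'profile': 3}
    print(load_untrusted_yaml(TAINTED_CONFIG))  # refused, nothing executed
    print(load_untrusted_yaml(BENIGN_CONFIG))   # ordinary config parses normally
```

The refusal path is worth surfacing rather than swallowing: a configuration file that suddenly carries a `python/...` tag is itself a signal worth an alert, not just a parse failure.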

The attackers then used these AWS credentials to enter Safe{Wallet}’s infrastructure. Over the next two weeks, they conducted reconnaissance. By February 19, the hackers modified JavaScript in the frontend of app.safe.global, redirecting ByBit transactions to wallets they controlled. Researchers demonstrated similar tactics by changing transaction logic in a test environment, confirming that the stolen tokens allowed access to and modification of sensitive S3-hosted files.

Further steps involved attempts to establish continued access through a virtual MFA device, but this was blocked by built-in AWS protections. However, the main attack succeeded by overwriting JavaScript bundles used in the wallet application. The researchers highlighted that this would have been preventable with integrity controls such as Subresource Integrity (SRI) or locking S3 objects for immutability.
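
The Subresource Integrity control named above, as an added example that is not part of Elastic's report or of the wallet application's own build: a build step computes the `integrity` attribute for each bundle, and a verifier mirrors the check a browser performs before executing a fetched script. The two bundles are constructed stand-ins, not the real app.safe.global assets.

```python
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed stand-ins for a published bundle and a modified copy of it.
ORIGINAL_BUNDLE = b"export function buildTx(to, value) { return { to, value }; }\n"
MODIFIED_BUNDLE = b"export function buildTx(to, value) { return { to: other, value }; }\n"


def sri_hash(content, algorithm="sha384"):
    """Integrity attribute value for a resource: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, content):
    """The <script> tag a build step would emit into the HTML shell; the
    crossorigin attribute is required for SRI on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(content, integrity):
    """Mirror the browser's check: the fetched bytes pass only if they match a
    digest listed in the attribute (a browser additionally prefers the strongest
    algorithm listed; accepting any match is enough to show tampering here)."""
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm not in SRI_ALGORITHMS:
            continue
        actual = base64.b64encode(hashlib.new(algorithm, content).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    tag = script_tag("/static/js/main.bundle.js", ORIGINAL_BUNDLE)
    print(tag)
    print("original passes:", verify_sri(ORIGINAL_BUNDLE, sri_hash(ORIGINAL_BUNDLE)))
    print("modified passes:", verify_sri(MODIFIED_BUNDLE, sri_hash(ORIGINAL_BUNDLE)))
```

One caveat a practitioner would want: SRI protects only the scripts referenced from an HTML document the attacker could not also rewrite. If the page that carries the `integrity` attributes is served from the same writable bucket as the bundles, an attacker who can overwrite one can overwrite both, so the attribute should be emitted by a build pipeline whose output is written through a separate, tightly scoped path.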


Throughout the simulation, Elastic’s security tools detected suspicious signs, including the deletion of Python scripts and irregular uploads to S3, all traceable in AWS’s CloudTrail logs. The complete report shows how linking endpoint and cloud-level alerts can help organizations respond quickly to cyber incidents.
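
A pared-down version of the cloud-side correlation this paragraph describes, as an added example; it is not Elastic's detection logic, and it runs only over constructed CloudTrail-style records (RFC 5737 test addresses, the 123456789012 example account, placeholder bucket and role names). Two rules flag the signals the page names on the AWS side, an out-of-place upload of a served JavaScript bundle and an MFA-device enrolment attempt, both made with temporary credentials, and hits are grouped by the principal that produced them so they read as one story about one session. The endpoint-side signal (deleted Python scripts) comes from EDR telemetry and is outside this snippet.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed allow-lists: where legitimate deploys originate and which
# bucket serves the wallet frontend (placeholders, not the vendor's real values).
TRUSTED_DEPLOY_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
FRONTEND_BUCKETS = {"example-frontend-assets"}
MFA_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}

ROLE_SESSION = "arn:aws:sts::123456789012:assumed-role/developer/dev-workstation"
CI_SESSION = "arn:aws:sts::123456789012:assumed-role/deploy/ci-runner"

# Constructed CloudTrail-style records, one JSON object per line, trimmed to the
# fields the rules read. Access key IDs beginning with ASIA denote temporary
# session credentials, the kind the page says were captured from the developer.
SAMPLE_EVENTS = [
    json.dumps({"eventTime": "2025-02-19T09:14:02Z", "eventSource": "s3.amazonaws.com",
                "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "AssumedRole", "arn": CI_SESSION,
                                 "accessKeyId": "ASIAEXAMPLECI00000001"},
                "requestParameters": {"bucketName": "example-frontend-assets",
                                      "key": "static/js/main.bundle.js"}}),
    json.dumps({"eventTime": "2025-02-19T15:41:37Z", "eventSource": "s3.amazonaws.com",
                "eventName": "PutObject", "sourceIPAddress": "198.51.100.25",
                "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION,
                                 "accessKeyId": "ASIAEXAMPLEDEV0000002"},
                "requestParameters": {"bucketName": "example-frontend-assets",
                                      "key": "static/js/main.bundle.js"}}),
    json.dumps({"eventTime": "2025-02-19T15:52:10Z", "eventSource": "iam.amazonaws.com",
                "eventName": "CreateVirtualMFADevice", "sourceIPAddress": "198.51.100.25",
                "errorCode": "AccessDenied",
                "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION,
                                 "accessKeyId": "ASIAEXAMPLEDEV0000002"}}),
    json.dumps({"eventTime": "2025-02-19T16:03:55Z", "eventSource": "s3.amazonaws.com",
                "eventName": "GetObject", "sourceIPAddress": "198.51.100.25",
                "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION,
                                 "accessKeyId": "ASIAEXAMPLEDEV0000002"},
                "requestParameters": {"bucketName": "example-frontend-assets",
                                      "key": "static/js/main.bundle.js"}}),
]


def is_trusted_ip(ip):
    """True if the caller address lies inside the known deployment range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_DEPLOY_CIDRS)


def uses_session_credentials(ev):
    """Assumed-role sessions and ASIA* keys are temporary credentials."""
    ident = ev.get("userIdentity", {})
    return ident.get("type") == "AssumedRole" or str(ident.get("accessKeyId", "")).startswith("ASIA")


def rule_frontend_bundle_write(ev):
    """PutObject to a served .js key from outside the deploy range using session credentials."""
    if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutObject":
        return None
    params = ev.get("requestParameters") or {}
    if params.get("bucketName") not in FRONTEND_BUCKETS or not str(params.get("key", "")).endswith(".js"):
        return None
    if uses_session_credentials(ev) and not is_trusted_ip(ev.get("sourceIPAddress", "")):
        return "frontend bundle overwritten from untrusted address with session credentials"
    return None


def rule_mfa_device_from_session(ev):
    """MFA device enrolment attempted with temporary credentials; a denial is still worth a page."""
    if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") not in MFA_EVENTS:
        return None
    if uses_session_credentials(ev):
        outcome = "denied" if ev.get("errorCode") else "succeeded"
        return f"MFA device enrolment with session credentials ({outcome})"
    return None


RULES = (rule_frontend_bundle_write, rule_mfa_device_from_session)


def evaluate(raw_lines):
    """Run every rule over newline-delimited records and group hits by principal ARN."""
    findings = defaultdict(list)
    for line in raw_lines:
        ev = json.loads(line)
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        for rule in RULES:
            reason = rule(ev)
            if reason:
                findings[principal].append((ev.get("eventTime"), ev.get("eventName"), reason))
    return dict(findings)


if __name__ == "__main__":
    for principal, hits in evaluate(SAMPLE_EVENTS).items():
        print(principal)
        for when, name, reason in hits:
            print(f"  {when}  {name:<24} {reason}")
```

The CI runner's upload passes because it comes from the trusted range even though it also uses a role session; the developer session's upload and its later MFA attempt both land under the same ARN. In production the grouping key would be the session ARN plus a time window, and the S3 data events must be enabled on the trail before PutObject/GetObject records exist at all.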

This exercise, based on reports from Sygnia, Mandiant, SlowMist, and Unit42, illustrates how North Korean groups have reportedly stolen more than $6 billion since 2017 through similar supply chain attacks and targeted phishing efforts. Elastic recommends measures such as user training, tighter session controls, and stronger file protection on cloud platforms as effective defenses against such advanced threats.

The results underline the ongoing risk to the crypto ecosystem and the importance of unified cloud and endpoint oversight when facing well-equipped adversaries like TraderTraitor.
