North Korean Hackers Behind $1.5 Billion Bybit Crypto Heist: Sophisticated Attack Targets Safe{Wallet}


In a shocking revelation, Safe{Wallet} has confirmed that the $1.5 billion crypto theft from Bybit was orchestrated by a highly sophisticated, state-sponsored hacking group believed to be operating from North Korea. The group, tracked under several names including TraderTraitor, Jade Sleet, PUKCHONG, and UNC4899, took deliberate steps to conceal its tracks and erase evidence, which hindered efforts to investigate the breach. The attack has not only exposed weaknesses in the Web3 ecosystem but also highlights the growing threat posed by state-backed cybercrime groups.

The Attack:

Safe{Wallet} recently disclosed the details of the hack, revealing that the attack was carried out in several stages. The attackers gained their initial foothold by compromising the laptop of a Safe{Wallet} developer, one of the few people with elevated access to the platform's infrastructure. From that machine they hijacked active AWS session tokens. Because those tokens belong to sessions that had already passed multi-factor authentication (MFA), reusing them sidestepped the MFA controls rather than breaking them.

The initial breach occurred on February 4, 2025, when the developer unwittingly downloaded and ran a Docker project titled “MC-Based-Stock-Invest-Simulator-main”. The project was laced with malware that communicated with a domain registered only days before the attack. The TraderTraitor group used social engineering to lure the developer into executing the malicious code.

Once the malware was running, it provided persistent remote access, allowing the hackers to gather intelligence on the company’s AWS infrastructure. Using the developer’s own credentials and the same cloud services the team relied on day to day, they blended in with legitimate operations, which made their activity hard to distinguish from routine work. The attackers also deployed the open-source Mythic command-and-control framework and, during a brief window in February 2025, injected malicious JavaScript into the Safe{Wallet} web application.
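As an added illustration of the detection problem described above (example code written for this page, not Safe{Wallet}'s or Bybit's own tooling), the following Python script scans CloudTrail-style events for the traces a stolen session token leaves even when every API call is otherwise authorised: the same temporary key used from a second source address or client, use from an address outside a known egress allow-list, and a burst of read-only List/Describe/Get calls across several services, which is what account reconnaissance looks like in the logs. The sample events, the allow-listed address, the key IDs and the thresholds are all constructed assumptions.

```python
"""Detect hijacked AWS temporary credentials in CloudTrail-style events.

Temporary credentials (access key IDs beginning with "ASIA") belong to a
session that already passed MFA, so a token stolen from a developer's
machine satisfies every MFA condition in IAM.  What the thief cannot
easily reproduce is the network origin and client that obtained the
token, nor the working pattern of the person who owns it.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: one known corporate egress address,
# a ten-minute reconnaissance window and a threshold of three services.
ALLOWED_SOURCE_IPS = {"203.0.113.10"}
RECON_WINDOW = timedelta(minutes=10)
RECON_SERVICE_THRESHOLD = 3
RECON_PREFIXES = ("List", "Describe", "Get")


def _event(time, key, ip, agent, source, name):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "sourceIPAddress": ip,
        "userAgent": agent,
        "userIdentity": {"accessKeyId": key},
    }


DEV_KEY = "ASIAEXAMPLEDEV000001"   # temporary key from the developer's session (made up)
CI_KEY = "AKIAEXAMPLECI00000001"   # long-lived key used by a build job (made up)
DEV_UA = "aws-cli/2.15.30 Python/3.11.6 Darwin/23.2.0"
ATTACKER_UA = "aws-sdk-go/1.44.0 (go1.20; linux; amd64)"

# Constructed sample events, not real logs: two routine calls by the
# developer, four reconnaissance calls with the same token from an
# unknown host, and one unrelated call by the build job.
SAMPLE_EVENTS = [
    _event("2025-02-04T09:00:00Z", DEV_KEY, "203.0.113.10", DEV_UA, "s3.amazonaws.com", "PutObject"),
    _event("2025-02-04T09:05:00Z", DEV_KEY, "203.0.113.10", DEV_UA, "s3.amazonaws.com", "GetObject"),
    _event("2025-02-04T11:00:00Z", DEV_KEY, "198.51.100.77", ATTACKER_UA, "sts.amazonaws.com", "GetCallerIdentity"),
    _event("2025-02-04T11:01:00Z", DEV_KEY, "198.51.100.77", ATTACKER_UA, "iam.amazonaws.com", "ListUsers"),
    _event("2025-02-04T11:02:30Z", DEV_KEY, "198.51.100.77", ATTACKER_UA, "s3.amazonaws.com", "ListBuckets"),
    _event("2025-02-04T11:04:00Z", DEV_KEY, "198.51.100.77", ATTACKER_UA, "ec2.amazonaws.com", "DescribeInstances"),
    _event("2025-02-04T12:00:00Z", CI_KEY, "203.0.113.10", DEV_UA, "ecr.amazonaws.com", "GetAuthorizationToken"),
]


def is_temporary(access_key_id):
    """STS-issued session credentials are prefixed ASIA; long-lived keys AKIA."""
    return access_key_id.startswith("ASIA")


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def _by_key(events):
    groups = defaultdict(list)
    for ev in events:
        groups[ev["userIdentity"]["accessKeyId"]].append(ev)
    return groups


def find_reused_tokens(events):
    """Temporary keys seen from several origins or from an unknown address."""
    findings = []
    for key, evs in _by_key(events).items():
        if not is_temporary(key):
            continue
        ips = sorted({e["sourceIPAddress"] for e in evs})
        agents = sorted({e["userAgent"] for e in evs})
        unknown = [ip for ip in ips if ip not in ALLOWED_SOURCE_IPS]
        if len(ips) > 1 or len(agents) > 1 or unknown:
            findings.append({"accessKeyId": key, "sourceIPs": ips,
                             "userAgents": agents, "unknownIPs": unknown})
    return findings


def find_recon_bursts(events):
    """Keys making read-only calls to RECON_SERVICE_THRESHOLD services inside RECON_WINDOW."""
    findings = []
    for key, evs in _by_key(events).items():
        calls = sorted((parse_time(e["eventTime"]), e["eventSource"], e["eventName"])
                       for e in evs if e["eventName"].startswith(RECON_PREFIXES))
        for i, (start, _, _) in enumerate(calls):
            window = [c for c in calls[i:] if c[0] - start <= RECON_WINDOW]
            services = sorted({c[1] for c in window})
            if len(services) >= RECON_SERVICE_THRESHOLD:
                findings.append({"accessKeyId": key, "start": start.isoformat(),
                                 "services": services, "calls": len(window)})
                break   # one finding per key is enough to raise an alert
    return findings


def analyze(events):
    return {"reused_tokens": find_reused_tokens(events),
            "recon_bursts": find_recon_bursts(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Run against the constructed events, the script reports the developer's token as reused from 198.51.100.77 with a second user agent, and flags the four-call reconnaissance burst across STS, IAM, S3 and EC2; the build job's long-lived key produces nothing. In production the same logic runs over CloudTrail delivered to S3 or CloudWatch Logs, with the allow-list replaced by the real egress ranges or VPC endpoints and the source IP of each `AssumeRole`/`GetSessionToken` call recorded so later use from a different host can be matched back to the session that issued the token.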

Despite the attackers’ efforts to cover their tracks, Bybit has been able to keep over 77% of the stolen funds traceable, even though roughly 83% of the stolen cryptocurrency has since been converted into Bitcoin by the thieves. The attack is part of a larger surge in Web3-related cybercrime: an estimated $1.6 billion was lost to hackers in the first two months of 2025, an eightfold increase compared to the same period last year.

What Undercode Says:

The Safe{Wallet} and Bybit hack underscores the alarming scale and sophistication of attacks against the Web3 ecosystem. The involvement of a well-organised, North Korean state-backed threat actor highlights an escalating trend of geopolitical cyber operations targeting the cryptocurrency industry. The use of social engineering against a trusted developer is a particularly concerning weakness, showing how even security-conscious platforms can be compromised when an insider with privileged access is manipulated.

By combining social engineering, malware, and evasion tactics such as erasing traces of their activity, these threat actors have set a dangerous precedent for future attacks. Hijacking live AWS session tokens sidesteps MFA rather than defeating it: the developer had already satisfied the second factor, and the stolen token simply inherits that trust. The controls that address this are short session lifetimes, sessions bound to known networks or devices, and alerting on tokens used from unfamiliar hosts, not stronger second factors alone. Attackers are no longer limited to exploiting basic flaws; they now target the very infrastructure that is supposed to protect sensitive data and digital assets.

In addition to the technical aspects of the breach, there is a broader issue with how the crypto industry handles security. The attackers held access from the February 4 compromise of the developer’s laptop until the theft on February 21, roughly two and a half weeks, despite multiple layers of security, which points to systemic weaknesses in both individual platform defenses and the broader Web3 ecosystem. As the Safe{Wallet} and Bybit case shows, it is not enough to rely on conventional measures such as MFA and encryption at rest. Advanced persistent threats (APTs) and state-sponsored groups can work around these protections given the time, resources, and knowledge to do so.

Furthermore, the use of Kali Linux and the Mythic framework shows that freely available, open-source offensive tooling is sufficient in the hands of skilled, well-resourced operators; the sophistication lay in the tradecraft and patience, not in custom tools. The industry’s growing reliance on cloud infrastructure such as AWS presents an additional risk, because compromising a single developer’s access to that environment lets attackers move through it under a legitimate identity, escalating the severity of the attack.

The staggering financial losses from this hack should serve as a wake-up call to all players in the cryptocurrency space. With Web3 technologies evolving rapidly and attracting greater attention from cybercriminals, platforms must invest heavily in proactive security measures and threat intelligence. Collaboration across the industry will also be key in combating these attacks. The involvement of parties such as Mantle, ParaSwap, and ZachXBT in helping to freeze stolen assets is a positive step, but much more needs to be done to ensure the overall resilience of the Web3 ecosystem.

Fact Checker Results:

  1. The identity of the TraderTraitor hacking group and its links to North Korea are consistent with previous reports of state-sponsored cyber activity targeting cryptocurrency platforms.
  2. The claim that over 77% of the stolen funds remain traceable is backed by Bybit’s recent updates and ongoing tracking efforts.
  3. The 8x increase in Web3-related cybercrime compared to last year, as reported by Immunefi, is supported by various industry analyses tracking the rise in crypto-related heists.

References:

Reported By: https://thehackernews.com/2025/03/safewallet-confirms-north-korean.html