In a shocking cybersecurity breach, North Korean hacking group Lazarus has been identified as the mastermind behind the largest cryptocurrency heist in history. The attack, which resulted in the theft of over $1.5 billion from Bybit, was carried out by infiltrating Safe{Wallet}, a multisig wallet platform, and compromising a developer’s machine. This allowed the attackers to inject malicious code into the platform, ultimately enabling them to intercept and redirect a massive transfer of Ethereum (ETH) and staked Ethereum (stETH).
Investigations conducted by cybersecurity firms Sygnia and Verichains confirmed that Safe{Wallet}’s infrastructure was the primary entry point for the hackers. Bybit has since reassured users of its solvency despite the losses, but the incident raises major concerns about the security of crypto exchanges and multisig wallets. This article delves into how the attack unfolded, its implications, and what it signals for the broader cryptocurrency industry.
The Attack: How It Happened
- Investigators found that hackers targeted Bybit through a security breach at Safe{Wallet}, a multisig wallet platform.
- A compromised developer’s machine allowed attackers to inject malicious JavaScript into Safe{Wallet}’s website (app.safe.global).
- The malicious script remained hidden, executing only under specific conditions to avoid detection by regular users.
- When Bybit signers accessed the compromised Safe{Wallet} interface, the injected script manipulated a transaction to redirect funds to an attacker-controlled wallet.
- The attack targeted Bybit’s Ethereum Multisig Cold Wallet, intercepting a scheduled transfer from cold storage to a hot wallet.
- Within minutes of executing the hack, attackers removed the malicious code from Safe{Wallet}’s AWS S3 bucket to cover their tracks.
- Over $1.5 billion in ETH and stETH were siphoned off in what is now the largest crypto theft ever recorded.
- Bybit confirmed that its reserves have been replenished and assured customers that the exchange remains solvent.
What Undercode Says: A Deeper Analysis of the Bybit Hack
1. The Lazarus Group: A Cybercrime Empire
The Lazarus Group, a North Korean state-sponsored hacking unit, has a long history of targeting financial institutions and cryptocurrency exchanges. Over the years, they have been responsible for multiple high-profile cyber heists, using stolen funds to support North Korea’s economy and weapons programs. Blockchain analytics firms like Elliptic have linked Lazarus to over $6 billion in stolen crypto assets since 2017. This latest Bybit attack only cements their position as the most prolific crypto hacking syndicate.
2. Exploiting the Weakest Link: Third-Party Security Risks
One of the biggest takeaways from this incident is the critical role that third-party security plays in crypto infrastructure. Bybit itself was not initially compromised; instead, hackers infiltrated Safe{Wallet}, a service Bybit relied on for secure transactions. This highlights how attackers increasingly target auxiliary platforms rather than the main exchanges. Crypto firms must reassess the security of their entire ecosystem, not just their own infrastructure.
3. JavaScript Injection: A Simple Yet Lethal Attack
The use of JavaScript injection in this attack is particularly alarming. Unlike more complex exploits that rely on deep vulnerabilities in blockchain protocols, this method leveraged basic web security flaws. Injecting malicious JavaScript into Safe{Wallet}’s interface enabled the attackers to manipulate transaction signing without breaching Bybit directly. This underscores the need for stricter web application security in the crypto space.
4. Cloud Security: The Silent Vulnerability
Investigators strongly suspect that AWS S3 or CloudFront credentials were compromised, allowing hackers to modify Safe{Wallet}’s hosted scripts. This demonstrates how cloud-based storage solutions, widely used by Web3 applications, can become a single point of failure. Enhanced monitoring, real-time logging, and strict access controls for cloud-based assets are crucial for mitigating such risks.
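The detection lesson in the points above (a hosted script modified, used, and then restored within minutes) is that a one-off integrity check of the bucket proves little: what catches this is a pinned baseline recorded by the build pipeline plus a continuous history of every deviation from it. The following is an added illustration, not code from Safe{Wallet}, Bybit or the investigating firms; the file contents, hashes and snapshot timeline are constructed, and a real deployment would feed it bucket snapshots (or S3 object-version and access logs) instead of the inline dictionaries.

```python
import base64
import hashlib
from dataclasses import dataclass


def sri_hash(content: bytes) -> str:
    """Subresource-Integrity style digest of an asset: 'sha384-<base64>'."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode()


# Constructed baseline: hashes the release pipeline recorded when the front-end
# bundle was built. It lives outside the bucket, so whoever can write to the
# bucket cannot also rewrite the reference it is checked against.
BASELINE = {
    "index.html": sri_hash(b"<html><script src='app.js'></script></html>"),
    "app.js": sri_hash(b"console.log('wallet ui v1');"),
}

# Constructed timeline of bucket snapshots (time, {object key: content}):
# t=0 clean, t=1 app.js tampered with, t=2 the original content put back.
SAMPLE_SNAPSHOTS = [
    (0, {"index.html": b"<html><script src='app.js'></script></html>",
         "app.js": b"console.log('wallet ui v1');"}),
    (1, {"index.html": b"<html><script src='app.js'></script></html>",
         "app.js": b"console.log('wallet ui v1'); /* injected */"}),
    (2, {"index.html": b"<html><script src='app.js'></script></html>",
         "app.js": b"console.log('wallet ui v1');"}),
]


@dataclass(frozen=True)
class ChangeEvent:
    at: int
    path: str
    kind: str  # "modified", "removed", "added" or "reverted"


def check_snapshot(snapshot: dict, baseline: dict, at: int,
                   drifted: set) -> list:
    """Compare one snapshot with the pinned baseline.

    `drifted` carries state between snapshots: an object that deviated earlier
    and now matches the baseline again is reported as "reverted", which is
    exactly the event a point-in-time check cannot see.
    """
    events = []
    for path, expected in baseline.items():
        if path not in snapshot:
            events.append(ChangeEvent(at, path, "removed"))
            drifted.add(path)
        elif sri_hash(snapshot[path]) != expected:
            events.append(ChangeEvent(at, path, "modified"))
            drifted.add(path)
        elif path in drifted:
            events.append(ChangeEvent(at, path, "reverted"))
            drifted.discard(path)
    for path in snapshot:
        if path not in baseline:
            # Objects the build never produced are suspicious on their own.
            events.append(ChangeEvent(at, path, "added"))
    return events


def monitor(snapshots: list, baseline: dict) -> list:
    """Run the check over a whole timeline and return every deviation."""
    drifted: set = set()
    events = []
    for at, snap in snapshots:
        events.extend(check_snapshot(snap, baseline, at, drifted))
    return events


if __name__ == "__main__":
    for event in monitor(SAMPLE_SNAPSHOTS, BASELINE):
        print(f"t={event.at} {event.kind:9} {event.path}")
```

Running the monitor over the constructed timeline reports `app.js` as modified at t=1 and reverted at t=2, while checking only the final snapshot reports nothing. Alerting on the `modified` event (and on any write to the bucket that did not come from the release pipeline's identity) is the control that closes the window the incident describes.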
5. The Fallout: What’s Next for Crypto Security?
The Bybit hack is a wake-up call for the entire cryptocurrency industry. With decentralized finance (DeFi) platforms and centralized exchanges both under constant threat, security protocols must evolve. Moving forward, crypto firms should:
- Implement stricter authentication mechanisms for all transaction-signing processes.
- Enhance real-time monitoring to detect and flag unauthorized transaction modifications instantly.
- Reduce reliance on third-party wallets or enforce stricter security audits on external platforms.
- Improve smart contract security to prevent manipulation of transaction logic.
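The first two recommendations come down to one rule for a multisig signer: the web interface that presents a transaction is untrusted, so what is about to be signed must be compared against an independently recorded intent and against a standing policy before any key is used. The check below is an added example written for this article, not Bybit's or Safe{Wallet}'s code. The `SafeTx` fields are a simplified version of what a Safe-style multisig signs over (the 0 = CALL / 1 = DELEGATECALL operation convention is Safe's), the wallet addresses are constructed placeholders, and the "intended" transaction is assumed to come from an out-of-band source such as the operations change ticket rather than from the same web page.

```python
from dataclasses import dataclass

# Constructed placeholder addresses; not real wallets.
HOT_WALLET = "0x1111111111111111111111111111111111111111"
UNKNOWN_ADDR = "0x2222222222222222222222222222222222222222"


@dataclass(frozen=True)
class SafeTx:
    """The fields a Safe-style multisig signs over (simplified)."""
    to: str
    value_wei: int
    data: bytes
    operation: int  # Safe convention: 0 = CALL, 1 = DELEGATECALL
    nonce: int


@dataclass(frozen=True)
class SigningPolicy:
    """Standing limits for a treasury wallet, enforced regardless of intent."""
    allowed_destinations: frozenset
    max_value_wei: int
    allow_delegatecall: bool = False


def _same_address(a: str, b: str) -> bool:
    # Hex addresses are case-insensitive; compare normalised forms.
    return a.lower() == b.lower()


def verify_before_signing(shown: SafeTx, intended: SafeTx,
                          policy: SigningPolicy) -> list:
    """Return the reasons to refuse signing; an empty list means proceed."""
    problems = []

    # 1. Out-of-band comparison: the UI payload versus the transaction the
    #    team recorded independently. Any difference means the UI is lying
    #    or someone changed the plan without going through the ticket.
    if not _same_address(shown.to, intended.to):
        problems.append(f"destination mismatch: UI shows {shown.to}, "
                        f"intended {intended.to}")
    if shown.value_wei != intended.value_wei:
        problems.append("value mismatch between UI and intended transfer")
    if shown.data != intended.data:
        problems.append("calldata mismatch between UI and intended transfer")
    if shown.operation != intended.operation:
        problems.append("operation mismatch between UI and intended transfer")
    if shown.nonce != intended.nonce:
        problems.append("nonce mismatch: not the transaction that was scheduled")

    # 2. Policy checks on what would actually be signed, so a wrong intent
    #    record cannot by itself authorise an unusual transaction.
    if not any(_same_address(shown.to, d) for d in policy.allowed_destinations):
        problems.append("destination is not on the allowlist")
    if shown.value_wei > policy.max_value_wei:
        problems.append("value exceeds the per-transaction limit")
    if shown.operation == 1 and not policy.allow_delegatecall:
        problems.append("DELEGATECALL is not permitted for this wallet")
    return problems


if __name__ == "__main__":
    policy = SigningPolicy(frozenset({HOT_WALLET}), max_value_wei=10**22)
    intended = SafeTx(HOT_WALLET, 5 * 10**21, b"", 0, 42)
    # A UI that swapped the destination while keeping everything else intact.
    tampered = SafeTx(UNKNOWN_ADDR, 5 * 10**21, b"", 0, 42)
    for reason in verify_before_signing(tampered, intended, policy):
        print("REFUSE:", reason)
```

In practice the `shown` transaction should be read from the hardware signer's own display or from a second, independently hosted client, not from the same page that may have been tampered with; the comparison is only as strong as the independence of its two inputs.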
6. Lazarus Group’s Tactics: A Pattern of Sophisticated Attacks
This attack follows a recognizable pattern in Lazarus’ operations. Previously, the group has:
- Used phishing campaigns to compromise exchange employees.
- Exploited software supply chains to infiltrate target systems.
- Laundered stolen crypto through decentralized exchanges (DEXs) and mixing services to avoid detection.
ZachXBT’s blockchain analysis, which connected Bybit’s stolen funds to previous Lazarus-linked heists (Phemex, BingX, and Poloniex hacks), further confirms their involvement. As tracking methods improve, hackers are shifting to more sophisticated laundering techniques, such as chain-hopping and private transactions.
7. The Future of Crypto Heists: Will They Get Worse?
With North Korea’s continued reliance on cybercrime to fund its missile program, state-backed hacking is unlikely to slow down. The growing adoption of cryptocurrencies provides an ever-expanding attack surface, making security breaches inevitable unless industry-wide changes are implemented. In 2024 alone, North Korean hackers stole $1.34 billion from 47 crypto-related heists; this trend shows no sign of stopping.
8. The Road to Recovery: Can Bybit Regain Trust?
While Bybit has reassured users of its financial stability, reputational damage is harder to repair. Customers and institutional investors may hesitate to engage with an exchange that was just looted for over a billion dollars. Transparency in security improvements, insurance policies for lost
References:
Reported By: https://www.bleepingcomputer.com/news/security/lazarus-hacked-bybit-via-breached-safe-wallet-developer-machine/