Safe published a preliminary report On March 6, attributing the violation which led to the hacking of bybt to a compromised developer laptop. Vulnerability has led to the injection of malware, which allowed hacking.
The authors bypassed multi-factory authentication (MFA) by operating the Amaton Web Services (AWS) tokens (AWS), allowing unauthorized access.
This allowed the pirates to modify the multi-signature portfolio interface of Bybit, modifying the address to which the exchange was supposed to send about 1.5 billion dollars of Ethereum (ETH), which resulted in the greatest hacking in history.
Compromise of the developer workstation
The violation comes from a compromise macOS workstation belonging to a safe developer, called in the “Developer1” report.
On February 4, a contaminated Docker project communicated with a malicious area called “GetstockPrice (.) Com”, suggesting social engineering tactics. Developer 1 added files from the Docker Compromise project, compromising their laptop.
The domain was recorded via Namecheap on February 2. Slowmist then identified GetstockPrice (.) Info, an area recorded on January 7, as an indicator known to the compromise (CIO) attributed to the Democratic People’s Republic of Korea (DPRC).
The attackers acceded to developer 1 AWS account using a user agent chain entitled “Distrib # Kali.2024”. The mandiant cybersecurity company, following UNC4899, noted that this identifier corresponds to the use of Kali Linux, a set of tools commonly used by offensive safety practitioners.
In addition, the report revealed that the attackers used ExpressVPN to hide their origins when carrying out operations. He too Stressed that the attack resembles previous incidents involving UNC4899, a threat actor associated with Traderraitor, a criminal collective allegedly linked to RPDC.
In an earlier case from September 2024, UNC4899 operated Telegram to manipulate an crypto exchange developer in the troubleshooting of a Docker project, deployment of Plottwist, a second -stage macos malware which allowed persistent access.
Operating AWS security checks
SAFE’s AWS configuration requested MFA Réauthetification for Safety Token Service (STS) every 12 hours. The attackers tried but failed to record their own MFA device.
To get around this restriction, they diverted the AWS active user session tokens via malware planted on the Developer1 work station. This allowed unauthorized access when the AWS sessions remained active.
Mandiant has identified three areas related to an additional UNC4899 used in the safe attack. These areas, also recorded via Namecheap, appeared in AWS Network Logs and the Developer1 work logs, indicating a broader exploitation of infrastructure.
Safe said that he had implemented significant security reinforcements following the violation. The team restructured infrastructure and strengthened security far beyond the preliminary levels. Despite the attack, Safe’s smart contracts do not remain affected.
Safe’s security program included measures such as restriction of access to privileged infrastructure to a few developers, applying the separation between the source of development and the management of infrastructure, and requiring several peers’ journals before changes in production.
In addition, he has committed safely to maintain surveillance systems to detect external threats, perform independent security audits and use third -party services to identify malware.
