
A joint investigation by Safe{Wallet} and Mandiant into the largest cryptocurrency heist in history has uncovered new details: the theft of nearly $1.5 billion from the Bybit exchange was orchestrated by TraderTraitor, a North Korea-affiliated hacking group. The entry point was not a flaw in Safe's smart contracts but a compromised laptop belonging to a Safe{Wallet} developer, whose credentials let the attackers get around the controls protecting Safe's infrastructure.
The attackers compromised the developer's MacBook and extracted active AWS session tokens from it. Because those tokens had already been issued after a successful MFA login, replaying them let the attackers bypass multi-factor authentication and move into Safe{Wallet}'s AWS infrastructure. The developer held the elevated privileges that working on Safe{Wallet}'s codebase and deployment infrastructure required. After the intrusion the attackers deleted the malware and cleared the Bash history to cover their tracks.
The initial infection occurred on February 4, 2025, when a Docker-based project on the laptop initiated a connection to getstockprice.com. The project itself had been removed by the time of analysis, but residual files in the ~/Downloads/ directory suggested the developer had been socially engineered into downloading and running it.
The attackers accessed the developer's AWS account through ExpressVPN exit nodes, timed their activity to the developer's working hours so that it blended in with legitimate use, and reused the stolen, still-valid session tokens rather than authenticating afresh, so MFA was never prompted again.
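The tradecraft described above defeats two common detections at once: the MFA prompt is never triggered because an already-issued session token is replayed, and a time-of-day anomaly rule stays quiet because the activity is timed to the victim's schedule. What still changes is the network location of the session. The following is an added example (not code from Safe, Mandiant or the article) that replays constructed CloudTrail-style records through a rule keyed on the temporary access key ID: any use of a session token from a source IP never seen for that token is flagged, regardless of the hour. The key IDs, IP addresses and working-hours window are all assumptions made for the illustration.

```python
"""Detect reuse of a temporary AWS credential from a new network location.

Added example, not part of the original article. It replays constructed
CloudTrail-style records (not real logs from the incident) through a simple
rule: a temporary access key (STS session token, "ASIA..." prefix) that is
used from a source IP never seen for that key is flagged, whatever the time
of day. The work-hours field is included only to show why a time-of-day rule
alone would not catch activity timed to the account owner's schedule.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events. IPs are documentation ranges; the key IDs are
# placeholders, not identifiers from the incident.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-05T09:02:11Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEDEV00001"}},
    {"eventTime": "2025-02-05T09:40:52Z", "eventName": "ListObjectsV2",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEDEV00001"}},
    # Same session token, same working hour, but a different exit IP.
    {"eventTime": "2025-02-05T10:15:03Z", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.77", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEDEV00001"}},
    {"eventTime": "2025-02-05T11:00:30Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEDEV00001"}},
    # An unrelated key seen from only one place: no alert.
    {"eventTime": "2025-02-05T10:20:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "192.0.2.5", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLECI000002"}},
]

WORK_HOURS_UTC = range(8, 18)  # assumed working hours of the account owner, in UTC


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_token_reuse(events: list[dict]) -> list[dict]:
    """Flag every temporary-credential use from a source IP not previously
    seen for that credential. Returns one alert dict per flagged event."""
    ordered = sorted(events, key=lambda e: e["eventTime"])
    seen_ips: dict[str, set[str]] = defaultdict(set)
    last_seen: dict[str, datetime] = {}
    alerts = []
    for ev in ordered:
        key = ev["userIdentity"]["accessKeyId"]
        ip = ev["sourceIPAddress"]
        when = _parse_time(ev["eventTime"])
        if key.startswith("ASIA") and seen_ips[key] and ip not in seen_ips[key]:
            alerts.append({
                "accessKeyId": key,
                "eventName": ev["eventName"],
                "newSourceIP": ip,
                "knownSourceIPs": sorted(seen_ips[key]),
                "secondsSinceLastUse": int((when - last_seen[key]).total_seconds()),
                # True here illustrates the evasion: the request falls inside
                # the owner's normal hours, so a time-of-day rule stays silent.
                "withinWorkHours": when.hour in WORK_HOURS_UTC,
            })
        seen_ips[key].add(ip)
        last_seen[key] = when
    return alerts


if __name__ == "__main__":
    for alert in detect_token_reuse(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the access key ID because that is the stable identifier of one STS session; the working-hours field is computed but deliberately not used for the decision. Once such reuse is confirmed, rotating long-term keys is not enough, since an already-issued session token stays valid until it expires. AWS lets you invalidate existing sessions of a role by attaching a policy that denies requests whose aws:TokenIssueTime predates the revocation, which is what a full credential reset has to include.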
TraderTraitor is closely linked to APT38 (also tracked as BlueNoroff and Stardust Chollima), which in turn operates under the broader Lazarus umbrella, the state-sponsored hacking apparatus attributed to North Korea.
Despite the sophistication of the attack, Safe's smart contracts were not compromised: the attackers tampered with the web frontend that builds and displays transactions, not with the on-chain code. Safe nonetheless conducted a comprehensive security review and substantially strengthened its defenses. The response measures included:
- A full infrastructure reset with complete credential rotation
- Disabling external access to critical services
- Enhanced detection systems for malicious transactions
- Additional verification tools for signed operations
Safe{Wallet} also temporarily suspended native hardware wallet support, because it relied on eth_sign and on third-party services. eth_sign asks the device to sign an opaque 32-byte hash, so the user sees only that hash on the device screen and cannot tell from it which transaction is actually being approved. To let users check transaction integrity themselves, Safe published a dedicated verification tool that recomputes the hash from the intended transaction parameters for comparison against the device. The team is also exploring hosting the Safe{Wallet} frontend on IPFS, where content is addressed by its hash, so that a tampered copy of the app would no longer match the address users load.
Safe emphasized the urgent need for better tooling to detect and mitigate such attacks. Experts add that strengthening cryptocurrency security has to go hand in hand with improving the user experience, so that a broad audience can reduce its risk without sacrificing usability.
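The reason an independent hash check works is that the digest a hardware wallet displays under eth_sign is fully determined by the transaction parameters, the chain ID and the Safe address, so a tampered frontend that swaps the parameters necessarily changes the digest. The following is an added example (not Safe's own verification tool, and not the real Bybit transaction) that recomputes a Safe transaction hash offline. It assumes the EIP-712 layout of Safe contracts from version 1.3.0 on: a domain of (chainId, verifyingContract) and a SafeTx struct with the fields listed in the type string below; older Safe versions use a domain without chainId. Keccak-256 is implemented in pure Python so the block needs no dependencies. The addresses, values and nonce are constructed placeholders.

```python
"""Recompute a Safe transaction hash independently of the web frontend.

Added example, not Safe's verification tool. Pure-Python Keccak-256 plus the
EIP-712 hashing used by Safe >= 1.3.0 contracts (domain = chainId and
verifyingContract; struct = SafeTx). Under eth_sign the device shows only the
final 32-byte digest, so the check is: recompute it from the parameters you
intended and compare with the device screen. All values are placeholders.
"""

MASK64 = (1 << 64) - 1
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
# Rho rotation offsets indexed by lane x + 5*y.
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f(a: list[int]) -> list[int]:
    """Keccak-f[1600] permutation on 25 little-endian 64-bit lanes."""
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                      # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                         # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], _ROT[x + 5 * y])
        a = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]                                       # chi
        a[0] ^= rc                                                     # iota
    return a


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (pad 0x01...0x80) as used by Ethereum, not NIST SHA3-256."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(state[i].to_bytes(8, "little") for i in range(4))


def _uint(v: int) -> bytes:          # abi.encode of uint256 / uint8
    return v.to_bytes(32, "big")


def _addr(hexaddr: str) -> bytes:    # abi.encode of address: left-padded to 32 bytes
    return bytes.fromhex(hexaddr[2:]).rjust(32, b"\x00")


# These equal the DOMAIN_SEPARATOR_TYPEHASH / SAFE_TX_TYPEHASH constants in Safe's contracts.
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")


def safe_tx_hash(chain_id: int, safe: str, tx: dict) -> bytes:
    """keccak256(0x19 0x01 || domainSeparator || hashStruct(SafeTx)), the eth_sign digest."""
    domain = keccak256(DOMAIN_TYPEHASH + _uint(chain_id) + _addr(safe))
    struct = keccak256(
        SAFE_TX_TYPEHASH + _addr(tx["to"]) + _uint(tx["value"]) + keccak256(tx["data"])
        + _uint(tx["operation"]) + _uint(tx["safeTxGas"]) + _uint(tx["baseGas"])
        + _uint(tx["gasPrice"]) + _addr(tx["gasToken"]) + _addr(tx["refundReceiver"])
        + _uint(tx["nonce"]))
    return keccak256(b"\x19\x01" + domain + struct)


def verify_device_digest(device_digest_hex: str, chain_id: int, safe: str, tx: dict) -> bool:
    """True only if the digest on the device matches the transaction you meant to sign."""
    return bytes.fromhex(device_digest_hex.removeprefix("0x")) == safe_tx_hash(chain_id, safe, tx)


ZERO = "0x0000000000000000000000000000000000000000"
SAFE_ADDR = "0x3333333333333333333333333333333333333333"   # placeholder Safe address
INTENDED_TX = {"to": "0x1111111111111111111111111111111111111111", "value": 10**18,
               "data": b"", "operation": 0, "safeTxGas": 0, "baseGas": 0, "gasPrice": 0,
               "gasToken": ZERO, "refundReceiver": ZERO, "nonce": 7}
# What a tampered frontend might submit instead: a delegatecall into another contract.
TAMPERED_TX = dict(INTENDED_TX, to="0x2222222222222222222222222222222222222222",
                   data=bytes.fromhex("deadbeef"), operation=1)

if __name__ == "__main__":
    expected = safe_tx_hash(1, SAFE_ADDR, INTENDED_TX)
    shown = safe_tx_hash(1, SAFE_ADDR, TAMPERED_TX)   # digest a tampered UI makes the device display
    print("expected digest:", expected.hex())
    print("device digest:  ", shown.hex())
    print("match:", verify_device_digest(shown.hex(), 1, SAFE_ADDR, INTENDED_TX))
```

The comparison only helps if the parameters fed into it come from somewhere the attacker does not control, for instance a transaction prepared on a separate machine or read from the Safe's own proposal in the transaction service, rather than copied from the same web page that may have been altered.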