Bybit Hack Exposes $1.4 Billion Loss to North Korean Cyber Thieves
SafeWallet has released a comprehensive post-mortem report detailing the $1.4 billion hack on Bybit, emphasizing the need for enhanced security measures in user interface and user experience (UI/UX) design to safeguard against future cyber threats. The report, co-authored with cybersecurity firm Mandiant, provides an in-depth analysis of how the attackers exploited vulnerabilities in Bybit’s systems.
The attack began with the compromise of a Safe developer’s Amazon Web Services (AWS) session tokens, which allowed the hackers to bypass the company’s multifactor authentication (MFA) security controls. SafeWallet’s AWS policies required reauthentication every 12 hours, but the attackers managed to breach a developer’s macOS system, likely through malware, enabling them to use the AWS session tokens as long as the developer’s sessions remained active. Once inside the AWS environment, the hackers systematically exploited cloud-based security weaknesses to gain unauthorized access.
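A defender's view of the session-token reuse described above, as an added example that is not taken from the SafeWallet and Mandiant report: it groups CloudTrail-style events by temporary access key and flags any session that was used from more than one source IP or user agent. The sample events, key IDs and addresses are constructed; the field names follow CloudTrail's record format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SESSION = timedelta(hours=12)  # re-authentication interval stated in the article

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _event(time, key, ip, agent, created="2025-01-01T08:00:00Z"):
    # Builds a constructed record using CloudTrail field names.
    return {"eventTime": time, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"accessKeyId": key, "sessionContext": {"attributes": {
                "creationDate": created, "mfaAuthenticated": "true"}}}}

# Constructed sample data (not from the incident); IPs are documentation ranges.
SAMPLE_EVENTS = [
    _event("2025-01-01T08:05:00Z", "ASIAEXAMPLEDEV0001", "198.51.100.10", "aws-cli/2.15.0"),
    _event("2025-01-01T13:30:00Z", "ASIAEXAMPLEDEV0001", "203.0.113.77", "Boto3/1.34.0"),
    _event("2025-01-01T14:00:00Z", "ASIAEXAMPLEDEV0001", "198.51.100.10", "aws-cli/2.15.0"),
    _event("2025-01-01T09:00:00Z", "ASIAEXAMPLEOPS0002", "192.0.2.5", "aws-cli/2.15.0"),
]

def find_shared_sessions(events):
    """Flag temporary credentials that were used from more than one origin."""
    sessions = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith("ASIA"):  # temporary (STS) credentials carry this prefix
            sessions[key].append(ev)
    findings = []
    for key, evs in sessions.items():
        evs.sort(key=lambda e: _ts(e["eventTime"]))
        origins = []
        for e in evs:
            origin = (e["sourceIPAddress"], e["userAgent"])
            if origin not in origins:
                origins.append(origin)
        if len(origins) < 2:
            continue
        attrs = evs[0]["userIdentity"]["sessionContext"]["attributes"]
        age = _ts(evs[-1]["eventTime"]) - _ts(attrs["creationDate"])
        findings.append({
            "accessKeyId": key,
            "origins": origins,
            # Stays "true" on replay: MFA was satisfied when the session was issued.
            "mfaAuthenticated": attrs["mfaAuthenticated"] == "true",
            "within_session_limit": age <= MAX_SESSION,
        })
    return findings
```

A changed origin can also be a VPN or network switch, so a finding is a lead for review rather than proof of theft.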
Mandiant’s forensic analysis revealed that the attackers were state-sponsored North Korean hackers. These hackers spent 19 days meticulously planning the attack before executing the breach. Despite the significant scale of the exploit, SafeWallet said that its smart contracts remained intact. The company has since implemented additional security protocols to prevent similar incidents in the future.
The US Federal Bureau of Investigation (FBI) issued a public advisory, urging node operators to halt transactions from wallet addresses linked to the North Korean hackers. The government agency warned that the stolen coins would be laundered and exchanged for fiat currency. The hackers successfully laundered 100% of the stolen crypto within 10 days, amounting to nearly 500,000 Ether-based tokens. Bybit CEO Ben Zhou noted that 77% of the funds, worth about $1.07 billion, are yet to be tracked on-chain, and some $280 million have disappeared into untouchable transactions.
Security experts, including Cyvers CEO Deddy Lavid, believe that there is still a possibility to track and freeze some of the stolen funds despite the rapid pace of the laundering process. As the crypto sector continues to face growing cyber threats, SafeWallet’s report underscores the critical need to strengthen security measures, particularly within cloud-based systems. The report serves as a wake-up call for the industry to prioritize UI/UX security improvements to protect against sophisticated cyber attacks.
