Bybit Hack Linked to Compromised Developer Laptop and DPRK Ties

Coin World, Thursday, Mar 6, 2025 2:44 pm ET

Safe, a prominent security firm, recently published a preliminary report revealing that the breach which led to the Bybit hack was attributed to a compromised developer laptop. That compromise allowed malware to be injected, through which the hackers gained unauthorized access to Bybit's systems. The perpetrators circumvented multi-factor authentication (MFA) by exploiting active Amazon Web Services (AWS) tokens.

The breach originated from a compromised macOS workstation belonging to a Safe developer, referred to in the report as “Developer1.” On Feb. 4, a contaminated Docker project communicated with a malicious domain named “getstockprice[.]com,” suggesting social engineering tactics. Developer1 added files from the compromised Docker project, compromising their laptop. The domain was registered via Namecheap on Feb. 2. SlowMist later identified getstockprice[.]info, a domain registered on Jan. 7, as a known indicator of compromise (IOC) attributed to the Democratic People’s Republic of Korea (DPRK).

Attackers accessed Developer1’s AWS account with requests carrying the User-Agent string “distrib#kali.2024.” Cybersecurity firm Mandiant, which tracks UNC4899, noted that this identifier corresponds to Kali Linux, a distribution commonly used by offensive security practitioners. Additionally, the report revealed that the attackers used ExpressVPN to mask their origin while conducting operations. It also highlighted that the attack resembles previous incidents involving UNC4899, a threat actor associated with TraderTraitor, a criminal collective allegedly tied to DPRK.

In a prior case from September 2024, UNC4899 leveraged Telegram to manipulate a crypto exchange developer into troubleshooting a Docker project, deploying PLOTTWIST, a second-stage macOS malware that enabled persistent access. Safe’s AWS configuration required MFA re-authentication for Security Token Service (STS) sessions every 12 hours. Attackers attempted but failed to register their own MFA device. To bypass this restriction, they hijacked active AWS user session tokens through malware planted on Developer1’s workstation, which gave them unauthorized access for as long as those AWS sessions remained active.

Mandiant identified three additional UNC4899-linked domains used in the Safe attack. These domains, also registered via Namecheap, appeared in AWS network logs and Developer1’s workstation logs.
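The two signals described above, a session token reused from a new network location and the “distrib#kali.2024” User-Agent appearing in AWS activity, are the kind of thing a defender can hunt for in CloudTrail. The following script is an added example, not code from Safe, Mandiant or Bybit; it runs over constructed CloudTrail-style events (placeholder access key id, RFC 5737 documentation IP addresses) and assumes Safe’s 12-hour STS re-authentication window as the session-age policy.

```python
from datetime import datetime, timedelta

SUSPICIOUS_UA_MARKERS = ("distrib#kali",)  # substring of the User-Agent quoted in the report
SESSION_MAX_AGE = timedelta(hours=12)      # assumed policy: STS sessions must re-auth with MFA every 12h

def _ts(s):
    """Parse a CloudTrail ISO-8601 timestamp such as 2025-02-04T09:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def analyze(events):
    """Return (finding, accessKeyId, eventName) tuples for suspicious events."""
    findings = []
    first_ip = {}  # baseline: the first source IP seen for each temporary access key
    for ev in events:
        ident = ev["userIdentity"]
        key = ident.get("accessKeyId", "?")
        ip = ev.get("sourceIPAddress", "")
        name = ev["eventName"]
        if any(m in ev.get("userAgent", "") for m in SUSPICIOUS_UA_MARKERS):
            findings.append(("suspicious_user_agent", key, name))
        # A temporary credential normally lives on one workstation; the same
        # access key appearing from a second source IP suggests token theft.
        if first_ip.setdefault(key, ip) != ip:
            findings.append(("session_reused_from_new_ip", key, name))
        created = ident.get("sessionContext", {}).get("attributes", {}).get("creationDate")
        if created and _ts(ev["eventTime"]) - _ts(created) > SESSION_MAX_AGE:
            findings.append(("session_older_than_policy", key, name))
    return findings

# Constructed sample events (not real logs): the developer's own CLI session,
# then the same session credential used from a new IP with the reported User-Agent.
def _event(time, ip, ua, name, created):
    return {"eventTime": time, "sourceIPAddress": ip, "userAgent": ua, "eventName": name,
            "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00000",
                             "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                                               "creationDate": created}}}}

SAMPLE_EVENTS = [
    _event("2025-02-04T09:00:00Z", "198.51.100.10", "aws-cli/2.22.0", "ListBuckets", "2025-02-04T08:30:00Z"),
    _event("2025-02-04T09:05:00Z", "203.0.113.7", "distrib#kali.2024", "GetObject", "2025-02-04T08:30:00Z"),
    _event("2025-02-04T21:00:00Z", "203.0.113.7", "distrib#kali.2024", "PutObject", "2025-02-04T08:30:00Z"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

The first-seen IP is only a baseline; in a real hunt, join on the identity’s usual egress addresses or VPN ranges rather than trusting whichever event happened to arrive first.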

Disclaimer: The news articles available on this platform are generated in whole or in part by artificial intelligence and may not have been reviewed or fact checked by human editors. While we make reasonable efforts to ensure the quality and accuracy of the content, we make no representations or warranties, express or implied, as to the truthfulness, reliability, completeness, or timeliness of any information provided. It is your sole responsibility to independently verify any facts, statements, or claims prior to acting upon them. Ainvest Fintech Inc expressly disclaims all liability for any loss, damage, or harm arising from the use of or reliance on AI-generated content, including but not limited to direct, indirect, incidental, or consequential damages.