Bybit $1.5B Crypto Heist Linked to North Korean Hackers in Sophisticated AWS Attack

Cybersecurity firm Safe{Wallet} has identified the Bybit $1.5 billion cryptocurrency heist as a highly advanced, state-sponsored attack, attributing it to North Korea-backed TraderTraitor hackers (also known as Jade Sleet, PUKCHONG, and UNC4899). The attackers took deliberate steps to erase traces of their activities, complicating forensic investigations.

Key Findings from the Investigation

  • Compromised Developer Laptop – The hackers infiltrated a Safe{Wallet} developer's macOS device on February 4, 2025, by tricking them into downloading a malicious Docker project (“MC-Based-Stock-Invest-Simulator-main”).
  • Hijacked AWS Session Tokens – The attackers bypassed multi-factor authentication (MFA) by stealing AWS session tokens, granting them unauthorized access to the company’s cloud infrastructure.
  • Persistence Through PLOTTWIST Malware – The Docker project communicated with a malicious domain (getstockprice[.]com), delivering a next-stage payload called PLOTTWIST, which enabled long-term remote access.
  • Use of Kali Linux and VPN Services – The attack was carried out from ExpressVPN IP addresses with user-agent strings linked to Kali Linux, a Linux distribution commonly used by cybersecurity professionals for penetration testing.
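The second and fourth findings describe stolen session credentials being replayed from unexpected infrastructure. The following is an added detection example, not Safe{Wallet}'s or Bybit's tooling: it walks a list of constructed CloudTrail-style records and flags temporary STS credentials (access keys starting with `ASIA`) that are reused from a new source IP or user agent, and any user agent identifying Kali Linux. The field names follow the real CloudTrail event schema; the IPs, key ID and timestamps are made up.

```python
"""Flag reuse of AWS temporary session credentials from a new IP or user agent.

Constructed sample records for illustration; field names (userIdentity.accessKeyId,
sourceIPAddress, userAgent) follow the CloudTrail event schema. Hypothetical
helper, not the tooling used in the Bybit investigation.
"""

# Constructed events: one temporary key (the ASIA prefix marks STS session
# credentials) is used twice from the developer's usual IP and macOS CLI,
# then from a different IP with a Kali Linux user agent.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-04T09:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY000001"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0"},
    {"eventTime": "2025-02-04T10:15:00Z", "eventName": "GetObject",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY000001"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0"},
    {"eventTime": "2025-02-04T11:30:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY000001"},
     "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.6.9-kali1-amd64"},
]


def find_session_token_anomalies(events):
    """Return (accessKeyId, eventTime, reason) tuples for suspicious events.

    The first event seen for each temporary key sets its baseline IP and user
    agent; later events that differ in either are flagged. A user agent naming
    Kali Linux is flagged on sight, mirroring the indicator in the report.
    """
    baseline = {}
    alerts = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not key.startswith("ASIA"):      # only STS session credentials
            continue
        ip, ua = ev.get("sourceIPAddress", ""), ev.get("userAgent", "")
        if "kali" in ua.lower():
            alerts.append((key, ev["eventTime"], "kali user agent"))
        if key not in baseline:
            baseline[key] = (ip, ua)        # first sighting sets the baseline
            continue
        base_ip, base_ua = baseline[key]
        if ip != base_ip:
            alerts.append((key, ev["eventTime"], f"new source IP {ip}"))
        if ua != base_ua:
            alerts.append((key, ev["eventTime"], f"new user agent {ua}"))
    return alerts


if __name__ == "__main__":
    for alert in find_session_token_anomalies(SAMPLE_EVENTS):
        print(alert)
```

In production the baseline would come from the token's issuing `AssumeRole`/`GetSessionToken` event rather than from the first call seen.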

Additional Malicious Activity

Between February 19 and 21, 2025, the hackers injected malicious JavaScript into the Safe{Wallet} website and leveraged the Mythic framework, an open-source post-exploitation tool.

Ongoing Crypto Theft Investigation

  • Bybit CEO Ben Zhou revealed that 77% of the stolen funds remain traceable, 20% have gone dark, and 3% have been frozen with help from Mantle, Paraswap, and ZachXBT.
  • Conversion to Bitcoin – The attackers have converted 83% (417,348 ETH) into Bitcoin, distributing the assets across 6,954 wallets.

A Record Year for Crypto Heists

With $1.6 billion stolen in Web3 attacks within the first two months of 2025, crypto heists have surged 8x compared to the same period in 2024 (which saw $200 million in losses).

Industry-Wide Security Challenges

Blockchain security firm Immunefi emphasized that the attack highlights major security gaps in Web3. Safe transaction verification remains a critical challenge, necessitating collaborative efforts across the industry to prevent future breaches.