Full Report
Forensic investigators have found that North Korean Lazarus hackers stole $1.5 billion from Bybit after hacking a developer's device at the multisig wallet platform Safe{Wallet}. [...]
Analysis Summary
# Incident Report: Lazarus Group Heist of Bybit ETH Cold Wallet
## Executive Summary
The cryptocurrency exchange Bybit suffered a massive security breach resulting in the theft of approximately $1.5 billion in ETH and stETH from its ETH Cold Wallet. The attack was attributed to the North Korean state-sponsored hacking group, Lazarus, who leveraged a sophisticated attack against a third-party developer involved with the Safe{Wallet} ecosystem to gain access. Bybit has since restored its reserves and confirmed solvency, though the stolen assets remain largely unrecovered.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the post-mortem was published on a Friday following the incident.
- **Incident Date:** Recently prior to the post-mortem publication in late 2024 (inferred from context).
- **Affected Organization:** Bybit (Cryptocurrency Exchange)
- **Sector:** Financial Technology (FinTech)/Cryptocurrency
- **Geography:** Global (Involving international hacking groups and a global exchange)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown
- **Vector:** Compromise of a third-party developer machine associated with the Safe{Wallet} ecosystem.
- **Details:** Attackers gained control of the developer's machine, which gave them a foothold in the environment supporting Bybit's wallet signing processes.
### Lateral Movement
- **Details:** The precise steps of lateral movement are not detailed, but the end result was manipulation of the smart contract logic associated with the ETH Cold Wallet, masking the signing interface.
### Data Exfiltration/Impact
- **Details:** Over **400,000 ETH and stETH**, valued at over **$1.5 billion**, were transferred out of the ETH Cold Wallet to an unidentified attacker-controlled address.
### Detection & Response
- **How it was discovered:** The outbound transfer was identified as the product of unauthorized manipulation of the smart contract logic rather than a legitimate signed transaction.
- **Response actions taken:** Bybit published a post-mortem update, stating they restored their ETH reserves and confirmed solvency, although the stolen funds were not fully recovered. They initiated an investigation confirming links to Lazarus.
## Attack Methodology
- **Initial Access:** Compromise of a third-party developer's machine (likely through malware or phishing targeting the developer).
- **Persistence:** Not detailed, but required long enough to manipulate contract environments.
- **Privilege Escalation:** Not detailed, but sufficient access was gained to manipulate core security components.
- **Defense Evasion:** The attack specifically involved **altering the smart contract logic and masking the signing interface** to appear legitimate during the transfer.
- **Credential Access:** Likely involved obtaining credentials or session tokens from the compromised developer machine.
- **Discovery:** Not detailed; reconnaissance of the target's signing environment and its supply chain is inferred.
- **Lateral Movement:** Movement toward the signing mechanisms for the ETH Cold Wallet.
- **Collection:** Identification and targeting of the ETH Cold Wallet keys/signing process.
- **Exfiltration:** Executing unauthorized transactions based on manipulated contract functions.
- **Impact:** Massive asset theft ($1.5B).
## Impact Assessment
- **Financial:** Loss of over $1.5 billion in crypto assets (ETH and stETH).
- **Data Breach:** No customer PII breach is mentioned; the impact was the theft of funds on the scale of a major financial breach.
- **Operational:** Significant operational disruption requiring immediate investigation, fund restoration, and public assurances of solvency.
- **Reputational:** Major reputational hit due to the scale of the theft and the association with the Lazarus Group.
## Indicators of Compromise
- **Network indicators:** Transactions sending stolen funds to addresses previously linked to Lazarus activity (e.g., addresses associated with the Phemex, BingX, and Poloniex hacks). Specific IoCs such as IP addresses or domains are not provided in the source text.
- **File indicators:** Not specified.
- **Behavioral indicators:** Unexplained manipulation of smart contract signing interfaces following a presumed supply chain compromise.
## Response Actions
- **Containment measures:** Not stated explicitly; halting further malicious transactions and securing the remaining assets is implied.
- **Eradication steps:** Investigation and remediation of the compromised signing environment or supply chain partner.
- **Recovery actions:** Bybit restored its ETH reserves (though the amount lost in the theft was not fully recovered) and publicly affirmed solvency.
## Lessons Learned
- The investigation confirmed the attack originated from the notorious Lazarus Group, highlighting the persistent, high-level threat actors targeting the crypto sector.
- **Supply Chain Risk:** The compromise of a third-party developer connected to the Safe{Wallet} ecosystem demonstrated a critical vulnerability within the development and integration chain.
- Sophisticated manipulation of smart contract logic and signing interfaces can bypass standard controls.
## Recommendations
- Implement enhanced, multi-layered authentication and segregation of duties for all wallet signing procedures, irrespective of the environment (hot or cold).
- Conduct stringent, independent security audits of all third-party vendors and developers who interface with critical signing infrastructure.
- Improve blockchain monitoring to swiftly detect fund movements to known North Korean-linked addresses.
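As an added example (not part of the original report or Bybit's tooling), a minimal monitor in the spirit of the last recommendation: it flags transfers that leave the cold wallet above a size threshold or land on a watchlist of known-bad addresses, and taints onward hops so later movements still alert. All addresses and transfers are constructed placeholders; the report provides no real indicators.

```python
"""Added example: watchlist and outflow monitor over constructed transfer events."""
from typing import NamedTuple

# Constructed placeholder addresses; the report itself gives no IoCs.
COLD_WALLET = "0x" + "aa" * 20
LAZARUS_WATCHLIST = {"0x" + "bb" * 20, "0x" + "cc" * 20}
LARGE_OUTFLOW_WEI = 1_000 * 10**18  # alert when > 1,000 ETH/stETH leaves cold storage


class Transfer(NamedTuple):
    tx_hash: str
    asset: str          # "ETH" or a token symbol such as "stETH"
    sender: str
    recipient: str
    amount_wei: int


def norm(addr: str) -> str:
    """Lower-case a hex address so checksummed and plain forms compare equal."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"malformed address: {addr!r}")
    return a


def scan(transfers, watchlist=LAZARUS_WATCHLIST, cold=COLD_WALLET,
         threshold=LARGE_OUTFLOW_WEI):
    """Return {tx_hash: [tags]} for transfers worth alerting on.
    Addresses that receive funds from a watchlisted address are tainted in
    turn, so later hops away from the first known address still alert."""
    tainted = {norm(a) for a in watchlist}
    cold, alerts = norm(cold), {}
    for t in transfers:
        src, dst, tags = norm(t.sender), norm(t.recipient), []
        if dst in tainted:
            tags.append("watchlist-recipient")
        if src in tainted:
            tags.append("watchlist-sender")
            tainted.add(dst)  # propagate taint one hop further
        if src == cold and t.amount_wei > threshold:
            tags.append("large-cold-wallet-outflow")
        if tags:
            alerts[t.tx_hash] = tags
    return alerts


# Constructed sample: a routine withdrawal, the drain, then two onward hops.
SAMPLE = [
    Transfer("0x01", "ETH", COLD_WALLET, "0x" + "dd" * 20, 5 * 10**18),
    Transfer("0x02", "stETH", COLD_WALLET, "0x" + "BB" * 20, 400_000 * 10**18),
    Transfer("0x03", "stETH", "0x" + "bb" * 20, "0x" + "ee" * 20, 400_000 * 10**18),
    Transfer("0x04", "ETH", "0x" + "ee" * 20, "0x" + "ff" * 20, 10 * 10**18),
]
```

Run `scan(SAMPLE)` to see the drain flagged on two rules and the two onward hops flagged by taint propagation while the routine withdrawal stays silent.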