
Billion-dollar coup: initial investigation details on the Bybit case

Cyber criminals were able to steal cryptocurrency worth 1.5 billion US dollars because they managed to manipulate the “Safe{Wallet}” interface that the affected company used to manage its wallet. Since then, the provider has been investigating how this could happen and how it will (hopefully) not happen again. Safe has now published initial findings, according to which the attackers apparently deceived a developer at Safe who held elevated access rights, among other things.

The coup that the criminals pulled off at the crypto exchange Bybit on February 21 made big headlines: when those responsible wanted to transfer a large amount of Ether (the currency of Ethereum) from one wallet to another, the coins ended up with professional attackers, probably in part because the attackers had manipulated the Safe wallet interface that was being used. The FBI attributes the attack to the “TraderTraitor” group, which is linked to the North Korean state. Safe is cooperating with the American IT security firm Mandiant to investigate the incident.

Safe announced the current status of the investigation on X, with the clear warning that this is only a preliminary report and that much work remains. Certain gaps in the reconstruction will remain, because the attacker managed to delete the malware from the affected device after the attack, along with the bash terminal history. Safe is also working on restoring all services and networks for its users.

The intrusion began on February 4: on that day, according to Safe, the laptop of a developer (“Developer1”) was compromised and a session token for Amazon Web Services (AWS) was stolen, which allowed the attackers to bypass the multifactor authentication (MFA) controls. The victim was one of the few employees with the elevated access rights needed for their tasks.

The investigators believe that a Docker project called MC-Based-Stock-Invest-Simulator-main, which communicated with the domain getstockprice(.)com, was used for the compromise. The Docker project was no longer present on the device, but files belonging to it could still be found in the ~/Downloads/ directory, which points to social engineering: attackers exploit human traits and weaknesses to get victims to, for example, install programs on their own systems themselves, as apparently happened here. Mandiant refers to other similar TraderTraitor attacks that the company is aware of.

According to Mandiant, the domain getstockprice(.)com had only been registered on February 2, via the registrar Namecheap, according to WHOIS records. Mandiant points to an almost identical domain, getstockprice(.)info, with a North Korea connection, which the security firm SlowMist reported on February 23 as an indicator of compromise (IoC). That domain had already been registered on January 7, also via Namecheap.

According to Mandiant, Developer1’s AWS account was first accessed on February 5, with the source disguised behind ExpressVPN IP addresses. The user agent strings contained the substring distrib#kali.2024, from which the investigators concluded that the attackers were using a Kali Linux distribution. Mandiant has observed the combination of ExpressVPN and Kali Linux repeatedly in TraderTraitor activity.

Safe’s AWS configuration required MFA re-authentication every 12 hours. According to Mandiant, the attackers also tried several times to create an AWS account of their own, but failed. They therefore hijacked Developer1’s active session tokens, presumably with the help of the malware on his laptop. This tied their activity to the developer’s working hours, since a stolen token was only usable while the developer’s own session was still valid.
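The access pattern described in the preceding paragraphs (a stolen MFA-authenticated session token reused from VPN exit addresses, a Kali marker in the user agent, and failed attempts to create an account of the attackers’ own) is what a defender would want to hunt for in CloudTrail. The following is an added example, not tooling from Safe or Mandiant: it scans constructed CloudTrail-style records for those indicators. The log lines, IP addresses (RFC 5737 test ranges standing in for VPN exits), access key IDs and user agent strings are all made up for the demonstration.

```python
"""Hunt for the reported TraderTraitor access pattern in CloudTrail-style records.

Added example, not Safe's or Mandiant's code. All records, IP ranges and key IDs
below are constructed; the VPN range is RFC 5737 test space, not ExpressVPN.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed stand-in for a VPN provider's exit ranges. In practice this list
# would come from a threat-intel feed of known VPN/proxy egress addresses.
VPN_EXIT_RANGES = [ip_network("203.0.113.0/24")]

# Substring reported in the attacker user agents. The AWS CLI v2 user agent
# embeds the Linux distribution as "md/distrib#<name>", so a Kali box leaks it.
UA_MARKERS = ("distrib#kali",)

# IAM calls that would give an attacker credentials of their own; a failed call
# here matches "tried to create their own AWS account, but failed".
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}

# Constructed records, one JSON object per line, trimmed to the fields used.
SAMPLE_LOG = r"""
{"eventTime":"2025-02-05T07:59:30Z","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.22.0 ua/2.0 os/macos#24.2.0 md/arch#arm64 lang/python#3.12.7 md/command#sts.get-caller-identity","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLE111","arn":"arn:aws:sts::111122223333:assumed-role/Developer/developer1","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2025-02-05T07:58:00Z"}}}}
{"eventTime":"2025-02-05T09:14:52Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.45","userAgent":"aws-cli/2.22.0 ua/2.0 os/linux#6.11.2-amd64 md/arch#x86_64 lang/python#3.12.7 md/distrib#kali.2024 md/command#s3api.list-buckets","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLE111","arn":"arn:aws:sts::111122223333:assumed-role/Developer/developer1","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2025-02-05T07:58:00Z"}}}}
{"eventTime":"2025-02-05T09:20:03Z","eventName":"CreateUser","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.45","userAgent":"aws-cli/2.22.0 ua/2.0 os/linux#6.11.2-amd64 md/arch#x86_64 lang/python#3.12.7 md/distrib#kali.2024 md/command#iam.create-user","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLE111","arn":"arn:aws:sts::111122223333:assumed-role/Developer/developer1","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2025-02-05T07:58:00Z"}}}}
{"eventTime":"2025-02-06T10:01:00Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.22.0 ua/2.0 os/macos#24.2.0 md/arch#arm64 lang/python#3.12.7 md/command#ec2.describe-instances","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIAEXAMPLE222","arn":"arn:aws:sts::111122223333:assumed-role/Developer/developer1","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2025-02-06T09:55:00Z"}}}}
"""


def is_vpn_exit(ip: str) -> bool:
    """True if the address falls inside one of the (constructed) VPN exit ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in VPN_EXIT_RANGES)


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(text: str) -> list[dict]:
    """Return one finding per suspicious event, in time order, with the reasons."""
    events = sorted(parse_log(text), key=lambda e: e["eventTime"])

    # A temporary key (ASIA...) is minted for one session; remember the first
    # source IP that used it so later use from elsewhere stands out.
    first_ip: dict[str, str] = {}
    for ev in events:
        first_ip.setdefault(ev["userIdentity"].get("accessKeyId"), ev["sourceIPAddress"])

    findings = []
    for ev in events:
        ident = ev["userIdentity"]
        key = ident.get("accessKeyId")
        ip = ev["sourceIPAddress"]
        reasons = []

        if any(marker in ev.get("userAgent", "") for marker in UA_MARKERS):
            reasons.append("kali-user-agent")
        if is_vpn_exit(ip):
            reasons.append("vpn-exit-ip")

        # mfaAuthenticated stays "true" for the whole life of a stolen token, so
        # the flag alone proves nothing; the signal is the token moving to a new IP.
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        if attrs.get("mfaAuthenticated") == "true" and ip != first_ip[key]:
            reasons.append("mfa-session-reused-from-new-ip")

        if ev["eventName"] in PERSISTENCE_CALLS and ev.get("errorCode"):
            reasons.append("failed-persistence-attempt")

        if reasons:
            findings.append({
                "eventTime": ev["eventTime"],
                "eventName": ev["eventName"],
                "accessKeyId": key,
                "sourceIPAddress": ip,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["eventTime"], f["eventName"], f["sourceIPAddress"], ", ".join(f["reasons"]))
```

The point of the third check is the caveat the report implies: because the token was minted after a legitimate MFA prompt, every call the attackers made with it still carries `mfaAuthenticated: true`, so an alert that merely requires MFA on the session context is blind to this attack. Pivoting on the key moving to a new source address, on the user agent, and on denied IAM persistence calls catches it instead.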

On February 17, the attackers injected malicious code into Safe’s AWS environment. The blockchain news site Ledger Insights assumes that this code was aimed at only one of Bybit’s wallets. On February 21, it enabled the attackers to drain the assets worth billions from that Bybit wallet.

This caused a major scandal for Safe and Bybit, especially because various experts, including Bybit CEO Ben Zhou, stressed after the attack that the Safe wallet should never have been used for transactions of this size. It was Zhou himself who authorized the disastrous transaction.

Safe also lists some of the security measures that were already in place before the attack, for example regular security audits, including by external experts, and several four-eyes reviews for changes to the product. Safe has responded to the attack with a whole series of new measures, including a temporary block on external services for its own transaction system and comprehensive monitoring across all layers of the stack.


However, the investigation report also raises new questions for some X users, for example how the attackers could smuggle in their code if every change to the product has to be reviewed by other Safe colleagues. Rahul Rumalla, Chief Product Officer at Safe, says that according to the current state of knowledge the attackers “maneuvered and orchestrated” their activities very cleverly to circumvent the numerous security precautions; the attackers were quite sophisticated. The same user also wants to know whether the affected laptop was a private or a work device, and whether the developer’s role was publicly known. To protect the employee’s privacy, Rumalla does not want to go into this.

Safe also appeals to the entire industry: the increasing sophistication of such attacks highlights critical weaknesses in Web3 security. The user’s authorization of a transaction is the last line of defence against cybercrime, and it only works if the signer always knows exactly what they are authorizing. Safe has drawn up guidelines for this. Overall, however, the company believes that not only the users of crypto transactions but the entire industry needs to get to grips with such problems.


(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

