Safe{Wallet} has revealed that the cybersecurity incident that led to the Bybit $1.5 billion crypto heist is a “highly sophisticated, state-sponsored attack,” stating the North Korean threat actors behind the hack took steps to erase traces of the malicious activity in an effort to hamper investigation efforts.
The multi-signature (multisig) platform, which has roped in Google Cloud Mandiant to perform a forensic investigation, said the attack is the work of a hacking group dubbed TraderTraitor, which is also known as Jade Sleet, PUKCHONG, and UNC4899.
“The attack involved the compromise of a Safe{Wallet} developer’s laptop (‘Developer1’) and the hijacking of AWS session tokens to bypass multi-factor authentication (‘MFA’) controls,” it said. “This developer was one of the very few personnel that had higher access in order to perform their duties.”
Further analysis has determined that the threat actors broke into the developer’s Apple macOS machine on February 4, 2025, when the individual downloaded a Docker project named “MC-Based-Stock-Invest-Simulator-main” likely via a social engineering attack. The project communicated with a domain “getstockprice[.]com” that was registered on Namecheap two days before.
This is prior evidence indicating that the TraderTraitor actors have tricked cryptocurrency exchange developers into helping troubleshoot a Docker project after approaching them via Telegram. The Docker project is configured to drop a next-stage payload named PLOTTWIST that enables persistent remote access.
It’s not clear if the same modus operandi was employed in the latest attacks, as Safe{Wallet} said “the attacker removed their malware and cleared Bash history in an effort to thwart investigative efforts.”
Ultimately, the malware deployed to the workstation is said to have been utilized to conduct reconnaissance of the company’s Amazon Web Services (AWS) environment and hijack active AWS user sessions to perform their own actions aligning with the developer’s schedule in an attempt to fly under the radar.
“The attacker use of Developer1’s AWS account originated from ExpressVPN IP addresses with User-Agent strings containing distrib#kali.2024,” it said. “This User-Agent string indicates use of Kali Linux which is designed for offensive security practitioners.”
The attackers have also been observed deploying the open-source Mythic framework, as well as injecting malicious JavaScript code to the Safe{Wallet} website for a two-day period between February 19 and 21, 2025.
Bybit CEO Ben Zhou, in an update shared earlier this week, said over 77% of the stolen funds remain traceable, and that 20% have gone dark and 3% have been frozen. It credited 11 parties, including Mantle, Paraswap, and ZachXBT, for helping it freeze the assets. About 83% (417,348 ETH) has been converted into bitcoin, distributing it across 6,954 wallets.
In the wake of the hack, 2025 is on track for a record year for cryptocurrency heists, with Web3 projects already losing a staggering $1.6 billion in the first two months alone, an 8x increase from the $200 million this time last year, according to data from blockchain security platform Immunefi.
“The recent attack underscores the evolving sophistication of threat actors and highlights critical vulnerabilities in Web3 security,” the company said.
“Verifying that the transaction you are signing will result in the intended outcome remains one of the biggest security challenges in Web3, and this is not just a user and education problem — it is an industry-wide issue that demands collective action.”
