The developer of SafeWallet has released a post-mortem report detailing the cybersecurity exploit that led to the $1.4 billion hack against Bybit in February.
According to a forensic analysis conducted by SafeWallet and cybersecurity firm Mandiant, the hacking group hijacked a Safe developer’s Amazon Web Services (AWS) session tokens to bypass the multifactor authentication security measures put in place by the firm.
SafeWallet’s AWS settings required team members to reauthenticate their AWS session tokens every 12 hours, which prompted the hacking group to attempt a breach by registering a multifactor authentication (MFA) device.
Following several failed attempts at registering an MFA device, the threat actors compromised a developer’s MacOS system, likely through malware installed on the system, and were able to use the AWS session tokens while the developer’s sessions were active.
Once the hackers gained access, they worked within the Amazon Web Services environment to set up the attack.
Mandiant’s forensic analysis also confirmed that the hackers were North Korean state actors who took 19 days to prepare and execute the attack.
The latest update reiterated that the cybersecurity exploit did not affect Safe’s smart contracts and added that the Safe development team put additional safeguards in place following what was the biggest hack in crypto history.
Related: Crypto lost to exploits, scams, hits $1.5B in February with Bybit hack: CertiK
FBI puts out an alert as Bybit hackers launder funds
The US Federal Bureau of Investigation (FBI) published an online alert asking node operators to block transactions from wallet addresses linked to the North Korean hackers, which the FBI said would be laundered and converted to fiat currency.
Since that time, the Bybit hackers laundered 100% of the stolen crypto, comprising nearly 500,000 Ether-related tokens, in only 10 days.
On March 4, Bybit CEO Ben Zhou said that around 77% of the funds, valued at roughly $1.07 billion, are still traceable onchain, while approximately $280 million have gone dark.
However, Deddy Lavid, CEO of the Cyvers cybersecurity firm, said cybersecurity teams may still be able to trace and freeze some of the stolen funds.
Magazine: Lazarus Group’s favorite exploit revealed — Crypto hacks analysis
