Inside Story of the Bybit Heist: How North Korean Hackers Stole $1.5 Billion in Crypto
The new hacking techniques used in the $1.5 billion Bybit hack have shocked the crypto market. North Korean hackers used highly sophisticated technology to erase traces of their cyber activities.
By News Room

In a shocking development, Safe{Wallet} has confirmed that the $1.5 billion cryptocurrency heist involving Bybit was a “highly sophisticated, state-sponsored attack.” The cybercriminals behind this breach, identified as the North Korean group TraderTraitor (also known as Jade Sleet, PUKCHONG, and UNC4899), went to great lengths to erase their tracks, making it difficult for investigators to trace their activities.
The attack primarily targeted the laptop of a Safe{Wallet} developer, referred to as “Developer1.” The hackers managed to hijack AWS session tokens, bypassing multi-factor authentication (MFA) controls. This developer had higher access privileges, which the attackers exploited to their advantage.
The Role of Malware and Social Engineering
According to forensic analysis conducted with the help of Google Cloud Mandiant, the hackers initially gained access to the developer’s Apple macOS machine on February 4, 2025. The breach occurred when the developer downloaded a Docker project titled “MC-Based-Stock-Invest-Simulator-main,” likely through a social engineering attack. The project communicated with a domain, “getstockprice[.]com,” that had been registered on Namecheap just two days before.
This attack method aligns with previous tactics used by TraderTraitor. The group has previously tricked cryptocurrency exchange developers by reaching out via Telegram, asking for help troubleshooting a Docker project. Once downloaded, the project executes a next-stage payload called PLOTTWIST, granting the attackers persistent remote access to the victim’s system.
Although it remains unclear if the same approach was used in this attack, Safe{Wallet} confirmed that the hackers took extensive measures to cover their tracks. They removed the malware and cleared the Bash history, making it harder for investigators to uncover details of the breach.
How the Hackers Exploited AWS
Once inside the system, the attackers carried out reconnaissance of Safe{Wallet}’s Amazon Web Services (AWS) environment. They then hijacked active AWS user sessions, strategically performing actions according to the developer’s usual schedule to avoid raising suspicion. The use of ExpressVPN IP addresses with a “distrib#kali.2024” User-Agent string linked to the Kali Linux security distribution further suggests that this was a well-planned cyber operation.
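A defender's view of the session hijacking described above, as an added example that is not from Safe{Wallet}, Mandiant or the original article: it scans CloudTrail-shaped records for the reported User-Agent marker and for temporary credentials used from more than one source IP. The sample events, key IDs, User-Agent strings and IP addresses are constructed.

```python
import ipaddress
from collections import defaultdict

UA_MARKER = "distrib#kali"  # substring of the User-Agent string reported in the article

def _ev(key, ip, ua, name):
    # Builds a minimal CloudTrail-shaped record (constructed sample data).
    return {"eventName": name, "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": {"accessKeyId": key}}

MAC_UA = "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0"     # constructed
KALI_UA = "aws-cli/2.15.0 os/linux md/distrib#kali.2024"  # constructed around the marker

SAMPLE_EVENTS = [
    _ev("ASIAEXAMPLESESSION01", "198.51.100.10", MAC_UA, "GetCallerIdentity"),
    _ev("ASIAEXAMPLESESSION01", "203.0.113.77", KALI_UA, "ListBuckets"),
    _ev("ASIAEXAMPLESESSION02", "198.51.100.10", MAC_UA, "DescribeInstances"),
    _ev("ASIAEXAMPLESESSION02", "cloudformation.amazonaws.com", MAC_UA, "CreateBucket"),
    _ev("AKIAEXAMPLELONGTERM1", "198.51.100.10", MAC_UA, "ListUsers"),
    _ev("AKIAEXAMPLELONGTERM1", "192.0.2.5", MAC_UA, "ListUsers"),
]

def _is_ip(value):
    # CloudTrail puts a service name here when an AWS service calls on the user's behalf.
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False

def find_suspicious_sessions(events):
    """Return {accessKeyId: set of reasons} for temporary credentials worth reviewing."""
    ips_by_key = defaultdict(set)
    findings = defaultdict(set)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId") or ""
        if not key.startswith("ASIA"):  # ASIA prefix marks temporary (STS) credentials
            continue
        if UA_MARKER in (ev.get("userAgent") or "").lower():
            findings[key].add("kali-user-agent")
        if _is_ip(ev.get("sourceIPAddress")):
            ips_by_key[key].add(ev["sourceIPAddress"])
    for key, ips in ips_by_key.items():
        if len(ips) > 1:
            findings[key].add("multiple-source-ips")
    return dict(findings)

if __name__ == "__main__":
    for key, reasons in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(key, sorted(reasons))
```

A session seen from several IPs can also be a user changing networks, so that signal is a prompt for review rather than proof of hijacking; the User-Agent marker is attacker-controlled and its absence proves nothing.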
Investigators also discovered that the hackers used the open-source Mythic framework and injected malicious JavaScript into the Safe{Wallet} website between February 19 and 21, 2025. This indicates a broader attack strategy aimed at deeper infiltration into the system.
The Impact on Bybit and the Crypto Industry
Bybit CEO Ben Zhou shared that over 77% of the stolen funds remain traceable, with 20% going dark and 3% already frozen. Several blockchain security experts, including Mantle, Paraswap, and ZachXBT, assisted in freezing a portion of the stolen assets. Analysis reveals that 83% of the stolen funds, equivalent to 417,348 ETH, were converted into Bitcoin and distributed across 6,954 wallets.
The massive heist marks a troubling trend for the cryptocurrency industry. In the first two months of 2025 alone, Web3 projects have lost $1.6 billion to cyber attackers, an 8x increase from the $200 million lost in the same two months of last year, according to blockchain security platform Immunefi.
Safe{Wallet} observed that the attack underscores the growing sophistication of cybercriminals targeting Web3 platforms. The company stressed that verifying transactions before signing remains a major security challenge in the crypto space. Treating this as more than just a user-awareness issue, it called for industry-wide collaboration to strengthen security measures and protect digital assets from evolving threats.
News Room
Editor
Newsroom is the editorial team of CoinfoMania, delivering 24/7 crypto news, market insights, and in-depth analysis. With 30+ journalists worldwide, we keep you ahead in the blockchain space.