SafeWallet has published a detailed post-mortem report on the $1.4 billion cyberattack against Bybit, shedding light on how the exploit occurred and the security measures needed to prevent similar incidents in the future.
How the Attack Happened
According to a forensic analysis by SafeWallet and cybersecurity firm Mandiant, the North Korean hacking group behind the attack exploited a vulnerability in Amazon Web Services (AWS) session tokens to bypass Bybit’s multifactor authentication (MFA) security.
Key findings from the investigation:
- SafeWallet’s AWS settings required session token reauthentication every 12 hours.
- The attackers attempted to register an MFA device but failed multiple times.
- They compromised a developer’s macOS system, likely through malware, allowing them to hijack active AWS session tokens.
- With these credentials, the hackers gained unauthorized access to AWS and launched the attack.
Mandiant’s analysis confirmed that North Korean state-backed actors spent 19 days planning and executing the breach.
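The findings above describe a token that stays valid for up to 12 hours and is then used by someone other than the developer who obtained it. The script below is an added illustration of how a defender could spot that pattern in CloudTrail-style logs; it is not code from SafeWallet's or Mandiant's report. The log records are constructed, the field names are a simplified version of CloudTrail's (an assumption), and the 12-hour lifetime mirrors the setting mentioned above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AWS temporary (STS session) credentials have access key IDs starting with
# "ASIA"; long-term IAM user keys start with "AKIA".
TEMP_KEY_PREFIX = "ASIA"
# State-changing operations: misuse of these from a hijacked session is more
# serious than read-only reconnaissance. Illustrative list, not exhaustive.
WRITE_EVENTS = {"PutObject", "PutBucketPolicy", "CreateAccessKey", "AttachUserPolicy"}

# Constructed CloudTrail-style records (simplified field names, an assumption).
# A developer's session token is first used from their workstation, then the
# same token shows up from a different address with a different client, and
# finally reappears after the 12-hour session lifetime has passed.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-19T08:00:00Z", "accessKeyId": "ASIAEXAMPLEDEV000001",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "eventName": "ListBuckets"},
    {"eventTime": "2025-02-19T09:30:00Z", "accessKeyId": "ASIAEXAMPLEDEV000001",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "eventName": "GetObject"},
    {"eventTime": "2025-02-19T09:45:00Z", "accessKeyId": "AKIAEXAMPLELONGTERM1",
     "sourceIPAddress": "203.0.113.20", "userAgent": "aws-sdk-go/1.44",
     "eventName": "DescribeInstances"},
    {"eventTime": "2025-02-19T11:05:00Z", "accessKeyId": "ASIAEXAMPLEDEV000001",
     "sourceIPAddress": "198.51.100.7", "userAgent": "python-requests/2.31.0",
     "eventName": "GetCallerIdentity"},
    {"eventTime": "2025-02-19T11:10:00Z", "accessKeyId": "ASIAEXAMPLEDEV000001",
     "sourceIPAddress": "198.51.100.7", "userAgent": "python-requests/2.31.0",
     "eventName": "PutObject"},
    {"eventTime": "2025-02-19T21:00:00Z", "accessKeyId": "ASIAEXAMPLEDEV000001",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "eventName": "ListBuckets"},
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_misuse(events, max_session_hours=12):
    """Flag temporary-credential events whose context differs from the first
    use of that session token, or that fall outside the session lifetime.

    Returns a list of alert dicts, chronological within each session token.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev["accessKeyId"].startswith(TEMP_KEY_PREFIX):
            by_key[ev["accessKeyId"]].append(ev)

    alerts = []
    for key, session_events in by_key.items():
        session_events.sort(key=lambda e: _parse_time(e["eventTime"]))
        first = session_events[0]          # baseline: where the token was minted
        first_seen = _parse_time(first["eventTime"])
        for ev in session_events[1:]:
            reasons = []
            if ev["sourceIPAddress"] != first["sourceIPAddress"]:
                reasons.append("new source IP")
            if ev["userAgent"] != first["userAgent"]:
                reasons.append("new user agent")
            if _parse_time(ev["eventTime"]) - first_seen > timedelta(hours=max_session_hours):
                reasons.append("used beyond session lifetime")
            if reasons:
                alerts.append({
                    "accessKeyId": key,
                    "eventTime": ev["eventTime"],
                    "eventName": ev["eventName"],
                    "severity": "high" if ev["eventName"] in WRITE_EVENTS else "medium",
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_misuse(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["eventTime"], alert["eventName"],
              alert["accessKeyId"], "; ".join(alert["reasons"]))
```

Run directly, the script reports three alerts for the constructed data: two for the token's appearance from the unfamiliar address (the write operation rated high), and one for use past the 12-hour lifetime. Taking the first event as the baseline is a simplification; a production rule would compare against the identity's known networks and devices, and in real CloudTrail the key sits under `userIdentity.accessKeyId`.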
SafeWallet’s Response and Security Enhancements
The report clarified that Safe’s smart contracts remained unaffected by the attack. In response, SafeWallet’s development team has implemented additional security measures to prevent future exploits. The team also emphasized the need for ongoing improvements in user experience and user interface design to help combat emerging cybersecurity threats.
FBI Warns Against Laundering of Stolen Funds
Following the hack, the FBI issued an alert urging node operators to block transactions linked to the North Korean hackers, warning that they were laundering the stolen crypto.
- In just 10 days, the Bybit hackers successfully laundered 100% of the stolen funds, totaling nearly 500,000 Ether-related tokens.
- Bybit CEO Ben Zhou reported on March 4 that about 77% of the funds ($1.07 billion) remain traceable on-chain, while approximately $280 million has disappeared.
- Cybersecurity experts, including Deddy Lavid, CEO of Cyvers, believe some of the stolen funds could still be traced and frozen.
This hack stands as the largest crypto theft in history, underscoring the urgent need for stronger security protocols across the blockchain industry.