A meticulously orchestrated cyber intrusion led to the theft of approximately 400,000 ETH from ByBit, marking it as one of the largest cryptocurrency heists ever attributed to North Korean (DPRK) state-sponsored actors, specifically the group dubbed TraderTraitor.
In a technical simulation conducted by Elastic’s security researchers, drawing on incident reports from Sygnia, Mandiant, SlowMist, and Unit42, the full attack chain was replicated to extract practical lessons and reinforce modern defense strategies.
The intrusion was initiated through a sophisticated social engineering campaign targeting a Safe{Wallet} developer using macOS.
By posing as a legitimate contact on platforms such as Telegram or Discord, the attackers convinced the victim to run a Python application that carried a remote code execution vulnerability through the PyYAML library.
The payload, packaged to mimic a common development tool and even Dockerized for additional stealth, bypassed macOS endpoint defenses and established persistence using a Golang-based MythicC2 Poseidon agent.

This agent enabled both system reconnaissance and theft of AWS credentials, which were stored locally as temporary session tokens from routine development activities.
Armed with these short-lived AWS session tokens, the attackers gained direct access to Safe{Wallet}’s cloud infrastructure.
Efforts to establish persistent AWS access by registering their own MFA device were thwarted by IAM policy limitations tied to session token context, but this setback was inconsequential.
Over the next two weeks, the DPRK operatives conducted detailed reconnaissance, enumerating IAM roles, S3 buckets, and other resources, culminating in the identification of the S3 bucket hosting Safe{Wallet}’s Next.js-based frontend.
Frontend Tampering and Transaction Redirection
The threat actors reverse-engineered the statically hosted Next.js assets, isolating the logic handling multi-signature transaction requests from ByBit’s cold wallet.
By injecting malicious JavaScript directly into a primary JavaScript bundle and re-uploading it to S3, they established client-side control over transaction construction.
The script was designed to only trigger for transactions involving ByBit’s multisig addresses, dynamically modifying transaction parameters to redirect funds to attacker-controlled wallets.
Notably, post-attack, the malicious code was scrubbed from the application, indicating careful operational security by the adversaries.
According to the report, the research team’s simulation confirmed that the compromise did not require backend API or smart contract exploitation; frontend supply chain tampering alone sufficed to subvert trust at the transaction approval layer.
Two failures were critical: the exposure of developer credentials through insecure local storage, and insufficient S3 hardening (no Object Lock, no Subresource Integrity (SRI), and no access boundary enforcement).
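The S3 hardening gap above is the one a deployment pipeline can close on its own. The following is an added example (not Elastic’s, Safe{Wallet}’s, or ByBit’s code) that pins each built bundle to a Subresource Integrity hash and checks what is actually served against the build-time manifest, flagging a modified, missing, or unexpected file; the bundle paths and contents are constructed for illustration.

```python
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(path: str, content: bytes) -> str:
    """Emit a <script> tag pinned to the bundle's hash; a browser refuses a bundle
    whose bytes no longer match, even if the copy in the bucket was replaced."""
    return (f'<script src="{path}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify_deployed(manifest: dict, deployed: dict) -> dict:
    """Compare served bundles against the build-time manifest {path: sri_hash}.
    Any entry in 'modified' or 'unexpected' is a frontend asset that was not
    produced by the pipeline and should page the on-call engineer."""
    modified = [p for p, h in manifest.items()
                if p in deployed and sri_hash(deployed[p]) != h]
    missing = [p for p in manifest if p not in deployed]
    unexpected = [p for p in deployed if p not in manifest]
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


# Constructed sample: bundles as the CI build produced them ...
BUILD_OUTPUT = {
    "_next/static/chunks/main.js": b"export function buildTx(to, v){return {to, v};}\n",
    "_next/static/chunks/app.js": b"console.log('app');\n",
}
MANIFEST = {path: sri_hash(content) for path, content in BUILD_OUTPUT.items()}

# ... and a constructed snapshot of the bucket where main.js gained extra code
# and a file the build never emitted appeared.
DEPLOYED = dict(BUILD_OUTPUT)
DEPLOYED["_next/static/chunks/main.js"] += b"/* code not present at build time */\n"
DEPLOYED["_next/static/chunks/extra.js"] = b"// file not produced by the build\n"

if __name__ == "__main__":
    for path, content in BUILD_OUTPUT.items():
        print(script_tag("/" + path, content))
    print(verify_deployed(MANIFEST, DEPLOYED))
```

In a real pipeline the manifest is written at build time and the deployed snapshot is fetched from the bucket on a schedule, so a bundle changed outside the pipeline is caught even if the browser-side SRI check is bypassed by also rewriting the HTML.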
Elastic’s platform successfully detected each attack phase through rules targeting suspicious Python script behaviors, cloud credential access from unusual directories, AWS session token misuse, S3 frontend asset modification, and Dockerized process anomalies.

The employment of OSQuery and centralized cloud log ingestion bolstered visibility, while AI-powered attack correlation accelerated incident response timelines.
This simulated breach underscores the growing risk posed by supply chain and endpoint compromise within crypto infrastructure.
As DPRK-aligned actors refine their tradecraft, combining social engineering, macOS-specific payloads, and exploitation of cloud platform misconfigurations, organizations must prioritize least-privilege cloud policy, robust endpoint detection and response, immutable frontend deployment pipelines, and continuous user security awareness.
Through disciplined emulation and defense-in-depth, defenders can better anticipate and mitigate the tactics now defining the future of state-level cryptocurrency theft.