Bybit Hack Exposed: Sophisticated Multi-Stage Attack Details Revealed

The recent Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by multiple cybersecurity teams, including Sygnia.

This attack demonstrated a sophisticated, multi-stage approach that allowed the threat actors to gain control of Bybit’s Ethereum cold wallets and siphon funds.

The incident highlights significant security gaps across various domains, including macOS malware, AWS cloud compromise, application security, and smart contract vulnerabilities.

Attack Timeline and Tactics

The earliest known malicious activity began on February 4, 2025, when a developer’s macOS workstation was compromised, likely through social engineering.

This initial breach led to the theft of AWS access credentials, which were used to access Safe{Wallet}’s AWS infrastructure starting from February 5.

Figure: Snippet of Safe{Wallet}’s smart contract code

Between February 5 and February 17, the attackers conducted reconnaissance within the AWS environment, although specific details of their activities remain limited.

On February 19, JavaScript resources hosted on an AWS S3 bucket serving Safe{Wallet}’s web interface were modified with malicious code designed to manipulate transactions specifically targeting Bybit’s cold wallet.

On February 21, Bybit initiated a transaction using Safe{Wallet}’s web interface, which was manipulated by the attackers.

According to Sygnia’s report, the malicious code altered the transaction payload, allowing the attackers to transfer over 400,000 ETH without requiring multisig approval.

The attackers quickly removed the malicious code from Safe{Wallet}’s web interface two minutes after the transaction, likely to cover their tracks.
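A defender-side integrity check for the kind of front-end tampering described above, added here as an example and not taken from Sygnia’s report or from Safe{Wallet}’s code: it compares the JavaScript assets a bucket currently serves against a manifest of hashes recorded at release time, and also produces the Subresource Integrity value a page can pin in its script tag so a modified bundle is refused by the browser. The asset paths, contents and manifest are constructed sample data.

```python
"""Integrity drift check for web assets served from object storage (added example)."""
import base64
import hashlib


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, digest: str) -> str:
    """Script tag that makes the browser reject a bundle whose hash has changed."""
    return f'<script src="{src}" integrity="{digest}" crossorigin="anonymous"></script>'


# Constructed release bundles; the manifest derived from them would be stored
# and signed outside the serving bucket so a bucket-only compromise cannot alter it.
RELEASE_BUNDLES = {
    "static/js/app.js": b"export function buildTx(to, value) { return {to, value}; }\n",
    "static/js/vendor.js": b"export const VERSION = '1.0.0';\n",
}
EXPECTED_MANIFEST = {path: sri_digest(body) for path, body in RELEASE_BUNDLES.items()}

# Constructed snapshot of what the bucket serves now: app.js has been altered
# to redirect the transaction recipient, mirroring the class of change in the incident.
SERVED_NOW = {
    "static/js/app.js": b"export function buildTx(to, value) { return {to: ATTACKER, value}; }\n",
    "static/js/vendor.js": b"export const VERSION = '1.0.0';\n",
}


def find_drift(manifest: dict, served: dict) -> list:
    """List (path, reason) for every served asset that is missing, changed or unexpected."""
    findings = []
    for path, expected in manifest.items():
        body = served.get(path)
        if body is None:
            findings.append((path, "missing"))
        elif sri_digest(body) != expected:
            findings.append((path, "hash mismatch"))
    for path in served:
        if path not in manifest:
            findings.append((path, "unexpected asset"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in find_drift(EXPECTED_MANIFEST, SERVED_NOW):
        print(f"ALERT {path}: {reason}")
    print(script_tag("static/js/app.js", EXPECTED_MANIFEST["static/js/app.js"]))
```

Running the check on a schedule against the live bucket (rather than the embedded snapshot) would have surfaced the altered bundle during the two-minute window the page describes; the SRI tag closes the gap for users whose pages load the bundle in between.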

Attribution and Industry Implications

The FBI has attributed the attack to the Lazarus Group, a threat actor linked to the Democratic People’s Republic of Korea (DPRK), known for previous crypto heists.

This attribution is supported by Mandiant’s investigation and further evidence from crypto analytics firm Arkham.

The Bybit hack underscores the crypto industry’s lack of standardized security practices and third-party risk assessments, leaving it vulnerable to such sophisticated attacks.

The incident sets a new benchmark for forensic transparency, demonstrating how sharing detailed investigation findings can enhance industry-wide defenses against similar threats.

The attack’s complexity and the substantial financial incentives driving such heists emphasize the need for adaptive and proactive defenses in the crypto sector.

As the industry continues to evolve rapidly, it must adopt more stringent security measures to mitigate future risks.

The Bybit hack serves as a critical lesson for enhancing security across multiple domains, including social engineering, cloud security, and smart contract vulnerabilities.
