Bit ByBit - emulation of the DPRK's largest cryptocurrency heist
Key takeaways
Key takeaways from this research:
- PyYAML deserialization as the initial access vector
- The attack leveraged session token abuse and AWS lateral movement
- Static site supply chain tampering
- Docker-based stealth on macOS
- End-to-end detection correlation with Elastic
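The first takeaway names PyYAML deserialization as the way in. The defensive point is the loader: `yaml.safe_load` constructs only standard YAML types, while the full loader will build arbitrary Python objects from tags in the `!!python/` namespace. The block below is an added example, not code from the article or from Elastic; both YAML documents are constructed for it, and it uses a harmless `!!python/tuple` tag only to show that the safe loader refuses such tags outright while the full loader honours them.

```python
"""
Added example (not from the original article): the difference between
PyYAML's safe loader and its full loader, which is the defensive lesson
behind "PyYAML deserialization as the initial access vector".

Assumes PyYAML is installed (pip install pyyaml). CONSTRUCTED_CONFIG and
CONSTRUCTED_TAGGED are sample documents made up for this example.
"""
import yaml
from yaml.constructor import ConstructorError

# Constructed: an ordinary configuration document a service might accept.
CONSTRUCTED_CONFIG = """\
service: price-feed
endpoints:
  - https://example.invalid/api
retries: 3
"""

# Constructed: the same shape of document carrying a Python-specific tag.
# Tags under `!!python/` instruct PyYAML to build Python objects instead of
# plain data. The safe loader has no constructor registered for them and
# rejects the whole document rather than guessing.
CONSTRUCTED_TAGGED = """\
service: price-feed
retries: !!python/tuple [1, 2, 3]
"""


def load_untrusted(document: str):
    """Parse YAML that crossed a trust boundary: safe loader only.

    yaml.safe_load uses SafeLoader, which constructs mappings, sequences
    and scalars and nothing else. This is the call to use for any input
    that did not originate inside the application itself.
    """
    return yaml.safe_load(document)


def safe_loader_rejects(document: str) -> bool:
    """True if the safe loader refuses the document.

    SafeLoader raises ConstructorError when it meets a tag it has no
    constructor for, which is what happens for anything under `!!python/`.
    """
    try:
        yaml.safe_load(document)
    except ConstructorError:
        return True
    return False


def load_with_full_loader(document: str):
    """Shown only for contrast: yaml.Loader honours Python tags and builds
    the objects they name. Never point it at input you do not control."""
    return yaml.load(document, Loader=yaml.Loader)


if __name__ == "__main__":
    print("safe loader on plain config:", load_untrusted(CONSTRUCTED_CONFIG))
    print("safe loader rejects tagged doc:", safe_loader_rejects(CONSTRUCTED_TAGGED))
    print("full loader on tagged doc:", load_with_full_loader(CONSTRUCTED_TAGGED))
```

A useful code-review check that follows from this is to grep a codebase for `yaml.load(` and `yaml.unsafe_load(` and confirm every call site either passes `Loader=yaml.SafeLoader` or only ever sees files the application itself wrote.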
Introduction
On February 21, 2025, the crypto world was shaken when approximately 400,000 ETH vanished from ByBit, one of the industry’s largest cryptocurrency exchanges. Behind this incredible theft is believed to be North Korea’s elite cyber-offensive unit, referred to as TraderTraitor. Exploiting a trusted vendor relationship with Safe{Wallet}, a multisig (multi-signature) wallet platform, TraderTraitor transformed a routine transaction into a billion-dollar heist. Supply chain targeting has become a hallmark of the DPRK’s cyber strategy, underpinning the regime’s theft of more than $6 billion in cryptocurrency since 2017. In this article we’ll dissect this attack, carefully emulate its tactics within a controlled environment, and provide practical lessons to reinforce cybersecurity defenses using Elastic’s products and features.
Our …
IoC
http://getstockprice.com
https://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js
http://app.safe.global
e89bf606fbed8f68127934758726bbb5e68e751427f3bcad3ddf883cb2b50fc7
47e997b85ed3f51d2b1d37a6a61ae72185d9ceaf519e2fdb53bf7e761b7bc08f
937c533bddb8bbcd908b62f2bf48e5bc11160505df20fea91d9600d999eafa79
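The IoC list above is only useful once it is matched against telemetry. The block below is an added example, not from the article or from Elastic: it takes the URLs and SHA-256 hashes published above, derives hostnames and URL paths from the URLs so that DNS and proxy records that carry only a host still match, and runs the result over a handful of constructed log lines. The log lines and their field layout are invented for this example; the indicator values are the ones printed in the article.

```python
"""
Added example (not from the original article): matching the article's
published IoCs against sample telemetry. The IoC values are copied from the
article's IoC list; CONSTRUCTED_LOGS and its field layout are made up here.
"""
import re
from urllib.parse import urlparse

# Indicator values taken from the article's IoC list.
IOC_URLS = {
    "http://getstockprice.com",
    "https://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js",
    "http://app.safe.global",
}
IOC_SHA256 = {
    "e89bf606fbed8f68127934758726bbb5e68e751427f3bcad3ddf883cb2b50fc7",
    "47e997b85ed3f51d2b1d37a6a61ae72185d9ceaf519e2fdb53bf7e761b7bc08f",
    "937c533bddb8bbcd908b62f2bf48e5bc11160505df20fea91d9600d999eafa79",
}

# Derived from the URL IoCs. app.safe.global is the tampered legitimate site,
# so a bare hostname hit there is context, not a verdict; the specific chunk
# path is the stronger signal. getstockprice.com has no legitimate use here.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}
IOC_URL_PATHS = {urlparse(u).path for u in IOC_URLS if urlparse(u).path}

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
HOST_FIELD_RE = re.compile(r"(?:host|query)=([A-Za-z0-9.-]+)")

# Constructed sample telemetry: proxy, DNS and file-event records.
CONSTRUCTED_LOGS = [
    "2025-02-21T10:02:11Z proxy host=getstockprice.com method=GET url=http://getstockprice.com/update",
    "2025-02-21T10:02:15Z dns query=app.safe.global type=A",
    "2025-02-21T10:02:16Z proxy host=app.safe.global method=GET url=https://app.safe.global/_next/static/chunks/pages/_app-52c9031bfa03da47.js",
    "2025-02-21T10:03:40Z file_event action=create path=/tmp/build.tgz sha256=937c533bddb8bbcd908b62f2bf48e5bc11160505df20fea91d9600d999eafa79",
    "2025-02-21T10:04:01Z proxy host=example.invalid method=GET url=https://example.invalid/healthz",
]


def match_line(line: str) -> dict:
    """Return the IoC hits in one log line, grouped by indicator type.

    Hashes are compared case-insensitively; URLs are split so that both the
    hostname and the exact path can match; bare host= / query= fields cover
    records that never carry a full URL.
    """
    hits = {"sha256": set(), "host": set(), "url_path": set()}
    for digest in SHA256_RE.findall(line.lower()):
        if digest in IOC_SHA256:
            hits["sha256"].add(digest)
    for url in URL_RE.findall(line):
        parsed = urlparse(url)
        if parsed.hostname in IOC_HOSTS:
            hits["host"].add(parsed.hostname)
        if parsed.path in IOC_URL_PATHS:
            hits["url_path"].add(parsed.path)
    for host in HOST_FIELD_RE.findall(line):
        if host in IOC_HOSTS:
            hits["host"].add(host)
    # Keep only the indicator types that actually fired, with stable ordering.
    return {kind: sorted(values) for kind, values in hits.items() if values}


def scan(lines) -> list:
    """Return (line_index, hits) for every line that matched at least one IoC."""
    results = []
    for index, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(CONSTRUCTED_LOGS):
        print(index, hits)
```

In practice the hostname hits on `app.safe.global` should be treated as enrichment for the `url_path` match rather than as an alert on their own, since every legitimate Safe{Wallet} user resolves that name.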