Lazarus Group Attack on ByBit — TTP Analysis
Incident Overview: On February 24, 2025, the North Korean APT group Lazarus compromised an offline Ethereum wallet from the ByBit cryptocurrency exchange, stealing $1.5 billion in digital assets. The attack involved multiple Tactics, Techniques, and Procedures (TTPs) mapped to the MITRE ATT&CK Framework.
MITRE ATT&CK Mapping:
1. Reconnaissance (TA0043)
- T1590 — Gather Victim Network Information: Lazarus may have conducted reconnaissance on ByBit’s internal infrastructure and transaction flow.
- T1592.003 — Gather Cryptocurrency Wallet Information: The attackers likely targeted key employees or infrastructure holding cryptocurrency wallet details.
2. Resource Development (TA0042)
- T1583 — Compromise Infrastructure: Lazarus has a history of setting up fake exchanges and malicious infrastructure to facilitate cryptocurrency theft.
3. Initial Access (TA0001)
- T1566 — Phishing: Social engineering tactics could have been used to gain credentials from ByBit employees.
- T1195 — Supply Chain Compromise: A supply chain vulnerability or compromised third-party vendor could have been the entry …