The fallout from the $1.5 billion Bybit cryptocurrency heist is becoming clearer, and it’s worse than initially feared. Safe{Wallet}, a platform offering secure multi-signature services for Web3 assets, has now confirmed that the attack was not only state-sponsored but also executed with surgical precision.
The culprit? A North Korea-linked hacking group known as TraderTraitor — also tracked as Jade Sleet, PUKCHONG, and UNC4899. This group has been tied to multiple previous crypto-focused breaches and is now being held responsible for one of the largest digital heists in history.
How the Attack Unfolded: From Docker to Developer
A Social Engineering Trap
According to Safe{Wallet}, the hackers tricked a developer into downloading a Trojanized Docker project disguised as a stock investment simulator. The infected file, named MC-Based-Stock-Invest-Simulator-main, was downloaded on February 4, 2025, from a site registered just two days earlier — a key indicator of a tailored attack.
This wasn’t random malware. It was specifically crafted to target the developer’s macOS system, compromise their credentials, and embed backdoors for remote access.
Targeting Developer1: A High-Privilege Victim
The victim, identified as Developer1, was one of the few with elevated privileges on the team — someone whose role granted broad AWS access. That made them a perfect target for gaining control over key systems.
After breaching the machine, the hackers used the stolen AWS session tokens to bypass multi-factor authentication (MFA): the tokens had been issued after the developer had already completed MFA, so reusing them required no second factor. This allowed them to act as if they were the developer, carrying out malicious activity during working hours to avoid raising alarms.
From AWS Access to $1.5 Billion Gone
Moving Quietly Inside the Cloud
Once inside the AWS environment, the attackers:
- Conducted cloud reconnaissance
- Identified digital assets and access points
- Hijacked active user sessions
- Coordinated malicious activity with the developer’s real schedule
To avoid being caught, they wiped traces of the malware, deleted bash history logs, and used obfuscation tactics like routing through ExpressVPN IPs. Their user agent string (distrib#kali.2024) even pointed to the use of Kali Linux, a toolset widely used by penetration testers and cyber attackers alike.
JavaScript Injection on Safe{Wallet}
The hackers weren’t done. They injected malicious JavaScript into the Safe{Wallet} website itself between February 19 and 21, potentially compromising even more users during that window.
They also used the Mythic framework, an open-source toolkit designed for red team operations — further demonstrating how professional and adaptable this group is.
Bybit’s Response and the Aftermath
Assets Tracked, Some Frozen
Bybit CEO Ben Zhou confirmed the staggering scale of the breach and provided a breakdown of the stolen assets:
- 77% of funds still traceable
- 20% have disappeared (“gone dark”)
- 3% have been frozen with help from industry partners
In total, 417,348 ETH (around 83% of the haul) has already been converted into bitcoin, then split across nearly 7,000 wallets, making recovery complex and slow.
Zhou credited 11 organizations, including Mantle, Paraswap, and blockchain investigator ZachXBT, for their rapid assistance in freezing stolen assets.
TraderTraitor: North Korea’s Crypto Crime Machine
A Familiar Tactic with New Wrinkles
The attack fits the pattern of TraderTraitor’s earlier campaigns. These hackers have a well-documented history of targeting developers in the crypto space, often using:
- Fake job offers
- Telegram chats with “tech collaborators”
- Booby-trapped projects and shared tools
Their tool of choice for persistence in this attack was PLOTTWIST, a custom backdoor malware that enables remote control of infected machines.
While the exact infection vector this time remains unclear, Safe{Wallet} noted that signs point to a social engineering playbook—starting with that fake Docker project and ending with an empty audit trail.
Web3 Heists Surge: $1.6B Lost in Just Two Months
2025 Is Already a Record Year
With this incident, crypto theft in 2025 has already hit $1.6 billion — just two months into the year. That’s eight times more than the total for the same period in 2024.
According to blockchain security firm Immunefi, the spike reflects:
- Increased sophistication of threat actors
- Inadequate safeguards in some Web3 protocols
- Poor transaction verification flows
The attack proves that multi-signature wallets, while more secure than basic wallets, are not invincible, especially when endpoint security is weak or when developers are manipulated.
Safe{Wallet} Calls for Industry-Wide Action
It’s Not Just a User Problem
Following the attack, Safe{Wallet} released a sobering statement:
“Verifying that the transaction you are signing will result in the intended outcome remains one of the biggest security challenges in Web3. And this is not just a user or education problem — it is an industry-wide issue.”
The platform is now working closely with Google Cloud’s Mandiant team to fully understand the breach, prevent future occurrences, and share its findings with the wider Web3 community.
How This Attack Highlights Critical Web3 Flaws
Security Weak Spots Exposed
This attack lays bare several ongoing issues in the crypto and DeFi space:
- Session hijacking still bypasses MFA in many cloud environments
- Developer endpoints remain vulnerable to social engineering
- Widespread trust in “helpful” open-source projects leads to easy malware entry
- Transaction previews and confirmations are still confusing to many users
- Even “secure” wallets are only as safe as the machines they run on
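The session-hijacking and user-agent details above (stolen session tokens reused without an MFA challenge, and a telltale `distrib#kali.2024` user agent) translate directly into a detection rule a cloud defender can run over API audit logs. The following script is an added example written for this article, not code from Safe{Wallet}, Bybit or Mandiant: it parses a few constructed, CloudTrail-shaped JSON records (the key IDs, IPs and ARNs are made up) and flags any temporary credential whose source IP or user agent drifts from the context in which that credential was first seen, or whose user agent contains a marker such as "kali".

```python
import json

# Constructed sample records, loosely shaped like CloudTrail events.
# Key IDs, account number, principal names and IPs are invented for this example.
SAMPLE_LOG = """
{"eventTime":"2025-02-04T09:02:11Z","eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"ASIAEXAMPLE0001","arn":"arn:aws:sts::111122223333:assumed-role/DevRole/developer1"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2025-02-04T09:05:40Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"ASIAEXAMPLE0001","arn":"arn:aws:sts::111122223333:assumed-role/DevRole/developer1"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2025-02-04T10:17:03Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"ASIAEXAMPLE0001","arn":"arn:aws:sts::111122223333:assumed-role/DevRole/developer1"},"sourceIPAddress":"198.51.100.77","userAgent":"distrib#kali.2024"}
{"eventTime":"2025-02-04T10:20:55Z","eventName":"GetObject","userIdentity":{"accessKeyId":"ASIAEXAMPLE0001","arn":"arn:aws:sts::111122223333:assumed-role/DevRole/developer1"},"sourceIPAddress":"198.51.100.77","userAgent":"distrib#kali.2024"}
{"eventTime":"2025-02-04T11:00:00Z","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"ASIAEXAMPLE0002","arn":"arn:aws:sts::111122223333:assumed-role/OpsRole/operator"},"sourceIPAddress":"203.0.113.22","userAgent":"aws-cli/2.15.0"}
"""

# Substrings in a user agent that should never appear in normal developer tooling.
SUSPICIOUS_UA_MARKERS = ("kali",)


def parse_events(text):
    """Parse newline-delimited JSON audit records into flat dicts."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "time": rec["eventTime"],
            "name": rec["eventName"],
            "key": rec["userIdentity"]["accessKeyId"],
            "principal": rec["userIdentity"].get("arn", "?"),
            "ip": rec["sourceIPAddress"],
            "ua": rec["userAgent"],
        })
    return events


def find_session_anomalies(events, ua_markers=SUSPICIOUS_UA_MARKERS):
    """Flag temporary credentials whose usage drifts from their first-seen context.

    The first event for each access key ID establishes a baseline (source IP and
    user agent). Later events with the same key from a different IP or user agent,
    or with a suspicious user agent marker, produce a finding. Returns a list of
    findings in time order.
    """
    baseline = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        key = ev["key"]
        reasons = []
        if key not in baseline:
            baseline[key] = {"ip": ev["ip"], "ua": ev["ua"]}
        else:
            base = baseline[key]
            if ev["ip"] != base["ip"]:
                reasons.append(f"source IP changed {base['ip']} -> {ev['ip']}")
            if ev["ua"] != base["ua"]:
                reasons.append(f"user agent changed {base['ua']!r} -> {ev['ua']!r}")
        ua_lower = ev["ua"].lower()
        for marker in ua_markers:
            if marker in ua_lower:
                reasons.append(f"user agent contains {marker!r}")
        if reasons:
            findings.append({
                "time": ev["time"],
                "key": key,
                "principal": ev["principal"],
                "event": ev["name"],
                "ip": ev["ip"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{finding['time']} {finding['key']} {finding['event']} from {finding['ip']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run against the constructed log, the rule flags the two calls made with `ASIAEXAMPLE0001` after it moved to a new IP and a `kali` user agent, and leaves the unrelated `ASIAEXAMPLE0002` session alone. In production the baseline should come from the identity provider's sign-in event (where MFA was actually satisfied) rather than from the first API call seen, and known corporate egress ranges should be allowed, otherwise ordinary VPN reconnects produce noise; the point is that a token reused from a context other than the one MFA was completed in is the signal, since MFA itself is never re-challenged.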
FAQs
Who carried out the Bybit $1.5 billion heist?
A North Korean hacking group known as TraderTraitor, also referred to as Jade Sleet or UNC4899.
How did the hackers gain access?
They tricked a developer into downloading a malicious Docker project, compromised their macOS system, and hijacked active AWS sessions to move within the cloud.
Was multi-factor authentication bypassed?
Yes. By using stolen AWS session tokens, the hackers avoided MFA and acted as if they were the authorized user.
What tools were used in the attack?
Key tools included the PLOTTWIST malware, the Mythic framework, ExpressVPN, and JavaScript injection. The attackers also wiped logs to hinder investigation.
How much of the stolen crypto has been recovered?
Roughly 3% of the funds have been frozen, while 77% remains traceable. About 20% is currently unaccounted for.
What does this mean for crypto security in 2025?
This attack signals a new level of sophistication and volume in crypto crime. It shows that the industry must improve endpoint security, session protection, and transaction validation.