Cryptocurrency exchange Bybit was recently hacked, with approximately $1.4 billion worth of Ethereum stolen. The stolen Ethereum was held in Bybit's cold wallet, which used the multi-signature wallet platform SafeWallet. After the theft, many researchers in the cryptocurrency field were unable to work out how the hacker pulled off the attack. After all, it seemed unlikely that the hacker also controlled Bybit's wallet managers and got them to sign.

However, the latest investigation results show that the attack had nothing to do with Bybit itself. The security problem occurred on the SafeWallet side. In fact, the North Korean hacker group Lazarus Group had already gained access and was simply waiting for the opportunity to attack only high-value targets.

Researchers claim that this attack specifically targeted Bybit as a high-value target. The hackers injected malicious JavaScript into app.safe.global, the site Bybit's signers use. The malicious script only activated when certain conditions were met; this selective execution ensured that the backdoor would not be noticed by ordinary users.

Based on the findings on the Bybit signer's machine and by tracing back through the Internet Archive's Wayback Machine, the researchers found cached copies of the malicious JavaScript and reached a strong conclusion: Safe.Global's account or API credentials for Amazon AWS S3 or AWS CloudFront may have been leaked or stolen.

With those credentials, hackers could modify S3 or CloudFront (the CDN service provided by AWS) to add malicious scripts. Researchers also recovered, from SafeWallet's AWS S3 bucket, the malicious code targeting Bybit's Ethereum multi-signature cold wallet.
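The defensive counterpart to the tampering described above is continuous integrity checking of what the CDN actually serves against what the build pipeline published. The following is an added example written for this article; it is not code from Safe, Bybit or the researchers. It assumes a release manifest of SHA-256 hashes exists for every published asset (a constructed assumption) and compares it with a constructed snapshot of served files, flagging modified, missing and unexpected assets. It also shows how to derive a Subresource Integrity (SRI) value so that a browser refuses a script whose bytes no longer match the build.

```python
import base64
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash used in the release manifest (one entry per published asset)."""
    return hashlib.sha256(data).hexdigest()


def sri_hash(data: bytes) -> str:
    """Subresource Integrity value for a <script integrity="..."> attribute.

    Browsers compute the same sha384 over the fetched bytes and refuse to run
    the script if it differs, which defeats silent edits to a CDN-hosted file.
    """
    digest = hashlib.sha384(data).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


@dataclass
class DriftReport:
    modified: list = field(default_factory=list)   # hash differs from manifest
    missing: list = field(default_factory=list)    # in manifest, not served
    unexpected: list = field(default_factory=list) # served, never published

    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def verify_assets(manifest: dict, served: dict) -> DriftReport:
    """Compare a {path: sha256} manifest with a {path: bytes} snapshot of the CDN."""
    report = DriftReport()
    for path, expected in sorted(manifest.items()):
        if path not in served:
            report.missing.append(path)
        elif sha256_hex(served[path]) != expected:
            report.modified.append(path)
    for path in sorted(served):
        if path not in manifest:
            report.unexpected.append(path)
    return report


# Constructed sample: the assets the build pipeline actually produced.
BUILD_ASSETS = {
    "/static/app.js": b"export function init(){console.log('app ready');}\n",
    "/static/vendor.js": b"export const VERSION='1.0.0';\n",
}
MANIFEST = {path: sha256_hex(data) for path, data in BUILD_ASSETS.items()}

# Constructed snapshot of what the CDN serves: app.js has extra bytes appended
# and a file appears that the build never published.
SERVED_SNAPSHOT = dict(BUILD_ASSETS)
SERVED_SNAPSHOT["/static/app.js"] += b"/* constructed: bytes not produced by the build */\n"
SERVED_SNAPSHOT["/static/extra.js"] = b"// constructed: file the build never published\n"


def build_report() -> DriftReport:
    """Run the check over the constructed snapshot (what a scheduled job would do)."""
    return verify_assets(MANIFEST, SERVED_SNAPSHOT)


if __name__ == "__main__":
    report = build_report()
    print("clean" if report.clean() else "DRIFT DETECTED")
    print("modified:", report.modified)
    print("missing:", report.missing)
    print("unexpected:", report.unexpected)
    for path, data in BUILD_ASSETS.items():
        print(f'<script src="{path}" integrity="{sri_hash(data)}" crossorigin="anonymous">')
```

In practice the snapshot would be fetched from the CDN edge (not from the origin bucket, since an attacker with bucket credentials controls both), and the manifest would be signed at build time and stored outside the AWS account whose credentials could leak. The SRI attributes only protect scripts referenced from an HTML page whose own integrity is trusted, so they complement, rather than replace, the drift check.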

SafeWallet issued a statement that a forensic investigation into the Lazarus Group attack on Bybit concluded the attack was carried out through a compromised SafeWallet developer machine (in other words, after the developer's machine was infected with malware, the hacker used that developer's privileged account to add the malicious JavaScript).

The wallet platform has since completely rebuilt and reconfigured all of its infrastructure and rotated all credentials, including API keys, to ensure that the attack vector has been removed and cannot be reused in future attacks.

In addition, researchers found no vulnerabilities in SafeWallet's smart contracts or in the source code of its front-end and services. They could only say that the hackers' plan, which targeted SafeWallet developers well in advance, was indeed seamless.