SafeWallet Bybit Hack Post-Mortem Report
SafeWallet has published a post-mortem report analyzing the $1.4 billion Bybit hack, calling for enhanced security measures in UI/UX to protect against future attacks.
How the Attack Unfolded
SafeWallet and cybersecurity company Mandiant outline how the attackers compromised Bybit’s systems by taking over a Safe developer’s Amazon Web Services (AWS) session tokens, which allowed them to compromise the company’s multifactor authentication (MFA) security controls.
SafeWallet’s AWS policies required reauthentication every 12 hours. The attackers attempted to register an MFA device multiple times but failed. They then breached a developer’s macOS system, likely through malware, enabling them to use AWS session tokens as long as the developer’s sessions remained active.
Once inside AWS, the hackers methodically mounted their attack, leveraging cloud-based security weaknesses to gain unauthorized access.
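The sequence described above (failed MFA device registrations, then a developer's session token used while the session is still valid) can be hunted for in CloudTrail logs. The sketch below is an added example, not code from SafeWallet or Mandiant: the records, ARN, key IDs and function names are constructed, and it assumes the stolen token appears from a different source IP or user agent than the developer's own.

```python
from collections import defaultdict

MFA_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}  # IAM MFA registration calls
ARN = "arn:aws:sts::111122223333:assumed-role/dev-role/dev-session"  # constructed

def ev(time, name, key, ip, agent, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userAgent": agent, "userIdentity": {"arn": ARN, "accessKeyId": key}}
    if error:
        rec["errorCode"] = error
    return rec

DEV, OTHER = "ASIAEXAMPLEDEV00001", "ASIAEXAMPLEOTH00002"  # constructed key IDs
EVENTS = [  # constructed events, not taken from the incident
    ev("2030-01-01T09:00:00Z", "GetCallerIdentity", DEV, "198.51.100.10", "aws-cli/2 Darwin"),
    ev("2030-01-01T09:05:00Z", "EnableMFADevice", OTHER, "203.0.113.77", "Boto3 Linux", "AccessDenied"),
    ev("2030-01-01T09:06:00Z", "EnableMFADevice", OTHER, "203.0.113.77", "Boto3 Linux", "AccessDenied"),
    ev("2030-01-01T10:00:00Z", "ListBuckets", DEV, "203.0.113.77", "Boto3 Linux"),
    ev("2030-01-01T10:05:00Z", "GetObject", DEV, "203.0.113.77", "Boto3 Linux"),
]

def detect(events, mfa_fail_threshold=2):
    """Return (finding, subject) tuples in event-time order."""
    findings, mfa_fails = [], defaultdict(int)
    first_origin, flagged = {}, set()
    for e in sorted(events, key=lambda r: r["eventTime"]):
        ident = e["userIdentity"]
        arn, key = ident["arn"], ident.get("accessKeyId", "")
        # Signal 1: repeated failed attempts to register an MFA device.
        if e["eventName"] in MFA_EVENTS and e.get("errorCode"):
            mfa_fails[arn] += 1
            if mfa_fails[arn] == mfa_fail_threshold:
                findings.append(("repeated_mfa_registration_failure", arn))
        # Signal 2: one temporary credential (ASIA prefix) seen from a second
        # source IP / user agent during its lifetime. Reported once per key.
        if key.startswith("ASIA"):
            origin = (e["sourceIPAddress"], e["userAgent"])
            baseline = first_origin.setdefault(key, origin)
            if origin != baseline and key not in flagged:
                flagged.add(key)
                findings.append(("session_token_reused_from_new_origin", key))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

A token replayed from the developer's own machine or network would not trip the second signal, so it complements rather than replaces endpoint detection and shorter session lifetimes.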
North Korean Hackers Behind the Attack
Mandiant’s forensic analysis confirmed that the attackers were state-sponsored North Korean hackers. They spent 19 days planning the attack before executing the breach.
Despite the scale of the exploit, SafeWallet said that its smart contracts remained intact. The company has since incorporated additional security protocols to prevent a recurrence.
FBI Issues Warning as Hackers Launder Stolen Funds
The US Federal Bureau of Investigation (FBI) issued a public advisory asking node operators to halt transactions from wallet addresses linked to the North Korean hackers. The agency cautioned that the stolen coins would be laundered and exchanged for fiat.
Bybit hackers successfully laundered 100% of the stolen crypto (nearly 500,000 Ether-based tokens) within 10 days. Bybit CEO Ben Zhou noted that 77% of the funds, worth about $1.07 billion, are yet to be tracked on-chain, and some $280 million have disappeared into untouchable transactions.
Security experts such as Cyvers CEO Deddy Lavid believe it is still possible to track and freeze some of the stolen funds despite the fast pace of the laundering process.
As the crypto sector faces growing cyber attacks, SafeWallet’s report brings into focus the need to tighten security measures, especially within cloud-based systems.