#SafeWallet

2025-05-06

"Bit ByBit - emulation of the DPRK's largest cryptocurrency heist" published by Elastic. #Bybit, #SafeWallet, #TraderTraitor, #DPRK, #CTI elastic.co/security-labs/bit-b

2025-03-18

"Bybit – What Do We Know So Far" published by Sygnia. #Bybit, #SafeWallet, #DPRK, #CTI sygnia.co/blog/sygnia-investig

2025-03-14

"How North Korean hackers executed history’s biggest $1.5 billion crypto heist" published by BBC. #Bybit, #SafeWallet, #Youtube, #News, #DPRK, #CTI youtube.com/watch?v=gpLYnKC3mGk

2025-03-12

"Lazarus Group Bybit Heist: C2 forensics" published by Validin. #Bybit, #SafeWallet, #Lazarus, #DPRK, #CTI validin.com/blog/bybit_hack_in

2025-03-11

"In-Depth Technical Analysis of the Bybit Hack" published by NCCGroup. #Bybit, #SafeWallet, #DPRK, #CTI nccgroup.com/us/research-blog/

Cyb3r1c 🇧🇪 ☠️Belganon
2025-03-07
⚯ Michel de Cryptadamus ⚯ @cryptadamist@universeodon.com
2025-03-07

#SafeWallet published the results of an investigation into #NorthKorea's theft of $1.4 billion worth of Ethereum from #Bybit.

x.com/safe/status/189766351497

#infosec #mandiant #cybersecurity #crypto #DPRK #TraderTraitor #LazarusGroup

2025-03-07

"Investigation Updates and Community Call to Action" published by Safe.eth. #Bybit, #SafeWallet, #UNC4899, #DPRK, #CTI archive.is/OxemM

⚯ Michel de Cryptadamus ⚯ @cryptadamist@universeodon.com
2025-03-04

#NorthKorea has finished laundering all of the $1.4 billion worth of crypto it stole from #Bybit into other tokens almost entirely through #ThorChain who made $5.5 million in fees on the laundering effort 👏🏼👏👏🏾.

x.com/benbybit/status/18967984

#LazarusGroup #moneylaundering #crime #Infosec #cybersecurity #DPRK #SafeWallet

screenshot of linked tweet
⚯ Michel de Cryptadamus ⚯ @cryptadamist@universeodon.com
2025-03-03

this interview w/ one of the only #cybersecurity people in the crypto industry who has any idea what he's talking about, which goes through all the incredible failures at every level of both #Bybit & #SafeWallet (whose main product is #GnosisSafe, AKA "the most important smart contract in the industry"), from the most basic opsec to permissioning to whatever, is a fun time if you're interested in that kind of thing.

tl;dr the whole crypto industry is an absolute clown car. a clown car that stores $1.4 billion in a single account that the entire C-suite can access.

youtube.com/watch?v=W82FxAK9Ac

#infosec #LazarusGroup #NorthKorea #DPRK #crypto

2025-02-28

"On hindsight and risk assessment" published by Privy. #Bybit, #SafeWallet, #DPRK, #CTI privy.io/blog/bybit-lookback

2025-02-27

"Bybit’s $1.5 Billion Theft Unveiled: Safe{Wallet} Front-End Code Tampered" published by Slowmist. #Bybit, #SafeWallet, #DPRK, #CTI slowmist.medium.com/bybits-1-5

2025-02-27

"Dissecting the Bybit Cryptocurrency Exchange Malicious UI Spoofing Javascript" published by DanchoDanchev. #Bybit, #SafeWallet, #DPRK, #CTI ddanchev.blogspot.com/2025/02/

2025-02-26

"BYBIT Interim Investigation Report" published by Sygnia. #Bybit, #SafeWallet, #DPRK, #CTI docsend.com/view/s/rmdi832mpt8

2025-02-26

"Bybit Incident Investigation Preliminary Report" published by Verichains. #Bybit, #SafeWallet, #DPRK, #CTI docsend.com/view/s/rmdi832mpt8

2025-02-26

"Safe{Wallet} Statement on Targeted Attack on Bybit" published by Safe.eth. #Bybit, #SafeWallet, #DPRK, #CTI archive.is/I3UEz

⚯ Michel de Cryptadamus ⚯ @cryptadamist@universeodon.com
2025-02-26

#Bybit released the conclusions of their investigation into how they got rekt for $1.4 billion by North Korea's #LazarusGroup. Summary:

1. (background) Bybit were dumb enough to store billions of dollars in a single wallet contract using software from a company called SafeWallet (a "Gnosis Safe")

2. A dev machine of SafeWallet (name is lol) was compromised by Lazarus and used to access SafeWallet's cloud data stores (S3)

3. Malicious JavaScript was pushed to the cloud drive and eventually distributed in a release (?).

4. The malicious JavaScript code specifically targeted the Bybit contract address to change the content of the transaction during the signing / approval process.

* Bybit reports: docsend.com/view/s/rmdi832mpt8
* Full Statement from SafeWallet: x.com/safe/status/189476852272

in a normal world Bybit could probably sue SafeWallet, but I'm sure SafeWallet barely exists as an entity.

#infosec #cybersecurity #safewallet #gnosissafe #ethereum #DPRK #NorthKorea #crime #hackers #blackhat

1.1 KEY FINDINGS
Thus far, the forensics investigation highlighted the following findings:
• Forensic investigation of all hosts used to initiate and sign the transaction revealed malicious JavaScript code injected into a resource served from Safe{Wallet}'s AWS S3 bucket.
• Resource modification time and publicly available web history archives suggest the injection of the malicious code was performed directly into Safe{Wallet}'s AWS S3 bucket.
• Initial analysis of the injected JavaScript code suggests its primary objective is to manipulate transactions, effectively changing the content of the transaction during the signing process.
• Additionally, the analysis of the injected JavaScript code identified an activation condition designed to execute only when the transaction source matches one of two contract addresses: Bybit's contract address and a currently unidentified contract address, likely associated with a test contract controlled by the threat actor.
• Two minutes after the malicious transaction was executed and published, new versions of the JavaScript resources were uploaded to Safe{Wallet}'s AWS S3 bucket. These updated versions had the malicious code removed.
• The highlighted initial findings suggest the attack originated from Safe{Wallet}'s AWS infrastructure.
• Thus far, the forensics investigation did not identify any compromise of Bybit's infrastructure.

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst