More details emerge about the colossal Bybit hack: it all began with a single laptop


As new details keep emerging about the largest heist in history, the latest findings point to a compromised laptop, which allowed the North Korean state-sponsored hacking group Lazarus to steal almost $1.5 billion worth of ethereum (ETH) tokens from the Bybit crypto exchange.

A joint investigation by Safe – a popular ETH multisignature solution – and cybersecurity firm Mandiant showed that the Bybit attack involved the compromise of a Safe developer’s laptop and the hijacking of AWS session tokens to bypass multi-factor authentication controls.

"This developer was one of the very few personnel that had higher access in order to perform their duties," the report said, noting that the analysis is still ongoing. Moreover, because Lazarus removed its malware and cleared the Bash history, investigators face additional challenges in filling all the gaps, fully understanding the attack, and preventing similar incidents.


Mandiant found that the developer's macOS workstation was compromised on February 4th, 2025, when a Docker project communicated with the getstockprice.com website. According to analysts, the Docker project was no longer present on the system at the time of analysis, but its files resided in the ~/Downloads/ directory, indicating possible social engineering.

The cybersecurity analysts also noted that similar stock-themed Docker projects have been utilized by the same hackers in previous heist investigations. For example, in September 2024, they allegedly socially engineered a crypto exchange developer via Telegram into helping troubleshoot a Docker project. This helped them drop a second-stage macOS malware known as PLOTTWIST, which enabled persistent access to the compromised developer workstation.


The Bybit investigation has also shown that the attackers used the Safe developer's AWS account via ExpressVPN IP addresses.

"The attacker hijacked active AWS user session tokens, likely via malware deployed on Developer1's workstation, and aligned their hours to Developer1's schedule in order to conduct their operations while the AWS sessions were active," the investigation found.
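One detection check a defender can run for the pattern described above, a temporary AWS session credential being reused from an address the developer does not normally use. This is an added example, not code from the Safe or Mandiant investigation; the CloudTrail-style records, key IDs and allow-list are constructed, and the field names assume CloudTrail's `accessKeyId`/`sourceIPAddress` layout.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (not from the investigation). An "ASIA"
# prefix marks temporary STS session credentials; "AKIA" marks a long-term key.
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-05T09:02:11Z", "accessKeyId": "ASIAEXAMPLE0001",
     "sourceIPAddress": "203.0.113.10", "eventName": "ListBuckets"},
    {"eventTime": "2025-02-05T09:40:53Z", "accessKeyId": "ASIAEXAMPLE0001",
     "sourceIPAddress": "203.0.113.10", "eventName": "GetObject"},
    # Same session token, minutes later, from an address the developer never used.
    # Timing alone would not flag this: the attacker kept to the developer's hours.
    {"eventTime": "2025-02-05T09:47:20Z", "accessKeyId": "ASIAEXAMPLE0001",
     "sourceIPAddress": "198.51.100.77", "eventName": "GetObject"},
    {"eventTime": "2025-02-05T10:05:00Z", "accessKeyId": "ASIAEXAMPLE0002",
     "sourceIPAddress": "203.0.113.10", "eventName": "PutObject"},
    {"eventTime": "2025-02-05T10:06:00Z", "accessKeyId": "AKIAEXAMPLE0003",
     "sourceIPAddress": "198.51.100.77", "eventName": "DescribeInstances"},
]

# Addresses the developer is expected to work from (constructed allow-list).
KNOWN_IPS = {"203.0.113.10"}


def find_suspicious_sessions(events, known_ips):
    """Group events by temporary access key and flag any session that was used
    from more than one source address or from an address outside the allow-list.
    Returns {accessKeyId: {"ips": [...], "reasons": [...]}} for flagged sessions."""
    ips_by_key = defaultdict(set)
    for ev in events:
        if ev["accessKeyId"].startswith("ASIA"):  # only STS session credentials
            ips_by_key[ev["accessKeyId"]].add(ev["sourceIPAddress"])
    findings = {}
    for key, ips in ips_by_key.items():
        reasons = []
        if len(ips) > 1:
            reasons.append("multiple_source_ips")
        if ips - known_ips:
            reasons.append("unknown_source_ip")
        if reasons:
            findings[key] = {"ips": sorted(ips), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for key, info in find_suspicious_sessions(SAMPLE_EVENTS, KNOWN_IPS).items():
        print(key, info["ips"], ", ".join(info["reasons"]))
```

Long-term keys are skipped here only to keep the check focused on session hijacking; the same grouping applies to them unchanged.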

Safe has also admitted that Lazarus was able to bypass its security program despite it having many layers, such as limiting privileged access to the infrastructure, requiring multiple peer reviews before introducing changes to production, having monitoring systems in place to detect external threats, and using third-party services for security audits and malicious transaction detection.

Safe stressed that the evolving sophistication of threat actors is "an industry-wide issue that demands collective action."

"While self-custody comes with individual responsibility, in order to drive broad adoption, platforms must play a critical role by providing better tooling to detect and prevent malicious interference. We need significant UX improvements that simplify secure transaction management," Safe concluded, also offering a guide on how to verify transactions before signing them.
