September 15, 2025

A recent $1.4 billion cryptocurrency theft—the largest ever recorded—has sent shockwaves through the cybersecurity and financial sectors. The breach, which targeted Bybit’s Ethereum cold wallet system, was carried out by the notorious North Korean hacking group known as Lazarus. It involved a highly coordinated attack combining social engineering, stolen cloud credentials, and manipulated code.

How It Happened

Cybersecurity investigators from Mandiant, working with the Safe{Wallet} team, discovered that the attackers used a multi-step strategy to infiltrate the system:

  • Initial Access Through Social Engineering
    The attackers impersonated a trusted open-source contributor to deceive a developer at Safe{Wallet}, who held administrative privileges.
  • Malicious Software Deployment
    The developer unknowingly installed a compromised Python project via Docker. This gave attackers elevated access to the workstation.
  • Cloud Credentials Stolen
    From there, the attackers extracted Amazon Web Services (AWS) session tokens and bypassed multi-factor authentication (MFA), maintaining access for nearly three weeks.
  • Manipulated JavaScript for Final Attack
    With access in place, the attackers replaced a harmless JavaScript file with a malicious version. When a large transaction was initiated, the script rerouted funds to wallets controlled by the hackers.
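
The last step in that chain, a swapped JavaScript bundle, is the one a deployment pipeline can catch mechanically. As an added example (not code from the article, from Safe{Wallet} or from Mandiant), the snippet below records a Subresource Integrity hash for each front-end asset at build time and re-verifies what is actually deployed; the file name and contents are constructed for the demo.

```python
import base64
import hashlib
import tempfile
from pathlib import Path

# Constructed sample bundle as recorded at build time, and a tampered copy
# that simulates a file swapped on the hosting side after deployment.
EXPECTED_JS = b"export function submitTx(tx) { return sign(tx); }\n"
TAMPERED_JS = EXPECTED_JS.replace(b"sign(tx)", b"sign(redirect(tx))")


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ('sha384-<base64 digest>') for data."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def build_manifest(files: dict) -> dict:
    """Record the expected integrity value of every asset the build produced."""
    return {name: sri_hash(content) for name, content in files.items()}


def verify_deployed(manifest: dict, root: Path) -> list:
    """Compare the assets actually present under root with the build manifest.
    Returns (name, reason) for each missing or altered file; empty means clean."""
    findings = []
    for name, expected in manifest.items():
        path = root / name
        if not path.is_file():
            findings.append((name, "missing"))
            continue
        algo = expected.split("-", 1)[0]          # reuse the algorithm the manifest used
        actual = sri_hash(path.read_bytes(), algo)
        if actual != expected:
            findings.append((name, f"integrity mismatch: expected {expected}, got {actual}"))
    return findings


def demo() -> list:
    """Deploy the good bundle, confirm it verifies, then swap it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = build_manifest({"app.js": EXPECTED_JS})
        (root / "app.js").write_bytes(EXPECTED_JS)
        assert verify_deployed(manifest, root) == []   # untouched deployment passes
        (root / "app.js").write_bytes(TAMPERED_JS)     # simulated post-deploy swap
        return verify_deployed(manifest, root)
```

The same `sri_hash` value can be placed in the `integrity` attribute of the `<script>` tag so that browsers refuse a bundle that no longer matches, independent of the server-side check.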

Mandiant and Safe{Wallet} believe this attack was state-sponsored, and aimed at high-value targets in the blockchain ecosystem.

Cleanup and Response

Following the breach, Safe{Wallet} implemented a full infrastructure reset to secure its systems. This included:

  • Rotating all credentials and keys
  • Resetting cloud clusters and developer machines
  • Rebuilding container images
  • Restricting access to key transaction services
  • Updating firewall rules for external services

FBI Involvement and Tracing the Funds

The FBI has linked the breach to TraderTraitor, a North Korean advanced persistent threat (APT) group it has tracked since 2022. According to the agency, some of the stolen digital assets have already been converted to Bitcoin and dispersed across thousands of blockchain addresses, likely in preparation for laundering and eventual conversion to fiat currency.

Bybit’s Bounty Program

In response, Bybit has launched a bug bounty and recovery program, offering a 5% reward to anyone who helps freeze the stolen funds, and an additional 5% to those who assist in tracing them.

What This Means for Businesses

This incident is a stark reminder that even well-defended systems can fall to targeted, well-executed attacks—especially those involving insider access, supply chain risks, or cloud environments.

Organisations must remain vigilant, ensure multi-layered defences, and invest in proactive security monitoring and response.
