How North Korea used a bogus stock trading simulator to steal $1.4 billion from Bybit

The Lazarus Group has started using stock or crypto trading apps to hide malware. Illustration: Gwen P; Source: Shutterstock
  • A forensic analysis has identified the prime mover in the Bybit exchange hack.
  • The Lazarus Group has started hiding malware in stock trading software.
  • The hack relied on a long-known issue in how Python software loads a particular file type.

When the news came through that crypto exchange Bybit had been hacked for $1.4 billion, nobody knew at the time how it could have happened.

The fifth-biggest exchange, which held some $15 billion worth of assets for customers, isn’t known to skimp on security.

Things took a turn when the following week multiple investigations found the hack wasn’t in Bybit’s systems, but rather due to a compromise at Safe Wallet, a popular crypto wallet provider the exchange relied on.

Now, a forensic analysis of Safe Wallet’s own systems has identified the prime mover in the sequence of events that led to the $1.4 billion hack: a bogus stock trading simulator.

Lazarus Group, the North Korean state-sponsored hackers, appears to have convinced a Safe Wallet developer to download the stock trading simulator, which contained hidden code that let them gain access to some of Safe’s systems, according to a report from cybersecurity firm Mandiant. The report was commissioned by Safe Wallet.

What followed was a weeks-long infiltration by North Korean hackers that culminated in the $1.4 billion Bybit theft.

Here’s how it happened.

Stock trading simulator?

Stock trading simulators can be found online. They allow users to practice financial trading without putting any real money on the line.

A spokesperson for Safe Wallet told DL News the firm is still investigating how the malicious file got onto the developer’s computer.

It’s possible Lazarus used social engineering techniques, Mandiant said.

Social engineering involves the psychological manipulation of a target into divulging confidential information or performing actions, such as downloading malicious files or software. The tactic is very common in hacks perpetrated by the hermit kingdom.

In a previous attack in 2023, Lazarus used phony job offers as a pretext for getting malicious files onto victims’ computers. Hackers approached workers at a target firm and asked them to download and complete test assignments that were riddled with malware.

More recently, Lazarus has started using stock or crypto trading apps instead.

A February 23 report from crypto security firm SlowMist identified “ongoing and escalating” Lazarus Group attacks against crypto exchanges which relied on social engineering to trick employees into downloading malicious files labelled as stock trading simulators.

Mandiant’s Safe Wallet investigation report also mentions a separate case in September where Lazarus socially engineered a crypto developer into downloading and troubleshooting a stock-themed project file which contained malware.

Using the guise of stock trading apps is an obvious choice because it doesn’t seem out of the ordinary to targets in the crypto industry, Mikko Ohtamaa, a security researcher and CEO of DeFi trading protocol Trading Strategy, told DL News.

Python issue

The fact that such stock trading apps are almost always written in the Python coding language is essential to the attack, Ohtamaa said.

Just creating malware and disguising it wouldn’t work — even a novice developer could pick up on the ruse.

Instead, hackers must find creative ways to infiltrate their targets’ systems.

In this case, Lazarus utilised a long-known issue in the way Python programs load a file format called YAML, which let the hackers disguise the malicious elements of the file.

By using this method, Lazarus was able to remain within Safe Wallet’s systems undetected, giving the hackers weeks to engineer an attack.
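The YAML issue the article refers to is the well-documented behaviour of Python's PyYAML library: its unrestricted loader honours `!!python/...` tags in a data file and will construct Python objects, and even call functions, while "just parsing configuration". The following is an added example, not code from Mandiant, Safe Wallet or any of the researchers quoted here. It shows the defensive pattern a developer handed a "trading project" could apply before opening any YAML it ships with: scan the file for Python-specific tags, refuse and report if any are present, and otherwise parse only with `yaml.safe_load`, which cannot build arbitrary objects. The two YAML documents are constructed samples (the tagged one points at a harmless `os.getcwd` so it can be used as a test fixture); PyYAML is assumed to be installed for the parsing step, while the audit itself needs only the standard library.

```python
"""Pre-load audit for YAML files against PyYAML's arbitrary-object construction.

Added example with constructed samples; not derived from the Safe Wallet incident files.
"""
import re
from typing import Any

try:
    import yaml  # PyYAML; optional so the audit still runs without it
    HAVE_PYYAML = True
except ImportError:
    yaml = None
    HAVE_PYYAML = False

# Tags that PyYAML's unrestricted loader (yaml.Loader / UnsafeLoader) resolves
# into Python objects or function calls. Both the "!!python/" shorthand and its
# expanded "tag:yaml.org,2002:python/" form are matched.
DANGEROUS_TAG = re.compile(r"!!python/[\w/:.]*|tag:yaml\.org,2002:python/[\w/:.]*")


def find_dangerous_tags(text: str) -> list[tuple[int, str]]:
    """Return (line_number, tag) for every Python-specific YAML tag in `text`.

    Deliberately conservative: a quoted string containing "!!python/" is also
    reported, because a reviewer would rather inspect a false positive than
    parse a trojaned file.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in DANGEROUS_TAG.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


class UnsafeYamlError(ValueError):
    """Raised when a YAML document carries tags that could execute code on load."""


def safe_load_yaml(text: str) -> Any:
    """Refuse documents with Python tags, then parse with the SafeLoader only."""
    hits = find_dangerous_tags(text)
    if hits:
        lines = sorted({lineno for lineno, _ in hits})
        raise UnsafeYamlError(f"refusing to load: Python tags on lines {lines}")
    if not HAVE_PYYAML:
        raise RuntimeError("PyYAML is not installed; cannot parse")
    # yaml.safe_load == yaml.load(text, Loader=yaml.SafeLoader): plain data only.
    return yaml.safe_load(text)


# Constructed sample: what a genuine trading-simulator config might look like.
BENIGN = """\
strategy: mean-reversion
symbols: [AAPL, MSFT]
risk:
  max_position: 0.05
"""

# Constructed sample: the same file with a Python tag smuggled in. The target
# (os.getcwd) is harmless; the point is that the tag form itself is the red flag.
MALICIOUS = """\
strategy: mean-reversion
symbols: [AAPL, MSFT]
hook: !!python/object/apply:os.getcwd []
"""


if __name__ == "__main__":
    print("benign :", find_dangerous_tags(BENIGN))
    print("tagged :", find_dangerous_tags(MALICIOUS))
    try:
        safe_load_yaml(MALICIOUS)
    except UnsafeYamlError as err:
        print("blocked:", err)
```

The scanner is an audit and logging layer, not the fix on its own: the fix is never calling `yaml.load` with an unrestricted `Loader` on a file you did not write, and pinning a PyYAML version (6.0 and later require the `Loader` argument explicitly) so the choice is visible in code review. `yaml.safe_load` would itself reject the tagged sample with a constructor error; running the audit first turns that silent rejection into an alert a security team can act on.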

Working nights

Lazarus needed to breach Safe Wallet’s Amazon Web Services account, which hosts the Safe Wallet website. Their plan: hack the website and swap Bybit’s transaction with a malicious one, seizing its wallet.

With AWS keys expiring every 12 hours, the hackers synchronised their hours with a Safe Wallet developer, which means working long nights in North Korea — if they are in North Korea — to exploit an active key.

Seventeen days later, Lazarus stole $1.4 billion. Minutes after the heist, the hackers erased malware traces, likely planning to reuse the method.

That might now be difficult given how widely publicised the Safe Wallet hack was.

Ohtamaa said Lazarus will likely change its tactics now that the stock trading ruse has become well known.

But while the delivery may change, the underlying attack method may stay the same.

“No one is prepared for the attack vector,” Taylor Monahan, the lead security researcher at the crypto wallet MetaMask, previously told DL News. “This will happen again and again and again.”

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
