Safe{Wallet} has confirmed that the $1.5 billion Bybit crypto heist was the result of a “highly sophisticated, state-sponsored attack” orchestrated by North Korean hacking group TraderTraitor, also known as Jade Sleet, PUKCHONG, and UNC4899. The attackers strategically erased traces of their activity to obstruct forensic investigations, prompting Safe{Wallet} to enlist Google Cloud Mandiant for a detailed security analysis.
The breach originated from the compromise of a Safe{Wallet} developer’s macOS laptop on February 4, 2025, when the individual downloaded a malicious Docker project via a social engineering attack. The project, linked to a domain registered just days earlier, delivered malware that hijacked AWS session tokens, bypassed multi-factor authentication (MFA), and enabled persistent remote access. The attackers later deleted their malware and cleared Bash history to cover their tracks.
Further analysis revealed that the threat actors used ExpressVPN and Kali Linux-based tools to infiltrate the company’s AWS environment, aligning their activity with the developer’s schedule to evade detection. Additionally, they deployed the open-source Mythic framework and injected malicious JavaScript into the Safe{Wallet} website between February 19-21, 2025, leveraging multiple attack vectors to maximize their impact.
Bybit CEO Ben Zhou stated that 77% of the stolen funds remain traceable, 20% are unaccounted for, and 3% have been frozen thanks to efforts from various industry players. The attackers have converted 83% (417,348 ETH) into bitcoin, distributing it across nearly 7,000 wallets.
The incident underscores the escalating sophistication of cyber threats in Web3. According to Immunefi, cryptocurrency heists have surged in early 2025, with $1.6 billion lost in just two months—an eightfold increase from the previous year. Safe{Wallet} emphasized that securing transactions remains one of Web3’s biggest challenges, requiring collective industry action to address critical vulnerabilities.