Understanding the $1.4 Billion Bybit Hack: An In-Depth Analysis of the SafeWallet Cybersecurity Breach
6 months ago

The developer of SafeWallet has released a comprehensive post-mortem report on the cybersecurity breach that resulted in a staggering $1.4 billion hack against Bybit in February. This detailed report, developed in collaboration with the renowned cybersecurity firm Mandiant, sheds light on the methodologies employed by the hacking group, which managed to successfully hijack a Safe developer’s Amazon Web Services (AWS) session tokens.

This breach allowed the attackers to bypass the multifactor authentication measures that protected sensitive infrastructure. The forensic analysis found that SafeWallet’s AWS configuration required team members to reauthenticate their AWS session tokens every 12 hours.

This stringent measure inadvertently prompted the hackers to attempt to breach the system by registering a multifactor authentication (MFA) device. After several unsuccessful attempts, which likely represented a considerable investment of time and resources, the threat actors compromised a developer’s macOS system.

This was likely achieved through sophisticated malware that let the hackers use the developer’s AWS session tokens while those sessions were still active, so the MFA challenge was never triggered. Once inside, the hackers moved through the AWS environment to stage their attack in what was clearly a highly coordinated effort.
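The two behaviours described above, a still-valid session token reused from a machine the developer did not issue it on and repeated failed attempts to register an MFA device, both leave traces in audit logs. The following is an added example, not code from Safe, Mandiant or Bybit, showing the kind of detection logic a defender could run over such logs. The records are constructed for this example: the field names `eventName`, `sourceIPAddress` and `errorCode` follow CloudTrail conventions, but the flat layout and the `principal`, `accessKeyId` and `issuedKeyId` keys are assumptions (a real implementation would read `userIdentity.accessKeyId` and `responseElements.credentials.accessKeyId` from the nested CloudTrail JSON).

```python
"""Two detections over constructed CloudTrail-style records (example, not the project's code):
1. a temporary credential used from a source IP other than the one it was issued to
2. a burst of failed MFA-device registration calls by one principal
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real CloudTrail output). Field names mirror
# CloudTrail's eventName / sourceIPAddress / errorCode; the flat layout and the
# principal / accessKeyId / issuedKeyId keys are assumptions for this example.
SAMPLE_EVENTS = [
    # Developer obtains temporary credentials from the office address
    {"eventTime": "2025-02-10T08:00:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.10", "principal": "dev-alice",
     "accessKeyId": "AKIACONSTRUCTED1", "issuedKeyId": "ASIACONSTRUCTED1"},
    # Legitimate use of the issued session credential from the same address
    {"eventTime": "2025-02-10T08:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "principal": "dev-alice",
     "accessKeyId": "ASIACONSTRUCTED1"},
    # The same session credential reused from an unrelated address (token replay)
    {"eventTime": "2025-02-10T09:30:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77", "principal": "dev-alice",
     "accessKeyId": "ASIACONSTRUCTED1"},
    # Three failed MFA-device registration attempts for the same user within an hour
    {"eventTime": "2025-02-10T10:00:00Z", "eventName": "EnableMFADevice",
     "sourceIPAddress": "198.51.100.77", "principal": "dev-alice",
     "accessKeyId": "ASIACONSTRUCTED1", "errorCode": "AccessDenied"},
    {"eventTime": "2025-02-10T10:12:00Z", "eventName": "EnableMFADevice",
     "sourceIPAddress": "198.51.100.77", "principal": "dev-alice",
     "accessKeyId": "ASIACONSTRUCTED1", "errorCode": "AccessDenied"},
    {"eventTime": "2025-02-10T10:40:00Z", "eventName": "CreateVirtualMFADevice",
     "sourceIPAddress": "198.51.100.77", "principal": "dev-alice",
     "accessKeyId": "ASIACONSTRUCTED1", "errorCode": "AccessDenied"},
]

ISSUING_EVENTS = {"AssumeRole", "GetSessionToken"}
MFA_ENROLL_EVENTS = {"EnableMFADevice", "CreateVirtualMFADevice"}


def _ts(value):
    """Parse the ISO-8601 UTC timestamp used in the records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_session_tokens(events):
    """Return (accessKeyId, issuing_ip, foreign_ip) for each temporary credential
    that is later used from an IP other than the one that requested it.
    Each (credential, foreign IP) pair is reported once."""
    issued_from = {}   # temporary key id -> IP that obtained it
    seen = set()
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        if ev["eventName"] in ISSUING_EVENTS and "issuedKeyId" in ev:
            issued_from[ev["issuedKeyId"]] = ev["sourceIPAddress"]
            continue
        key = ev.get("accessKeyId", "")
        src = ev["sourceIPAddress"]
        if key in issued_from and src != issued_from[key] and (key, src) not in seen:
            seen.add((key, src))
            findings.append((key, issued_from[key], src))
    return findings


def find_failed_mfa_enrollment_bursts(events, threshold=3, window=timedelta(hours=1)):
    """Return principals that logged at least `threshold` failed MFA-device
    registration calls inside any single `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["eventName"] in MFA_ENROLL_EVENTS and ev.get("errorCode"):
            failures[ev["principal"]].append(_ts(ev["eventTime"]))
    flagged = []
    for principal, times in failures.items():
        times.sort()
        for start in times:
            # sliding window anchored at each failure
            if sum(1 for t in times if start <= t <= start + window) >= threshold:
                flagged.append(principal)
                break
    return flagged


if __name__ == "__main__":
    for key, home, foreign in find_replayed_session_tokens(SAMPLE_EVENTS):
        print(f"session credential {key} issued to {home} but used from {foreign}")
    for principal in find_failed_mfa_enrollment_bursts(SAMPLE_EVENTS):
        print(f"burst of failed MFA-device registrations by {principal}")
```

Source-IP pinning is a coarse signal (NAT, VPNs and mobile clients legitimately change addresses), so in practice it is combined with device identity or treated as a trigger for forced reauthentication rather than as proof of compromise; the MFA-enrollment burst, by contrast, is rare enough in normal use that it merits a direct alert.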

Mandiant’s thorough analysis confirmed their suspicions regarding the sophistication of the attack, identifying the hackers as North Korean state actors who meticulously planned the breach over a span of 19 days. It’s crucial to highlight that this particular cybersecurity exploit did not compromise Safe’s smart contracts, which are often the focal point in discussions surrounding blockchain security. In light of this alarming breach, the Safe development team has taken immediate actions to implement additional safeguards aimed at preventing such incidents from occurring in the future.

In a related turn of events, the U.S. Federal Bureau of Investigation (FBI) issued a crucial alert urging node operators to block transactions from wallet addresses associated with the North Korean hackers. This warning highlighted the FBI’s concerns that the stolen funds would be laundered, potentially leading to conversions into fiat currency.

Remarkably, since the alert was issued, the Bybit hackers have laundered 100% of the stolen cryptocurrency, nearly 500,000 Ether-related tokens, within a mere 10 days. On March 4, Bybit’s CEO Ben Zhou reported that approximately 77% of the funds, valued at around $1.07 billion, remain traceable on the blockchain.

In contrast, about $280 million has become untraceable. Despite the grim statistics, Deddy Lavid, CEO of the cybersecurity firm Cyvers, expressed cautious optimism that cybersecurity professionals might still be able to trace and freeze some of the stolen assets.

This incident underscores the ongoing challenges facing the cryptocurrency industry in securing digital assets against increasingly sophisticated cyber threats, and the need for security measures to keep evolving to guard against such breaches.
