Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers - Related to treason”, behind, ‘cracked’, charged, hack

Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers

The [website] Federal Bureau of Investigation (FBI) formally linked the record-breaking $[website] billion Bybit hack to North Korean threat actors, as the corporation's CEO Ben Zhou declared a "war against Lazarus."

The agency revealed the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster it tracks as TraderTraitor, which is also referred to as Jade Sleet, Slow Pisces, and UNC4899.

"TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains," the FBI stated. "It is expected these assets will be further laundered and eventually converted to fiat currency."

It's worth noting that the TraderTraitor cluster was previously implicated by Japanese and [website] authorities in the theft of cryptocurrency worth $308 million from cryptocurrency business DMM Bitcoin in May 2024.

The threat actor is known for targeting companies in the Web3 sector, often tricking victims into downloading malware-laced cryptocurrency apps to facilitate theft. Alternately, it has also been found to orchestrate job-themed social engineering campaigns that lead to the deployment of malicious npm packages.

ByBit, in the meanwhile, has launched a bounty program to help recover the stolen funds, while calling out eXch for refusing to cooperate in the probe and help freeze the assets.

"The stolen funds have been transferred to untraceable or freezeable destinations, such as exchanges, mixers, or bridges, or converted into stablecoins that can be frozen," it mentioned. "We require cooperation from all involved parties to either freeze the funds or provide updates on their movement so we can continue tracing."

The Dubai-based business has also shared the conclusions of two investigations conducted by Sygnia and Verichains, linking the hack to the Lazarus Group.

"The forensics investigation of the three signers' hosts implies the root cause of the attack is malicious code originating from Safe{Wallet}'s infrastructure," Sygnia stated.

Verichains noted that "the benign JavaScript file of [website] appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit," and that the "attack was designed to activate during the next Bybit transaction, which occurred on February 21, 2025, at 14:13:35 UTC."

It's suspected that the AWS S3 or CloudFront account/API Key of [website] was likely leaked or compromised, thereby paving the way for a supply chain attack.

In a separate statement, multisig wallet platform Safe{Wallet} stated the attack was carried out by compromising one of its developer's machines which affected an account operated by Bybit. The business further noted that it implemented added security measures to mitigate the attack vector.

The attack "was achieved through a compromised machine of a Safe{Wallet} developer resulting in the proposal of a disguised malicious transaction," it noted. "Lazarus is a state-sponsored North Korean hacker group that is well known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits."

It's currently not clear how the developer's system was breached, although a new analysis from Silent Push has uncovered that the Lazarus Group registered the domain bybit-assessment[.]com at 22:21:57 on February 20, 2025, a few hours before the cryptocurrency theft took place.

"It appears the Bybit heist was conducted by the DPRK threat actor group known as TraderTraitor, also known as Jade Sleet and Slow Pisces – whereas the crypto interview scam is being led by a DPRK threat actor group known as Contagious Interview, also known as Famous Chollima," the firm noted.

"Victims are typically approached via LinkedIn, where they are socially engineered into participating in fake job interviews. These interviews serve as an entry point for targeted malware deployment, credential harvesting, and further compromise of financial and corporate assets."

North Korea-linked actors are estimated to have stolen over $6 billion in crypto assets since 2017. The $[website] billion stolen last week surpasses the $[website] billion the threat actors stole from 47 cryptocurrency heists in all of 2024.

Universities and government organizations in North America and Asia have been targeted by a previously undocumented Linux malware called Auto-Color be......

The threat actor known as Dark Caracal has been attributed to a campaign that deployed a remote access trojan called Poco RAT in attacks targeting Spa......

YouTube warns that scammers are using an AI-generated video featuring the firm's CEO in phishing attacks to steal creators' credentials.

Who’s Behind the Seized Forums ‘Cracked’ & ‘Nulled’?

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of consumers that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities displays their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

On Jan. 30, the [website] Department of Justice noted it seized eight domain names that were used to operate Cracked, a cybercrime forum that sprang up in 2018 and attracted more than four million individuals. The DOJ noted the law enforcement action, dubbed Operation Talent, also seized domains tied to Sellix, Cracked’s payment processor.

In addition, the government seized the domain names for two popular anonymity services that were heavily advertised on Cracked and Nulled and allowed consumers to rent virtual servers: StarkRDP[.]io, and rdp[.]sh.

Those archived webpages show both RDP services were owned by an entity called 1337 Services Gmbh. .com, 1337 Services GmbH is also known as AS210558 and is incorporated in Hamburg, Germany.

The Cracked forum administrator went by the nicknames “FlorainN” and “StarkRDP” on multiple cybercrime forums. Meanwhile, a LinkedIn profile for a Florian M. from Germany refers to this person as the co-founder of Sellix and founder of 1337 Services GmbH.

Northdata’s business profile for 1337 Services GmbH demonstrates the firm is controlled by two individuals: 32-year-old Florian Marzahl and Finn Alexander Grimpe, 28.

Neither Marzahl nor Grimpe responded to requests for comment. But Grimpe’s first name is interesting because it corresponds to the nickname chosen by the founder of Nulled, who goes by the monikers “Finn” and “Finndev.” NorthData reveals that Grimpe was the founder of a German entity called DreamDrive GmbH, which rented out high-end sports cars and motorcycles.

, a user named Finndev registered on multiple cybercrime forums, including Raidforums [seized by the FBI in 2022], Void[.]to, and vDOS, a DDoS-for-hire service that was shut down in 2016 after its founders were arrested.

The Justice Department mentioned the Nulled marketplace had more than five million members, and has been selling stolen login credentials, stolen identification documents and hacking services, as well as tools for carrying out cybercrime and fraud, since 2016.

Perhaps fittingly, both Cracked and Nulled have been hacked over the years, exposing countless private messages between forum individuals. A review of those messages archived by Intel 471 showed that dozens of early forum members referred privately to Finndev as the owner of shoppy[.]gg, an e-commerce platform that caters to the same clientele as Sellix.

Shoppy was not targeted as part of Operation Talent, and its website remains online. Shoppy’s business name — Shoppy Ecommerce Ltd. — is registered at an address in Gan-Ner, Israel, but there is no ownership information about this entity. Shoppy did not respond to requests for comment.

The DOJ unveiled one of the alleged administrators of Nulled, a 29-year-old Argentinian national named Lucas Sohn, was arrested in Spain. The government has not unveiled any other arrests or charges associated with Operation Talent.

Indeed, both StarkRDP and FloraiN have posted to their accounts on Telegram that there were no charges levied against the proprietors of 1337 Services GmbH. FlorainN told former clients they were in the process of moving to a new name and domain for StarkRDP, where existing accounts and balances would be transferred.

“StarkRDP has always been operating by the law and is not involved in any of these alleged crimes and the legal process will confirm this,” the StarkRDP Telegram account wrote on January 30. “All of your servers are safe and they have not been collected in this operation. The only things that were seized is the website server and our domain. Unfortunately, no one can tell who took it and with whom we can talk about it. Therefore, we will restart operation soon, under a different name, to close the chapter [of] ‘StarkRDP.'”.

Wenn Angreifer erfolgreich an einer Schwachstelle in Kibana ansetzen, können sie Systeme mit Schadcode verseuchen. Attacken sind aber nicht in jedem F......

The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated ......

Organizations today face relentless cyber attacks, with high-profile breaches hitting the headlines almost daily. Reflecting on a long journey in the ......

U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason”

A [website] Army soldier who pleaded guilty last week to leaking phone records for high-ranking [website] government officials searched online for non-extradition countries and for an answer to the question “can hacking be treason?” prosecutors in the case stated Wednesday. The government disclosed the details in a court motion to keep the defendant in custody until he is discharged from the military.

Cameron John Wagenius, 21, was arrested near the Army base in Fort Cavazos, Texas on Dec. 20, and charged with two criminal counts of unlawful transfer of confidential phone records. Wagenius was a communications specialist at a [website] Army base in South Korea, who secretly went by the nickname Kiberphant0m and was part of a trio of criminal hackers that extorted dozens of companies last year over stolen data.

At the end of 2023, malicious hackers learned that many companies had uploaded sensitive customer records to accounts at the cloud data storage service Snowflake that were protected with little more than a username and password (no multi-factor authentication needed). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations.

Among those was AT&T, which disclosed in July that cybercriminals had stolen personal information and phone and text message records for roughly 110 million people — nearly all of its customers. AT&T reportedly paid a hacker $370,000 to delete stolen phone records. More than 160 other Snowflake customers were relieved of data, including TicketMaster, Lending Tree, Advance Auto Parts and Neiman Marcus.

In several posts to an English-language cybercrime forum in November, Kiberphant0m leaked some of the phone records and threatened to leak them all unless paid a ransom. Prosecutors said that in addition to his public posts on the forum, Wagenius had engaged in multiple direct attempts to extort “Victim-1,” which appears to be a reference to AT&T. The government states that Kiberphant0m privately demanded $500,000 from Victim-1, threatening to release all of the stolen phone records unless he was paid.

On Feb. 19, Wagenius pleaded guilty to two counts of unlawfully transferring confidential phone records, but he did so without the benefit of a plea agreement. In entering the plea, Wagenius’s attorneys had asked the court to allow him to stay with his father pending his sentencing.

But in a response filed today (PDF), prosecutors in Seattle said Wagenius was a flight risk, partly because prior to his arrest he was searching online for how to defect to countries that do not extradite to the United States. , while Kiberphant0m was extorting AT&T, Wagenius’s searches included:

-“where can i defect the [website] government military which country will not hand me over”.

-“[website] military personnel defecting to Russia”.

-“Embassy of Russia – Washington, [website]”.

Prosecutors told the court investigators also found a screenshot on Wagenius’ laptop that suggested he had over 17,000 files that included passports, driver’s licenses, and other identity cards belonging to victims of a breach, and that in one of his online accounts, the government also found a fake identification document that contained his picture.

“Wagenius should also be detained because he presents a serious risk of flight, has the means and intent to flee, and is aware that he will likely face additional charges,” the Seattle prosecutors asserted.

The court filing says Wagenius is presently in the process of being separated from the Army, but the government has not received confirmation that his discharge has been finalized.

“The government’s understanding is that, until his discharge from the Army is finalized (which is expected to happen in early March), he may only be released directly to the Army,” reads a footnote in the memo. “Until that process is completed, Wagenius’ proposed release to his father should be rejected for this additional reason.”.

Wagenius’s interest in defecting to another country in order to escape prosecution mirrors that of his alleged co-conspirator, John Erin Binns, an 25-year-old elusive American man indicted by the Justice Department for a 2021 breach at T-Mobile that exposed the personal information of at least [website] million clients.

In late November 2024, Canadian authorities arrested a third alleged member of the extortion conspiracy, 25-year-old Connor Riley Moucka of Kitchener, Ontario. The [website] government has indicted Moucka and Binns, charging them with one count of conspiracy; 10 counts of wire fraud; four counts of computer fraud and abuse; two counts of extortion in relation to computer fraud; and two counts aggravated identity theft.

Less than a month before Wagenius’s arrest, KrebsOnSecurity ’s various Telegram and Discord identities over the years, revealing how the owner of the accounts told others they were in the Army and stationed in South Korea.

The maximum penalty Wagenius could face at sentencing includes up to ten years in prison for each count, and fines not to exceed $250,000.

Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.

After a recent dip, ransomware attacks a......

CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP.

Software running Palo Alto Networks’ firewalls i......

A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hund......