Lazarus hacked Bybit via breached Safe{Wallet} developer machine

​Forensic investigators have found that North Korean Lazarus hackers stole $1.5 billion from Bybit after hacking a developer's device at the multisig wallet platform Safe{Wallet}. Bybit CEO Ben Zhou shared the conclusions of two investigations by Sygnia and Verichains, which both found that the attack originated from Safe{Wallet}'s infrastructure. "The attack specifically targeted Bybit by injecting malicious JavaScript into app.safe.global, which was accessed by Bybit's signers. The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected by regular users while compromising high-value targets," Verichains said. "Based on the investigation results from the machines of Bybit's Signers and the cached malicious JavaScript payload found on the Wayback Archive, we strongly conclude that AWS S3 or CloudFront account/API Key of Safe. Global was likely leaked or compromised." "Two minutes after the malici ... Read full article.