Safe released findings from the $1.5B Bybit hack investigation, highlighting the need for enhanced cybersecurity in the crypto community.
Attack Details
The U.S. FBI attributed the attack on the Safe platform to TraderTraitor, a hacking group backed by the North Korean government. Safe and Mandiant confirmed the attribution to the known group UNC4899. The hackers compromised a Safe developer's laptop, which had elevated access. Using AWS session tokens, they bypassed multifactor authentication.
Intrusion and Impact
The developer's computer was compromised on February 4, and the attackers accessed Safe's AWS environment on February 5. They had inserted malicious code into the Safe website by February 19. On February 21 at 14:13 UTC, the Bybit exploit occurred, and the malicious code was removed a minute later. The attack targeted a signed Bybit cold wallet transaction.
Findings and Recommendations
Safe concluded that web3 organizations need major UX improvements for secure transaction management: signing a transaction is the last line of defense, and it is only effective if users understand what they are signing. Safe listed resets and enhancements to eliminate the threats it identified. Authorities fault Bybit for using a less secure version of Safe. The hackers had laundered all 499,000 ETH by March 4.
The investigation highlighted the importance of enhancing security and user awareness in crypto. Safe and Bybit are working to address identified vulnerabilities.