How North Korea used a bogus stock trading simulator to steal $1.4 billion from Bybit

  • A forensic investigation has identified the prime mover in the Bybit exchange hack.
  • The Lazarus Group has started hiding malware in stock trading software.
  • The hack relied on an existing issue with a type of Python file.

When the news came through that crypto exchange Bybit had been hacked for $1.4 billion, nobody knew at the time how it could have happened.

The fifth-biggest exchange, which held some $15 billion worth of assets for customers, isn’t known to skimp on security.

Things took a turn when, the following week, multiple investigations found the hack wasn’t in Bybit’s systems, but rather due to a compromise at Safe Wallet, a popular crypto wallet provider the exchange relied on.

Now, a forensic investigation of Safe Wallet’s own systems has identified the prime mover in the series of events that led to the $1.4 billion hack: a bogus stock trading simulator.

Lazarus Group, the North Korean state-sponsored hackers, appears to have convinced a Safe Wallet developer to download the stock trading simulator, which contained hidden code that let them gain access to some of Safe’s systems, according to a report from cybersecurity firm Mandiant. The report was commissioned by Safe Wallet.

What followed was a weeks-long infiltration by North Korean hackers that culminated in the $1.4 billion Bybit theft.

Here’s how it happened.

Stock trading simulator?

Stock trading simulators can be found online. They let users practise financial trading without putting any real money on the line.

A spokesperson for Safe Wallet told DL News the firm is still investigating how the malicious file got onto the developer’s computer.

It’s possible Lazarus used social engineering techniques, Mandiant said.

Social engineering involves the psychological manipulation of a person into divulging confidential information or performing actions, such as downloading malicious files or software. The tactic is very common in hacks perpetrated by the hermit kingdom.

In a previous attack in 2023, Lazarus used phony job offers as a pretext for getting malicious files onto victims’ computers. Hackers approached workers at a target firm and asked them to download and complete test assignments that were riddled with malware.

More recently, Lazarus has started using stock or crypto trading apps instead.

A February 23 report from crypto security firm SlowMist identified “ongoing and escalating” Lazarus Group attacks against crypto exchanges which relied on social engineering to trick employees into downloading malicious files labelled as stock trading simulators.

Mandiant’s Safe Wallet investigation report also mentions a separate case in September where Lazarus socially engineered a crypto developer into downloading and troubleshooting a stock-themed project file which contained malware.

Using the guise of stock trading apps is an obvious choice because it doesn’t look out of the ordinary to targets in the crypto industry, Mikko Ohtamaa, a security researcher and CEO of DeFi trading protocol Trading Strategy, told DL News.

Python issue

The fact that such stock trading apps are almost always written in the Python programming language is essential to the attack, Ohtamaa said.

Just creating malware and disguising it wouldn’t work — even a novice developer could pick up on the ruse.

Instead, hackers must find creative ways to infiltrate their targets’ systems.

In this case, Lazarus utilised an old issue in Python when loading a file type called YAML, which let the hackers disguise the malicious elements of the file.

By using this method, Lazarus was able to remain inside Safe Wallet’s systems undetected, giving the hackers weeks to engineer an attack.
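The YAML loading issue described above, as an added example that is not code from the article, from Mandiant’s report, or from Safe Wallet: the article does not name the library, so this assumes the long-standing PyYAML behaviour in which the full and unsafe loaders turn `!!python/...` tags into live Python objects while `yaml.safe_load` refuses them. The two configuration documents, the simulator settings and the `audit_yaml_files` helper are constructed for illustration; the tag syntax is PyYAML’s real one.

```python
"""Defensive handling of untrusted YAML (added example, not the article's or
Mandiant's code). Assumes PyYAML: its full/unsafe loaders honour Python-specific
tags such as ``!!python/object/apply:...``, ``safe_load`` does not."""
import re

# Constructed sample: a plain-looking config for a hypothetical trading simulator.
BENIGN_CONFIG = """\
simulator:
  symbols: [AAPL, MSFT]
  starting_cash: 100000
"""

# Constructed sample: the same layout with a Python-specific tag buried in it.
# The callable named here is harmless (builtins.print); the point is that an
# unsafe loader would invoke whatever callable the tag names while the file
# still reads like ordinary configuration.
TAGGED_CONFIG = """\
simulator:
  symbols: [AAPL, MSFT]
  starting_cash: 100000
  strategy: !!python/object/apply:builtins.print ["loaded"]
"""

# Short-form (!!python/...) and long-form (!<tag:yaml.org,2002:python/...>) tags.
PYTHON_TAG_RE = re.compile(
    r"!!python/[\w/]+(?::[\w.]+)?"
    r"|!<tag:yaml\.org,2002:python/[^>]*>"
)


def find_python_tags(text: str) -> list[str]:
    """Return the distinct Python-specific YAML tags present in ``text``."""
    return sorted({m.group(0) for m in PYTHON_TAG_RE.finditer(text)})


def load_untrusted_yaml(text: str):
    """Parse YAML from an untrusted source.

    Rejects documents carrying Python-specific tags before any YAML library
    sees them, then parses the rest with ``yaml.safe_load``, which refuses such
    tags on its own, as defence in depth.
    """
    tags = find_python_tags(text)
    if tags:
        raise ValueError(f"refusing YAML with Python-specific tags: {tags}")
    import yaml  # PyYAML; imported lazily so the tag scan works without it
    return yaml.safe_load(text)


def is_rejected(text: str) -> bool:
    """True when ``load_untrusted_yaml`` refuses the document at the tag scan."""
    try:
        load_untrusted_yaml(text)
    except ValueError:
        return True
    return False


def audit_yaml_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each file name to the Python tags it contains; an empty list is clean."""
    return {name: find_python_tags(text) for name, text in files.items()}


if __name__ == "__main__":
    report = audit_yaml_files(
        {"benign.yaml": BENIGN_CONFIG, "tagged.yaml": TAGGED_CONFIG}
    )
    for name, tags in report.items():
        print(f"{name}: {'clean' if not tags else 'FLAGGED ' + ', '.join(tags)}")
```

The scan is worth running over a checked-out project before anyone opens it, since a developer asked to "troubleshoot" a repository will otherwise only discover the tag once a loader has already acted on it; grepping for `yaml.load(` calls without `Loader=yaml.SafeLoader` in the same tree is the complementary check.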

Working nights

Lazarus needed to breach Safe Wallet’s Amazon Web Services account, which hosts the Safe Wallet website. Their plan: hack the website and swap Bybit’s transaction with a malicious one, seizing its wallet.

With AWS keys expiring every 12 hours, the hackers synchronised their hours with a Safe Wallet developer, which means working long nights in North Korea — if they are in North Korea — to exploit an active key.

Seventeen days later, Lazarus stole $1.4 billion. Minutes after the heist, the hackers erased malware traces, likely planning to reuse the method.

That might now be hard given how widely publicised the Safe Wallet hack was.

Ohtamaa said Lazarus will likely change its tactics now that the stock trading ruse has become well known.

But while the delivery may change, the underlying attack method may stay the same.

“No one is prepared for the attack vector,” Taylor Monahan, the lead security researcher at the crypto wallet MetaMask, previously told DL News. “This will happen again and again and again.”

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
