Bybit’s $1.4B breach, executed on February 21, 2025, marks the largest cryptocurrency heist to date, with threat intelligence from April 4, 2025, linking it to North Korea’s Lazarus Group via newly uncovered infrastructure. Silent Push analysts identified the domain bybit-assessment[.]com, registered hours before the attack, as a pivotal element in the operation. This post dissects the breach’s technical underpinnings, including test transactions, VPN usage, and malware deployment tied to the TraderTraitor and Contagious Interview campaigns, providing SOC analysts, DFIR teams, and threat hunters with actionable detection and mitigation strategies.
Table of Contents
- Bybit’s $1.4B Breach: Attack Overview
- Technical Details of Lazarus Group Infrastructure
- Detection and Mitigation Strategies
Bybit’s $1.4B Breach: Attack Overview
On February 21, 2025, Bybit lost 401,347 ETH (valued at $1.4B) during a routine cold-to-warm wallet transfer. The breach exploited a compromised Safe{Wallet} developer machine, enabling Lazarus Group to inject malicious JavaScript into app.safe.global. This allowed attackers to mask the signing interface, tricking multisig signers into approving a fraudulent transaction. Recent intelligence from April 4, 2025, confirms the Lazarus Group’s involvement, aligning with their history of targeting crypto exchanges (MITRE ATT&CK: G0032).
Attack Timeline and Initial Access
The domain bybit-assessment[.]com was registered at 22:21:57 UTC on February 20, 2025, suggesting premeditation. Analysts link this to phishing campaigns posing as job interviews, a tactic consistent with Contagious Interview (T1659). Post-breach, funds were dispersed across 50+ wallets and laundered via decentralized exchanges (DEXs) and Bitcoin conversions, complicating recovery efforts.
Technical Details of Lazarus Group Infrastructure
Bybit’s $1.4B breach exposed a sophisticated Lazarus Group infrastructure, blending social engineering, malware, and network obfuscation. The attack leveraged a supply chain compromise against Safe{Wallet}, highlighting vulnerabilities in third-party dependencies. Recent Silent Push findings from April 4, 2025, detail test transactions and VPN usage, indicating extensive reconnaissance.
Tactics, Techniques, and Procedures (TTPs)
Lazarus employed the following TTPs:
- T1199 – Trusted Relationship: Compromised a Safe{Wallet} developer machine.
- T1059 – Command and Scripting Interpreter: Injected malicious JS into the signing process.
- T1078 – Valid Accounts: Exploited legitimate signer credentials.
- T1496 – Resource Hijacking: Redirected funds to attacker-controlled wallets.
Indicators of Compromise (IoCs)
Key IoCs from the breach include:
- Domain: bybit-assessment[.]com
- IP: 192.241.133.147 (example VPN exit node)
- Hash: 9e8f7d2a1b3c4e5f6a7b8c9d0e1f2a3b (malware sample; listed as SHA-256, but the value is 32 hex digits where a SHA-256 digest has 64, so treat it as illustrative)
Detection and Mitigation Strategies
Bybit’s $1.4B breach underscores the need for robust defenses against Lazarus Group’s evolving tactics. As of April 6, 2025, the following strategies are critical for SOC teams, red teams, and security engineers to detect and mitigate similar threats.
Detection Rules
Sigma Rule: Detect Malicious Domain Resolution

```yaml
title: Detect Lazarus Group Domain Resolution
id: 456f789a-12bc-34de-56fg-78901234abcd   # placeholder, not a valid UUIDv4 (contains "g"); generate a real one before use
description: Flags DNS queries to known Lazarus domains
logsource:
    category: dns_query   # Sysmon Event ID 22 on Windows; this category exposes the QueryName field
    product: windows
detection:
    selection_exact:
        QueryName: 'bybit-assessment.com'
    selection_sub:
        QueryName|endswith: '.bybit-assessment.com'   # subdomains, without matching e.g. notbybit-assessment.com
    condition: 1 of selection_*
level: critical
```
Wireshark Filter: Suspicious C2 Traffic
```
dns.qry.name == "bybit-assessment.com" or ip.addr == 192.241.133.147
```
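The same check as the Sigma rule and Wireshark filter above, run offline over DNS log lines, as an added example that is not part of the original post: it refangs the indicators as they are printed here (`[.]`), normalises query names, and matches the apex domain or a true subdomain without the false positives a bare suffix or prefix test would give. The log lines are constructed, Zeek-like tab-separated records.

```python
import re
from typing import Iterable

# Indicators as published in the post (defanged); the IP is the post's example VPN exit node.
DEFANGED_DOMAINS = ["bybit-assessment[.]com"]
BLOCKED_IPS = {"192.241.133.147"}

def refang(indicator: str) -> str:
    """Turn feed-style defanging ('[.]', '(.)', 'hxxp') back into a matchable, lower-cased value."""
    return re.sub(r"\[\.\]|\(\.\)", ".", indicator).replace("hxxp", "http").lower()

def normalize_qname(qname: str) -> str:
    """Lower-case and strip the trailing root dot that some DNS logs (Zeek, BIND) keep."""
    return qname.strip().lower().rstrip(".")

def domain_matches(qname: str, ioc_domain: str) -> bool:
    """Exact match or a true subdomain of the IoC. A bare suffix test would also hit
    'notbybit-assessment.com'; a prefix test would hit 'bybit-assessment.com.evil.net'."""
    q = normalize_qname(qname)
    return q == ioc_domain or q.endswith("." + ioc_domain)

# Constructed sample log, Zeek-like tab-separated columns: ts, src_ip, resolver, query, answer
SAMPLE_DNS_LOG = """\
1740096117.101\t10.0.0.5\t10.0.0.53\tupdates.example.org\t93.184.216.34
1740096120.456\t10.0.0.7\t10.0.0.53\tBybit-Assessment.com.\t192.241.133.147
1740096125.789\t10.0.0.9\t10.0.0.53\tnotbybit-assessment.com\t203.0.113.9
1740096130.000\t10.0.0.7\t10.0.0.53\tapply.bybit-assessment.com\t203.0.113.10
1740096133.000\t10.0.0.11\t10.0.0.53\tbybit-assessment.com.evil.net\t203.0.113.11
"""

def scan_dns_log(lines: Iterable[str], defanged: Iterable[str] = DEFANGED_DOMAINS) -> list:
    """Return one alert per log line whose query name or answer matches an indicator."""
    iocs = [refang(d) for d in defanged]
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, _resolver, qname, answer = line.rstrip("\n").split("\t")
        hits = [d for d in iocs if domain_matches(qname, d)]
        if hits or answer in BLOCKED_IPS:
            alerts.append({"ts": ts, "src": src, "query": normalize_qname(qname),
                           "indicator": hits[0] if hits else answer})
    return alerts

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_DNS_LOG.splitlines(True)):
        print(alert)
```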
Mitigation Tactics
1. Supply Chain Hardening: Audit third-party vendors for security controls. Enforce code signing for all dependencies (NIST SP 800-161).
2. Network Monitoring: Block known Lazarus IoCs at the firewall:
   ```bash
   # iptables rule
   iptables -A INPUT -s 192.241.133.147 -j DROP
   ```
3. Endpoint Protection: Deploy EDR to detect script injection. Disable unnecessary browser scripting via GPO:
   ```powershell
   # PowerShell to disable JS in Edge via the documented DefaultJavaScriptSetting policy (2 = block)
   $edgePolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"
   New-Item -Path $edgePolicy -Force | Out-Null   # create the policy key if it does not exist yet
   Set-ItemProperty -Path $edgePolicy -Name "DefaultJavaScriptSetting" -Value 2 -Type DWord
   ```
4. Multisig Verification: Implement manual validation of transaction hashes before signing. Use hardware security modules (HSMs) for key management.
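The manual validation in point 4, as an added example that is not part of the original post or of Safe{Wallet}'s code: it ABI-decodes the raw execTransaction calldata that is actually being signed (Safe's selector 0x6a761202 and parameter order) and diffs it against what the UI displayed, which is exactly the check that a masked signing interface defeats when signers skip it. The transaction below is constructed: the UI shows a transfer to one address while the signed payload names another.

```python
# Independent pre-signing check for a Safe multisig: decode the execTransaction calldata that
# is actually being signed and compare it with what the wallet UI claims. Added example code.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
FIELDS = ["to", "value", "data", "operation", "safeTxGas", "baseGas",
          "gasPrice", "gasToken", "refundReceiver", "signatures"]

def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\0")

def _dyn(b: bytes) -> bytes:
    # ABI dynamic bytes: a length word, then the content right-padded to a 32-byte boundary
    return _word(len(b)) + b + b"\0" * (-len(b) % 32)

def encode_exec_transaction(tx: dict) -> bytes:
    """ABI-encode an execTransaction call; used here only to build the sample payload."""
    head_len = len(FIELDS) * 32
    data_enc = _dyn(tx["data"])
    head = (_addr(tx["to"]) + _word(tx["value"]) + _word(head_len) + _word(tx["operation"])
            + _word(tx["safeTxGas"]) + _word(tx["baseGas"]) + _word(tx["gasPrice"])
            + _addr(tx["gasToken"]) + _addr(tx["refundReceiver"]) + _word(head_len + len(data_enc)))
    return EXEC_TRANSACTION_SELECTOR + head + data_enc + _dyn(tx["signatures"])

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a signer must verify, straight from the bytes being signed."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    p = calldata[4:]
    word = lambda i: int.from_bytes(p[32 * i:32 * (i + 1)], "big")
    addr = lambda i: "0x" + p[32 * i + 12:32 * (i + 1)].hex()
    def dyn(off: int) -> bytes:
        n = int.from_bytes(p[off:off + 32], "big")
        return p[off + 32:off + 32 + n]
    return {"to": addr(0), "value": word(1), "data": dyn(word(2)), "operation": word(3),
            "safeTxGas": word(4), "baseGas": word(5), "gasPrice": word(6),
            "gasToken": addr(7), "refundReceiver": addr(8), "signatures": dyn(word(9))}

def compare_with_ui(calldata: bytes, ui_view: dict) -> list:
    """Return the fields on which the signed payload disagrees with what the UI displayed."""
    actual = decode_exec_transaction(calldata)
    return [f for f in ("to", "value", "operation", "data") if actual[f] != ui_view[f]]

# Constructed sample: the UI shows a plain ETH transfer to the warm wallet (operation 0 = CALL,
# empty data), but the payload actually presented for signing carries a different recipient.
UI_VIEW = {"to": "0x" + "11" * 20, "value": 10**18, "operation": 0, "data": b""}
SIGNED_TX = {**UI_VIEW, "to": "0x" + "22" * 20, "safeTxGas": 0, "baseGas": 0, "gasPrice": 0,
             "gasToken": "0x" + "00" * 20, "refundReceiver": "0x" + "00" * 20, "signatures": b""}
```

In practice the decoded fields are compared against what an independent channel (the hardware wallet display or a second, clean device) shows, never against the same browser UI that produced the request.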
Incident Response Playbook
For DFIR teams responding to similar breaches:
- Isolate compromised systems and capture memory (e.g., using Volatility).
- Analyze DNS and HTTP logs for Lazarus IoCs (T1071).
- Trace blockchain transactions using tools like Chainalysis or Elliptic.
- Notify affected parties per regulatory requirements (e.g., GDPR).
Refer to our Threat Detection Guide for advanced log analysis techniques.
Lessons Learned
Bybit’s $1.4B breach reveals the fragility of trusted third-party systems. Lazarus Group’s use of fake job scams and VPNs to mask their infrastructure demands a shift to zero-trust models. Hardening endpoints and supply chains, as outlined in our Server Hardening Tips, is non-negotiable. For further insights, see CISA’s Known Exploited Vulnerabilities.