North Korean TraderTraitor group executed largest crypto theft in history through sophisticated Safe{Wallet} supply chain attack targeting Bybit exchange.

Continue reading
The threat landscape witnessed an unprecedented breach in February 2025 when North Korea's TraderTraitor hacking collective orchestrated the largest cryptocurrency theft in history, stealing $1.5 billion from Bybit exchange through a sophisticated supply chain compromise targeting Safe{Wallet}'s multisignature platform.
The operation began on February 4, 2025, when TraderTraitor operatives compromised a Safe{Wallet} developer's macOS workstation through a targeted social engineering campaign[3][4]. The attackers, masquerading as recruiters on LinkedIn, lured the developer into downloading a malicious Docker container named "MC-Based-Stock-Invest-Simulator-main," which established communication with the command-and-control domain getstockprice[.]com.
Following the initial compromise, the threat actors gained access to Safe{Wallet}'s Amazon Web Services infrastructure on February 5 by hijacking the developer's AWS session tokens, effectively bypassing multi-factor authentication controls. The attackers operated within the compromised environment for nearly two weeks, conducting reconnaissance and preparing for the final assault.
The critical phase occurred on February 19, when the attackers injected malicious JavaScript code into Safe{Wallet}'s web interface resources hosted on AWS S3 buckets. This code was specifically engineered to target Bybit's cold wallet transactions while remaining dormant for other users, demonstrating the precision and sophistication of the attack.
On February 21, 2025, when Bybit employees initiated what appeared to be a routine $7 million transfer from their cold wallet to a warm wallet, the malicious JavaScript code intercepted and modified the transaction parameters. The user interface displayed the legitimate transaction details to the three required signers, but the underlying smart contract logic was altered to transfer 401,000 ETH (approximately $1.5 billion) to attacker-controlled wallets.
The sophistication of the attack extended to its immediate aftermath, with the malicious code being automatically removed from Safe{Wallet}'s infrastructure just two minutes after the successful theft, demonstrating advanced operational security practices. This rapid cleanup complicated forensic investigations and highlighted the threat actors' experience in covering their tracks.
The Federal Bureau of Investigation formally attributed the attack to TraderTraitor, a financially motivated subgroup operating under North Korea's Lazarus Group umbrella. TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces, represents one of several elite hacking units controlled by North Korea's Reconnaissance General Bureau (RGB).
This attack continues a pattern of escalating North Korean cryptocurrency theft, with the regime stealing an estimated $1.34 billion across 47 incidents in 2024 alone. Intelligence assessments indicate that up to 50% of North Korea's foreign currency income derives from malicious cyber activities, with these funds directly supporting the country's nuclear weapons and ballistic missile programs.
The Bybit heist represents the culmination of TraderTraitor's evolving tactics, building upon previous successful operations including the $308 million DMM Bitcoin theft in May 2024. In that attack, operatives used similar social engineering techniques, targeting a Ginco cryptocurrency wallet developer through a fake LinkedIn recruitment scheme that delivered Python-based malware designated as RN Loader and RN Stealer.
TraderTraitor's methodology consistently leverages supply chain vulnerabilities, as demonstrated in the 2023 JumpCloud compromise where the group infiltrated the cloud identity management provider to access downstream cryptocurrency customers. This approach exploits the trust relationships inherent in modern software development and deployment pipelines.
The attack exposed critical vulnerabilities in multisignature wallet implementations, particularly the risk of user interface manipulation in web-based signing processes. Security researchers emphasized that while the underlying smart contract remained secure, the compromise of the presentation layer enabled the deception of authorized signers.
Bybit maintained solvency through emergency bridge loans and implemented a "Lazarus Bounty Program" offering rewards for the recovery of stolen assets. However, blockchain intelligence firms confirmed that over $300 million of the stolen cryptocurrency had already been successfully laundered through mixing services and decentralized exchanges.
The incident prompted renewed scrutiny of supply chain security practices across the cryptocurrency industry, with particular focus on the verification of software dependencies and the implementation of code signing verification mechanisms. Organizations utilizing multisignature solutions have initiated comprehensive reviews of their transaction signing processes and user interface integrity controls.
This unprecedented breach underscores the sophisticated capabilities of state-sponsored threat actors in exploiting complex software supply chains, demonstrating how traditional security boundaries become ineffective against advanced persistent threats with strategic patience and significant resources.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation