Unit 42 observed a North Korea-linked macOS campaign targeting job-seeking software developers in the cryptocurrency sector through fake recruiter or employer interactions and malicious development projects. The activity used RustDoor binaries masqueradin…
2025 (778 reports)
LazarusBounty is a public bounty and transparency site for tracking sanctioned Lazarus-related cryptocurrency laundering activity. The page says users can connect wallets to trace stolen funds, claim moving wallets, and receive bounties when their submiss…
A malicious LNK sample shared on X with a Kimsuky tag used a DOCX icon lure and embedded an mshta.exe command, though the author cautions against relying heavily on the group label. LECmd analysis showed the shortcut extracting data from offset 0x0938 int…
Chainbounty's second Bybit investigation expands from the shared Bybit-Phemex wallet cluster to fund aggregation and distribution patterns across BNB Chain and Ethereum. The report centers on 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572, which collects smal…
Verichains analyzed the February 21, 2025 Bybit hot wallet exploit, where a malicious transaction upgraded the Bybit Hot Wallet Proxy implementation through a SafeWallet call. The on-chain flow involved an attacker-controlled call to the proxy, delegateca…
Silent Push linked fresh Lazarus infrastructure to the February 2025 Bybit theft, including bybit-assessment[.]com, which it says was registered hours before the $1.4 billion heist. The domain's WHOIS data tied it to trevorgreer9312@gmail[.]com, a persona…
NSHC's January 2025 report observed 51 threat group activities from December 21, 2024 to January 20, 2025, with SectorJ most active and SectorA and SectorB next. SectorA cases included fake recruiter approaches on LinkedIn, Telegram, and Discord; attacks …
Chainbounty profiles laundering activity after the Bybit theft rather than the initial compromise, focusing on an address that ZachXBT linked to both the Bybit and Phemex incidents associated with Lazarus Group. The analysis treats 0x33d057af74779925c4b2e…
Notorious hacker groups such as Kimsuky, Lazarus, and Andariel have been previously attributed to RGB. Under the headline "EU sanctions North Korean tied to Lazarus group over involvement in Ukraine war", the piece reports that the European Union on Monday adopted a new package of sanctions against …
The Medium post treats the February 2025 Bybit theft as a Lazarus Group operation and maps the alleged attack chain to MITRE ATT&CK tactics. It states that Lazarus compromised an offline Ethereum wallet and stole about $1.5 billion, then frames likely rec…
Cobo's Bybit analysis says attackers stole more than $1.5 billion after operators approved what appeared to be a normal Safe{Wallet} transfer from a cold wallet to a hot wallet. The transaction instead changed the Safe implementation contract and gave the…
Chainalysis reports that Bybit lost nearly $1.5 billion in ETH on February 21, 2025, making it the largest cryptocurrency heist described in the excerpt. The attack began with social engineering against cold wallet signers, causing them to sign malicious …
The excerpt attributes a malicious LNK file themed around virtual asset service provider anti-money-laundering supervision to the North Korea-linked Konni group. The file, identified by SHA-256 4a6c23e76524364fe9b9f5ecd46dc73e7714cac93849a380f0d1b746fae36…
The Bybit cold Ethereum wallet theft involved a masked Safe{Wallet} transaction that obtained three valid signer approvals while sending malicious transaction data to Ledger devices. The attacker used a delegatecall to modify the Safe masterCopy storage s…
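The mechanism the Verichains, Cobo and Safe{Wallet} items above describe, a signed execTransaction whose `operation` field is DELEGATECALL so that foreign code runs in the Safe's storage context and can overwrite the singleton (masterCopy) slot, is shown here as an added example; this is not code from any of the cited reports, from Bybit or from Safe. The function selector, the ABI layout of execTransaction and the fact that slot 0 holds the singleton address are Safe contract facts; the addresses, calldata and the allowlist of delegatecall targets are constructed for the example and represent an assumed signing policy, not the one any exchange uses.

```python
# Added example: decode Safe execTransaction calldata and flag a DELEGATECALL
# (operation = 1) to a target outside an allowlist. Not Safe's or Bybit's code.
from typing import Dict, FrozenSet, List

# Selector of execTransaction(address,uint256,bytes,uint8,uint256,uint256,
# uint256,address,address,bytes) on Safe contracts.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1
ARG_WORDS = 10  # ten 32-byte head slots precede the dynamic tails


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _dyn(b: bytes) -> bytes:
    """ABI-encode a dynamic bytes value: length word, then payload padded to 32."""
    return _word(len(b)) + b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(to: int, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """Build execTransaction calldata; gas and refund fields are left at zero."""
    data_enc, sig_enc = _dyn(data), _dyn(signatures)
    data_off = ARG_WORDS * 32            # offsets count from the start of the args
    sig_off = data_off + len(data_enc)
    head = (_word(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) * 3               # safeTxGas, baseGas, gasPrice
            + _word(0) + _word(0)        # gasToken, refundReceiver
            + _word(sig_off))
    return EXEC_TRANSACTION_SELECTOR + head + data_enc + sig_enc


def decode_exec_transaction(calldata: bytes) -> Dict[str, object]:
    """Parse the fields a signer should compare against what the UI shows."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    if len(args) < ARG_WORDS * 32:
        raise ValueError("truncated head")

    def word(i: int) -> int:
        return int.from_bytes(args[32 * i:32 * (i + 1)], "big")

    def dyn(off: int) -> bytes:
        if off + 32 > len(args):
            raise ValueError("dynamic offset out of range")
        n = int.from_bytes(args[off:off + 32], "big")
        if off + 32 + n > len(args):
            raise ValueError("dynamic length out of range")
        return args[off + 32:off + 32 + n]

    data = dyn(word(2))
    return {"to": word(0), "value": word(1), "data": data,
            "selector": data[:4].hex(),  # inner call selector, for the signer to eyeball
            "operation": word(3), "signatures": dyn(word(9))}


def assess(calldata: bytes,
           allowed_delegate_targets: FrozenSet[int] = frozenset()) -> List[str]:
    """Return findings for a proposed transaction; an empty list means no flag."""
    tx = decode_exec_transaction(calldata)
    findings: List[str] = []
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append(f"invalid operation {tx['operation']}")
    elif tx["operation"] == DELEGATECALL and tx["to"] not in allowed_delegate_targets:
        # A delegatecall runs the target's code with the Safe's own storage, so an
        # attacker-controlled target can write slot 0 (the singleton/masterCopy
        # address) and replace the wallet's implementation in one signed tx.
        findings.append(
            f"DELEGATECALL to 0x{tx['to']:040x} (inner selector {tx['selector'] or 'none'}): "
            "target code executes in the Safe's storage context and can overwrite "
            "slot 0 (singleton/masterCopy)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a plain ETH transfer versus a delegatecall to an
    # unknown contract whose inner call is dressed up to look like a transfer.
    benign = encode_exec_transaction(0x1111111111111111111111111111111111111111, 10**18, b"", CALL)
    lure = bytes.fromhex("a9059cbb") + b"\x00" * 64   # looks like transfer(address,uint256)
    hostile = encode_exec_transaction(0x2222222222222222222222222222222222222222, 0, lure, DELEGATECALL)
    print("benign :", assess(benign))
    print("hostile:", assess(hostile))
```

The check is deliberately narrow: Safe's own signing flow legitimately uses DELEGATECALL for batching libraries such as MultiSend, so the policy is an allowlist of known library addresses rather than a blanket ban, and anything else with operation = 1 should stop the signing ceremony regardless of how the transaction is rendered in a UI.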
SlowMist assessed a state-level APT campaign targeting cryptocurrency exchanges and attributed it to Lazarus Group after forensic analysis and correlation over recent incidents. The attackers used social engineering to persuade employees to run disguised …