The $1.5B Bybit Hack & How OSINT Led to Its Attribution

2025-08-06 Netlas

https://netlas.io/blog/bybit_hack/

Bybit lost more than $1.4 billion in ETH after Lazarus-linked operators compromised Safe{Wallet} infrastructure and manipulated the multisignature transaction flow used for a routine cold-to-warm wallet transfer. The excerpt describes initial access through social engineering against a Safe{Wallet} developer, involving a crypto-themed Python/Docker project, getstockprice[.]com, IP 70.34.245[.]118, stolen AWS session tokens, AWS reconnaissance, and use of Mythic Poseidon. Attackers modified JavaScript hosted from Safe{Wallet}'s AWS S3 resources so Bybit signers saw apparently legitimate transaction data while the approved transfer was redirected to an attacker-controlled contract address. The operation matters for DPRK-focused tracking because it combines Lazarus-style developer targeting, cloud credential theft, supply-chain compromise, and high-value cryptocurrency theft against a major exchange.

Indicators of Compromise
