Bybit hack traced to Safe{Wallet} supply chain attack exploited by North Korean hackers

February 27, 2025Ravi LakshmananCybercrime/Cryptocurrency

The US Federal Bureau of Investigation (FBI) has officially linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared “war with Lazarus.”

The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster it tracks as TraderTraitor, which is also tracked as Jade Sleet, Slow Pisces, and UNC4899.

“The TraderTraitor actors are moving forward quickly, converting some of the stolen assets into Bitcoin and other virtual assets distributed across thousands of addresses on multiple blockchains,” the FBI said. “These assets are expected to be laundered further and eventually converted to fiat currency.”

It is noteworthy that the TraderTraitor cluster was previously implicated by Japanese and US authorities in the theft of $308 million worth of cryptocurrency from cryptocurrency company DMM Bitcoin in May 2024.

The threat actor is known for targeting companies in the Web3 sector, often tricking victims into downloading malware-laced cryptocurrency apps to facilitate theft. Alternatively, it is known to orchestrate job-themed social engineering campaigns that lead to the deployment of malicious npm packages.

Meanwhile, Bybit has launched a bounty program to help recover stolen funds, refusing to investigate and refusing to help freeze assets.

“The stolen funds have been moved to non-trackable or frozen destinations such as exchanges, mixers, bridges, and other things, and converted into stablecoins that can be frozen,” he said. “We will ensure that cooperation from all involved can either freeze funds or provide updates on their moves so that we can continue the tracing.”

The Dubai-based company has also shared the conclusions of two investigations conducted by Sygnia and Verichains, linking the hack to the Lazarus Group.

“Forensic investigations of the three signatories’ hosts suggest that the root cause of the attack is malicious code derived from the Safe{Wallet} infrastructure,” Sygnia said.

Verichains said, “The benign JavaScript file in app.safe.global appears to have been replaced by malicious code on February 19, 2025 at 15:29:25 UTC.”

It is suspected that the AWS S3 or CloudFront account/API key of Safe.Global was leaked or compromised, paving the way for a supply chain attack.

In a separate statement, multisig wallet platform Safe{Wallet} said the attack was carried out by compromising Safe{Wallet} developer machines, which affected accounts run by Bybit. The company also noted that it has implemented additional security measures to mitigate the attack vector.

The attack was “achieved through a compromised machine by a Safe{Wallet} developer, resulting in the suggestion of malicious transactions that were disguised,” it said. “Lazarus is a state-sponsored North Korean hacker group well known for sophisticated social engineering attacks on developer credentials, sometimes combined with zero-day exploits.”

It is not clear at the moment how the developer’s system was compromised, but a new analysis from Silent Push reveals that the Lazarus Group registered a domain, by-bit rating[.]com, on 20th February 2025 at 22:21:57, hours before the cryptocurrency theft.

The WHOIS record indicates that the domain was registered using the email address “trevorgreer9312@gmail[.]com,” which was previously identified as a persona used by the Lazarus Group in connection with another campaign called Contagious Interview.

“The Bybit heist appears to have been carried out by a group of DPRK threat actors known as Jade Sleet and TraderTraitor, also known as Slow Pisces. Meanwhile, the crypto interview scam is led by a group of DPRK threat actors known as Contagious Interview, also known as Famous Chollima,” the company said.

“Victims are usually approached via LinkedIn, where they are socially engineered to participate in fake employment interviews. These interviews serve as entry points for targeted malware deployment, credential harvesting, and further compromises in financial and corporate assets.”

North Korea-linked actors are estimated to have stolen more than $6 billion in crypto assets since 2017. The $1.5 billion stolen last week exceeds the $1.34 billion the threat actors stole across 47 cryptocurrency heists throughout 2024.
