
Safe {Wallet} has revealed that the cybersecurity incident behind the $1.5 billion crypto heist at Bybit was a “very sophisticated state-sponsored attack.”
The multi-signature (multisig) platform, which roped in Google Cloud Mandiant to conduct a forensic investigation, said the attack was the work of a hacking group tracked as Jade Sleet, PUKCHONG, TraderTraitor and UNC4899.
“The attack involved compromises of Safe {Wallet} developer laptops (“Developer1”) and the hijacking of AWS session tokens, bypassing multi-factor authentication (“MFA”) controls,” it said. “This developer was one of the few people who had more access to perform their duties.”

Further analysis revealed that the threat actor had compromised the developer’s Apple macOS machine on February 4, 2025, through a Docker project that communicated with the domain “GetStockPrice[.]com”, which had been registered with Namecheap two days earlier.
This matches previous evidence that the TraderTraitor actor tricked a cryptocurrency exchange developer into helping troubleshoot a Docker project after approaching them via Telegram. That Docker project was configured to drop a next-stage payload named PLOTTWIST, which provides persistent remote access.
It is not clear whether the same modus operandi was used in the latest attack, as Safe {Wallet} said the “attackers cleared the Bash history to remove the malware and block the investigation effort.”
The malware that was eventually deployed on the workstation was said to have been used to conduct reconnaissance of the company’s Amazon Web Services (AWS) environment.
“The attacker’s use of Developer1’s AWS account originated from an ExpressVPN IP address with a user agent string containing Distrib#Kali.2024,” it added. “This user agent string illustrates the use of Kali Linux, designed for offensive security practitioners.”
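The two indicators the article reports for the AWS side of the intrusion, a hijacked session token used from a VPN exit address and a user agent advertising Kali Linux, are both visible in CloudTrail. The script below is an added illustration (not Safe {Wallet}’s or Mandiant’s tooling) of how a defender would scan CloudTrail-style records for them. All events, IP addresses, ARNs and access key ids are constructed, and the “known network” range is a hypothetical office prefix; the only value taken from the article is the `Distrib#Kali` user agent marker.

```python
"""Added example: flag suspicious use of a developer's temporary AWS
credentials in CloudTrail-style records. Every event below is constructed;
the expected-network range is a hypothetical office prefix."""
import ipaddress
from collections import defaultdict

# Hypothetical: networks from which Developer1's sessions are expected.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Marker reported in the article's user agent string for the attacker's CLI.
SUSPICIOUS_UA_MARKERS = ("Distrib#Kali",)

DEV_ARN = "arn:aws:sts::111122223333:assumed-role/DevRole/Developer1"  # constructed

# Constructed CloudTrail-like events (a subset of the real schema's fields).
SAMPLE_EVENTS = [
    {"eventTime": "2025-02-04T10:01:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": DEV_ARN, "accessKeyId": "ASIACONSTRUCTEDKEY1"},
     "sourceIPAddress": "203.0.113.45",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0 exe/x86_64"},
    # Same temporary key as above, now from a different IP with a Kali user agent.
    {"eventTime": "2025-02-05T02:14:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": DEV_ARN, "accessKeyId": "ASIACONSTRUCTEDKEY1"},
     "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.6.9 exe/x86_64 Distrib#Kali.2024"},
    # A fresh session from the office: benign.
    {"eventTime": "2025-02-05T09:30:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": DEV_ARN, "accessKeyId": "ASIACONSTRUCTEDKEY2"},
     "sourceIPAddress": "203.0.113.46",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0 exe/x86_64"},
]


def analyze_events(events):
    """Return one finding per event that matches any indicator.

    Indicators checked, in order:
      - user agent contains a Kali marker
      - source IP is outside the expected networks
      - the same temporary access key (i.e. the same STS session) has now been
        seen from more than one IP, which is how a stolen session token looks
        in the logs: the legitimate holder and the thief both use it.
    """
    seen_ips = defaultdict(set)
    findings = []
    for ev in events:
        ip = ipaddress.ip_address(ev["sourceIPAddress"])
        key = ev["userIdentity"]["accessKeyId"]
        seen_ips[key].add(ip)
        reasons = []
        if any(m in ev["userAgent"] for m in SUSPICIOUS_UA_MARKERS):
            reasons.append("kali_user_agent")
        if not any(ip in net for net in KNOWN_NETWORKS):
            reasons.append("unexpected_source_ip")
        if len(seen_ips[key]) > 1:
            reasons.append("session_reused_from_new_ip")
        if reasons:
            findings.append({"eventTime": ev["eventTime"],
                             "eventName": ev["eventName"],
                             "accessKeyId": key,
                             "sourceIPAddress": str(ip),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding)
```

The session-reuse check is the one that does not depend on the attacker’s tooling: a temporary credential that suddenly appears from a second source address is worth an alert even when the user agent looks ordinary, since MFA was already satisfied when the session was minted and will not be challenged again.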
The attackers were also observed deploying the open-source Mythic framework and injecting malicious JavaScript code into the Safe {Wallet} website for a two-day period from February 19 to 21, 2025.
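A tampered front-end script of the kind described above is detectable by comparing the hash of what the site actually serves with a signed-off baseline. The following is an added example, not code from Safe {Wallet}; the script bodies and paths are constructed, and the helper also emits the Subresource Integrity value a page can pin each script to.

```python
"""Added example: compare the JavaScript a site serves against a baseline of
known-good hashes, and compute Subresource Integrity (SRI) values. Script
contents and paths are constructed for illustration."""
import base64
import hashlib


def sri_value(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI string (e.g. 'sha384-...') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed known-good bundles, as they were when the release was signed off.
KNOWN_GOOD_APP_JS = b"export function submit(tx) { return wallet.sign(tx); }\n"
KNOWN_GOOD_VENDOR_JS = b"/* vendor bundle v1 */\n"
BASELINE = {
    "/static/app.js": sri_value(KNOWN_GOOD_APP_JS),
    "/static/vendor.js": sri_value(KNOWN_GOOD_VENDOR_JS),
}

# Constructed snapshot of what the site is serving right now: app.js has an
# unexpected addition and a script nobody signed off on has appeared.
SERVED_NOW = {
    "/static/app.js": KNOWN_GOOD_APP_JS + b"// unexpected addition\n",
    "/static/vendor.js": KNOWN_GOOD_VENDOR_JS,
    "/static/extra.js": b"// not in baseline\n",
}


def check_scripts(served, baseline):
    """Return sorted (path, problem) pairs for every deviation from baseline.

    problem is one of:
      hash_mismatch    served content differs from the signed-off version
      not_in_baseline  a script is served that was never approved
      missing          an approved script is no longer served
    """
    findings = []
    for path, body in served.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "not_in_baseline"))
        elif sri_value(body) != expected:
            findings.append((path, "hash_mismatch"))
    for path in baseline.keys() - served.keys():
        findings.append((path, "missing"))
    return sorted(findings)


if __name__ == "__main__":
    for path, problem in check_scripts(SERVED_NOW, BASELINE):
        print(f"{problem:16} {path}")
```

Run from an external vantage point, this kind of check catches modification of the served bundle regardless of how the attacker got write access to the site; pinning the same hashes in `integrity` attributes makes the browser refuse a modified script outright.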
Bybit CEO Ben Zhou said in an update shared earlier this week that more than 77% of the stolen funds remain traceable, with 20% having gone dark and 3% frozen. Eleven parties, including Mantle, Paraswap and ZachXBT, have been involved in freezing assets. Approximately 83% (417,348 ETH) has been converted to Bitcoin and is distributed across 6,954 wallets.

In the wake of the hack, 2025 is on track to be a record year for cryptocurrency theft, with Web3 projects already losing a staggering $1.6 billion in the first two months alone, an eight-fold increase from $200 million, according to data from blockchain security platform Immunefi.
“Recent attacks highlight the evolving refinement of threat actors and critical vulnerabilities in Web3 security,” the company said.
“Ensuring that the transactions you are signing lead to the intended outcome is one of Web3’s biggest security challenges, and this is not just a question of users and education. It’s an industry-wide issue that calls for collective action.”