icon
icon
icon
Aime
Products
News
Market
Portfolio
icon
Download
Upgrade
Upgrade

News /

Articles /

Articles Details

Coin World · Follow

Quickly understand the history and background of various well-known coins

Bybit Hack Linked to Compromised Developer Laptop and DPRK Ties

Coin WorldThursday, Mar 6, 2025 2:44 pm ET
1min read
AMZN -- MFA --

Safe, a prominent security firm, recently published a preliminary report revealing that the breach which led to the Bybit hack was attributed to a compromised developer laptop. The vulnerability resulted in the injection of malware, which allowed the hackers to gain unauthorized access to Bybit's systems. The perpetrators circumvented multi-factor authentication (MFA) by exploiting active amazon Web Services (AWS) tokens, enabling unauthorized access.

The breach originated from a compromised macOS workstation belonging to a Safe developer, referred to in the report as “Developer1.” On Feb. 4, a contaminated Docker project communicated with a malicious domain named “getstockprice[.]com,” suggesting social engineering tactics. Developer 1 added files from the compromised Docker project, compromising their laptop. The domain was registered via Namecheap on Feb. 2. SlowMist later identified getstockprice[.]info, a domain registered on Jan. 7, as a known indicator of compromise (IOC) attributed to the Democratic People’s Republic of Korea (DPRK).

Attackers accessed Developer 1’s AWS account using a User-Agent string titled “distrib#kali.2024.” Cybersecurity firm Mandiant, tracking UNC4899, noted that this identifier corresponds to Kali Linux usage, a toolset commonly used by offensive security practitioners. Additionally, the report revealed that the attackers used ExpressVPN to mask their origins while conducting operations. It also highlighted that the attack resembles previous incidents involving UNC4899, a threat actor associated with TraderTraitor, a criminal collective allegedly tied to DPRK.

In a prior case from September 2024, UNC4899 leveraged Telegram to manipulate a crypto exchange developer into troubleshooting a Docker project, deploying PLOTTWIST, a second-stage macOS malware that enabled persistent access. Safe’s AWS configuration required mfa re-authentication for Security Token Service (STS) sessions every 12 hours. Attackers attempted but failed to register their own MFA device. To bypass this restriction, they hijacked active AWS user session tokens through malware planted on Developer1’s workstation. This allowed unauthorized access while AWS sessions remained active.

Mandiant identified three additional UNC4899-linked domains used in the Safe attack. These domains, also registered via Namecheap, appeared in AWS network logs and Developer1’s workstation logs

Ask Aime: What is the likelihood of further hacker attacks affecting cybersecurity firms?

Comments

Add a public comment...
Post
Refresh
Disclaimer: the above is a summary showing certain market information. AInvest is not responsible for any data errors, omissions or other information that may be displayed incorrectly as the data is derived from a third party source. Communications displaying market prices, data and other information available in this post are meant for informational purposes only and are not intended as an offer or solicitation for the purchase or sale of any security. Please do your own research when investing. All investments involve risk and the past performance of a security, or financial product does not guarantee future results or returns. Keep in mind that while diversification may help spread risk, it does not assure a profit, or protect against loss in a down market.
You Can Understand News Better with AI.
Whats the News impact on stock market?
Its impact is
fork
logo
AInvest
Aime Coplilot
Invest Smarter With AI Power.
Open App