Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Is your AppSec program actually reducing risk? Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk. Why? Traditional tools use generic prioritization and lack the ability to filter real threats from noise. High impact threats slip through and surface in production, costing 10 times more to fix. OX Security helps you focus on the 5% of issues that truly matter before they reach the cloud. Find out what risks deserve your attention in 2025. Download the Application Security Benchmark from OX. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Zach Edwards
This report that we did really came on the heels of the $1.4 billion Bybit hack. And our team, of course, when we saw this news, along with every other researcher in the industry, immediately said, my goodness, that's the largest heist that's ever existed in crypto. Is there anything that we can see within this hack to figure out additional details or pivot into other parts of their infrastructure?
Dave Bittner
That's Zach Edwards, a researcher at Silent Push. The research we're discussing today is titled New Lazarus Group Infrastructure Acquires Sensitive Intel Related to $1.4 Billion Bybit Hack and Past Attacks.
Zach Edwards
And so we essentially started to immediately just look for any domains that mentioned Bybit that were registered recently. And so our process was rather elementary at the start of it, but almost immediately we had a hit that there was a domain, bybit-assessment.com, that was registered just hours before the attack supposedly occurred. And so our team started looking into this domain, and immediately in the WHOIS records there was an email address exposed which actually had been used in other Lazarus North Korean hacker attacks in the past. And so our team immediately started to wonder, is this domain, which is registered by a threat actor, associated to this North Korean group? Was this actually the domain that was used in the heist? And what was quite interesting about our early findings was that this domain was actually being used by a different North Korean threat actor, not the North Korean threat actor who did the heist against Bybit. And so just to simplify this a little bit, North Korea has a number of hacking groups. They're all sort of classified under this Lazarus name. And then under Lazarus there are subgroups, and the group that did the billion dollar heist is an organization known as TraderTraitor, which is a mouthful, but essentially this group is going after large crypto organizations. They're doing these complicated hacks, supply chain breaches, and they've been behind similar crypto heists in the past. But this domain that we had found that was registered just hours before the Bybit hack was actually a separate group called Contagious Interview. And so what's particularly interesting about this is that across these different North Korean hacker groups, they're targeting the same companies. And so as we started to get into more details about what Contagious Interview infrastructure we were looking at, we realized that this was actually going to create an opportunity for us to understand other North Korean threat actors as well.
So not just the Contagious Interview subgroup, but potentially the other attackers and campaigns that they may be launching. And so, in short, our team was looking into this new domain that was registered by a Contagious Interview Lazarus subgroup. And we found a few pivots where this domain was connected into a couple of others through server and WHOIS commonalities. And one of the domains that we pivoted into was wide open. They'd left all of their code, all their infrastructure, just waiting for anyone to download it. And so our team immediately grabbed those resources, and we were essentially able to get logs of these North Korean threat actors testing their own infrastructure, and not only exposing email addresses that they use for this testing, but IP addresses that they're using to communicate with this infrastructure. And so this, from one tiny pivot, or one little investigation into can we find anything on the Bybit hack, eventually led us to what we have now, which is the actual code from one of these North Korean threat actor groups and their infrastructure logs.
Dave Bittner
Wow. No, well, I do want to dig into that, but before we do, can we just break down the attack itself? I mean, how did Lazarus go about infiltrating Bybit?
Zach Edwards
Yeah, that's a great question. So what we sort of know about this attack right now is that an organization called SafeWallet was targeted. And essentially the threat actors at Lazarus and this subgroup, TraderTraitor, set up some honeypots that they were targeting SafeWallet developers with. And through a somewhat murky process, we don't exactly know how that developer was targeted. It's possible that there's maybe some sensitive details. We don't exactly know why that developer interacted with that phishing experience. We don't exactly know what type of malware they were given, but we do know that that developer was compromised. And as soon as they had sort of compromised that developer's device, they went out and they essentially created a honeypot, or a change to this code, so that when a very specific wallet ID was going to interact with the SafeWallet, it would switch out the wallet IDs from the known trusted Bybit wallet into an attacker's wallet. And so Bybit was essentially just doing their normal course of business. They were doing some process that they probably do every other day or every week. But in this instance, the code was essentially poisoned. And so when they went to make their transfer, instead of the money going into an internal wallet, it went external. And the threat actors suddenly had, basically, Bybit transfer them all the money. And within minutes to hours, they were laundering that money through numerous different laundering services, sort of different exchanges. A small portion of it has been seized, millions of dollars, but there's still hundreds of millions that are unaccounted for, slash successfully laundered. And so right now, there's a lot of crypto investigators that are continuing to try and track that money. And whenever that money is transferred into a specific exchange that maybe has KYC policies, complies with abuse complaints, they are attempting to freeze those funds.
And so it's essentially a race to see how fast Lazarus can launder the money, and if researchers and exchanges can freeze that money before it's spread out into so many wallets that it's essentially a fool's errand to try and track this. And the long and short of it is Lazarus has been extremely successful at laundering crypto money, and there's many researchers that have been successful at stopping some of it. But the reason why we continue to have these ongoing campaigns where they're trying to basically rob crypto banks, and then they also have these other schemes where they're trying to infect crypto developers, the reason why they're doing all of that, is because this crypto is money. It spends like money in all the ways that North Korean launderers care about. And they're able to acquire this crypto, launder it through complex technical means, and then on the back end, use various cash-for-crypto laundering networks that exist all over Asia, and essentially turn that crypto into currency. And what we know about North Korea, they're taking this currency and they're using it to fund their nuclear program and their ballistic missile program. And so essentially everyone out there that cares about a safer world, a world where North Korea doesn't have the weapons to basically threaten allies and neighbors, needs to be thinking about these types of crypto heists, because even if you're not in the crypto game yourself, not an investor, this is serious money. And then the other reality is that the United States now has a sovereign crypto fund. So all of us taxpayers in the US, we technically have skin in the crypto game. And so it's a very complicated situation.
Dave Bittner
Well, Zach, help me understand here. When the Lazarus Group decided to turn the knob and start siphoning off all of this crypto from Bybit, how much infrastructure would they have needed behind the scenes to intake all of that? Would they be able to handle that in an automated way to start the distribution for the laundering? Or do you suppose they had to have a team of folks standing by?
Zach Edwards
That's a really good question. I think that it's clear that there was a team of money launderers likely standing by. And while we don't have all the details about how North Korean hackers structure their own internal operations, it's clear that they have operators, they have social engineers, they have developers, and they have experts at crypto money laundering. And there's basically, Tornado Cash may be a phrase that people are familiar with. There have been other sort of crypto laundering services that have come under the ire of the US government. Some have been deemed sort of illegal products, and there's various litigation going on around those. But there's essentially a large number of, quote, crypto laundering services available. And so it would appear that these North Korean threat actors have their finger on the pulse of a large number of these. And this is basically one of those problems that's only going to get more complicated over time. And essentially when they have hundreds of millions of dollars, they can just hand that over to another team and then start using these Tornado Cash-like laundering services. And the way that this essentially works, let's say you transfer $5 million in Bitcoin or Ethereum into one of these mixers. The mixers then will generate thousands of other wallets, and they're doing this for all of their clients. And so essentially the output from these mixers is they may take $5 million and split it up into $10,000 chunks and then transmit those $10,000 chunks to each of the wallets that are being spun up. And so when you have hundreds of clients using the same service, all putting money into it, the money starts to get blended and hidden away. You can see the new wallets that are being created and the money that is being transferred from that service into them, but you don't know who controls that wallet, you don't know which pool of money was actually behind it.
Now, fortunately for researchers, when you have hundreds of millions of dollars in crypto and you're putting it into these mixing services, I think that the noise from that volume ends up making it a little easier, or at least somewhat possible to track some of this money, even when it does go into a thousand other wallets. And so that's part of what these crypto investigators are really spending a lot of their time on, is investigating where the money was sent to. And then when they see that money sort of disappear into a thousand other wallets, they need to further track those thousand wallets and start to determine does that money then transfer even further. And this is the way that these chains work. It's essentially passing money from one wallet to the next. And it does take serious technical resources to track that in the crypto ecosystem.
Dave Bittner
We'll be right back. Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work-life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today at vanguardjobs.com. Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Dave Bittner
Can you share some insights? I know, for example, you and your colleagues at Silent Push, you have your own threat monitoring tools, but there's also open source intelligence. And how do each of those play into detecting this sort of attack?
Zach Edwards
Yeah, that's a great point. So Silent Push, we have our own proprietary data, we have a community tool where anyone can sort of search our data for free. But we like to think about it as it's all our own first party data. This is both good and bad. Good in that we can easily share it, make it available to other folks, but we may not have the visibility into certain niche threats. And so it's essential for any researchers who use a specific toolset or use a specific platform, you absolutely have to combine that with external research methodologies. And so this type of threat, it would be impossible to track this type of threat if there weren't hundreds of people at a diverse range of research and cybersecurity companies looking into this and making their findings public about what they saw. And we basically made our report public, even though it was essentially an effort where we were trying to investigate TraderTraitor, and we pivoted into Contagious Interview, two separate Lazarus subgroups. But it's essential for everyone out there to know that these North Korean hackers are targeting the same brands. And so if you're a researcher investigating one Lazarus subgroup, you really need to try and make that research public, because what you found may actually impact other Lazarus subgroups and may be a lead that someone tracking a totally separate actor or a totally separate subgroup could use to find their next target. And so when we think about sort of these Lazarus subgroups, Contagious Interview is a group that is essentially targeting people who are looking to work in the crypto industry. And this subgroup basically has created honeypots where they may have job websites, they may have totally fake corporate LinkedIns, they're creating fake employees, and they're reaching out to people who want to work in the crypto industry and saying, hey, we think you're a great fit for this job. Can you apply on this website?
And then people are going to these websites, and this is impacting a large number of crypto employees and people who want to work in the industry. And as they go through this job hiring website, it looks legitimate, it looks real, they're asking the right questions. They always have this video interview portion or something to basically record your own thoughts on a specific question that they're asking. And in this process, when you click to initiate the video, a subtle error message pops up and says, whoops, you're almost done with the job application. But unfortunately, this video, we're having an error. You just need to download this one thing real quick and it will fix it, and you'll be done with this job interview and on your way. And so they have these really convincing lures in this job application process, which eventually deploys malware onto one of these crypto developers' computers. And it's really important for everyone to appreciate that this type of threat actor is able to convince an individual to basically compromise their own computer. And that individual may currently work at a crypto company. And so they're applying to work at another crypto company. But herein lies the rub. If a crypto threat actor gets access to a developer's machine who already works at a crypto company, they could immediately get access to sensitive credentials and sensitive details, which they could pass on to another one of the Lazarus subgroups to essentially conduct a bank heist against that crypto company. And so I think it's really important for people to appreciate that Lazarus and this North Korean threat actor group, they have different schemes, some of these high level bank heist type schemes, others are this kind of less sophisticated targeting of individual developers.
But it all wraps up into this larger threat matrix where if they get one thing from the Contagious Interview process, they could pass it on to the other group, and suddenly someone who was applying for a job could have the company that they currently work at hit with ransomware. And so there's a lot of complexity between researching these Lazarus groups, understanding their shared targeting, and appreciating that we need to make details public whenever we figure that out for one of these subgroups, because it could apply broadly to Lazarus.
Dave Bittner
So given this group's resources, their sophistication, their cleverness, their persistence, what do companies do to protect their supply chains, to protect their employees against these sorts of things?
Zach Edwards
Yeah, and really there's no silver bullet for stopping these types of threats. Education and training people that these threats are out there is really the first step. Everyone who's in the crypto industry should hopefully be aware that this is occurring. They should be very cautious when applying for jobs or when someone proactively reaches out to them offering them a job. The other thing that defenders should really keep in mind is that North Korean threat actors have some consistent decisions they're making. And one of them that we actually uncovered in our research was aligned to other past research that's been put out. North Korean threat actors, for whatever reason, love a VPN called Astral VPN. Now, most people here probably aren't familiar with Astral VPN. It's certainly not sponsoring podcasts and out there kind of with as much notoriety as some of the others, but it's still a legitimate, relatively large VPN. But in the logs that we acquired from this Contagious Interview operational failure that they had, we were seeing all of their test logs as they were testing their own infrastructure. And shockingly, we had the IP addresses in these logs. And so our team was able to look at all the IP addresses that they were using in this test submission process. And 100% of them were Astral VPNs. And so I think it's very important for defenders to know that. And our team has spoken with quite a few other organizations that have been directly targeted either with this Contagious Interview scheme or other variations. There's a fake IT worker scheme that North Korea is also deploying where they essentially have hundreds if not thousands of people spread out across Asia, and they're applying for jobs at Western companies, and not just crypto companies. And these people, once they get these jobs, they're essentially, many of them have multiple jobs at the same time.
So they're sort of juggling multiple employments at the same time, and they're taking that money and they're funneling it to the same nuclear and ballistic missile programs that these other crypto schemes are funneling money into. And so there's a lot of major corporations. KnowBe4 is a popular security company, they help with phishing tests. They hired one of these fake North Korean workers, and they put out a really good blog post explaining how they were tricked, how they caught it, what the threat actors were trying to do. And it's really important for everyone to appreciate that these fake IT workers also use Astral VPN. And so when we catch something like a Contagious Interview using an Astral VPN, and it aligns with the fake IT workers using Astral VPN, and we see shared targeting across these groups, these are the details which are really important to share and to make public whenever possible. And so every defender out there, if you're trying to stop all of these different types of North Korean threats, from the crypto heists to the various fake worker schemes and fake hiring schemes, it's really important to track the IPs that are being used in those connections into your infrastructure. And ideally you would have a pool of Astral VPNs so that you could basically compare that against those connections. And if you see Astral VPN connections in your infrastructure and those are connected with suspicious behaviors, you should strongly consider classifying that as a potential North Korean threat actor and try and make those details public.
Dave Bittner
Well, Zach, before we run out of time, I do want to dig into this unique view that you and your colleagues had with this exposed server, I suppose we could call it, and everything that was in it. I'm trying to imagine the look on your face or your colleagues' faces, the wide eyes you must have had when you realized what you had in front of you there.
Zach Edwards
That's exactly right. And it's down now, so it was only exposed for a very short period of time. And our researchers at Silent Push, we always are looking for threat actors' mistakes, and usually that's just maybe a consistency decision they're making. So some type of hosting or registrar or domain pattern that they keep on using. But occasionally you do get lucky where a threat actor, they're spinning up many different servers, maybe they forget to lock one down, and suddenly they have an open directory and all of their directory files are available to immediately download. And this is the type of accident or mistake that really can shine the light on these types of operations. Because not only do we have all the code that they're using to orchestrate on any one of these domains, we can see all these test logs, and quite honestly, we can see the victims they're targeting too. And so part of what we didn't make public is we obviously didn't list any of the victims that we saw. It's been shared with law enforcement, and we wish everyone the best in those mitigation processes. But we do know the companies that they were targeting, where they were trying to pull these victims out of. And so I could share with you the list of 34 different brands that are being featured. But really the simplest way to think about it is they're targeting the top 20 major crypto companies, and then there's a small grouping of smaller crypto companies that even our researchers weren't familiar with immediately. And we've made that public on our website. So anyone who's in the crypto industry, who is in threat sharing circles in the crypto industry, we've made the entire corporate victim list public. So while you don't know individual names, we're certainly not exposing email addresses that were targeted, this will give you that high level view of this is who Lazarus is targeting. And likely multiple subgroups are targeting these crypto brands.
And it ranges from Coinbase and Binance and Kraken to more sort of classic finance brands like Stripe and, I think, Robinhood, and there's a few other sort of classic finance companies that also deal in crypto. And so I think it's important to highlight that Lazarus is not just going after crypto companies, they're going after companies that deal in crypto. So you may be a classic finance brand, but as soon as you dip your toes into crypto and have some potential crypto tokens to be stolen, you will be added to their potential targeting list. And it is something to keep in mind.
Dave Bittner
And it seems as though there are no signs that they're slowing down. I mean, they're very successful.
Zach Edwards
Yeah. When you successfully steal $1.4 billion, you're not going to be slowing down unless it's just to go to a vacation. And these North Korean threat actors, they work for North Korea. It is not like your classic cybercrime group where these people are just going to stop doing their business, move to a resort on the Black Sea, and just retire at 25 years old. These are basically soldiers in North Korea's army. And so they've been extremely successful in their recent attacks. They've been able to gather huge amounts of resources, almost unimaginable. And so we should expect that North Korean leadership will continue to fund these efforts, will probably double down on the resources that are sent to them. And this is really the start of this type of problem. The crypto industry is very young compared to how we're going to be able to stop these. And we should expect for some significant period of time, North Korea will remain the premier threat actor targeting crypto.
Dave Bittner
Our thanks to Zach Edwards from Silent Push for joining us. The research is titled New Lazarus Group Infrastructure Acquires Sensitive Intel Related to $1.4 Billion Bybit Hack and Past Attacks. We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Podcast Summary: CyberWire Daily – Bybit’s $1.4B Breach [Research Saturday]
Release Date: April 5, 2025
Host: Dave Bittner
Guest: Zach Edwards, Researcher at Silent Push
In this episode of CyberWire Daily, hosted by Dave Bittner and featuring Zach Edwards from Silent Push, the discussion centers around the monumental $1.4 billion breach at Bybit, a leading cryptocurrency exchange. The episode delves deep into the mechanics of the attack, the involvement of the notorious Lazarus Group, and the broader implications for the cryptocurrency industry and cybersecurity landscape.
At the outset, Zach Edwards provides a comprehensive breakdown of the Bybit hack, emphasizing its unprecedented scale within the crypto sector.
"That's Zach Edwards, a researcher at Silent Push." [01:57]
Edwards reveals that the breach targeted SafeWallet, a subsidiary of Bybit, where Lazarus Group orchestrated a sophisticated attack involving the creation of honeypots to deceive developers. The compromised developer's credentials were exploited to alter wallet IDs, redirecting funds from trusted internal wallets to attacker-controlled external wallets.
"When they went to make their transfer, instead of the money going into an internal wallet, it went external." [06:28]
Edwards narrates the investigative journey undertaken by Silent Push following the breach. The team identified a suspicious domain, bybit-assessment.com, registered mere hours before the attack, linking it to the Lazarus Group's Contagious Interview subgroup rather than the TraderTraitor faction responsible for the heist.
"North Korea has a number of hacking groups. They're all sort of classified under this Lazarus name." [02:19]
This inadvertent discovery shed light on the interconnectedness of different Lazarus subgroups targeting similar entities, revealing a broader threat landscape.
A pivotal moment in the discussion is the revelation of exposed infrastructure code and logs from the Contagious Interview subgroup. This exposed data provided unprecedented insights into the group's operational tactics, including their use of Astral VPN for obfuscating activities.
"100% of them were Astral VPNs." [22:01]
Edwards underscores the sophistication of the Lazarus Group, highlighting their ability to automate money laundering through mixers like Tornado Cash, which disperses funds across thousands of wallets, complicating tracking efforts.
"These North Korean threat actors have some consistent decisions they're making." [22:01]
The Bybit breach is not an isolated incident but part of a larger and persistent campaign by North Korean hackers to siphon funds from cryptocurrency platforms. Edwards emphasizes the dual threat posed by these actors: conducting high-value heists and embedding themselves within the developer community to gain deeper access.
"If a crypto threat actor gets access to a developer's machine who already works at a crypto company, they could immediately get access to sensitive credentials." [16:40]
This dual approach not only facilitates immediate financial theft but also ensures long-term access and control over targeted organizations' infrastructure.
Addressing the escalation in such attacks, Edwards advocates for a multifaceted defense strategy:
Education and Training: Raising awareness among employees about phishing schemes and suspicious job offers.
Monitoring and Threat Intelligence Sharing: Leveraging both proprietary tools and open-source intelligence to track and share threat indicators, such as the consistent use of Astral VPN by Lazarus subgroups.
Technical Defenses: Implementing robust AppSec programs to filter genuine threats from noise, focusing on the 5% of issues that pose real risks.
"Education and training people that these threats are out there is really the first step." [22:01]
Additionally, Edwards highlights the importance of publicizing findings to aid other organizations in preemptively identifying and mitigating similar threats.
One of the most striking revelations was the accidental exposure of Lazarus Group's server infrastructure. Edwards recounts how Silent Push's vigilant monitoring led to the discovery of open directories containing operational code and logs, offering a rare glimpse into the group's methodologies and victim profiles.
"We can see the new wallets that are being created and the money that are being transferred from that service into them, but you don't know who controls that wallet." [11:28]
This accidental leak not only provided tangible evidence of ongoing operations but also underscored the importance of proactive threat hunting in uncovering and understanding adversaries.
Concluding the discussion, Edwards paints a bleak picture of the ongoing threat posed by the Lazarus Group. Given their state backing and strategic objectives, the group shows no signs of abating. The intertwining of their cyber operations with North Korea's geopolitical ambitions ensures a persistent and evolving threat landscape.
"When you successfully steal $1.4 billion, you're not going to be slowing down unless it's just to go to a vacation." [29:47]
The episode underscores the necessity for continuous innovation in cybersecurity measures and international cooperation to combat such sophisticated threats.
Dave Bittner wraps up the episode by reiterating the significance of the findings presented by Zach Edwards and emphasizes the need for collective action within the cybersecurity community to safeguard critical infrastructures against evolving threats.
"We wish everyone the best in those mitigation processes." [26:42]
Sophistication of Lazarus Group: The North Korean threat actors behind the Bybit breach exhibit high levels of technical expertise and strategic planning, leveraging multiple subgroups to execute complex attacks.
Multi-Vector Threats: Lazarus employs both high-value financial heists and targeted infiltration of developer communities to maximize impact and access.
Importance of Threat Intelligence Sharing: Publicizing discoveries and threat indicators is crucial in enabling other organizations to preemptively defend against similar tactics.
Persistent and Evolving Threat Landscape: The ongoing and unfaltering nature of North Korean cyber operations necessitates continuous advancements in cybersecurity defenses and collaborative defense mechanisms.
Notable Quotes:
"Traditional tools use generic prioritization and lack the ability to filter real threats from noise. High impact threats slip through and surface in production, costing 10 times more to fix." – Dave Bittner [00:21]
"North Korea has a number of hacking groups. They're all sort of classified under this Lazarus name." – Zach Edwards [02:19]
"Education and training people that these threats are out there is really the first step." – Zach Edwards [22:01]
"When you successfully steal $1.4 billion, you're not going to be slowing down unless it's just to go to a vacation." – Zach Edwards [29:47]
Conclusion
The episode of CyberWire Daily featuring Zach Edwards provides an in-depth examination of the Bybit breach, unraveling the intricate operations of the Lazarus Group and emphasizing the broader implications for the cryptocurrency sector. It serves as a crucial reminder of the ever-evolving cybersecurity threats and the imperative for robust, informed, and collaborative defense strategies.