Not So Safe
North Korean hackers didn't need a zero-day exploit or billion-dollar quantum computer to pull off history's largest crypto heist.
The culprits? Not some basement-dwelling script kiddies, but TraderTraitor, a North Korean hacker unit operating under the Lazarus Group umbrella.
They socially engineered a developer into running a malicious Docker project and turned Web3's promises of security into digital ash.
You are one yaml.load away from losing everything – a bitter lesson Bybit learned when $1.4 billion vanished from their Safe multisig, the industry's supposedly unbreakable standard.
Safe's security reputation shattered in a heartbeat.
A decade of being crypto's Fort Knox crumbled not because of some revolutionary hack, but a boring config file mistake that Kim Jong Un's cyber goons exploited with surgical precision.
Laugh-cry at the irony: billions guarded by battle-tested smart contracts got jacked because someone screwed up a YAML file.
Web3 keeps flexing triple-audited code and mathematically perfect protocols while the billions they protect sit behind doors with Web2 locks that might as well be made of cardboard.
When a simple syntax error can cost more than the GDP of some nations, maybe it's time to ask: is our precious self-custody just an elaborate magic show where we pretend not to see the trap doors?
On Wednesday, February 26th, Bybit CEO Ben Zhou dropped a bombshell that redefined the hack narrative.
Two independent forensic reports from Sygnia and Verichains confirmed what many feared - this wasn't a Bybit breach at all.
Those initial reports implicated Safe's infrastructure as the attack vector, shifting focus from Bybit's security practices to a compromised component in the Safe system itself.
Fast forward to March 6th: Safe's investigation, conducted in collaboration with Mandiant, confirmed what we already knew while painting an even more disturbing picture of the attack's sophistication.
The smoking gun? A compromised Safe{Wallet} developer machine that became TraderTraitor’s trojan horse into crypto's most trusted vault.
The North Korean hackers didn't just penetrate any system - they executed a meticulously planned 19-day operation to surgically infect the very interface Bybit's signers used to manage billions.
Forget the "blockchain is unhackable" platitudes. This elite hacking crew slipped malicious JavaScript into the Safe{Wallet} website, rigging the game so only Bybit's Cold Wallet signers would trigger the trap.
Every other Safe user remained blissfully unaware of the digital time bomb ticking away in their interface.
When Bybit's signers initiated what they thought was a routine transfer, the malicious code swapped their legitimate transaction with a delegate call to the attacker's contract - essentially handing over the keys to a $1.4 billion kingdom with a single click.
"The attack specifically targeted Bybit by injecting malicious JavaScript... designed to activate only when certain conditions were met," Verichains reported.
Mandiant's investigation indicates that a Safe developer’s laptop was compromised, allowing attackers to hijack AWS session tokens and bypass MFA protections - creating a single point of failure in a system designed to eliminate exactly that kind of risk.
Bybit paid the $1.4 billion price tag for Safe's lax security practices.
For those keeping score at home, this was no opportunistic smash-and-grab.
Mandiant's forensic investigation revealed the initial compromise occurred on February 4th, with the attacker first accessing Safe's AWS environment the very next day.
Wayback Machine snapshots showed the malicious code was injected two days before execution (snapshots not included in report).
The DPRK hackers had been casually browsing Safe's AWS closet, tried on their infrastructure, and walked out wearing $1.4 billion worth of ETH like a new outfit – a haul larger than the GDP of several small nations and more than double the previous record crypto heist.
And what did they do after the heist?
Like professionals taking pride in their craft, they covered their tracks. "Two minutes after the malicious transaction was executed and published, new versions of the JavaScript resources were uploaded to Safe{Wallet}'s AWS S3 bucket. These updated versions had the malicious code removed," Sygnia noted.
Now the industry faces uncomfortable questions: If North Korea can compromise the gold standard of crypto custody by hacking a single developer laptop, what the hell are your funds secured with?
Inside the Heist
Mandiant's forensic investigation reads like a failed movie pitch - too absurd for fiction, too real for crypto.
The following timeline is based on Mandiant’s forensic investigation - buckle up for the play-by-play of how Kim Jong Un's keyboard warriors made off with history's biggest bag…
February 2, 2025: While VCs were busy explaining how their underwater token positions are "actually long-term strategic investments," the hackers registered the innocent-looking domain getstockprice[.]com through Namecheap. A digital breadcrumb trail revealed this was just one of several domains set up for the attack.
February 4, 2025: The trap was sprung. Developer1's macOS workstation at Safe fell victim to social engineering, running a Docker project named MC-Based-Stock-Invest-Simulator-main. The payload connected to the attacker's freshly registered domain, giving TraderTraitor their first foothold.
If this sounds eerily familiar, it should - Mandiant confirmed this wasn't TraderTraitor’s first rodeo: "Similar stock-themed Docker projects have been utilized by UNC4899 in previous heist investigations."
Just months earlier, they'd pulled the same stock-simulator bullshit on another exchange dev who probably thought he was gonna retire early.
February 5, 2025: No time for a coffee break - within 24 hours, North Korea's keyboard warriors were already balls deep in Safe's AWS environment. First attempt? Registering their own MFA device. Shocker - it failed.
Did Kim's hackers pack up and go home? Hell no. These aren't script kiddies - they're state-sponsored professionals with nuclear missiles and nothing better to do.
Plan B was way slicker: hijack Developer1's active AWS session tokens directly from the infected MacBook.
And here's the chef's kiss - they synced their work schedule with the dev's, ensuring they only operated while legitimate sessions were hot. Work-life balance, Pyongyang style.
February 5-17, 2025: For twelve goddamn days, these digital ghosts ran reconnaissance in Safe's AWS playground.
Picture the world's most dangerous hackers rummaging through your infrastructure while your security team is circle-jerking about blockchain immutability.
Safe's intrusion detection might as well have been a sleeping guard dog farting in its dreams.
Then came the digital Pearl Harbor…
February 19, 2025: D-Day minus two. Malicious JavaScript slipped into Safe's website quicker than a rug pull at a DeFi launch.
The Wayback Machine caught it red-handed - digital evidence that would later twist the knife in Safe's bleeding reputation.
February 21, 2025, 14:13:35 UTC: Boom time. Bybit's signers waltz right into the trap, signing what they think is boring routine shit while actually handing over the keys to the $1.4B kingdom.
February 21, 2025, 14:15:13 UTC: Just 98 seconds later - poof! - evidence gone like cocaine at a dev conference afterparty. Clean as a whistle.
If the Wayback Machine hadn't been creeping on Safe's site like your ex on Instagram, this smoking gun would've vanished into the digital ether.
The cherry on this shit sundae? The whole catastrophe stemmed from a vulnerability so basic it makes zero-days look like quantum computing.
The humble yaml.load function - crypto's equivalent of leaving your house keys under the doormat while you go on vacation.
The function parses YAML, but with the full (unsafe) Loader it also constructs whatever Python objects the document names via tags, so feeding it untrusted data lets an attacker run arbitrary code during parsing.
"You are one yaml.load away from losing everything," blockchain dev Banteg warned after the fact.
Too late for Safe, which just cemented its place in crypto history - not as the gold standard of custody, but as the cautionary tale of how even the most battle-tested security can crumble from a vulnerability that's been known and warned about for years.
If North Korea can walk away with $1.4 billion by recycling an ancient PyYAML exploit, how many other well-documented vulnerabilities are still out there waiting to be cashed in?
$1.4 billion vaporized because a developer ran a sketchy Docker project.
Not due to complex cryptography failures, zero-day exploits, or quantum computer breakthroughs.
Just garden-variety phishing targeting the wetware – the human – with access to the keys behind the keys.
This entire industry, built on revolutionary cryptographic innovations, just discovered its Achilles' heel: a vulnerability that’s been exploitable for years and could be triggered by simple misconfigurations.
Safe's decade-long reputation as Fort Knox 2.0 disintegrated when North Korea proved you don't need to breach the smart contract when you can just compromise the pixels displaying it.
The technical autopsy reveals even more damning details. The attackers' JavaScript specifically targeted Bybit's cold wallet address, lying dormant until the perfect moment.
When Bybit's signers initiated what they thought was a standard transaction, the code silently transformed it from a normal call to a delegatecall, essentially giving the attacker's contract god-mode permissions. Game over.
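The fix for "the pixels lied to you" is to check the payload somewhere the pixels can't reach. The following is an added example, not code from Safe, Bybit or any of the forensic reports: it takes the fields a Safe owner actually signs (mirroring Safe's SafeTx struct, where operation 0 is CALL and 1 is DELEGATECALL), compares them against an intent recorded out of band, and refuses anything that flips to a delegatecall or leaves an allowlist. All addresses and calldata are constructed placeholders, not the real wallets or contracts. A complete verifier would also recompute the EIP-712 safeTxHash and compare it with what the hardware wallet displays; this block stops at the field check.

```python
from dataclasses import dataclass, fields

# Safe's operation codes: 0 = CALL (ordinary external call),
# 1 = DELEGATECALL (target code runs with the Safe's own storage and balance).
CALL = 0
DELEGATECALL = 1


@dataclass(frozen=True)
class SafeTx:
    """The fields an owner signs (a subset of Safe's SafeTx struct)."""
    to: str          # destination address, hex
    value: int       # wei
    data: str        # calldata as hex, "0x" for a plain transfer
    operation: int   # CALL or DELEGATECALL
    nonce: int


# Constructed placeholder addresses, NOT the real wallets or contracts involved.
WARM_WALLET = "0x" + "11" * 20
INJECTED_TARGET = "0x" + "ee" * 20

# What the signer meant to do (a routine transfer), recorded out of band.
INTENDED = SafeTx(to=WARM_WALLET, value=10**18, data="0x", operation=CALL, nonce=7)
# What a tampered front-end might hand over instead (constructed illustration).
TAMPERED = SafeTx(to=INJECTED_TARGET, value=0, data="0xdeadbeef",
                  operation=DELEGATECALL, nonce=7)


def review_safe_tx(presented, intended, allowed_targets):
    """Compare the payload the UI wants signed against independently recorded intent.

    Returns a list of findings. An empty list means the payload matches;
    anything else means stop and do not sign.
    """
    findings = []
    # Rule 1: a delegatecall hands the Safe's storage to foreign code; never routine.
    if presented.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code would run inside the Safe")
    # Rule 2: destinations must come from a list maintained outside the web UI.
    allowed = {a.lower() for a in allowed_targets}
    if presented.to.lower() not in allowed:
        findings.append(f"destination {presented.to} is not on the allowlist")
    # Rule 3: every signed field must equal the intent, not just the ones the UI shows.
    for f in fields(SafeTx):
        if getattr(presented, f.name) != getattr(intended, f.name):
            findings.append(f"{f.name} differs from intent")
    return findings


if __name__ == "__main__":
    for label, tx in (("intended", INTENDED), ("tampered", TAMPERED)):
        result = review_safe_tx(tx, INTENDED, [WARM_WALLET])
        print(label, "->", "OK to sign" if not result else result)
```

Run on its own it reports the intended transfer as clean and lists six findings for the tampered payload: the delegatecall, the unknown destination, and the to/value/data/operation fields that no longer match intent (the nonce, which a swapped transaction keeps, is the one field that still agrees).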
Multisigs, hardware wallets, and cold storage mean nothing when your front-end is feeding you digital hallucinations authored by Kim Jong Un's hacker army.
Self-custody zealots can preach key management till they're blue in the face, but when a single yaml.load execution can bypass $1.4 billion worth of security measures, maybe it's time to admit we've been measuring the wrong metrics all along.
And just hours ago, dev Banteg dropped a PyYAML pull request that rips out the insecure "Loader" alias that TraderTraitor weaponized against Bybit, finally killing the attack vector that powered history's largest crypto heist.
The specific exploit? A single line of code: data = yaml.load(response.text, Loader=yaml.Loader)
Might be too little too late, but it is refreshing to see at least one backdoor slammed shut.
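To make the yaml.load point concrete, here is an added example (not code from PyYAML, Safe or the article's author) that puts the vulnerable line beside its fix. The two YAML documents are constructed for this example; the tagged one names builtins.len so the call it triggers is harmless, but the mechanism is exactly the one the article describes: with yaml.Loader the tag becomes a Python call during parsing, with yaml.safe_load it is rejected. The third function is a cheap detection rule for anyone who wants to alert on python tags in inbound data before it ever reaches a parser.

```python
import re
import yaml

# Constructed sample documents for this example (not taken from the report).
CLEAN_YAML = "ticker: ACME\nprice: 42.0\n"
# The tag below makes the unsafe loader import builtins and call len('abc').
# builtins.len stands in for whatever an attacker would really name here.
TAGGED_YAML = (
    "ticker: ACME\n"
    "price: 42.0\n"
    "note: !!python/object/apply:builtins.len ['abc']\n"
)


def load_unsafe(text):
    """The pattern quoted in the article: yaml.load with yaml.Loader.

    Any !!python/* tag in the input is honoured, so parsing executes code.
    Kept here only to show the behaviour; never use it on untrusted input.
    """
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """Hardened replacement: SafeLoader builds only plain data types
    (mappings, lists, scalars) and refuses python/* tags outright.
    Returns None instead of raising when a document is rejected."""
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError:
        return None


def find_python_tags(text):
    """Detection rule for raw text: list every !!python/... tag so it can be
    logged or alerted on before the document reaches any parser."""
    return [t for t in re.findall(r"!![^\s]+", text) if t.startswith("!!python/")]


if __name__ == "__main__":
    print("unsafe loader ->", load_unsafe(TAGGED_YAML))   # note becomes 3
    print("safe loader   ->", load_safe(TAGGED_YAML))     # None: rejected
    print("tags seen     ->", find_python_tags(TAGGED_YAML))
```

The interesting line is the first print: the "note" field comes back as the integer 3 because the parser ran a function call that the document asked for. Swap in load_safe and the same document is refused; the clean document parses identically under both.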
Safe, for its part, announced today that its "entire stack - including all networks, and the Safe API - is now fully restored and ready for use."
While the investigation continues, many of us still want to know: exactly how did Safe's employee get played?
That mystery is still being unraveled.
As security researcher Andrew Mohawk wryly noted, "Never let a good crisis go to waste. If you couldn't get security tickets prioritized, now is the time!"
When the next billion-dollar hack drops, will we still be pretending the problem is users not being careful enough?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.