Lazarus appears to compromise Safe developer machine in lead up to $1.5 billion Bybit hack: report
Quick Take Lazarus appears to have compromised a Safe developer machine, allowing it to inject a highly-targeted script used to take control of Bybit’s Ethereum cold wallet, according to an interim report by Sygnia.

Bybit, the victim of the largest single-day hack to date, has released an "interim investigation” report disclosing what the exchange knows so far as it continues to track the $1.5 billion in funds drained by North Korean hacking collective Lazarus Group on Friday.
As previously reported, the attack occurred during a relatively routine operation, where Bybit multi-sig holders coordinated to rotate funds from a cold wallet to a “warm wallet” using a Safe(Wallet) interface, when “a threat actor intervened and manipulated the transaction.”
“The threat actor managed to gain control of the affected cold wallet and transferred its holdings to a wallet under their control,” Tel Aviv-based crypto cybersecurity firm Sygnia writes in a report.
According to its forensic investigation of the modified systems and web archives meant “to identify the source and scope of the compromise,” Sygnia found that Lazarus was seemingly able to take control of a Safe developer's computer to inject malware that was designed specifically to target Bybit's signers.
This confirms some of the research the Ethereum security community conducted in the hours after the exploit, though not all of it. Lazarus appears to have used an increasingly common strategy: infecting the devices used to sign fund movements and relying on “blind signing” to trick signers into unknowingly approving an unfamiliar address controlled by the attackers while the UI showed a benign transaction, as The Block previously reported. It is now clearer, however, that Bybit's own devices were not directly implicated.
However, Sygnia’s research does help explain how Lazarus was able to take control of the Bybit multisig holders’ signing operation.
Not Bybit's infrastructure
“The highlighted initial findings suggest the attack originated from Safe(Wallet)'s AWS infrastructure,” Sygnia reports. “Thus far, the forensics investigation did not identify any compromise of Bybit's infrastructure.”
The findings suggest that the unauthorized activity stemmed from a targeted attack on Safe(Wallet)’s cloud-based system, namely its Amazon Web Services (AWS) S3 bucket, a storage service typically used to hold and serve static files (such as scripts or HTML) for web applications. The signers’ browsers then loaded the compromised JavaScript from the S3 bucket (cached locally, as found in the Chrome artifacts Sygnia reviewed), and that code substituted an altered transaction when Bybit went to move its funds. Sygnia found this code on all of the multisig hosts used to initiate and sign the compromised transaction.
For its part, Safe — a team spun out of Gnosis — confirmed that the attack “was achieved through a compromised Safe{Wallet} developer machine resulting in the proposal of a disguised malicious transaction” but did not compromise Safe’s frontend, source code or smart contracts.
Others at risk?
That said, it’s unclear how that dev machine was breached or whether other Safe users are at risk. Lazarus could have gained the ability to modify files in Safe{Wallet}’s AWS S3 bucket either by compromising credentials — like stealing an employee’s or third party’s AWS access keys via phishing or malware — or a more sophisticated exploit.
Either way, once inside, the attacker was able to upload or alter files — like injecting malicious code that gave them control over a critical piece of Bybit’s security system.
"This update from Safe is not that great. It uses vague language to brush over the issues. I have more questions than answers after reading it," Changpeng Zhao, former Binance CEO, said in response to Safe's public statement. "What does 'compromising a Safe {Wallet} developer machine' mean? How did they hack this particular machine? Was it social engineering, a virus, etc? how did a developer machine have access to 'an account operated by Bybit'?"
CZ also raised questions about how the injected code was able to affect Bybit, and why its $1.5 billion Ethereum address was targeted in particular. "How did they fool the Ledger verification step at multiple signers? Was it blind signing? or did the signers not verify properly?" he asked.
Safe noted it has “fully rebuilt, reconfigured all infrastructure, and rotated all credentials, ensuring the attack vector is fully eliminated,” though it still expresses caution when signing transactions.
Sygnia found the code was highly targeted because it would activate “only when the transaction source matched one of two contract addresses: Bybit's contract address and an unidentified contract address, likely associated with the threat actor.” Moreover, it appears Lazarus cached the file two days before the attack.
Two minutes after the malicious transaction was executed, Lazarus uploaded clean, unmodified versions of the JavaScript resources to Safe(Wallet)'s AWS S3 bucket to cover its tracks.
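The sequence described above (a served JavaScript asset altered in place, left modified through the signing window, then restored minutes later) is exactly what a continuous integrity check on static assets is built to surface. The following is an added example, not Sygnia's, Safe's or Bybit's tooling: it hashes every asset observed at each poll, compares it with a pinned manifest, and reports the modification, its persistence and the later revert as separate events, so the restore cannot be mistaken for "nothing happened". The asset names, file bodies and poll times are constructed for the example; `sri_value()` produces the `sha384-...` string a browser would enforce through a Subresource Integrity attribute, the client-side counterpart of the same check.

```python
"""Static-asset integrity monitor (added illustrative example).

Polls a set of served assets, hashes each one, and compares the hash with a
pinned manifest. A per-asset state flag lets the monitor report a restore of
the original file as a 'reverted' event rather than silently returning to
'clean', which matters when the attacker cleans up after the damage is done.
"""
import base64
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_value(data: bytes) -> str:
    """Subresource Integrity string for an asset: 'sha384-' + base64(digest)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


@dataclass(frozen=True)
class Alert:
    t: int          # poll time (constructed, arbitrary units)
    asset: str      # asset path within the bucket
    kind: str       # modified | still_modified | reverted | unexpected_asset
    observed: str   # sha256 of the body seen at time t


def check_snapshots(manifest, snapshots):
    """manifest: {asset_name: expected_sha256_hex}
    snapshots: list of (t, {asset_name: body_bytes}) in poll order.
    Returns the alerts in order; assets that match the manifest and were not
    previously tampered with produce nothing."""
    alerts = []
    tampered = set()
    for t, assets in snapshots:
        for name, body in assets.items():
            observed = sha256_hex(body)
            expected = manifest.get(name)
            if expected is None:
                alerts.append(Alert(t, name, "unexpected_asset", observed))
            elif observed != expected:
                kind = "still_modified" if name in tampered else "modified"
                tampered.add(name)
                alerts.append(Alert(t, name, kind, observed))
            elif name in tampered:
                tampered.discard(name)
                alerts.append(Alert(t, name, "reverted", observed))
    return alerts


def demo():
    """Constructed timeline: clean, modified, still modified, restored."""
    original = b"export function buildTx(to, value) { return {to, value}; }"
    # Constructed stand-in for a tampered bundle; the real injected logic is not reproduced here.
    tampered = original + b"\n/* constructed marker: altered asset */"
    manifest = {"app/bundle.js": sha256_hex(original)}
    snapshots = [
        (0, {"app/bundle.js": original}),
        (1, {"app/bundle.js": tampered}),
        (2, {"app/bundle.js": tampered}),
        (3, {"app/bundle.js": original}),   # attacker restores the clean file
    ]
    return check_snapshots(manifest, snapshots)


if __name__ == "__main__":
    for a in demo():
        print(f"t={a.t} {a.asset}: {a.kind} ({a.observed[:12]}...)")
```

In practice the manifest is written at build time and published out of band from the bucket, so that a single compromised upload path cannot rewrite both the asset and the expected hash. Pairing the monitor with SRI attributes on the HTML that loads the bundle means a modified file fails to execute in the browser at all, independent of how quickly the monitor polls.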
Public communications
For its part, Bybit has been working hard to keep the public informed as it looks to retrieve its funds. In the days following the exploit, the exchange told users they would not be impacted, as it had secured a bridge loan to close a shortfall in reserves. It also launched bug bounty programs, offering 10% to anyone who can retrieve the funds and 5% to exchanges and mixers that work to freeze them.
Some Ethereum researchers estimate the exchange has been able to recover upwards of $100 million so far, including $43 million in mETH.
"The investigation is still ongoing to further confirm the findings," Sygnia writes.
Update: Adds statement by Changpeng Zhao.