CyberWire Daily - Bybit’s $1.4B breach. [Research Saturday]
Episode Date: April 5, 2025
Zach Edwards from Silent Push is discussing their work on "New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks." Silent Push analysts uncovered significant infrastructure used by the Lazarus APT Group, linking them to the $1.4 billion Bybit crypto heist through the domain bybit-assessment[.]com registered just hours before the attack. The investigation revealed a pattern of test entries, VPN usage, and fake job interview scams targeting crypto users, with malware deployment tied to North Korean threat actor groups like TraderTraitor and Contagious Interview. The team also identified numerous companies being impersonated in these scams, including major crypto platforms like Coinbase, Binance, and Kraken, to alert potential victims. The research can be found here: Silent Push Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks
Transcript
You're listening to the CyberWire Network, powered by N2K.
Is your AppSec program actually reducing risk?
Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk.
Why?
Traditional tools use generic prioritization and lack the ability to filter real threats
from noise.
High impact threats slip through and surface in production, costing 10 times more to fix.
Ox Security helps you focus on the 5% of issues that truly matter before they reach the cloud.
Find out what risks deserve your attention in 2025.
Download the Application Security Benchmark from OxSecurity.
some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
This report that we did really came on the heels of the $1.4 billion Bybit hack.
And our team, of course, when we saw this news,
along with every other researcher in the industry, we
immediately said, my goodness, that's the largest heist that's ever existed in crypto.
Is there anything that we can see within this hack to figure out additional details or pivot
into other parts of their infrastructure?
That's Zach Edwards, a researcher at Silent Push.
The research we're discussing today is titled New Lazarus Group Infrastructure
Acquires Sensitive Intel Related to $1.4 billion
Bybit hack and past attacks.
And so we essentially started to immediately just look for
any domains that mentioned Bybit that were registered recently.
And so our process was rather elementary at the start of it, but almost immediately we had a hit that there was a domain,
bybit-assessment[.]com, that was registered just hours before the attack supposedly occurred.
And so our team started looking into this domain and immediately in the WHOIS records,
there was an email address exposed which actually had been used in other Lazarus North Korean
hacker attacks in the past. And so our team immediately started to wonder, is this domain, which is registered by a threat
actor associated to this North Korean group, was this actually the domain that was used
in the heist?
And what was quite interesting about our early findings was that this domain was actually
being used by a different North Korean threat actor, not the North Korean threat actor who
did the heist against Bybit.
Just to simplify this a little bit, North Korea has a number of hacking groups.
They're all classified under this Lazarus name.
And then under Lazarus, there are subgroups.
And the group that did the billion dollar heist is an organization known as TraderTraitor,
which is a mouthful.
But essentially, this group is going after large crypto organizations.
They're doing these complicated hacks, supply chain breaches, and they've been behind similar
crypto heists in the past.
But this domain that we had found that was registered just hours before the Bybit hack
was actually a separate group called Contagious Interview.
And so what's particularly interesting about this is that across these different North
Korean hacker groups, they're targeting the same companies.
And so as we started to get into more details about what Contagious Interview infrastructure
we were looking at, we realized that this
was actually going to create an opportunity for us to understand other North Korean threat
actors as well.
So not just the Contagious Interview subgroup, but potentially the other attackers and campaigns
that they may be launching. And so in short, our team was looking into this new domain that was registered by a Contagious
Interview Lazarus subgroup.
And we found a few pivots where this domain was connected into a couple of others through
server and WHOIS commonalities.
And one of the domains that we pivoted into was wide open.
They'd left all of their code, all their infrastructure, just waiting for anyone to download it.
And so our team immediately grabbed those resources and we were essentially able to
get logs of these North Korean threat actors testing their own infrastructure and not
only exposing email addresses that they
use for this testing but IP addresses
that they're using to communicate to
basically communicate with this
infrastructure. And so this, from one tiny
pivot or one little investigation into
can we find anything on the Bybit hack,
eventually led us into what we have now, which is the actual code from one of these North Korean threat actor
groups and their infrastructure logs.
Wow.
Well, I do want to dig into that, but before we do, can we just break down the attack itself?
I mean, how did Lazarus go about infiltrating Bybit?
Yeah, that's a great question.
So what we sort of know about this attack right now
is that an organization called Safe Wallet was targeted.
And essentially the threat actors at Lazarus
and this subgroup, TraderTraitor, set up some honeypots that they were targeting
Safe Wallet developers.
And through a somewhat murky process, we don't exactly know how that developer was targeted.
It's possible that there's maybe some sensitive details.
We don't exactly know why that developer interacted with that phishing experience.
We don't exactly know what type of malware they were given, but we do know that that
developer was compromised.
And as soon as they had sort of compromised that developer's device, they went out and
they essentially created a honeypot or a change to this code so that when a very
specific wallet ID was going to interact with the Safe Wallet, it would switch out the wallet
IDs from the known trusted Bybit wallet into an attacker's wallet.
And so Bybit was essentially just doing their normal course of business. They were doing
some process that they probably do every other day or every week. But in this instance, the code
was essentially poisoned. And so when they went to make their transfer, instead of the money going
into an internal wallet, it went external. And the threat actors suddenly had basically Bybit transferred them all the
money and within minutes to hours they were laundering that money through numerous different
laundering services, sort of different exchanges.
A small portion of it has been seized, millions of dollars, but there's still hundreds of millions
that are unaccounted for, slash successfully laundered.
So right now, there's a lot of crypto investigators that are continuing to try and track that
money and whenever that money is transferred into a specific exchange that maybe has KYC policies, complies
with abuse complaints, they're attempting to freeze those funds.
So it's essentially a race to see how fast Lazarus can launder the money and if researchers
and exchanges can freeze that money before it's spread out
into so many wallets that it's essentially a fool's errand to try and track this.
The long and short of it is Lazarus has been extremely successful at laundering crypto
money and there's many researchers that have been successful at stopping some of it, but the reason why
we continue to have these ongoing campaigns where they're trying to basically rob crypto
banks, and then they also have these other schemes where they're trying to infect crypto
developers.
The reason why they're doing all of that is because this crypto is money, spends like
money in all the ways that North Korean laundering care about.
They're able to acquire this crypto, launder it through complex technical means, and then
on the back end, use various cash for crypto laundering networks that exist all over Asia and essentially
turn that crypto into currency.
What we know about North Korea, they're taking this currency and they're using it to fund
their nuclear program and their ballistic missile program.
Essentially, everyone out there that cares about a safer world, a world where North
Korea doesn't have the weapons to basically threaten allies and neighbors, needs to be
thinking about these types of crypto heists.
Because even if you're not in the crypto game yourself, not an investor, this is serious
money.
And then the other reality is that the United States now has a sovereign crypto fund.
So all us taxpayers in the US, we technically have skin in the crypto game.
And so it's a very complicated situation.
Well, Zach, help me understand here.
When Lazarus Group decided to turn the knob and start siphoning off all of this crypto from Bybit,
how much infrastructure would they have needed
behind the scenes to intake all of that?
Would they be able to handle that in an automated way
to start the distribution for the laundering,
or do you suppose they had to
have a team of folks standing by? That's a really good question. I think that it's
clear that there was a team of money launderers likely standing by and while
we don't have all the details about how North Korea and hackers structure their
own internal operations.
It's clear that they have operators, they have social engineers, they have developers,
and they have experts at crypto money laundering.
There's basically Tornado Cash, maybe a phrase that people are familiar with.
There have been other crypto laundering services that have gone
under the ire of the US government. Some have been deemed sort of illegal products and there's
various litigation going on around those. But there's essentially a large number of
quote crypto laundering services available. And so it would appear that these North Korean threat actors have their finger on the pulse
of a large number of these.
And this is basically one of those problems that's only going to get more complicated
over time.
And essentially, when they have hundreds of millions of dollars, they can just hand that over to
another team and then start using these Tornado Cash-like laundering services.
And the way that this essentially works, let's say you transfer in $5 million in Bitcoin
or Ethereum into one of these mixers.
The mixers then will generate thousands of other wallets, and they're doing this for
all of their clients.
And so essentially the output from these mixers is they may take $5 million and split it up
into $10,000 chunks and then transmit those $10,000 chunks to each of the wallets that
are being spun up.
And so when you have hundreds of clients using the same service, all putting money into it,
the money starts to get blended and hidden away.
You can see the new wallets that are being created and the money that are being transferred
from that service into them, but you don't know who controls that wallet.
You don't know which pool of money was actually behind it.
Now fortunately for researchers, when you have hundreds of millions of dollars in crypto
and you're putting it into these mixing services, I think that the noise from that volume ends
up making it a little easier or at least somewhat possible to track some of this money
even when it does go into a thousand other wallets. And so that's part of what these crypto
investigators are really spending a lot of their time on is investigating where the money was sent
to and then when they see that money sort of disappear into a thousand other wallets, they need to
further track those thousand wallets and start to determine does that money then transfer even
further. And this is the way that these chains work. It's essentially passing money from one
wallet to the next. And it does take serious technical resources to track that in the crypto ecosystem.
We'll be right back.
Looking for a career where innovation meets impact?
Vanguard's technology team is shaping the future of financial services
by solving complex challenges with cutting-edge solutions.
Whether you're passionate about AI, cybersecurity, or cloud computing,
Vanguard offers a dynamic and collaborative environment
where your ideas drive change.
With career growth opportunities and a focus on work-life balance,
you'll have the flexibility to thrive both professionally and personally.
Explore open cybersecurity and technology roles today at VanguardJobs.com.
Cyber threats are evolving every second, and staying ahead is more than just a challenge,
it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit threatlocker.com today
to see how a default deny approach
can keep your company safe and compliant.
Can you share some insights?
I know for example, you and your colleagues at Silent Push, you have your own threat monitoring
tools, but there's also open source intelligence.
How do each of those play into detecting this sort of attack?
Yeah, that's a great point.
So Silent Push, we have our own proprietary data. We have
a community tool where anyone can sort of search our data for free, but we like to think
about it as it's all our own first-party data. This is both good and bad. Good in that we
can easily share it, make it available to other folks, but we may not have the visibility into certain niche threats. And so it's
essential for any researchers who use a specific tool set or use a specific
platform, you absolutely have to combine that with external research methodologies.
And so this type of threat, it would be impossible to track this type of threat
if there weren't hundreds of people at a diverse range of research and cybersecurity companies
looking into this and making their findings public about what they saw. And we basically made our
report public even though it was essentially an effort where
we were trying to investigate TraderTraitor, and we pivoted into Contagious Interview,
two separate Lazarus subgroups.
But it's essential for everyone out there to know that these North Korean hackers are
targeting the same brands.
And so if you're a researcher investigating one Lazarus subgroup, you really need to try
and make that research public because what you found may actually impact other Lazarus
subgroups and may be a lead that someone tracking a totally separate actor or a totally separate
subgroup could use to find their next target.
And so when we think about sort of these Lazarus subgroups,
Contagious Interview is a group that is essentially targeting people
who are looking to work in the crypto industry.
And this subgroup basically has created honeypots where they may have job websites, they may
have totally fake corporate LinkedIns, they're creating fake employees, and they're reaching
out to people who want to work in the crypto industry and saying, hey, we think you're
a great fit for this job, can you apply in this website?
And then people are going to these websites and this is impacting a large number of crypto
employees and people who want to work in the industry.
And as they go through this job hiring website, it looks legitimate, it looks real, they're
asking the right questions.
They always have this video interview portion or something to basically record your own
thoughts on a specific question that they're asking.
And in this process, when you click to initiate the video, a subtle error message pops up and says,
whoops, you're almost done with the job application, but unfortunately this video, we're having an error.
You just need to download this one thing real quick and it will fix it and you'll be done with this job interview and on your way.
And so they have these really convincing lures in this job application process, which eventually
deploys malware onto one of these crypto developers' computers.
And it's really important for everyone to appreciate that this type of threat actor that is able to
convince an individual to basically compromise their own computer and that individual may
currently work at a crypto company. And so they're applying to work at another crypto company,
but herein lies the rub. If a crypto threat actor gets access to a developer's
machine who already works at a crypto company, they could immediately get access to sensitive
credentials and sensitive details, which they could pass on to another one of the Lazarus
subgroups to essentially conduct a bank heist against that crypto company.
And so I think it's really important for people to appreciate that
Lazarus and this North Korean threat actor group,
they have different schemes.
Some of these high-level bank heist type schemes,
others are this kind of a little less sophisticated
targeting of individual developers.
But it all wraps up into this larger threat matrix where if
they get one thing from the Contagious Interview
process, they could pass it on to the other group
and suddenly someone who was applying for a job
could have their own company ransomware that they
currently work at. And so there's a lot of
complexity between researching these Lazarus groups, understanding
their shared targeting, and appreciating that we need to make details public whenever we
figure out that for one of these subgroups, because it could apply broadly to Lazarus.
So given this group's resources,
their sophistication, their cleverness, their persistence,
what do companies do to protect their supply chains,
to protect their employees against these sorts of things?
Yeah, and really there's no silver bullet
for stopping these types of threats.
Education and training people that these threats are out there is really the first step.
Everyone who is in the crypto industry should hopefully be aware that this is occurring.
They should be very cautious when applying for jobs or when someone proactively reaches out to them offering them a job.
The other thing that defenders should really keep in mind is that North Korean threat actors have some consistent decisions they're making.
And one of them that we actually uncovered in our research was aligned to other past research that's been put out, North Korean threat actors
for whatever reason love a VPN called Astrill VPN.
Now most people here probably aren't familiar with Astrill VPN.
It's certainly not sponsoring podcasts and out there kind of with as much notoriety as some of the others, but it's still a
legitimate, relatively large VPN. But in the logs
that we acquired from this Contagious Interview
operational failure that they had, we were seeing
all of their test logs as they were testing their
own infrastructure. And shockingly, we had the IP addresses in these logs. And so, our team was able to look at all
the IP addresses that they were using in this test submission
process, and 100% of them were Astrill VPNs. And so, I think
it's very important for the vendors to know that. And our
team has spoken with quite a few other organizations
that have been directly targeted either with this contagious interview scheme or other variations.
There's a fake IT worker scheme that North Korea is also deploying where they essentially have
hundreds if not thousands of people spread out across Asia and they're
applying for jobs at Western companies and not just crypto companies.
And these people, once they get these jobs, they're essentially, many of them have multiple
jobs at the same time.
So they're sort of juggling multiple employments at the same
time and they're taking that money and they're funneling it to the same nuclear and ballistic
missile programs that these other crypto schemes are funneling money into.
And so there's a lot of major corporations.
KnowBe4 is a popular security company.
They help with phishing tests.
They hired one of these fake North Korean workers, and they put out a really good blog
post explaining how they were tricked, how they caught it, what the threat actors were
trying to do.
It's really important for everyone to appreciate that these fake IT workers also use Astrill
VPN.
And so when we catch something like a Contagious Interview using an Astrill VPN and it aligns
with the fake IT workers using Astrill VPN and we see shared targeting across these groups,
these are the details which are really important to share
and to make public whenever possible. And so every defender out there, if you're trying to stop
all of these different types of North Korean threats from the crypto heists to the various
fake worker schemes and fake hiring schemes,
it's really important to track the IPs that are being used
in those connections into your infrastructure.
And ideally you would have a pool of Astrill VPNs
so that you could basically compare that
against those connections.
And if you see Astrill VPN connections in your infrastructure and those are connected
with suspicious behaviors, you should strongly consider classifying that as a potential North
Korean threat actor and try and make those details public.
Well, Zach, before we run out of time, I do want to dig into this unique view that you
and your colleagues had with this exposed server, I suppose we could call it, and everything
that was in it.
I'm trying to imagine the look on your face or your colleagues' faces, the wide eyes you
must have had when you realized what you had in front of you there.
That's exactly right.
And it's down now.
So it was only exposed for a very short period of time.
And our researchers at Silent Push, we always are looking for threat actors' mistakes.
And usually that's just maybe a consistency decision they're making, some type of hosting
or registrar or domain pattern that they keep on using.
But occasionally you do get lucky
where a threat actor,
they're spinning up many different servers,
maybe they forget to lock one down,
and suddenly they have an open directory
and all of their directory files are available,
immediately can download.
And this is the type of accident or mistake that really can shine the light
on these types of operations. Because not only do we
have all the code that they're using to orchestrate
on any one of these domains, we can see all these
test logs. And quite honestly, we can see the victims
they're targeting to. And so part of what we didn't make public is we obviously didn't list any of the victims that we saw.
It's been shared with law enforcement and we wish everyone the best in those mitigation processes.
But we do know the companies that they were targeting, where they were trying to pull these victims out of.
And so I could share you the list of 34 different brands that are being featured,
but really the simplest way to think about it is they're targeting the top 20 major crypto companies
and then there's a small grouping of smaller crypto companies that even our researchers weren't familiar with immediately.
And we've made that public on our website.
So anyone who's in the crypto industry, who
is in threat sharing circles in the crypto industry,
we've made the entire corporate victim list public.
So while you don't know individual names,
we're not certainly exposing email addresses that were targeted.
This will give you that high level view of this is who Lazarus is targeting and likely
multiple subgroups are targeting these crypto brands.
It ranges from Coinbase and Binance and Kraken to more sort of classic finance brands like Stripe, I think,
and Robinhood and there's a few other sort of classic finance companies that also deal
in crypto.
And so I think it's important to highlight that Lazarus is not just going after crypto
companies, they're going after companies that deal in crypto.
So you may be a classic finance brand, but as soon as you dip your toes into crypto and have some
potential crypto tokens to be stolen, you will be added to their potential targeting list.
And it is something to keep in mind. And it seems as though there are no
signs that they're slowing down. I mean, they're very successful.
Yeah.
When you successfully steal $1.4 billion, you're not going to be slowing down unless
it's just to go to a vacation.
And these North Korean threat actors, they work for North Korea.
It is not like your classic cybercrime group where these people are just going
to stop doing their business, move to a resort on the Black Sea and just retire at 25 years old.
These are basically soldiers in North Korea's army and so they've been extremely successful
in their recent attacks. They've been able to gather huge amounts of resources, almost unimaginable.
We should expect that North Korean leadership will continue to fund these efforts, will probably
double down on the resources that are sent to them. This is really the start of this type of problem.
The crypto industry is very young compared to how we're going to be
able to stop these. And we should expect for some significant period of time, North Korea will remain
the premier threat actor targeting crypto.
Our thanks to Zach Edwards from Silent Push for joining us. The research is titled New Lazarus Group Infrastructure Acquires Sensitive Intel Related to $1.4 Billion
Bybit Hack and Past Attacks.
We'll have a link in the show notes.
And that's Research Saturday brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire
at n2k.com. This episode was produced by Liz Stokes, we're mixed by Elliott Peltzman and
Trey Hester. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm
Dave Bittner. Thanks for listening. We'll see you back here next time.
