North Korean Hackers Stole $1.4B from Bybit Via Safe Mac Breach, Mandiant Says

North Korean hackers pulled off the biggest crypto heist ever, swiping $1.4 billion from Bybit by breaching a Safe{Wallet} developer’s Mac laptop through a fake stock investment project, Mandiant revealed in a report on March 6, 2025.

The attack, tied to the notorious TraderTraitor group, kicked off on February 4 when a developer—code-named Developer1—downloaded a malicious Docker project disguised as a “stock investment simulator.” That project pinged a shady domain, getstockprice[.]com, and installed malware, giving hackers a foothold. It’s not clear why Developer1 fell for it, but Mandiant noted similar social engineering tricks have worked for TraderTraitor before.

The hackers didn’t stop there: they used malware on Developer1’s laptop to steal AWS session tokens. Because a session token stands for a login that has already passed authentication, replaying it let them bypass Safe’s multi-factor authentication (MFA) and slip into Amazon Web Services undetected. Mandiant’s findings show the attack came from IP addresses linked to VPNs and offensive hacking tools, proving how sophisticated this crew is. Safe{Wallet} responded by locking down its infrastructure, cutting external access, and teaming up with blockchain security firm Blockaid to spot shady transactions better. Safe says its smart contracts weren’t touched, but the damage was done: TraderTraitor had the keys to Bybit’s vault.
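A defender-side check for the session-token theft described above, as an added example that is not from Mandiant's report or Safe's tooling: it scans CloudTrail-shaped records and flags any temporary credential (access key ID beginning `ASIA`) that appears from a source IP or user agent other than the one it was first seen with. The events, key IDs and IP addresses are constructed samples, and `ev` and `flag_reused_sessions` are hypothetical helper names.

```python
from collections import defaultdict

def ev(time, key, ip, agent, name):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent,
            "userIdentity": {"accessKeyId": key, "sessionContext": {
                "attributes": {"mfaAuthenticated": "true"}}}}

# Constructed events: placeholder key IDs, documentation-range IP addresses.
SAMPLE_EVENTS = [
    ev("2025-01-01T09:00:00Z", "ASIAEXAMPLESESSION01", "198.51.100.10", "aws-cli/2.15.0", "GetCallerIdentity"),
    ev("2025-01-01T09:05:00Z", "ASIAEXAMPLESESSION01", "198.51.100.10", "aws-cli/2.15.0", "ListBuckets"),
    ev("2025-01-01T09:40:00Z", "ASIAEXAMPLESESSION01", "203.0.113.77", "python-requests/2.31.0", "ListUsers"),
    ev("2025-01-01T09:10:00Z", "ASIAEXAMPLESESSION02", "198.51.100.20", "aws-cli/2.15.0", "DescribeInstances"),
    ev("2025-01-01T09:50:00Z", "ASIAEXAMPLESESSION02", "198.51.100.20", "aws-cli/2.15.0", "DescribeInstances"),
    ev("2025-01-01T10:00:00Z", "AKIAEXAMPLELONGTERM1", "198.51.100.30", "aws-cli/2.15.0", "ListBuckets"),
    ev("2025-01-01T10:30:00Z", "AKIAEXAMPLELONGTERM1", "203.0.113.5", "aws-cli/2.15.0", "ListBuckets"),
]

def flag_reused_sessions(events):
    """Map each temporary access key to the calls made from a new origin."""
    baseline = {}                      # access key -> (ip, user agent) first seen
    findings = defaultdict(list)
    for e in sorted(events, key=lambda r: r["eventTime"]):
        ident = e["userIdentity"]
        key = ident.get("accessKeyId", "")
        if not key.startswith("ASIA"):  # ASIA = temporary (STS) credentials
            continue
        origin = (e["sourceIPAddress"], e["userAgent"])
        if baseline.setdefault(key, origin) != origin:
            attrs = ident.get("sessionContext", {}).get("attributes", {})
            findings[key].append({
                "eventTime": e["eventTime"],
                "eventName": e["eventName"],
                "sourceIPAddress": e["sourceIPAddress"],
                "userAgent": e["userAgent"],
                "first_seen_from": baseline[key][0],
                "mfaAuthenticated": attrs.get("mfaAuthenticated"),
            })
    return dict(findings)

if __name__ == "__main__":
    for key, hits in flag_reused_sessions(SAMPLE_EVENTS).items():
        for hit in hits:
            print(key, hit)
```

A changed origin can also be a user switching networks, so a hit is a triage lead, not a verdict. Note that the flagged call still carries `mfaAuthenticated: true`, which is why MFA alone does not stop a replayed session.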

Bybit’s still reeling. CEO Ben Zhou posted on X earlier this month that nearly 20% of the $1.46 billion stolen—about $200 million—is now untraceable, lost to mixing services, while 77% remains trackable. The February 21 hack, now the largest in crypto history, has left Bybit scrambling, with North Korea’s Lazarus Group suspected behind it. Mandiant’s report paints a chilling picture of how TraderTraitor exploited a single laptop to trigger this mega-theft, using social engineering and AWS token hijacking. For Bybit and Safe, it’s a harsh lesson in tightening security—North Korea’s crypto-hacking game is next-level, and the fallout’s far from over.
