
5 posts tagged with "Cybersecurity"

Cybersecurity threats and defenses


The Shai-Hulud Attack: How a Supply Chain Worm Stole $58M from Crypto Developers and Users

9 min read
Dora Noda
Software Engineer

On Christmas Eve 2025, while most of the crypto world was on holiday, attackers pushed a malicious update to Trust Wallet's Chrome extension. Within 48 hours, $8.5 million vanished from 2,520 wallets. The seed phrases of thousands of users had been silently harvested, disguised as routine telemetry data. But this wasn't an isolated incident—it was the culmination of a supply chain attack that had been spreading through the crypto development ecosystem for weeks.

The Shai-Hulud campaign, named after the sandworms of Dune, represents the most aggressive npm supply chain attack of 2025. It compromised over 700 npm packages, infected 27,000 GitHub repositories, and exposed approximately 14,000 developer secrets across 487 organizations. The total damage: over $58 million in stolen cryptocurrency, making it one of the most costly developer-targeted attacks in crypto history.

The Anatomy of a Supply Chain Worm

Unlike typical malware that requires users to download malicious software, supply chain attacks poison the tools developers already trust. The Shai-Hulud campaign weaponized npm, the package manager that powers most JavaScript development—including nearly every crypto wallet, DeFi frontend, and Web3 application.

The attack began in September 2025 with the first wave, resulting in approximately $50 million in cryptocurrency theft. But it was "The Second Coming" in November that demonstrated the true sophistication of the operation. Between November 21-23, attackers compromised the development infrastructure of major projects including Zapier, ENS Domains, AsyncAPI, PostHog, Browserbase, and Postman.

The propagation mechanism was elegant and terrifying. When Shai-Hulud infects a legitimate npm package, it injects two malicious files—setup_bun.js and bun_environment.js—triggered by a preinstall script. Unlike traditional malware that activates after installation, this payload runs before installation completes and even when installation fails. By the time developers realize something is wrong, their credentials are already stolen.

The worm identifies other packages maintained by compromised developers, automatically injects malicious code, and publishes new compromised versions to the npm registry. This automated propagation allowed the malware to spread exponentially without direct attacker intervention.

From Developer Secrets to User Wallets

The connection between compromised npm packages and the Trust Wallet hack reveals how supply chain attacks cascade from developers to end users.

Trust Wallet's investigation revealed that their developer GitHub secrets were exposed during the November Shai-Hulud outbreak. This exposure gave attackers access to the browser extension source code and, critically, the Chrome Web Store API key. Armed with these credentials, attackers bypassed Trust Wallet's internal release process entirely.

On December 24, 2025, version 2.68 of the Trust Wallet Chrome extension appeared in the Chrome Web Store—published by attackers, not Trust Wallet developers. The malicious code was designed to iterate through all wallets stored in the extension and trigger a mnemonic phrase request for each wallet. Whether users authenticated with a password or biometrics, their seed phrases were silently exfiltrated to attacker-controlled servers, disguised as legitimate analytics data.

The stolen funds broke down as follows: approximately $3 million in Bitcoin, over $3 million in Ethereum, and smaller amounts in Solana and other tokens. Within days, the attackers began laundering funds through centralized exchanges—$3.3 million to ChangeNOW, $340,000 to FixedFloat, and $447,000 to KuCoin.

The Dead Man's Switch

Perhaps most disturbing is the Shai-Hulud malware's "dead man's switch" mechanism. If the worm cannot authenticate with GitHub or npm—if its propagation and exfiltration channels are severed—it will wipe all files in the user's home directory.

This destructive feature serves multiple purposes. It punishes detection attempts, creates chaos that masks the attackers' tracks, and provides leverage if defenders try to cut off command-and-control infrastructure. For developers who haven't maintained proper backups, a failed cleanup attempt could result in catastrophic data loss on top of credential theft.

The attackers also demonstrated psychological sophistication. When Trust Wallet announced the breach, the same attackers launched a phishing campaign exploiting the ensuing panic, creating fake Trust Wallet-branded websites asking users to enter their recovery seed phrases for "wallet verification." Some victims were compromised twice.

The Insider Question

Binance co-founder Changpeng Zhao (CZ) hinted that the Trust Wallet exploit was "most likely" carried out by an insider or someone with prior access to deployment permissions. Trust Wallet's own analysis suggests attackers may have gained control of developer devices or obtained deployment permissions before December 8, 2025.

Security researchers have noted patterns suggesting possible nation-state involvement. The timing—Christmas Eve—follows a common advanced persistent threat (APT) playbook: attack during holidays when security teams are understaffed. The technical sophistication and scale of the Shai-Hulud campaign, combined with the rapid laundering of funds, suggests resources beyond typical criminal operations.

Why Browser Extensions Are Uniquely Vulnerable

The Trust Wallet incident highlights a fundamental vulnerability in the crypto security model. Browser extensions operate with extraordinary privileges—they can read and modify web pages, access local storage, and in the case of crypto wallets, hold the keys to millions of dollars.

The attack surface is massive:

  • Update mechanisms: Extensions auto-update, and a single compromised update reaches all users
  • API key security: Chrome Web Store API keys, if leaked, allow anyone to publish updates
  • Trust assumptions: Users assume updates from official stores are safe
  • Holiday timing: Reduced security monitoring during holidays enables longer dwell time

This isn't the first browser extension attack on crypto users. Previous incidents include the GlassWorm campaign targeting VS Code extensions and the FoxyWallet Firefox extension fraud. But the Trust Wallet breach was the largest in dollar terms and demonstrated how supply chain compromises amplify the impact of extension attacks.

Binance's Response and the SAFU Precedent

Binance confirmed that affected Trust Wallet users would be fully reimbursed through its Secure Asset Fund for Users (SAFU). This fund, established after a 2018 exchange hack, holds a portion of trading fees in reserve specifically to cover user losses from security incidents.

The decision to reimburse sets an important precedent—and creates an interesting question about responsibility allocation. Trust Wallet was compromised through no direct fault of users who simply opened their wallets during the affected window. But the root cause was a supply chain attack that compromised developer infrastructure, which in turn was enabled by broader ecosystem vulnerabilities in npm.

Trust Wallet's immediate response included expiring all release APIs to block new version releases for two weeks, reporting the malicious exfiltration domain to its registrar (resulting in prompt suspension), and pushing a clean version 2.69. Users were advised to migrate funds to fresh wallets immediately if they had unlocked the extension between December 24-26.

Lessons for the Crypto Ecosystem

The Shai-Hulud campaign exposes systemic vulnerabilities that extend far beyond Trust Wallet:

For Developers

Pin dependencies explicitly. The preinstall script exploitation works because npm runs a package's lifecycle scripts as arbitrary code, with the installing user's privileges, during every install. Pinning to exact, known-clean versions prevents a routine install from pulling in a newly published compromised release.

Treat secrets as compromised. Any project that pulled npm packages between November 21 and December 2025 should assume credential exposure. This means revoking and regenerating npm tokens, GitHub PATs, SSH keys, and cloud provider credentials.

Implement proper secret management. API keys for critical infrastructure like app store publishing should never be stored in version control, even in private repositories. Use hardware security modules or dedicated secret management services.

Enforce phishing-resistant MFA. Standard two-factor authentication can be bypassed by sophisticated attackers. Hardware keys like YubiKeys provide stronger protection for developer and CI/CD accounts.
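The propagation mechanism described in "The Anatomy of a Supply Chain Worm" (a preinstall hook dropping setup_bun.js and bun_environment.js) and the "pin dependencies" advice above can both be turned into a mechanical check. The following is an added example, not code from the article, from npm, or from any of the projects it names. It audits plain objects so it runs offline on the constructed sample input embedded below; in practice you would load the real package.json, package-lock.json (lockfileVersion 2 or 3) and a file listing. The sample package, dependency names and URLs are all made up; only the two dropper file names come from the article.

```javascript
// Added defender-side audit for the npm worm behaviour described in the
// article. Not the article's code; all sample data below is constructed.

// Lifecycle hooks that npm executes automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// File names the article reports the worm injects into infected packages.
const KNOWN_DROPPER_FILES = new Set(["setup_bun.js", "bun_environment.js"]);

// Return every lifecycle hook a package.json declares. Each one runs
// arbitrary code at install time, so each one deserves a human look.
function findLifecycleScripts(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return LIFECYCLE_HOOKS.filter((hook) => hook in scripts).map((hook) => ({
    hook,
    command: scripts[hook],
  }));
}

// Flag lockfile entries (the "packages" map of lockfileVersion 2/3) that
// lack an integrity hash or a resolved URL. Without both, npm cannot prove
// that the tarball it installs is the one that was reviewed and pinned.
function findUnpinnedPackages(lockfile) {
  const pkgs = (lockfile && lockfile.packages) || {};
  return Object.entries(pkgs)
    .filter(([path]) => path !== "") // "" is the root project itself
    .filter(([, meta]) => !meta.integrity || !meta.resolved)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Flag any file whose basename matches a dropper named in the article.
function findKnownDropperFiles(fileList) {
  return fileList.filter((f) => KNOWN_DROPPER_FILES.has(f.split("/").pop()));
}

// Combine the three checks into a single list of findings.
function auditPackage({ pkgJson, lockfile, files }) {
  const findings = [];
  for (const s of findLifecycleScripts(pkgJson)) {
    findings.push({ severity: "review", what: `lifecycle hook ${s.hook}: ${s.command}` });
  }
  for (const p of findUnpinnedPackages(lockfile)) {
    findings.push({ severity: "warn", what: `no integrity/resolved for ${p.path}@${p.version}` });
  }
  for (const f of findKnownDropperFiles(files)) {
    findings.push({ severity: "critical", what: `known dropper file present: ${f}` });
  }
  return findings;
}

// Constructed sample project: one preinstall hook, one dependency without
// integrity metadata, and one dropper file. None of these are real packages.
const SAMPLE_PROJECT = {
  pkgJson: {
    name: "example-app",
    scripts: { preinstall: "node setup_bun.js", test: "jest" },
  },
  lockfile: {
    lockfileVersion: 3,
    packages: {
      "": { name: "example-app" },
      "node_modules/good-dep": {
        version: "1.0.0",
        resolved: "https://registry.example.invalid/good-dep-1.0.0.tgz",
        integrity: "sha512-PLACEHOLDERINTEGRITYVALUE",
      },
      "node_modules/mystery-dep": { version: "2.3.4" },
    },
  },
  files: ["package.json", "index.js", "node_modules/mystery-dep/bun_environment.js"],
};

for (const f of auditPackage(SAMPLE_PROJECT)) {
  console.log(`[${f.severity}] ${f.what}`);
}
```

A "review" finding is not proof of compromise; plenty of legitimate packages compile native code in an install hook. The point is that each hook is a place where arbitrary code runs before you have looked at anything, so the audit output is a review queue, not a verdict. Setting `ignore-scripts=true` in `.npmrc` turns those hooks off entirely for installs where you do not need them.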

For Users

Diversify wallet infrastructure. Don't keep all funds in browser extensions. Hardware wallets provide isolation from software vulnerabilities—they can sign transactions without ever exposing seed phrases to potentially compromised browsers.

Assume updates can be malicious. The auto-update model that makes software convenient also makes it vulnerable. Consider disabling auto-updates for security-critical extensions and manually verifying new versions.

Monitor wallet activity. Services that alert on unusual transactions can provide early warning of compromise, potentially limiting losses before attackers drain entire wallets.

For the Industry

Strengthen the npm ecosystem. The npm registry is critical infrastructure for Web3 development, yet it lacks many security features that would prevent worm-like propagation. Mandatory code signing, reproducible builds, and anomaly detection for package updates could significantly raise the bar for attackers.

Rethink browser extension security. The current model—where extensions auto-update and have broad permissions—is fundamentally incompatible with security requirements for holding significant assets. Sandboxed execution environments, delayed updates with user review, and reduced permissions could help.

Coordinate incident response. The Shai-Hulud campaign affected hundreds of projects across the crypto ecosystem. Better information sharing and coordinated response could have limited the damage as compromised packages were identified.

The Future of Supply Chain Security in Crypto

The cryptocurrency industry has historically focused security efforts on smart contract audits, exchange cold storage, and user-facing phishing protection. The Shai-Hulud campaign demonstrates that the most dangerous attacks may come from compromised developer tooling—infrastructure that crypto users never directly interact with but that underlies every application they use.

As Web3 applications become more complex, their dependency graphs grow larger. Each npm package, each GitHub action, each CI/CD integration represents a potential attack vector. The industry's response to Shai-Hulud will determine whether this becomes a one-time wake-up call or the beginning of an era of supply chain attacks on crypto infrastructure.

For now, the attackers remain unidentified. Approximately $2.8 million of stolen Trust Wallet funds remain in attacker wallets, while the rest has been laundered through centralized exchanges and cross-chain bridges. The broader Shai-Hulud campaign's $50+ million in earlier thefts has largely disappeared into the blockchain's pseudonymous depths.

The sandworm has burrowed deep into crypto's foundations. Rooting it out will require rethinking security assumptions that the industry has taken for granted since its earliest days.


Building secure Web3 applications requires robust infrastructure. BlockEden.xyz provides enterprise-grade RPC nodes and APIs with built-in monitoring and anomaly detection, helping developers identify unusual activity before it impacts users. Explore our API marketplace to build on security-focused foundations.

The Personal Wallet Security Crisis: Why 158,000 Individual Crypto Thefts in 2025 Demand a New Approach

11 min read
Dora Noda
Software Engineer

Individual wallet compromises surged to 158,000 incidents affecting 80,000 unique victims in 2025, resulting in $713 million stolen from personal wallets alone. That's not an exchange hack or a protocol exploit—that's everyday crypto users losing their savings to attackers who have evolved far beyond simple phishing emails. Personal wallet compromises now account for 37% of all stolen crypto value, up from just 7.3% in 2022. The message is clear: if you hold crypto, you are a target, and the protection strategies of yesterday are no longer enough.

Smart Contract Audit Landscape 2026: Why $3.4 Billion in Crypto Theft Demands a Security Revolution

9 min read
Dora Noda
Software Engineer

In the first half of 2025 alone, attackers drained over $2.3 billion from crypto protocols—more than all of 2024 combined. Access control vulnerabilities alone accounted for $1.6 billion of that carnage. The Bybit hack in February 2025, a $1.4 billion supply chain attack, demonstrated that even the largest exchanges remain vulnerable. As we enter 2026, the smart contract audit industry faces its most critical moment: evolve or watch billions more disappear into attackers' wallets.

Inside the $1.5 Billion Bybit Heist: How North Korea Pulled Off History's Largest Crypto Theft

10 min read
Dora Noda
Software Engineer

On February 21, 2025, North Korean hackers stole $1.5 billion in cryptocurrency from Dubai-based exchange Bybit in approximately 30 minutes. It wasn't just the largest crypto heist in history—if Bybit were a bank, it would rank as the largest bank robbery ever recorded by Guinness World Records.

The attack didn't exploit a smart contract bug or brute-force a private key. Instead, hackers compromised a single developer's laptop at a third-party wallet provider, waited patiently for weeks, and struck when Bybit employees were approving what looked like a routine internal transfer. By the time anyone realized something was wrong, 500,000 ETH had vanished into a labyrinth of wallets controlled by North Korea's Lazarus Group.

This is the story of how it happened, why it matters, and what it reveals about the state of crypto security in 2025.

The Attack: A Masterclass in Patience and Precision

The Bybit hack wasn't a smash-and-grab. It was a surgical operation that unfolded over weeks.

Phase 1: Compromising the Developer

On February 4, 2025, a developer at Safe{Wallet}—a widely-used multi-signature wallet platform that Bybit relied on for securing large transfers—downloaded what appeared to be a legitimate Docker project called "MC-Based-Stock-Invest-Simulator-main." The file likely arrived via a social engineering attack, possibly disguised as a job opportunity or investment tool.

The malicious Docker container immediately established a connection to an attacker-controlled server. From there, the hackers extracted AWS session tokens from the developer's workstation—the temporary credentials that grant access to Safe{Wallet}'s cloud infrastructure.

With these tokens, the attackers bypassed multi-factor authentication entirely. They now had the keys to Safe{Wallet}'s kingdom.

Phase 2: The Dormant Code

Rather than act immediately, the attackers injected subtle JavaScript code into Safe{Wallet}'s web interface. This code was specifically designed for Bybit—it would lie dormant until detecting that a Bybit employee had opened their Safe account and was about to authorize a transaction.

The sophistication here is remarkable. The entire Safe{Wallet} application functioned normally for every other user. Only Bybit was targeted.

Phase 3: The Heist

On February 21, 2025, Bybit employees initiated what should have been a routine transfer from a cold wallet (secure, offline storage) to a warm wallet (for active trading). This required multiple signatures from authorized personnel—a standard security practice called multisig.

When the signers opened Safe{Wallet} to approve the transaction, the interface displayed what appeared to be the correct destination address. But the malicious code had already swapped in a different command. The employees unknowingly approved a transaction that drained Bybit's entire cold wallet.

Within minutes, 500,000 ETH—worth approximately $1.5 billion—flowed to addresses controlled by the attackers.

The Technical Exploit: Delegatecall

The key mechanism was the EVM's delegatecall operation, which lets a smart contract execute another contract's code within its own storage context. The attackers tricked Bybit's signers into approving a delegatecall that replaced their wallet's contract logic with a malicious version, effectively granting full control to the hackers.

This wasn't a bug in Ethereum or in Safe{Wallet}'s core protocol. It was an attack on the human layer—the moment when trusted employees verify and approve transactions.

North Korea's Lazarus Group: The World's Most Profitable Hackers

Within 24 hours of the attack, blockchain investigator ZachXBT submitted evidence to Arkham Intelligence definitively connecting the hack to North Korea's Lazarus Group. The FBI confirmed this attribution on February 26, 2025.

Lazarus Group—also known as TraderTraitor and APT38—operates under North Korea's Reconnaissance General Bureau. It's not a criminal gang seeking profit for personal enrichment. It's a state-sponsored operation whose proceeds fund North Korea's nuclear weapons and ballistic missile programs.

The numbers are staggering:

  • 2025 alone: North Korean hackers stole $2.02 billion in cryptocurrency
  • Bybit's share: $1.5 billion (74% of North Korea's 2025 haul from a single attack)
  • Since 2017: North Korea has stolen over $6.75 billion in crypto assets
  • 2025 vs 2024: 51% year-over-year increase in stolen value

North Korea accounted for 59% of all cryptocurrency stolen globally in 2025 and 76% of all exchange compromises. No other threat actor comes close.

The Industrialization of Crypto Theft

What makes North Korea different isn't just the scale—it's the sophistication of their operation.

Social Engineering Over Technical Exploits

The majority of 2025's major hacks were perpetrated through social engineering rather than technical vulnerabilities. This represents a fundamental shift. Hackers are no longer primarily hunting for smart contract bugs or cryptographic weaknesses. They're targeting people.

Lazarus Group operatives have embedded themselves as IT workers inside crypto companies. They've impersonated executives. They've sent job offers containing malware to developers. The Bybit attack began with a developer downloading a fake stock trading simulator—a classic social engineering vector.

The Chinese Laundromat

Stealing crypto is only half the challenge. Converting it to usable funds without getting caught is equally complex.

Rather than cash out directly, North Korea has outsourced money laundering to what investigators call the "Chinese Laundromat"—a sprawling network of underground bankers, OTC brokers, and trade-based laundering intermediaries. These actors wash stolen assets across chains, jurisdictions, and payment rails.

By March 20, 2025—less than a month after the Bybit hack—CEO Ben Zhou reported that hackers had already converted 86.29% of the stolen ETH to Bitcoin through multiple intermediary wallets, decentralized exchanges, and cross-chain bridges. The 45-day laundering cycle following major thefts has become a predictable pattern.

Despite these efforts, Zhou noted that 88.87% of the stolen assets remained traceable. But "traceable" doesn't mean "recoverable." The funds flow through jurisdictions with no cooperative relationship with U.S. or international law enforcement.

Bybit's Response: Crisis Management Under Fire

Within 30 minutes of discovering the breach, CEO Ben Zhou took command and began providing real-time updates on X (formerly Twitter). His message was blunt: "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss."

The exchange processed over 350,000 withdrawal requests within 12 hours—a signal to users that despite the catastrophic loss, operations would continue normally.

Emergency Funding

Within 72 hours, Bybit had replenished its reserves by securing 447,000 ETH through emergency funding from partners including Galaxy Digital, FalconX, and Wintermute. Bitget loaned 40,000 ETH to ensure withdrawals continued uninterrupted—a loan Bybit repaid within three days.

Cybersecurity firm Hacken conducted a proof-of-reserves audit confirming that Bybit's major assets were backed by more than 100% collateral. The transparency was unprecedented for a crisis of this magnitude.

The Bounty Program

Zhou declared "war against Lazarus" and launched a global bounty program offering up to 10% rewards for information leading to frozen assets. By year's end, Bybit had paid $2.18 million in USDT to contributors who helped trace or recover funds.

The Market's Verdict

By the end of 2025, Bybit had crossed 80 million users globally, recorded $7.1 billion in daily trading volume, and ranked 5th among cryptocurrency spot exchanges. The crisis response had become a case study in how to survive a catastrophic hack.

2025: The Year Crypto Theft Hit $3.4 Billion

The Bybit hack dominated headlines, but it was part of a broader pattern. Total cryptocurrency theft reached $3.4 billion in 2025—a new record and the third consecutive year of increases.

Key statistics:

  • 2023: $2 billion stolen
  • 2024: $2.2 billion stolen
  • 2025: $3.4 billion stolen

North Korea's share grew from roughly half to nearly 60% of all crypto theft. The DPRK achieved larger thefts with fewer incidents, demonstrating increasing efficiency and sophistication.

Lessons Learned: Where Security Failed

The Bybit hack exposed critical vulnerabilities that extend far beyond a single exchange.

Third-Party Risk Is Existential

Bybit didn't have a security failure. Safe{Wallet} did. But Bybit suffered the consequences.

The crypto industry has built complex dependency chains where exchanges rely on wallet providers, wallet providers rely on cloud infrastructure, and cloud infrastructure relies on individual developer workstations. A compromise anywhere in this chain can cascade catastrophically.

Cold Storage Isn't Enough

The industry has long treated cold wallets as the gold standard of security. But Bybit's funds were in cold storage when they were stolen. The vulnerability was in the process of moving them—the human approval step that multisig was designed to protect.

When transfers become routine, signers develop a false sense of security, treating approvals as formalities rather than critical security decisions. The Bybit attack exploited exactly this behavioral pattern.

The UI Is a Single Point of Failure

Multisig security assumes that signers can verify what they're approving. But if the interface displaying transaction details is compromised, verification becomes meaningless. The attackers showed signers one thing while executing another.

Pre-signing simulations—allowing employees to preview the actual destination of a transaction before approval—could have prevented this attack. So could delays for large withdrawals, giving time for additional review.

Social Engineering Beats Technical Security

You can have the most sophisticated cryptographic security in the world, and a single employee downloading the wrong file can bypass all of it. The weak point in cryptocurrency security is increasingly human, not technical.

Regulatory and Industry Implications

The Bybit hack is already reshaping the regulatory landscape.

Expect mandatory requirements for:

  • Hardware security modules (HSMs) for key management
  • Real-time transaction monitoring and anomaly detection
  • Regular third-party security audits
  • Enhanced AML frameworks and transaction delays for large transfers

Security and compliance are becoming thresholds for market access. Projects that cannot demonstrate strong key management, permission design, and credible security frameworks will find themselves cut off from banking partners and institutional users.

What This Means for the Industry

The Bybit hack reveals an uncomfortable truth: crypto's security model is only as strong as its weakest operational link.

The industry has invested heavily in cryptographic security—zero-knowledge proofs, threshold signatures, secure enclaves. But the most sophisticated cryptography is irrelevant if an attacker can trick a human into approving a malicious transaction.

For exchanges, the message is clear: security innovation must extend beyond technology to encompass operational processes, third-party risk management, and continuous employee training. Regular audits, collaborative threat intelligence sharing, and incident response planning are no longer optional.

For users, the lesson is equally stark: even the largest exchanges with the most sophisticated security can be compromised. Self-custody, hardware wallets, and distributed asset storage remain the safest long-term strategies—even if they're less convenient.

Conclusion

North Korea's Lazarus Group has industrialized cryptocurrency theft. They've stolen over $6.75 billion since 2017, with 2025 marking their most successful year yet. The Bybit hack alone—$1.5 billion in a single operation—demonstrates capabilities that would make any intelligence agency envious.

The crypto industry is in an arms race with state-sponsored hackers who have unlimited patience, sophisticated technical capabilities, and no fear of consequences. The Bybit attack succeeded not because of any novel exploit but because attackers understood that humans, not code, are the weakest link.

Until the industry treats operational security with the same rigor it applies to cryptographic security, these attacks will continue. The question isn't whether another billion-dollar hack will happen—it's when, and whether the target will respond as effectively as Bybit did.


This article is for educational purposes only and should not be considered financial advice. Always conduct your own research and prioritize security when interacting with cryptocurrency exchanges and wallets.

The Radiant Capital Hack: How North Korean Hackers Used a Single PDF to Steal Hundreds of Millions

4 min read

In one of the most sophisticated cyber attacks of 2023, Radiant Capital, a decentralized cross-chain lending protocol built on LayerZero, lost approximately $50 million to hackers. The complexity and precision of this attack revealed the advanced capabilities of state-sponsored North Korean hackers, pushing the boundaries of what many thought possible in crypto security breaches.

The Perfect Social Engineering Attack

On September 11, 2023, a Radiant Capital developer received what seemed like an innocent Telegram message. The sender posed as a former contractor, claiming they had switched careers to smart contract auditing and wanted feedback on a project report. This type of request is commonplace in the remote-work culture of crypto development, making it particularly effective as a social engineering tactic.

The attackers went the extra mile by creating a fake website that closely mimicked the supposed contractor's legitimate domain, adding another layer of authenticity to their deception.

The Trojan Horse

When the developer downloaded and unzipped the file, it appeared to be a standard PDF document. However, the file was actually a malicious executable called INLETDRIFT disguised with a PDF icon. Once opened, it silently installed a backdoor on the macOS system and established communication with the attackers' command server (atokyonews[.]com).

The situation worsened when the infected developer, seeking feedback, shared the malicious file with other team members, inadvertently spreading the malware within the organization.

The Sophisticated Man-in-the-Middle Attack

With the malware in place, the hackers executed a precisely targeted "bait-and-switch" attack. They intercepted transaction data when team members were operating their Gnosis Safe multi-signature wallet. While the transaction appeared normal on the web interface, the malware replaced the transaction content when it reached the Ledger hardware wallet for signing.

Due to the blind signing mechanism used in Safe multi-sig transactions, team members couldn't detect that they were actually signing a transferOwnership() function call, which handed control of the lending pools to the attackers. This allowed the hackers to drain user funds that had been authorized to the protocol's contracts.

The Swift Cleanup

Following the theft, the attackers demonstrated remarkable operational security. Within just three minutes, they removed all traces of the backdoor and browser extensions, effectively covering their tracks.

Key Lessons for the Industry

  1. Never Trust File Downloads: Teams should standardize on online document tools like Google Docs or Notion instead of downloading files. For example, OneKey's recruitment process only accepts Google Docs links, explicitly refusing to open any other files or links.

  2. Frontend Security is Critical: The incident highlights how easily attackers can spoof transaction information on the frontend, making users unknowingly sign malicious transactions.

  3. Blind Signing Risks: Hardware wallets often display oversimplified transaction summaries, making it difficult to verify the true nature of complex smart contract interactions.

  4. DeFi Protocol Safety: Projects handling large amounts of capital should implement timelock mechanisms and robust governance processes. This creates a buffer period for detecting and responding to suspicious activities before funds can be moved.
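Both the Bybit post ("The UI Is a Single Point of Failure", which recommends pre-signing checks and delays for large withdrawals) and the Radiant lessons above (blind signing of a transferOwnership() call, timelocks) come down to the same control: a signer must evaluate the raw transaction fields independently of whatever the web interface shows. The following is an added example, not Bybit's, Safe's, Ledger's or Radiant's code, of such a pre-signing policy check written as a standalone function. It assumes Safe's transaction encoding, where operation 0 is a plain call and 1 is a delegatecall, and uses the standard ERC-20 transfer(address,uint256) and Ownable transferOwnership(address) function selectors. The addresses, allowlist and threshold are constructed placeholders.

```javascript
// Added pre-signing policy check for a multisig transaction. Not the code
// of any wallet or project named in the articles; all addresses and
// thresholds below are constructed placeholders.

const OP_CALL = 0; // Safe operation 0: ordinary CALL
const OP_DELEGATECALL = 1; // Safe operation 1: DELEGATECALL, runs foreign code in the wallet's storage

// Well-known 4-byte function selectors (keccak256 of the signature, first 4 bytes).
const KNOWN_SELECTORS = {
  "0xa9059cbb": "transfer(address,uint256)", // ERC-20 transfer
  "0xf2fde38b": "transferOwnership(address)", // OpenZeppelin Ownable
};

// Constructed policy: which addresses the wallet may touch, which functions
// are never acceptable, and the amount above which a timelock applies.
const WARM_WALLET = "0x1111111111111111111111111111111111111111";
const TOKEN_CONTRACT = "0x2222222222222222222222222222222222222222";
const SIGNING_POLICY = {
  allowedAddresses: new Set([WARM_WALLET, TOKEN_CONTRACT]),
  forbiddenFunctions: new Set(["transferOwnership(address)"]),
  delayAbove: 1000n * 10n ** 18n, // more than 1000 whole tokens (18 decimals) must wait
};

// First 4 bytes of calldata, or null for a plain value transfer.
function selectorOf(data) {
  return typeof data === "string" && data.length >= 10 ? data.slice(0, 10).toLowerCase() : null;
}

// Decode transfer(address,uint256): selector, then two 32-byte ABI words.
function decodeTransfer(data) {
  const words = data.slice(10);
  if (words.length !== 128) throw new Error("malformed transfer calldata");
  return {
    recipient: "0x" + words.slice(24, 64).toLowerCase(), // address is right-aligned in its word
    amount: BigInt("0x" + words.slice(64, 128)),
  };
}

// Evaluate the raw fields a signer is about to sign. Returns "approve",
// "delay" (over threshold, hold for the timelock) or "reject", with reasons.
function evaluateSafeTx(tx, policy = SIGNING_POLICY) {
  const reasons = [];
  if (tx.operation !== OP_CALL) {
    reasons.push(`operation ${tx.operation} is not a plain call (${OP_DELEGATECALL} = delegatecall can rewrite the wallet's logic)`);
  }
  const sel = selectorOf(tx.data);
  const fn = sel ? KNOWN_SELECTORS[sel] || `unknown selector ${sel}` : "plain value transfer";
  if (policy.forbiddenFunctions.has(fn)) reasons.push(`calls ${fn}`);

  let recipient = tx.to.toLowerCase();
  let amount = BigInt(tx.value);
  if (fn === "transfer(address,uint256)") {
    // The address being paid is inside the calldata, not in `to`.
    if (!policy.allowedAddresses.has(recipient)) reasons.push(`token contract ${recipient} not allowlisted`);
    ({ recipient, amount } = decodeTransfer(tx.data));
  }
  if (!policy.allowedAddresses.has(recipient)) reasons.push(`recipient ${recipient} not allowlisted`);

  let verdict = "approve";
  if (reasons.length > 0) verdict = "reject";
  else if (amount > policy.delayAbove) verdict = "delay";
  return { verdict, function: fn, recipient, amount, reasons };
}

// ABI helpers for building the constructed sample transactions.
const pad32 = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const encodeTransfer = (to, amount) => "0xa9059cbb" + pad32(to) + pad32(amount.toString(16));
const ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"; // constructed placeholder

const SAMPLE_TXS = {
  routine: { to: TOKEN_CONTRACT, value: 0, operation: OP_CALL, data: encodeTransfer(WARM_WALLET, 500n * 10n ** 18n) },
  large: { to: TOKEN_CONTRACT, value: 0, operation: OP_CALL, data: encodeTransfer(WARM_WALLET, 5000n * 10n ** 18n) },
  delegatecall: { to: ATTACKER, value: 0, operation: OP_DELEGATECALL, data: "0x" },
  ownership: { to: TOKEN_CONTRACT, value: 0, operation: OP_CALL, data: "0xf2fde38b" + pad32(ATTACKER) },
};

for (const [name, tx] of Object.entries(SAMPLE_TXS)) {
  const r = evaluateSafeTx(tx);
  console.log(`${name}: ${r.verdict} (${r.function})${r.reasons.length ? " - " + r.reasons.join("; ") : ""}`);
}
```

The check is only worth anything if its input does not come from the same interface that may be lying. Feed it the to/value/data/operation fields read from the Safe transaction service or from the proposal's on-chain hash, compare that hash with what the hardware wallet displays, and treat a mismatch as a reject rather than a curiosity.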

The Radiant Capital hack serves as a sobering reminder that even with hardware wallets, transaction simulation tools, and industry best practices, sophisticated attackers can still find ways to compromise security. It underscores the need for constant vigilance and evolution in crypto security measures.

As the industry matures, we must learn from these incidents to build more robust security frameworks that can withstand increasingly sophisticated attack vectors. The future of DeFi depends on it.