Bybit’s $1.5B Crypto Fumble, Lazarus' Perfect Heist & Cybersecurity Madness
Last week, we covered the rather unfortunate event in which a routine Bybit wallet transfer, signed off by the company's CEO, delivered $1.5 billion worth of Ethereum straight into the hands of the North Korea-backed Lazarus Group. At the time, we called it a whoopsie daisy, which, in hindsight, was a bit too generous. As more details have emerged, it turns out this wasn't a clumsy mis-click at all.
Here’s how it all went down:
Bybit Fintech Limited was using a multi-signature wallet service called Safe. The attackers first compromised a developer account, which gave them access to the Amazon Web Services (AWS) account hosting the Safe website. From there, they injected malicious JavaScript into the site, the very interface Bybit's CEO used to sign transfers from cold storage to a warm wallet.
And this is where it gets really sneaky. On screen, the CEO (and the other signers) saw a perfectly normal transaction to the intended address, so they signed it. Behind the scenes, the injected code altered what was actually being signed, rerouting a casual billion-dollar transfer straight to Lazarus.
This wasn't a random smash-and-grab job, either. The attackers waited patiently, watching the CEO's weekly or biweekly transfers and resisting the urge to grab smaller amounts. Then, when the timing was just right: boom, payday.
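The lesson for anyone serving a wallet or signing front end out of an object-storage bucket is that the JavaScript the browser loads must be pinned and checked from outside the bucket. The following is an added example (not Safe's or Bybit's code) that pins Subresource Integrity style hashes for a set of static assets at release time and then compares a live deployment against them; the asset bodies and the injected snippet are constructed stand-ins for the demo:

```python
"""Pin and verify hashes of a static web front end, Subresource Integrity style.

Added example with constructed inputs; nothing here is Safe's or Bybit's code.
The asset bodies are invented stand-ins for a wallet front end in a bucket.
"""
import base64
import hashlib
import hmac

# Constructed "known-good" build output, as a release pipeline would have it.
CLEAN_ASSETS = {
    "index.html": b"<script src='static/js/main.js'></script>",
    "static/js/main.js": b"function buildTx(to, value) { return { to: to, value: value }; }",
}

# Constructed tampered deployment: main.js has code appended that changes the
# recipient after the UI has rendered, and an extra file appeared in the bucket.
TAMPERED_ASSETS = {
    "index.html": CLEAN_ASSETS["index.html"],
    "static/js/main.js": CLEAN_ASSETS["static/js/main.js"]
    + b"\nbuildTx = function (to, value) { return { to: ATTACKER_ADDRESS, value: value }; };",
    "static/js/extra.js": b"console.log('unexpected');",
}


def compute_sri(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI string ("sha384-<base64 digest>") for an asset body."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(assets: dict) -> dict:
    """Map every asset path to its pinned SRI value (done once at release time)."""
    return {path: compute_sri(body) for path, body in assets.items()}


def verify_assets(manifest: dict, live: dict) -> dict:
    """Compare live asset bodies against the pinned manifest.

    Returns a per-path status: 'ok', 'TAMPERED', 'MISSING' or 'UNEXPECTED'.
    """
    report = {}
    for path, expected in manifest.items():
        body = live.get(path)
        if body is None:
            report[path] = "MISSING"
            continue
        algo = expected.split("-", 1)[0]
        actual = compute_sri(body, algo)
        # constant-time comparison is irrelevant offline but a good habit
        report[path] = "ok" if hmac.compare_digest(actual, expected) else "TAMPERED"
    for path in sorted(live.keys() - manifest.keys()):
        report[path] = "UNEXPECTED"
    return report


if __name__ == "__main__":
    manifest = build_manifest(CLEAN_ASSETS)
    print(verify_assets(manifest, CLEAN_ASSETS))    # every path 'ok'
    print(verify_assets(manifest, TAMPERED_ASSETS)) # main.js TAMPERED, extra.js UNEXPECTED
```

The manifest has to live and be checked somewhere the bucket credentials cannot reach (the release pipeline, or a monitoring job that periodically pulls the live objects), because an `integrity` attribute inside HTML served from the same compromised bucket protects nothing: whoever can edit the script can edit the attribute too.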
Losing $1.5 billion to North Korean hackers tends to put someone in a bad mood. So, understandably, the Bybit CEO has now declared all-out war on the gang.
Enter lazarusBounty.com, a new website designed to track the stolen funds in real time. The site features an interactive dashboard showing where pieces of the stolen funds are ending up, including deposits into various crypto exchanges.
So far, about $40 million has been frozen by exchanges, but there's one outlier: the eXch exchange. While six different platforms have helped freeze Lazarus' assets, eXch is refusing to play ball.
Their official stance?
"Anyone claiming we laundered the funds is just spreading fear, uncertainty, and doubt."
Which, to be fair, sounds a lot like something a company laundering funds would say. However, they did admit to processing an "insignificant portion" of the stolen money. Which raises the question: At what dollar amount does stolen money stop being "insignificant"?
So, to sum it up:
The crypto world never fails to entertain.
VULNERABILITY CHAT
Commvault has swiftly patched a webserver vulnerability that allowed attackers to create and execute malicious webshells, potentially compromising entire systems. In a stark warning, the company’s advisory explicitly states that "Webservers can be compromised through bad actors creating and executing webshells."
Meanwhile, the Indian Computer Emergency Response Team (CERT-In) has flagged multiple security flaws in Google Chrome browsers and ChromeOS for PCs. These vulnerabilities open the door for threat actors to seize control of targeted systems, steal sensitive data, and execute Denial of Service (DoS) attacks that render computers inoperable.
A critical authentication bypass vulnerability has been uncovered in Perforce Software, posing a serious risk to organisations worldwide. The flaw allows attackers to gain full administrative access without authenticating. The company's official statement describes it as a "severe risk," highlighting the potential for unauthorised entry into critical systems.
VMware customers have been put on high alert as three zero-day vulnerabilities are being actively exploited in the wild. Previously, notorious ransomware groups such as Helldown and Play have been observed leveraging VMware environments to gain initial access to crucial business systems and sensitive data.
In another alarming discovery, a vulnerability in the Python JSON Logger library left an estimated 43 million installations exposed to potential remote code execution (RCE). Security researcher Omnigodz identified a dependency confusion flaw: a dependency the library declared had been left unclaimed on PyPI, so anyone could have published a malicious package under that name and had it pulled into systems installing affected versions of this widely used logging utility.
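The class of bug is easy to check for in your own projects: extract every project name your manifests declare and confirm each one is actually registered on the index you install from. The following is an added example (not code from python-json-logger or PyPI) that parses PEP 508 requirement lines, applies PEP 503 name normalisation and flags names missing from an index snapshot; the requirements and the "registered names" set are constructed for the demo, and a real check would query `https://pypi.org/simple/<name>/` (a 404 means the name is unclaimed):

```python
"""Flag declared Python dependencies whose project names are unclaimed on the index.

Added example, not code from python-json-logger or PyPI. The index snapshot and
requirements below are constructed for the demo.
"""
import re
from typing import Iterable, List, Optional

# PEP 508 names: letters, digits, '.', '-' and '_', starting and ending alphanumeric.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")

# Constructed snapshot of names the index knows about (stands in for the simple API).
REGISTERED_SNAPSHOT = {"python-json-logger", "msgspec", "pytest", "requests"}

# Constructed requirements, in the style of a requirements/pyproject file.
SAMPLE_REQUIREMENTS = [
    "# runtime",
    "python_json_logger>=3.0",
    "requests[socks]>=2.31",
    "-r dev.txt",
    'msgspec; python_version < "3.13"',
    'msgspec-python313-pre; python_version >= "3.13"',   # hypothetical unclaimed name
    "Pytest~=8.0",
]


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def project_name(requirement: str) -> Optional[str]:
    """Extract the normalised project name from a PEP 508 requirement line.

    Extras, version specifiers and environment markers are ignored. Returns None
    for comments, blank lines and pip options such as '-r file'.
    """
    match = _NAME_RE.match(requirement)
    return normalize_name(match.group(1)) if match else None


def find_unclaimed(requirements: Iterable[str], registered: Iterable[str]) -> List[str]:
    """Return declared project names that are absent from the registered set.

    Every name returned is a dependency-confusion candidate: whoever registers it
    first ships code into each environment that resolves the requirement.
    """
    known = {normalize_name(n) for n in registered}
    unclaimed: List[str] = []
    for line in requirements:
        name = project_name(line)
        if name is not None and name not in known and name not in unclaimed:
            unclaimed.append(name)
    return unclaimed


if __name__ == "__main__":
    print(find_unclaimed(SAMPLE_REQUIREMENTS, REGISTERED_SNAPSHOT))
```

Parse the declarations rather than inspecting what pip installed on one machine: a requirement gated behind an environment marker (a newer interpreter, another OS) never shows up in the environment that ran the check, which is exactly the kind of entry that goes stale unnoticed.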
The Apache Software Foundation has disclosed multiple vulnerabilities in its Traffic Server software, which could allow attackers to abuse malformed requests and flaws in access control list (ACL) handling, raising concerns about data security and system stability.
Elastic has taken swift action to patch a critical flaw in Kibana, the data visualisation dashboard for Elasticsearch. The company warns that "Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests," exposing systems to severe security risks.
Google has also rolled out crucial updates to fix 43 vulnerabilities in Android, including two zero-days currently being exploited in targeted attacks. Among these, a particularly severe Android framework privilege escalation vulnerability enables attackers to elevate their privileges locally without additional execution permissions, though it does require user interaction for exploitation.
Nine Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week.
See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
The National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 907 vulnerabilities last week, bringing the 2025 total to 8,997. For more information visit https://nvd.nist.gov/vuln/search/
INFORMATION PRIVACY HEADLINES
Google has issued a crucial reminder via email, stating, "You need to choose new settings to avoid losing Timeline data." Users who fail to select the appropriate privacy settings and update their Google Maps app risk having all saved visit and route data permanently deleted. Emphasising the significance of this feature, Google explained, "With Timeline, your visits and routes are automatically saved to a map on each of your devices."
In a proactive move against cyber threats, Google has also introduced AI-powered scam protection for calls and messages on Android smartphones. These advanced security measures are specifically designed to combat phishing attempts and what are commonly referred to as conversational scams, offering users an added layer of defence against deception.
Signal Messenger President Meredith Whittaker has raised concerns about the implications of agentic AI on user privacy. Reflecting on discussions during a panel, she pointed to the AI industry's foundation on mass data collection, warning of potential risks. She criticised the prevailing “bigger is better AI paradigm,” where the relentless pursuit of vast data sets may lead to consequences she believes are far from beneficial.
Meanwhile, Apple is locked in a legal battle with the UK government over demands to access its customers' private data when required. According to the BBC, the US tech giant has taken its case to the Investigatory Powers Tribunal, an independent court responsible for examining claims against the UK's intelligence and security services. The outcome of this legal challenge could have significant implications for digital privacy rights.
The American Psychological Association has taken a decisive step in protecting individuals' neural, cognitive, and psychological data. Through its newly adopted Resolution on the Protection of Neural and Cognitive Data, the association highlights the ethical collection, storage, and use of information obtained from direct-to-consumer software and wearable devices.
Breach Exposure Monitoring | Dark Web Monitoring + Surface Web Monitoring
Scan Any Domain for Free https://breachaware.com/scan
Financial Advisor, Managing Director at Ameriprise Financial Services, LLC
(1 week ago) BreachAware? the hits keep coming.