Decoding Major Web3 Attacks of 2025

2025 has been a record-breaking year for crypto thefts, with hackers walking away with a massive $3.4 billion. To put that in perspective, it’s one of the most expensive years in history for the digital crypto world. The biggest crypto robbery happened in February, when Bybit lost $1.5 billion. Other major hits followed, like Cetus Protocol ($223 million) and Upbit ($36.8 million). The most common villain was a group from North Korea called Lazarus. They were behind 76% of the big hits. Their favorite trick wasn’t complicated code; instead, they acted as “fake recruiters” on sites like LinkedIn, offering people fake jobs just to trick them into opening a file that let the hackers inside the company.

We also saw a strange, political attack on an exchange called Nobitex. A group stole $90 million, but instead of keeping it, they burned it – meaning they destroyed the money so no one could ever use it again. These stories show that while crypto is growing fast, the groups attacking it have become very patient and professional. They aren’t just looking for bugs in the system anymore; they are looking for ways to trick the people running them.

This shift is exactly why leading Web3 organizations are moving away from reactive security models. Today, many of the world’s top crypto exchanges, protocols, wallet platforms, gaming ecosystems, and NFT platforms operate under 24×7×365 managed cybersecurity, with continuous monitoring, threat hunting, and incident response embedded into daily operations. Security is no longer an audit function—it is a live operational capability.


Bybit: The 1.5 Billion Dollar Theft

Founded in 2018 and headquartered in Dubai, Bybit is currently the world’s second-largest cryptocurrency exchange by trading volume after Binance. It serves over 78 million users globally, providing a professional platform for spot trading, futures, and decentralized Web3 services. Known as “The Crypto Ark,” the exchange is a major player in the industry, focusing on high-speed transactions and advanced tools for both beginner and professional traders.

The Bybit Attack

  • The Attack: This was a “fake screen” trick, overlaying the wallet’s existing screens with attacker-controlled content. The hackers broke into the wallet software Bybit used to manage its funds and injected malicious code into it. When Bybit employees went to move money to a safe account, their screen showed everything was fine, but the hidden code changed the destination: in the background, the money was actually being sent to the hackers’ wallets.
  • Total Loss: $1.5 Billion. Even though this was a massive amount of money, Bybit told its customers not to worry. The company used its own emergency savings to replace every dollar stolen, so no regular users lost their money.
  • The Attacker: A well-known team of professional hackers from North Korea called the Lazarus Group. Government experts found that these hackers steal crypto to help fund their country’s programs.

Here is exactly how the Lazarus Group pulled off this $1.5 billion heist in February 2025, broken down step-by-step.

Technical Deep Dive: The Safe Wallet UI Injection

The attack on Bybit’s Cold Wallet (0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4) was a masterclass in Social Engineering at Scale and Supply Chain Manipulation. The attackers did not exploit the blockchain or the smart contract code; they exploited the human-to-machine interface (Wallet).

1. Initial Access: The AWS Session Token Hijack

The Lazarus Group initiated the attack by targeting a lead developer at Safe Wallet (formerly Gnosis Safe).

  • The hackers tricked the developer into downloading a malicious Python-based stock simulator, a trojanized application. This was a spear-phishing campaign launched by the Lazarus Group specifically targeting developers and publicly known figures in the industry.
  • This malware contained a Remote Access Trojan (RAT) that successfully exfiltrated active AWS Session Tokens from the developer’s browser.
  • This allowed the attackers to bypass Multi-Factor Authentication (MFA) and gain direct access to Safe’s Amazon S3 buckets, which host the files for the wallet’s web interface.
2. Malicious Payload: JavaScript Injection

Once inside the S3 environment, the attackers modified a core JavaScript (JS) resource.

  • They injected a snippet of code designed to remain dormant unless a specific condition was met: the connection of a Bybit-affiliated hardware wallet.
  • This is known as a Targeted UI Injection. To every other user of Safe Wallet, the platform worked perfectly. But for Bybit employees, the interface was now “weaponized.”
3. The UI Deception

On February 21, 2025, Bybit employees initiated a routine maintenance transfer of 401,347 ETH from cold storage to a warm wallet.

  • While the employees saw the correct destination address on their browser screen, the malicious JavaScript had intercepted the Transaction in the background.
  • After the user clicked the Send button, it replaced the “to” field with a malicious contract address (0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516).
  • Because the interface still displayed the correct address, the signers proceeded with the Hardware Wallet Signature.
4. The “Blind Signing” Vulnerability

The transaction used a delegatecall, which allows one smart contract to execute the logic of another. At the time, the hardware wallets in use could not properly display or decode the complex, nested smart-contract data involved in this transaction (a known limitation of EIP-712 support then). As a result, the employees had no clear visibility into what they were approving and had to blind sign the transaction. Once the required third signature was added, the transaction was broadcast to the network. What appeared to be a routine transfer was something far more dangerous: the signed transaction authorized a proxy contract upgrade, silently handing full control of the cold wallet’s logic to the Lazarus Group. Within moments, the attackers used this control to drain all funds to their own externally owned address (EOA).
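The defensive counterpart to steps 3 and 4 is to decode the payload the hardware wallet is actually about to sign and compare it with the transfer the operator intends, instead of trusting the browser screen. The following is an added example, not code from the original post or from Safe: it decodes the static head of an `execTransaction` calldata (the Safe function selector is the known `0x6a761202`), flags a destination that differs from the intended warm wallet, a value mismatch, and any DELEGATECALL operation. The warm-wallet address is a placeholder and the sample calldata is constructed here; the malicious contract address is the one named in the incident.

```python
# Known 4-byte selector of Safe's execTransaction(address,uint256,bytes,uint8,...)
EXEC_TRANSACTION_SELECTOR = "6a761202"
CALL, DELEGATECALL = 0, 1


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word that follows the 4-byte selector."""
    start = 4 + 32 * index
    return data[start:start + 32]


def decode_exec_transaction(calldata_hex: str) -> dict:
    """Extract the to, value and operation fields from execTransaction calldata."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if data[:4].hex() != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    return {
        "to": "0x" + _word(data, 0)[12:].hex(),          # address is right-aligned
        "value": int.from_bytes(_word(data, 1), "big"),  # amount in wei
        "operation": int.from_bytes(_word(data, 3), "big"),
    }


def verify_intent(calldata_hex: str, expected_to: str, expected_value: int) -> list:
    """Compare the payload with the operator's intent; an empty list means it matches."""
    tx = decode_exec_transaction(calldata_hex)
    problems = []
    if tx["to"].lower() != expected_to.lower():
        problems.append(f"destination mismatch: payload targets {tx['to']}")
    if tx["value"] != expected_value:
        problems.append(f"value mismatch: payload moves {tx['value']} wei")
    if tx["operation"] == DELEGATECALL:
        problems.append("operation is DELEGATECALL: the target's code runs as the Safe")
    return problems


def build_calldata(to: str, value: int, operation: int) -> str:
    """Constructed helper: encode the static head of execTransaction for the samples."""
    words = [
        bytes.fromhex(to.removeprefix("0x")).rjust(32, b"\x00"),
        value.to_bytes(32, "big"),
        (32 * 10).to_bytes(32, "big"),   # offset of the dynamic `data` field (unused here)
        operation.to_bytes(32, "big"),
    ]
    return "0x" + EXEC_TRANSACTION_SELECTOR + b"".join(words).hex()


WARM_WALLET = "0x0000000000000000000000000000000000000001"       # placeholder destination
MALICIOUS_CONTRACT = "0xbDd077f651EBe7f7b3cE16fe5F2b025BE2969516"  # address from the incident

# Constructed samples: what the screen showed versus what the injected script queued.
DISPLAYED = build_calldata(WARM_WALLET, 10**18, CALL)
ACTUAL = build_calldata(MALICIOUS_CONTRACT, 0, DELEGATECALL)

if __name__ == "__main__":
    print(verify_intent(DISPLAYED, WARM_WALLET, 10**18))   # []
    for problem in verify_intent(ACTUAL, WARM_WALLET, 10**18):
        print(problem)
```

A wallet or signing policy that runs this comparison against the independently agreed destination would refuse to sign the second payload even though the web interface rendered it as the first.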

The Attack on SwissBorg Through the Supply Chain

SwissBorg is a premier crypto wealth management app designed to make professional investing accessible to everyone. Since its launch, the platform has grown into a trusted ecosystem for over 1 million users, blending the security of traditional Swiss banking with the innovation of decentralized finance.

Unlike a regular exchange that only shows its own prices, SwissBorg uses a Smart Engine. This acts like a travel website (such as Expedia) but for crypto: it searches many different exchanges at once to find you the absolute cheapest price for your coins.

Attack Scenario

SwissBorg has a partner company called Kiln that helps manage user rewards. Hackers stole the GitHub access token of one of Kiln’s employees. They used it to sneak into the system and set up a “skeleton key” rule. This trap sat quietly for days, waiting for a normal transaction to happen. When it did, the hidden code instantly swapped the “owner” of the funds from SwissBorg to the hackers.

  • Total Loss: $41.5 Million. This represented only approximately 2% of the total assets managed by the platform. SwissBorg’s immediate intervention ensured that no individual users suffered a loss and that all customer accounts remained fully intact.
  • The Attacker: The Lazarus Group, professional hackers from North Korea. Security experts (like ZachXBT) proved it was them by tracking the stolen money to digital wallets this group has used for other big robberies.
  • The Result: SwissBorg acted fast and caught the theft almost immediately. Because the company is financially strong, they used their own savings to pay back every single user. No customers lost their money.

Here is the deep dive into how the Lazarus Group executed the SwissBorg hack in September 2025.

Technical Deep Dive: The Kiln API Exploit

The attack on SwissBorg’s SOL Earn Program was not a breach of SwissBorg itself, but a sophisticated Supply Chain Attack targeting their infrastructure partner, Kiln.

1. Initial Access: Compromised Developer Credentials

The attack began with the theft of a GitHub Access Token belonging to a Kiln infrastructure engineer. This token provided the attackers with unauthorized entry into Kiln’s internal development repository environments.

2. Malicious Payload Injection (The “API Hook”)

Using the stolen token, the Lazarus Group injected a malicious payload into the Kiln Connect API.

  • The attackers modified the API logic by injecting malicious code.
  • They created a sleeper() function that would only trigger when a high-value transaction (specifically over 150,000 SOL) was initiated by a client like SwissBorg.
3. The “Setup Transaction” (Authority Manipulation)

On August 31, 2025, the attackers executed a Setup Transaction. While it appeared to be a standard “unstaking” request, it contained eight hidden authorization instructions.

  • These instructions silently reassigned the Staker Role (the authority to manage the funds) from SwissBorg’s controlled accounts to the attackers’ Externally Owned Accounts (EOAs).
  • Because the Withdrawer Role (the actual movement of funds) wasn’t immediately changed, the on-chain monitoring tools, which usually prioritize withdrawal events, failed to flag the change in staking authority.
4. The “Skeleton Key” Activation

After a four-day “dwell time” (waiting to ensure the authority change wasn’t detected), the attackers activated what security researchers called a “Skeleton Key” setup.

  • On September 8, they used their newly acquired authority to initiate a bulk unstaking and withdrawal process.
  • Because they now held the “Staker” rights on-chain, the Kiln API viewed the request as legitimate and authorized the transfer of 192,600 SOL to the attacker’s wallet.
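The detection gap in step 3 is that monitoring prioritised withdrawal events and ignored a change of the Staker role. The rule below is an added example, not code from the original post, from Kiln or from SwissBorg: it inspects every stake Authorize instruction, for the Staker and Withdrawer roles alike, and alerts whenever a role is handed to a key outside the organisation’s own set. The transaction records are constructed and simplified from the Solana Stake program’s Authorize instruction; all account names are placeholders.

```python
STAKER, WITHDRAWER = "Staker", "Withdrawer"

# Keys the organisation controls (constructed placeholders, not real addresses).
TRUSTED_AUTHORITIES = {
    "OrgStaker1111111111111111111111111111111111",
    "OrgWithdrawer111111111111111111111111111111",
}


def authority_alerts(tx: dict, trusted: set) -> list:
    """Return one alert per Authorize instruction that hands a role to an untrusted key."""
    alerts = []
    for ix in tx["instructions"]:
        if ix["program"] != "Stake" or ix["type"] != "Authorize":
            continue
        if ix["new_authority"] in trusted:
            continue
        alerts.append({
            "signature": tx["signature"],
            "stake_account": ix["stake_account"],
            "role": ix["authority_type"],
            "new_authority": ix["new_authority"],
            # A Staker role alone is enough to deactivate stake later, so it is
            # rated as high as a Withdrawer change rather than lower.
            "severity": "high",
        })
    return alerts


def scan(transactions: list, trusted: set = TRUSTED_AUTHORITIES) -> list:
    """Run the rule over a batch of transactions and flatten the alerts."""
    return [alert for tx in transactions for alert in authority_alerts(tx, trusted)]


ATTACKER_EOA = "AttackerEOA1111111111111111111111111111111"   # constructed placeholder

# Constructed samples: a 'routine unstake' carrying eight hidden Staker reassignments,
# followed by a legitimate Withdrawer rotation to an organisation-owned key.
SAMPLE_TXS = [
    {
        "signature": "sig-setup-constructed",
        "instructions": [
            {"program": "Stake", "type": "Deactivate", "stake_account": "stake-0"},
        ] + [
            {"program": "Stake", "type": "Authorize", "stake_account": f"stake-{n}",
             "authority_type": STAKER, "new_authority": ATTACKER_EOA}
            for n in range(8)
        ],
    },
    {
        "signature": "sig-benign-rotation",
        "instructions": [
            {"program": "Stake", "type": "Authorize", "stake_account": "stake-9",
             "authority_type": WITHDRAWER,
             "new_authority": "OrgWithdrawer111111111111111111111111111111"},
        ],
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TXS):
        print(alert)
```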

The DNS Attack on Aerodrome Finance

Aerodrome Finance is the premier decentralized exchange (DEX) and the primary liquidity engine for the Base network, an Ethereum Layer-2 blockchain incubated by Coinbase. As a next-generation Automated Market Maker (AMM), it utilizes a sophisticated ve(3,3) governance model to align incentives between traders and liquidity providers. It currently stands as the largest protocol on Base, managing hundreds of millions in assets and facilitating the majority of the network’s trading volume. By offering deep liquidity and high-efficiency token swaps, Aerodrome serves as the foundational infrastructure for the entire Base ecosystem.

Attack Scenario

  • This was a “DNS Hijacking” incident. On November 22, 2025, hackers compromised the domain registrar (NameSilo) used by Aerodrome and its sister protocol, Velodrome. By gaining control of the account, the attackers redirected the official web addresses (.finance and .box) to a fake website that looked identical to the real one.
  • Net Loss: $700,000 USD. While significant for the individual users affected, Aerodrome’s core smart contracts were never touched. The $400 million in the protocol remained safe.
  • The attack was linked to a professional drainer group using a tool known as “Eleven Drainer.” The root cause was an insider compromise at the domain registrar itself, which allowed the hackers to bypass security and take control of the website’s destination.

Technical Deep Dive: The DNS Hijacking & Redirection

The attack did not target Aerodrome’s blockchain code (Smart Contracts). Instead, it targeted the DNS (Domain Name System), which is the system that tells your browser which server to talk to when you type in a website name.

1. The Breach: Social Engineering at the Registrar

The Lazarus Group targeted the third-party domain registrar, NameSilo, which managed Aerodrome’s .finance and .box domains.

  • Using Social Engineering tactics, the attackers tricked the registrar’s support staff into believing they were the rightful owners of the Aerodrome account.
  • They bypassed Multi-Factor Authentication (MFA) and gained full administrative access to the domain management panel.
2. Disabling the Shield: DNSSEC Removal

Once inside the control panel, the attackers performed a critical technical move: they removed DNSSEC (Domain Name System Security Extensions).

DNSSEC is like a digital seal on a letter. It proves the DNS records haven’t been tampered with. By removing it, the hackers could change where the website pointed without triggering “untrusted site” warnings in many browsers.

3. The Redirection: IP Swapping

The hackers updated the A Record. They redirected all traffic from the real Aerodrome server to a malicious server (87.121.79.44) hosted in a data center.

  • This server hosted a Phishing Clone: a perfect visual replica of Aerodrome’s frontend, loaded with Eleven Drainer malware on the backend.
4. The “Two-Stage” Wallet Drain

When users visited the hijacked site, the Eleven Drainer script executed a two-step attack:

  • Stage 1 (The Hook): The site asked users to sign a message that appeared to be a simple login or connection request. Technically, this was an off-chain signature used to verify the user’s wallet address and assets.
  • Stage 2 (The Drain): Once the address was known, the script instantly generated Unlimited Approval requests. If a user signed these, they were technically calling the increaseAllowance() or setApprovalForAll() functions. This gave the attacker’s wallet permission to move the user’s ETH, USDC, and NFTs at any time.
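Steps 2 and 3 leave two fingerprints that no on-chain monitor sees: the zone’s DS record disappears when DNSSEC is removed, and the A record moves to a host outside the known hosting range. The check below is an added example, not code from the original post or from Aerodrome: it compares observed records for the protocol’s .finance domain against a pinned baseline and reports both kinds of drift. The baseline address and hosting range are placeholders from the documentation ranges, the observations are constructed, and in production they would come from a resolver query rather than from inline data.

```python
import ipaddress

# Pinned baseline for the protocol's domain (constructed placeholder values).
BASELINE = {
    "aerodrome.finance": {
        "a": {"203.0.113.10"},               # expected frontend address
        "allowed_nets": ["203.0.113.0/24"],  # hosting ranges the frontend may resolve into
        "ds_present": True,                  # the zone is signed, so a DS record must exist
    },
}


def check_zone(name: str, observed: dict, baseline: dict = BASELINE) -> list:
    """Compare observed records for one zone with its baseline; empty list means no drift."""
    expected = baseline[name]
    alerts = []
    # DNSSEC removal: the parent-zone DS record vanishes before the A record is changed.
    if expected["ds_present"] and not observed.get("ds"):
        alerts.append(f"{name}: DS record missing, DNSSEC appears to have been removed")
    observed_a = set(observed.get("a", []))
    if observed_a != expected["a"]:
        alerts.append(f"{name}: A record changed {sorted(expected['a'])} -> {sorted(observed_a)}")
    nets = [ipaddress.ip_network(n) for n in expected["allowed_nets"]]
    for ip in observed_a:
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            alerts.append(f"{name}: {ip} is outside the known hosting ranges")
    return alerts


def check_all(observations: dict, baseline: dict = BASELINE) -> dict:
    """Run the check for every baselined zone; a zone with no observation is itself an alert."""
    results = {}
    for name in baseline:
        observed = observations.get(name)
        if observed is None:
            results[name] = [f"{name}: no observation"]
        else:
            results[name] = check_zone(name, observed, baseline)
    return results


# Constructed observations: the healthy state and the hijacked state. The hijacked
# A record uses the malicious server address reported in the incident.
HEALTHY = {"a": ["203.0.113.10"], "ds": ["12345 13 2 constructed-digest"]}
HIJACKED = {"a": ["87.121.79.44"], "ds": []}

if __name__ == "__main__":
    print(check_zone("aerodrome.finance", HEALTHY))   # []
    for line in check_zone("aerodrome.finance", HIJACKED):
        print(line)
```

Running this from a scheduler every few minutes turns a registrar-level change into an alert within one polling interval, independent of whether the registrar account itself was compromised.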

BitoPro: The 11.5 Million Dollar Theft

BitoPro is the leading cryptocurrency exchange in Taiwan and the flagship platform of the BitoGroup, which has dominated the regional market since 2014. As a fully regulated and compliant exchange, it provides a secure gateway for over 1 million users to trade digital assets using the New Taiwan Dollar (TWD). BitoPro is renowned for its deep integration with local infrastructure, famously allowing users to convert convenience store loyalty points into Bitcoin. By combining institutional-grade security with user-friendly financial products like BitoDebt, it serves as the primary bridge between traditional banking and the digital economy in Asia.

Attack Scenario

  • This was a “Cloud Infrastructure Hijack.” Hackers didn’t attack the blockchain directly; they tricked a BitoPro employee into installing malware. This gave the hackers access to the company’s AWS (Amazon Web Services) cloud account. They waited for a scheduled wallet system upgrade on May 9th, then used the confusion of the upgrade to sneak in and trigger unauthorized withdrawals.
  • The hackers drained assets across several different networks, including Ethereum, Solana, Polygon, and Tron, resulting in a net loss of $11.5 million.
  • BitoPro’s investigation confirmed the attack used the same “social engineering” and “session hijacking” tactics that the Lazarus Group used in the $1.5 billion Bybit heist.

Technical Deep Dive: The AWS Infrastructure Hijack

The attack did not target the blockchain’s security; instead, it targeted the Cloud Management Plane.

1. Initial Access: The Social Engineering “Backdoor”

The attack began weeks before the theft. A BitoPro employee in the Cloud Operations department was targeted via a sophisticated “Social Engineering” campaign – likely a fake job offer or a technical document.

  • The employee was tricked into downloading a file that contained a Remote Access Trojan (RAT).
  • This malware was designed to bypass Endpoint Detection and Response (EDR) systems by running entirely in the computer’s memory (fileless malware), making it invisible to standard antivirus scans.
2. The Hijack: AWS Session Token Exfiltration

Once inside the employee’s workstation, the hackers didn’t look for passwords. Instead, they stole AWS Session Tokens.

  • A valid session token lets an attacker log straight into the developer’s AWS account, bypassing the password, MFA, OTP and every other login control: the attacker simply supplies the stolen token to the browser and gains access to the user’s account.
3. The “Dwell Time” and C2 Stealth

The hackers stayed silent for several days. They connected the compromised system to a Command and Control (C2) Server.

  • From this server, they quietly uploaded Malicious Scripts directly onto the Hot Wallet Host (the server that was responsible for signing and sending crypto transactions).
  • They monitored the staff’s internal communications to identify the exact timing of a scheduled Wallet System Upgrade.
4. Execution: The Maintenance Window Exploit

On May 9, 2025, at 1:00 AM, BitoPro began a planned upgrade. The hackers used this “noise” to hide their activity.

  • The pre-planted scripts were activated. These scripts did not look like a “hack”; they were programmed to simulate legitimate wallet maintenance behaviors.
  • While the engineers were moving funds for the upgrade, the script snuck in unauthorized withdrawal requests for $11.5 Million across Ethereum, Solana, Polygon, and Tron.
  • Because the system was already in “maintenance mode,” many automated security alerts were likely set to a lower sensitivity, allowing the theft to go unnoticed for the first few minutes.
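A replayed session token (step 2) is valid until it expires, so MFA never fires again; what does change is where the token is used from. The rule below is an added example, not code from the original post or from BitoPro: it groups CloudTrail events by temporary access key and alerts when a key that was first used from the corporate range reappears from an outside IP, rating the alert high if sensitive API calls came from there, regardless of any maintenance window (step 4). The office range and the event records are constructed placeholders in CloudTrail’s field names, not real logs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed office range
SENSITIVE = {"PutObject", "AssumeRole", "CreateAccessKey", "SendCommand"}


def _is_corporate(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS)


def session_alerts(events: list) -> list:
    """Group events by temporary access key and flag use from outside the office range."""
    by_key = defaultdict(list)
    for event in events:
        by_key[event["userIdentity"]["accessKeyId"]].append(event)
    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["eventTime"])
        foreign = [e for e in evs if not _is_corporate(e["sourceIPAddress"])]
        if not foreign:
            continue
        first_ok = next((e for e in evs if _is_corporate(e["sourceIPAddress"])), None)
        minutes = None
        if first_ok is not None:   # how soon after legitimate use the token was replayed
            delta = (datetime.fromisoformat(foreign[0]["eventTime"])
                     - datetime.fromisoformat(first_ok["eventTime"]))
            minutes = int(delta.total_seconds() // 60)
        sensitive_calls = sorted({e["eventName"] for e in foreign if e["eventName"] in SENSITIVE})
        alerts.append({
            "accessKeyId": key,
            "user": evs[0]["userIdentity"]["userName"],
            "foreign_ips": sorted({e["sourceIPAddress"] for e in foreign}),
            "user_agents": sorted({e["userAgent"] for e in foreign}),
            "minutes_after_corporate_use": minutes,
            "sensitive_calls": sensitive_calls,
            # Sensitive calls from a foreign IP stay high-severity during maintenance
            # windows too: token replay is exactly what such a window would hide.
            "severity": "high" if sensitive_calls else "medium",
        })
    return alerts


def _event(key, user, when, ip, agent, name):
    """Constructed CloudTrail-shaped record (real events carry many more fields)."""
    return {"userIdentity": {"accessKeyId": key, "userName": user}, "eventTime": when,
            "sourceIPAddress": ip, "userAgent": agent, "eventName": name}


SAMPLE_EVENTS = [   # constructed, not real logs
    _event("ASIACONSTRUCTED000001", "cloud-ops", "2025-05-02T09:00:00",
           "198.51.100.7", "aws-cli/2.15", "ListBuckets"),
    _event("ASIACONSTRUCTED000001", "cloud-ops", "2025-05-02T09:41:00",
           "192.0.2.50", "python-requests/2.31", "PutObject"),
    _event("ASIACONSTRUCTED000002", "release-eng", "2025-05-02T09:05:00",
           "198.51.100.9", "aws-cli/2.15", "GetObject"),
]

if __name__ == "__main__":
    for alert in session_alerts(SAMPLE_EVENTS):
        print(alert)
```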

How can Securze help?
Cybersecurity today is not just about finding issues once a year; it’s about staying protected every day. At Securze, we help organizations secure their technology, data, and operations through a complete, end-to-end cybersecurity approach.

We offer 24×7×365 Managed Cybersecurity, where our security team continuously monitors your systems, detects threats in real time, and responds before incidents turn into business disruptions. You don’t just get alerts - you get active protection.

Our Red Team services help identify real-world security gaps through vulnerability assessments, penetration testing, red teaming, Web3 security, cloud and application testing, wireless and physical security testing, and secure code reviews.

Our Blue Team services focus on defense - setting up and managing SOC operations, SIEM and log monitoring, incident response, threat hunting, firewall and endpoint security, infrastructure hardening, and secure configuration reviews.

Through Purple Team exercises, we help your teams learn and improve by running realistic attack simulations such as phishing, social engineering, DOS attacks, insider threats, and breach scenarios - turning security into a continuous learning process.

We also support Governance, Risk, and Compliance (GRC) requirements, including DPDPA, ISO 27001, SOC 2, GDPR, NIST 2.0, PCI DSS, HIPAA, and third-party risk management - helping you meet regulatory expectations with clarity and confidence.

Our network security services cover end-to-end implementation and management. We design, deploy, and secure enterprise networks using industry-leading technologies. As certified partners with Fortinet, SonicWall, Jamf, Elastic (SIEM & SOC) and Proofpoint (Email Security), we help organizations implement firewalls, secure gateways, endpoint protection, email security, logging, and monitoring - built for performance, visibility, and resilience.

Whether you are a startup or an enterprise, Securze works as an extended security team, helping you stay secure, compliant, and prepared - without complexity.

Want to know how this fits your environment?

Reach out to us for a conversation.

  • Website: https://securze.com
  • Email: info@securze.com
  • Call Us: +91–8451073938
  • Learn DPDPA: https://dpdpaedu.org
