In late February 2025, attackers stole around $1.5 billion worth of cryptocurrency from crypto exchange ByBit - believed to be the largest crypto heist in history. Since the theft, the attackers have taken sophisticated laundering steps to convert a decent amount of the stolen assets into cash.The FBI, as well as blockchain monitoring firms and researchers, have accused the North Korean government of being behind the attack.
The attackers used multiple methods to conduct the attack, but the initial breach occurred because of the exploitation of a popular open source library. Attacks like this are almost impossible to detect using traditional methods. What’s needed are granular, real-time approaches that can monitor how code behavior spawns malicious processes as they are happening - and stop them at the first step in the kill chain at the application layer.
Attacker methods
Following a month-long investigation, blockchain security firm SlowMist posted a detailed analysis of the attackers’ tactics and intrusion paths. Below is the overview of the technical methods the attackers deployed, pulled from SlowMist’s findings:
Initial Intrusion
The attacker employed social engineering tactics to trick employees into executing seemingly legitimate code on their local devices or within Docker environments. During our investigation, we identified that the attacker used malicious software such as StockInvestSimulator-main.zip and MonteCarloStockInvestSimulator-main.zip. These files were disguised as legitimate Python projects but were, in fact, remote access trojans. The attacker leveraged pyyaml for remote code execution (RCE) to deploy and execute malicious code, effectively bypassing most antivirus detection mechanisms.
Privilege Escalation
The attacker gained local control over the employee’s device through the deployed malware. They then tricked the employee into setting privileged: true in the docker-compose.yaml configuration. With this privileged setting enabled, the attacker further escalated their access, ultimately gaining full control over the target device.
Internal Reconnaissance and Lateral Movement
Using the compromised employee’s computer, the attacker conducted internal network scanning. They exploited vulnerabilities in internal services and applications to infiltrate enterprise servers further. The attacker stole SSH keys from critical servers and leveraged whitelisted trust relationships between servers to move laterally into the wallet server.
Cryptocurrency Transfer
Once the attacker gained control over the wallet, they illicitly transferred a large amount of cryptocurrency to their own controlled addresses.
Covering Tracks
The attacker used legitimate enterprise tools, applications, and infrastructure as proxies to obscure the true origin of their malicious activities. They also deleted or tampered with log data and sample evidence to erase traces of their intrusion.
Why this matters
The attackers leveraged pyyaml for RCE to deploy and execute malicious code, and ultimately, gain control of ByBit’s infrastructure. Due to a vulnerability in a commonly-used open-source library, the attackers were able to gain complete control over Bybit’s infrastructure, elevate their privileges, and move laterally into the wallet server, where they pulled off the largest heist in history.
This is significant because open-source components are the foundation of the majority of applications that power modern business, especially cryptocurrency platforms. When an application runs any vulnerable open-source library, such as pyyaml in the case of the Bybit attack, attackers have free reign to exploit those vulnerable components to compromise apps and gain a foothold into company infrastructure. The majority of organizations have no way to detect and prevent malicious behavior at the application-level and have to rely on post-exploit indicators to know an attack is happening in the first place.
Oligo ADR Detection and Prevention
At Oligo, our Application Detection and Response (ADR) solution uses Deep Application Inspection (DAI) to profile library behavior in real-time to detect and prevent deviations from their normal behavior, just like the exploit of pyyaml that led to the ByBit crypto theft.
Pyyaml is an open-source library that is used to deserialize data - allowing an app to configure settings, store data, or exchange information between different systems. Our ADR consistently monitors and profiles the normal behavior of libraries like this to alert our customers if an unintended action takes place. Pyyaml should never execute code on the host level - like it did in the ByBit hack. If it does, Oligo generates an alert at that first exploit attempt to enable you to stop the attempt in its tracks.
The path forward
Modern organizations increasingly rely on applications to power their businesses - applications that are made of open-source, first-party, and third-party code. Traditional application security solutions focus on protecting organizations exclusively against CVEs, with no real way to detect and respond to attacks in progress.
With the power of Oligo’s DAI at the heart of our ADR solution, we empower organizations to understand how all of the different application components in their environment should behave and prevent and block functions that a given library should never execute. At Oligo, we are making real-time security a reality – by protecting applications against known and unknown attack vectors where it matters most: at runtime.
This same technology enabled us to identify the first known active attack campaign targeting AI workloads last spring (ShadowRay), where we uncovered a previously unknown vulnerability being actively exploited in the popular open-source AI framework Ray, based on abnormal application behavior.
Get in touch
Interested in learning more about how Oligo protects the applications that power modern businesses?
- Book a demo: https://www.oligo.security/demo
- Dive into what makes our tech unique: https://www.oligo.security/company/whyoligo
- Learn how we our technology empowers one of the largest crypto exchanges in the world: https://www.oligo.security/case-studies/cryptocurrency-exchange
