A Brief Overview on Recent Cyberattacks
In the first months of 2025, several high-impact cyberattacks made headlines, targeting everything from crypto exchanges and streaming platforms to core infrastructure components. This post takes a brief look at two selected incidents: how they worked, which security objectives were compromised, and what they reveal about the evolving threat landscape.
We begin with a list of notable incidents:

- Bybit Hack: In February 2025, the cryptocurrency exchange Bybit[^1] became the victim of a hack in which over $1.5 billion was stolen by North Korean hackers.[^2]
- Storm-0408: In March 2025, Microsoft reported a malware campaign[^3] targeting users via (illegal) streaming websites. Malicious advertisements embedded in these websites installed information-stealing malware on users' devices.
- DDoS Attack on X.com: In March 2025, Wired.com[^4] reported a Distributed Denial-of-Service (DDoS) attack targeting X.com (formerly twitter.com).
- Fortinet Zero-Day Exploit: In January 2025, the German Federal Office for Information Security (BSI)[^5] published a warning regarding a zero-day vulnerability in FortiOS and FortiProxy. Attackers could exploit the flaw to obtain super-admin privileges.
- Security Risk from End-of-Life MS Exchange Versions: In March 2025, the BSI[^6] warned of security vulnerabilities in versions of Microsoft Exchange Server that have reached end-of-life status but are still in use by various institutions.
DDoS Attack on X.com
- Affected security objectives: Availability (Mitigation measures: including decoupling, scalable infrastructure, and IPS[^7])
X.com relies on the services of Cloudflare[^8] to protect itself against DDoS attacks.[^9] DDoS attacks (Distributed Denial of Service) aim to flood a service with excessive requests until the system's technical resources are exhausted and no further requests can be handled (cf. [Eck23, p. 120 ff.], [SL05, p. 533 ff.]). A major challenge lies in distinguishing legitimate from malicious requests, as the traffic is distributed across various IP networks. It is therefore difficult to attribute the attack to a single source.
As a result, many organizations rely on service providers with the technical capabilities to operate large-scale server infrastructures that are specifically designed to mitigate such attacks. For institutions to implement such defenses on their own would typically require considerable staffing and technical resources.
Wired.com quotes Kevin Beaumont[^10], who describes the botnet used in this case as being composed of cameras and DVRs - in other words, IoT devices that are often insufficiently protected from a security standpoint, as also noted by Münch and Schaumüller-Bichl ([ITS2, p. 36]).
In this instance, the vulnerability seems to have been exacerbated by the fact that some of X.com's services were not protected by Cloudflare's infrastructure:
“[…] some X origin servers, which respond to web requests, weren't properly secured behind the company's Cloudflare DDoS protection and were publicly visible.”
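As an added example that is not part of the original post: the quoted weakness is an origin server that answers directly instead of only through the DDoS-mitigation proxy. The script below flags DNS records that point past the proxy and derives the ingress allow-list the origin host should enforce; the hostnames and addresses are constructed, and the Cloudflare ranges are a sample snapshot to be refreshed from the published list.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 proxy ranges (cloudflare.com/ips).
# Treat it as a sample snapshot: refresh it from the published list before use.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address belongs to one of the proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def find_exposed_origins(dns_records: dict) -> dict:
    """Map hostname -> A records that are NOT Cloudflare addresses.
    Such a record answers directly to the public internet, so flood traffic
    can reach the origin without passing the DDoS mitigation in front of it."""
    exposed = {}
    for host, answers in dns_records.items():
        direct = [ip for ip in answers if not is_cloudflare_ip(ip)]
        if direct:
            exposed[host] = direct
    return exposed


def origin_ingress_rules(port: int = 443) -> list:
    """nftables rules for the origin host: accept the service port only from the
    proxy ranges and drop everything else arriving on that port."""
    rules = [f"add rule inet filter input ip saddr {net} tcp dport {port} accept"
             for net in CLOUDFLARE_RANGES]
    rules.append(f"add rule inet filter input tcp dport {port} drop")
    return rules


# Constructed sample DNS answers (203.0.113.0/24 is a documentation range).
SAMPLE_DNS = {
    "www.example.com": ["172.66.0.227"],                # proxied through Cloudflare
    "origin-3.example.com": ["203.0.113.17"],           # origin reachable directly
    "api.example.com": ["104.16.5.5", "203.0.113.18"],  # mixed: one record leaks the origin
}

if __name__ == "__main__":
    for host, ips in find_exposed_origins(SAMPLE_DNS).items():
        print(f"{host}: origin exposed via {ips}")
    print("\n".join(origin_ingress_rules()))
```

The same check applied to a real zone file or a passive-DNS export lists every hostname that still resolves to an unproxied address.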
Bybit Hack
- Affected security objectives: Authenticity, Integrity, Confidentiality (Mitigation measures: Diverse and not reducible to a few isolated mechanisms.)
Nearly USD 1.5 billion in the cryptocurrency Ethereum was stolen in the attack. The North Korean hacker group Lazarus[^11] was identified as responsible.
The theft was likely enabled by exploiting weaknesses in the underlying key infrastructure. In multisignature wallets[^12], several key holders must each sign with their own private key to authorize a transaction. Owners of crypto assets whose wallets are protected by a single private key are frequent targets of phishing attacks aimed at draining their funds. Multisig wallets, which require several independent signatures, serve as a preventive measure against this.
In this case, both social engineering and infrastructural weaknesses at Safe{Wallet}[^13], a third-party multisig provider, were exploited. The attackers first performed test transactions with smaller amounts to verify the vulnerability, before eventually stealing large sums.
The hackers used a compromised laptop belonging to a Safe{Wallet} developer and obtained AWS tokens to bypass multi-factor authentication (MFA). This enabled them to install malware on a server.[^14]
“All signers saw the masked UI which showed the correct address and the URL was from @safe [Note: Safe{Wallet}]. However, the signing message was to change the smart contract logic of our ETH cold wallet.”[^15]
The theft was carried out through a manipulated multisig wallet user interface. Victims unknowingly signed transactions that compromised their cold wallet[^16] (an offline wallet holding the private keys). These wallets were then used to initiate transfers to shadow wallets that were valid on-chain but never intended by the users.
The compromise of confidentiality was likely the result of human error, ultimately exploited through social engineering.
This incident highlights fundamental security challenges in cryptocurrency trading. As noted in the closing remarks of The Hacker News article:
“Verifying that the transaction you are signing will result in the intended outcome remains one of the biggest security challenges in Web3, and this is not just a user and education problem - it is an industry-wide issue that demands collective action.”
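An added example, not code from the post or from Safe{Wallet}: the quoted problem is that signers approved a payload whose effect differed from what the interface displayed. This check decodes the raw calldata of a signing request and refuses unless it is exactly the plain ERC-20 transfer the UI claims, with the shown recipient and amount; the addresses are constructed placeholders and only the two listed selectors are recognised.

```python
# 4-byte selectors (first 4 bytes of keccak256 of the signature) of two common ERC-20 calls.
KNOWN_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}

def decode_calldata(calldata_hex: str) -> dict:
    """Split raw calldata into its selector and 32-byte ABI words."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError("calldata is not selector + 32-byte aligned arguments")
    words = [data[i:i + 32] for i in range(4, len(data), 32)]
    return {"selector": data[:4].hex(), "words": words}

def check_signing_request(calldata_hex: str, displayed_to: str, displayed_amount: int) -> list:
    """Return the reasons to refuse signing; an empty list means the payload really is
    the plain transfer the UI claims. Anything not recognised as such a transfer is
    refused by default, including calls that would alter contract logic."""
    try:
        d = decode_calldata(calldata_hex)
    except ValueError as err:
        return [str(err)]
    name = KNOWN_SELECTORS.get(d["selector"], "unknown")
    if name != "transfer(address,uint256)" or len(d["words"]) != 2:
        return [f"payload is not a plain transfer (selector {d['selector']}: {name})"]
    to = "0x" + d["words"][0][12:].hex()          # address = low 20 bytes of the word
    amount = int.from_bytes(d["words"][1], "big")
    problems = []
    if to.lower() != displayed_to.lower():
        problems.append(f"recipient {to} differs from displayed {displayed_to}")
    if amount != displayed_amount:
        problems.append(f"amount {amount} differs from displayed {displayed_amount}")
    return problems

def encode_transfer(to: str, amount: int) -> str:
    """Build transfer(address,uint256) calldata for the constructed samples."""
    return "0xa9059cbb" + to.removeprefix("0x").lower().rjust(64, "0") + f"{amount:064x}"

# Constructed placeholder addresses; not real wallets.
INTENDED_TO = "0x" + "11" * 20
SHADOW_TO = "0x" + "22" * 20

if __name__ == "__main__":
    honest = encode_transfer(INTENDED_TO, 10**18)
    masked = encode_transfer(SHADOW_TO, 10**18)   # UI shows INTENDED_TO, payload says otherwise
    print(check_signing_request(honest, INTENDED_TO, 10**18))   # []
    print(check_signing_request(masked, INTENDED_TO, 10**18))
```

The comparison has to run on the bytes the hardware or software signer actually signs, not on what the web front-end renders, since the front-end is exactly the component that was manipulated here.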
Footnotes

[^1]: Bybit Incident Report, reported by Telepolis and Spiegel.de (retrieved 23.03.2025)
[^2]: Determined by, among others, the FBI: IC3 PSA (26 Feb 2025) (retrieved 23.03.2025)
[^3]: Microsoft Security Blog (retrieved 23.03.2025)
[^4]: Wired.com on X.com DDoS Attack (retrieved 23.03.2025)
[^5]: BSI Warning on Fortinet (retrieved 23.03.2025)
[^6]: BSI Warning on MS Exchange EOL (retrieved 23.03.2025)
[^7]: Intrusion Prevention System - a system that analyzes network traffic using Network Behavior Analysis (NBA) to detect various forms of attack.
[^8]: https://cloudflare.com (retrieved 23.03.2025)
[^9]: As noted in the article cited above; further evidence includes DNS requests showing A-records pointing to Cloudflare IP addresses such as 172.66.0.227 (retrieved 23.03.2025)
[^10]: https://doublepulsar.com/ (retrieved 23.03.2025)
[^11]: See Binance Academy - What is a Multisig Wallet? (retrieved 23.03.2025)
[^12]: Safe{Wallet} (retrieved 23.03.2025)
[^13]: The Hacker News - Safe{Wallet} confirms North Korean hacking (retrieved 23.03.2025)
[^14]: Retrieved 23.03.2025
[^15]: A cold wallet refers to an offline crypto wallet that stores private keys.
References

- [Eck23]: Eckert, Claudia: IT-Sicherheit: Konzepte - Verfahren - Protokolle (2023), De Gruyter Oldenbourg, DOI 10.1515/9783110985115
- [SL05]: Skoudis, Edward and Liston, Tom: Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition) (2005), Prentice Hall PTR
- [ITS2]: Münch, Isabel and Schaumüller-Bichl, Ingrid: ITS2 - Sicherheitsmanagement (2022), Trier University of Applied Sciences