Bit ByBit - emulation of the DPRK's largest cryptocurrency heist
ID: 55658cf9-b056-55b1-bb1e-4625d818163b
STIX ID: report--55658cf9-b056-55b1-bb1e-4625d818163b
Feed Name: Elastic Security Labs
This Elastic research emulates a real-world supply-chain intrusion attributed to DPRK operators. The operators compromised a Safe{Wallet} developer's macOS host through a malicious Python application that exploited PyYAML deserialization, deployed a loader and Poseidon-based payloads to harvest AWS session tokens, pivoted to an S3-hosted Next.js frontend to inject JavaScript that redirected a ByBit multisig transaction, and ultimately stole ~400,000 ETH. The report includes detailed malware behavior, the cloud attack chain, detections, and hardening recommendations.
