Multi-signature wallet Safe: North Korean hacker group TraderTraitor is behind previous hacker attacks

The multi-signature wallet Safe announced on the X platform that a security investigation conducted in conjunction with Mandiant (now owned by Google Cloud) has made crucial progress and confirmed that the attack on February 21 was carried out by the North Korean hacker group TraderTraitor (UNC4899), which has previously launched multiple attacks on the cryptocurrency industry. The hackers gained critical access by infiltrating the computer of Safe{Wallet} developers and hijacking AWS session tokens to bypass multi-factor authentication (MFA). Safe stated that although the attack had some impact, the smart contracts were not compromised, the system has been fully reset, and tighter security measures have been implemented, including:

- Infrastructure reset: regenerate all credentials, reset clusters, update keys and confidential information, and redeploy container images.

- External access restriction: temporarily block external access to transaction services, only allowing internal communication, and strengthen firewall rules.

- Malicious transaction detection upgrade: collaborate with Blockaid to strengthen transaction monitoring, increase risk markers for Safe account control upgrades.

- Enhanced real-time monitoring: improve logging and threat detection capabilities for faster response to security incidents.

- Pending transaction cleanup: clear all pending transactions from the database to prevent potential security risks.

- UI and security verification tool optimization: introduce Safe Utils as a third-party transaction verification tool and plan to provide a fully IPFS-hosted version of Safe{Wallet}.