Here's the sequence of events, from a preliminary report and a blockchain analysis:

• Feb 2, 2025: attackers registered getstockprice[.]com via Namecheap
• Feb 4, 2025 (08:55:45 UTC): a Safe{Wallet} developer's macOS workstation compromised via "MC-Based-Stock-Invest-Simulator-main" Docker project located in ~/Downloads/, which established C2 communication with getstockprice[.]com
• Feb 5, 2025 (08:36:51 UTC): initial access to Safe{Wallet} AWS environment using hijacked session tokens from developer
• Feb 5, 2025 (14:06:25 UTC): attackers ⛔️unsuccessfully⛔️ attempted to register their own MFA device to maintain persistent access
• Feb 5-17, 2025: extensive reconnaissance conducted in AWS environment, from ExpressVPN IP addresses with User-Agent strings containing "distrib#kali.2024"
• Feb 17, 2025 (03:22:44 UTC): C2 activity established in AWS environment using the Mythic Poseidon Golang agent
• Feb 19, 2025 (15:29:25 UTC): malicious JavaScript code injected into Safe{Wallet}'s AWS S3 bucket, designed to hijack transaction signing processes.
• Feb 21, 2025 (14:13:35 UTC): Bybit exploit transaction executed during a routine ETH cold wallet transfer, redirecting 401,347 ETH ($1.4B) and some other cryptocurrency tokens
• Feb 21, 2025 (14:15:13 UTC): malicious JS code removed from the website to hide evidence
• Feb 21, 2025 (14:16:11 UTC): 58 seconds later, heist completed with funds exfiltrated from Bybit
• Feb 23, 2025: $160M laundered (mostly via THORchain) 💸
• Feb 26, 2025: over $400M laundered (total) 💸
• Mar 3, 2025: $1.4B laundered 💸, with only $40M recovered by freezing known accounts

Lessons learned so far: