Wednesday, February 26, 2025

Dissecting the Bybit Cryptocurrency Exchange Malicious UI Spoofing Javascript

Based on the recently released Bybit investigation documents, I was able to obtain the malicious JavaScript in question and decided to dig a little deeper into its inner workings, with the aim of providing actionable intelligence on the topic and on who the attackers might be.

JavaScript MD5: be9397a0b6f01d21e15c70c4b37487fe

Here is what I did. I managed to partly reproduce the campaign, and while looking for clues I obtained an actual copy of the malicious UI spoofing JavaScript used against the Bybit cryptocurrency exchange.

Since the script was not obfuscated, my next step was to look for additional clues, such as phone-home URLs or Ethereum addresses. This turned up a lot of results, which I decided to share with everyone.

Full list of URLs found in the malicious Bybit UI spoofing JavaScript:

hxxp://fb.me/use-check-prop-types
hxxp://example.com
hxxp://w3.org/2000/svg
hxxp://12cd7127f9cfb1cddab1f354252074b7@o4507209696739328.ingest.de.sentry.io/4507215200256080
hxxp://abitype.dev
hxxp://api.arbiscan.io
hxxp://api.basescan.org
hxxp://api.bscscan.com
hxxp://api.etherscan.io
hxxp://api.polygonscan.com
hxxp://api.spindl.xyz/v1
hxxp://api-amoy.polygonscan.com
hxxp://api-goerli.arbiscan.io
hxxp://api-goerli.etherscan.io
hxxp://api-goerli-optimistic.etherscan.io
hxxp://api-holesky.etherscan.io
hxxp://api-optimistic.etherscan.io
hxxp://api-sepolia.basescan.org
hxxp://api-sepolia.etherscan.io
hxxp://api-testnet.bscscan.com
hxxp://api-testnet.polygonscan.com
hxxp://app.getbeamer.com/js/beamer-embed.js
hxxp://app.safe.global/images/social-share.png
hxxp://beaconcha.in
hxxp://bit.ly/3cXEKWf
hxxp://chat.safe.global
hxxp://client.blockaid.io
hxxp://cloudflare-eth.com/
hxxp://community.safe.global
hxxp://developer.mozilla.org/en-US/docs/Web/API/File_System_Access_API
hxxp://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
hxxp://docs.ethers.org/api-keys/
hxxp://docs.soliditylang.org/en/latest/cheatsheet.html
hxxp://fcmregistrations.googleapis.com/v1/projects/
hxxp://firebaseinstallations.googleapis.com/v1/projects/
hxxp://gasstation.polygon.technology/v2
hxxp://gasstation-testnet.polygon.technology/v2
hxxp://gateway.ipfs.io/ipfs/
hxxp://github.com/5afe/safe-cli
hxxp://github.com/date-fns/date-fns/blob/master/docs/unicodeTokens.md
hxxp://github.com/date-fns/date-fns/blob/master/docs/upgradeGuide.md#string-arguments
hxxp://github.com/ethers-io/ethers.js/issues/4537
hxxp://github.com/safe-global/safe-wallet-web
hxxp://help.safe.global
hxxp://help.safe.global/en/articles/145503-how-to-create-a-safe-app-with-safe-apps-sdk-and-list-it
hxxp://holesky.beaconcha.in
hxxp://links.ethers.org/v5-errors-
hxxp://mui.com/production-error/?code=
hxxp://nextjs.org/docs/app/api-reference/functions/unstable_cache
hxxp://nextjs.org/docs/app/api-reference/functions/use-search-params#updating-searchparams
hxxp://nextjs.org/docs/app/building-your-application/rendering/static-and-dynamic#dynamic-rendering
hxxp://nextjs.org/docs/messages/dynamic-server-error
hxxp://nextjs.org/docs/messages/next-dynamic-api-wrong-context
hxxp://nextjs.org/docs/messages/next-prerender-missing-suspense
hxxp://nextjs.org/docs/messages/next-request-in-use-cache
hxxp://nextjs.org/docs/messages/ppr-caught-error
hxxp://noteforms.com/forms/safe-feedback-form-hk16ds?notionforms=1&utm_source=notionforms
hxxp://npms.io/search?q=ponyfill
hxxp://polygon-rpc.com/
hxxp://redux.js.org/Errors?code=
hxxp://redux-toolkit.js.org/Errors?code=
hxxp://relay.gelato.digital/tasks/status
hxxp://rpc-amoy.polygon.technology/
hxxp://rsms.me/inter/font-files/InterVariable.woff2
hxxp://safe.mirror.xyz/rInLWZwD_sf7enjoFerj6FIzCYmVMGrrV8Nhg4THdwI
hxxp://safe.widget.kiln.fi/overview
hxxp://safe.widget.testnet.kiln.fi/overview
hxxp://safe-claiming-app-data.safe.global/allocations/
hxxp://safe-claiming-app-data.staging.5afe.dev/allocations/
hxxp://safe-client.safe.global
hxxp://safe-client.staging.5afe.dev
hxxp://safe-dao-governance.dev.5afe.dev
hxxp://safe-firebase-mainnet.firebaseio.com
hxxp://sentry.io
hxxp://simulation.safe.global
hxxp://spindl.link
hxxp://ssl.google-analytics.com
hxxp://status.safe.global
hxxp://third-party-cookies-check.gnosis-safe.com
hxxp://viem.sh
hxxp://google-analytics.com
hxxp://googletagmanager.com
hxxp://googletagmanager.com/gtm.js?id=

Sample Ethereum addresses found in the malicious Bybit UI spoofing JavaScript:

0x0100004124426fb9ebb25e27d670c068e52f9ba6
0x017062a1dE2FE6b99BE3d9d37841FeD19F573804
0x017e9a83d5513f503fb85274f4d1ad1811040d7c
0x0208282bd262360d0320862c5ac70f375f5ed3b9
0x03e69f7ce809e81687c69b19a7d7cca45b6d551f
0x064ddbf252714bcd4cb79f679e8c12df96d998ce
0x0a7CB434f96f65972D46A5c1A64a9654dC9959b2
0x0dFcccB95225ffB03c6FBB2559B530C2B7C8A912
0x0e4f7fc66550a322d1e7688e181b75e217e662a4
0x0f0bb9c13be3b595d6f0fde841d5247a96f7e315
0x12302fE9c02ff50939BaAaaf415fc226C078613C
0x1727c2c531cf966f902E5927b98490fDFb3b2b70
0x18c486b76cb76981360e96ca4f90fc745fde6a85
0x19c6876e978d9f128147439ac4cd9ea2582cd141
0x1Fb403834C911eB98d56E74F5182b0d64C3b3b4D
0x1d31F259eE307358a26dFb23EB365939E8641195
0x1db92e2eebc8e0c075a02bea49a2935bcd2dfcf4
0x1fe2df852ba3299d6534ef416eefa406e56ced99
0x2020dba91b30cc0006188af794c2fb30dd8520db
0x21842597390c4c6e3c1239e434a682b054bd9548
0x29a6194691f91a73715209ef6512e576722830a2
0x29fcB43b46531BcA003ddC8FCB67FFE91900C762
0x2ae2d1231f0d754a7fa4f5e5d0e5554085e1b500
0x2b3060c55fcb8275653e99ad511a71f67ba76934
0x2dd68b007B46fBe91B9A7c3EDa5A7a1063cB5b47
0x2f25df28caf984366ee584e13241707e85dcd5a6
0x2f55e8b20D0B9FEFA187AA7d00B6Cbe563605bF5
0x2f684bda12f684bda12f684bda12f684bda12f68
0x2f870a80647BbC554F3a0EBD093f11B4d2a7492A
0x337d7f54be11b6ed55fef7b667ea5488db53db83
0x34CfAC646f301356fAa8B21e94227e3583Fe3F5F
0x357147caf9C0cCa67DfA0CF5369318d8193c8407
0x38869bf66a61cF6bDB996A6aE40D5853Fd43B526
0x3E5c63644E683549055b9Be8653de26E0B4CD36E
0x3ac65dea3cc9dd0d7b7b800f834e3d73415b4e94
0x3c8acc1e7b08d8e76f9fda015ef48dc8c710a73c
0x3d4BA2E0884aa488718476ca2FB8Efc291A46199
0x3f8731abdd661adca08a5558f0f5d272e953d363
0x40A2aCCbd92BCA938b02010E17A5b8929b49130D
0x40c57923924b5c5c5455c48d93317139addac8fb
0x41675C099F32341bf84BFc5382aF534df5C7461a
0x4191E2e12E8BC5002424CE0c51f9947b02675a44
0x445a0683e494ea0c5AF3E83c5159fBE47Cf9e765
0x4Aa5Bf7D840aC607cb5BD3249e6Af6FC86C04897
0x4a204f620c8c5ccdca3fd54d003badd85ba50043
0x4bda12f684bda12f684bda12f684bda12f684bda
0x4e1DCf7AD4e460CfD30791CCC4F9c8a4f820ec67
0x50c3cdc4074750a7a974204a716c999edd37482f
0x525c754a46b79e05543a59bb61e8de3c9eee0d95
0x526643F69b81B008F46d95CD5ced5eC0edFFDaC6
0x534c328d23f234e6e2a413deca25caece4506144
0x551b7fdfd2dbcec4f785059e1ef6e0b40ca2e44d
0x55daa5d390d283edbc5fa835bd53befce45179c7
0x56b8be58b5ad629a621593a2e5e5e8e9a28408dc
0x59AD6735bCd8152B84860Cb256dD9e96b85F69Da
0x5aFE3855358E112B5647B952709E6165e1c1eEEe
0x60806040523480156200001157600080fd5b5060
0x63695Eee2c3141BDE314C5a6f89B98E62808d716
0x6484aa716545ca2cf3a70c3fa8fe337e0a3d2116
0x66712e1d9161706f826d8d74a3cc03db0289b253
0x6851D6fDFAfD08c0295C392436245E5bc78B0185
0x69f4D1788e39c87893C980c06EdF4b7f686e2938
0x6c9a6c4a39284e37ed1cf53d337577d14212a487
0x727a77a074D1E6c4530e814F89E618a3298FC044
0x75cf11467937ce3F2f357CE24ffc3DBF8fD5c226
0x76E2cFc1F5Fa8F6a5b3fC4c8F4788F0116861F9B
0x7a06534bb8bdb49fd5e9e6632722c2989467c1bf
0x7ae96a2b657c07106e64479eac3434e99cf04975
0x7c1091cf6f36b0140d5e2faf18c3be29fee42d97
0x7c6007a5d711cea8dfd5d91f5940ec29c7f200fe
0x7cbB62EaA69F79e6873cD1ecB2392971036cFAa4
0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0
0x8155d988823a4f6f1bcbc76a64af8e510c4ce688
0x81db0e4afdf5178583537b58c5ad403bd47a4ac7
0x828424517f9f04015db02169f4026d57b2b07229
0x84a375ad96ab395850d46cd601ed6354d3cf3fb6
0x8D29bE29923b68abfDD21e541b9374737B49cdAD
0x8EcD4ec46D4D2a6B64fE960B3D64e8B94B2234eb
0x8e38e38e38e38e38e38e38e38e38e38e38e38e38
0x919a9f5dd111a01f7a8e4b1f5c6a972bb2d1441c
0x91f82615581fc73b190b83d72e883608b25e392f
0x94a4F6affBd8975951142c3999aEAB7ecee555c2
0x96221423681a6d52e184d440a8efcebb105c7242
0x9641d764fc13c8B624c04430C7356C1C7C8102e2
0x98095337deb9718f4e5ccb1b25a53be5f5e00935
0x98FFBBF51bb33A056B08ddf711f289936AafF717
0x998739BFdAAdde7C933B942a68053933098f9EDa
0x9b35Af71d77eaf8d7e40252370304687390A1A52
0x9da86f7e32ef976bd442a8eeb353e16d683b53e3
0xA1dabEF33b3B82c7814B6D82A79e50F4AC44102B
0xA238CBeb142c10Ef7Ad8442C6D1f9E89e07e7761
0xA65387F16B013cf2Af4605Ad8aA5ec25a2cbA3a2
0xA86e0054C51E4894D88762a017ECc5E5235f5DBA
0xAA46724893dedD72658219405185Fb0Fc91e091C
0xB00ce5CCcdEf57e539ddcEd01DF43a13855d9910
0xB19D6FFc2182150F8Eb585b79D4ABcd7C5640A9d
0xBD89A1CE4DDe368FFAB0eC35506eEcE0b1fFdc54
0xC22834581EbC8527d974F8a1c97E1bEA4EF910BC
0xCFbFaC74C26F8647cBDb8c5caf80BB5b32E43134
0xDAec33641865E4651fB43181C6DB6f7232Ee91c2
0xF7488fFbe67327ac9f37D5F722d83Fc900852Fbf
0xa581c4A4DB7175302464fF3C06380BC3270b4037
0xa6B71E26C5e0845f74c812102Ca7114b6a896AB2
0xa83e7be2fa20c96dc9575e3937239d552f3831ea
0xa9865ac2d9c7a1591619b188c4d88167b50df6cc
0xb1073742015cbcf5a3a4d9d1ae33ecf619439710
0xb161ccb96b9b817F9bDf0048F212725128779DE9
0xb1f926978a0f44a2c0ec8fe822418ae969bd8c3f
0xb3fb9763869f2c09a2ac5a425d2dd6060bf7ef46
0xb6029EA3B2c51D09a50B53CA8012FeEB05bDa35A
0xbba688fbdb21ad2bb58bc320638b43d94e7d100f
0xc00d7921460cd5a05393e7772e634bd7d212f356
0xc2b78104907F722DABAc4C69f826a522B2754De4
0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046
0xcB8e5E438c5c2b45FbE17B02Ca9aF91509a8ad56
0xd16d9C09d13E9Cf77615771eADC5d51a1Ae92a26
0xd35771193d94918a9ca34ccbb7b640dd86cd4095
0xd53cd0aB83D845Ac265BE939c57F53AD838012c9
0xd5D82B6aDDc9027B22dCA772Aa68D5d74cdBdF44
0xd9Db270c1B5E3Bd161E8c8503c55cEABeE709552
0xd9aa004a59b3738a108e747e578ae409b84e9f3f
0xe1f1593df76e69abc2d692792c80f329457551d5
0xe2ca068330339d608367d83a0b25545efe39e619
0xe4e9b4d4c1e3ff06cd51afe0b51eb1b22c0bab51
0xecd5bd14a08c5d2122379900b2f272bdf107a7e9
0xedadc6f64383dc1df7c4b2d51b54225406d36b64
0xf220D3b4DFb23C4ade8C88E526C1353AbAcbC38F
0xf48f2B2d2a534e402487b3ee7C18c33Aec0Fe5e4
0xfF501B324DC6d78dC9F983f140B9211c3EdB4dc7
0xfF83F6335d8930cBad1c0D439A841f01888D9f69
0xfb1bffC9d739B8D520DaF37dF666da4C687191EA
0xfd0732Dc9E303f09fCEf3a7388Ad10A83459Ec99
