Incident Score: Analysis & Impact (MARBYBCRO1777746530)
The details regarding individual company incidents & reports gives you full view from every side.
Rankiteo Score Impact Analysis
Key Highlights From The Incident Analysis
- Timeline of Bybit's Cyber Attack and lateral movement inside company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo’s incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts Bybit Rankiteo cyber scoring and cyber rating.
- Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the Bybit breach identified under incident ID MARBYBCRO1777746530.
The analysis begins with a detailed overview of Bybit's information like the linkedin page: https://www.linkedin.com/company/bybitexchange, the number of followers: 478409, the industry type: Financial Services and the number of employees: 2768 employees
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 692 and after the incident was 638 with a difference of -54 which is could be a good indicator of the severity and impact of the incident.
In the next step of the video, we will analyze in more details the incident and the impact it had on Bybit and their customers.
Marks & Spencer recently reported "AI-Powered Cyber Threats and Major Cyber Incidents (2025-2026)", a noteworthy cybersecurity incident.
The rapid adoption of artificial intelligence (AI) has escalated cyber threats, enabling more sophisticated, automated, and damaging attacks.
The disruption is felt across the environment, affecting 8.5 million Windows systems (CrowdStrike outage), Major operating systems and browsers (Claude Mythos vulnerabilities) and IT help desk systems (Marks & Spencer), and exposing Material data losses (66% of CISOs in 2025), Personally Identifiable Information (PII) and Corporate Credentials, plus an estimated financial loss of ['$10.5 trillion (global cybercrime costs in 2025)', '$15.6 trillion (projected by 2029)', '£300 million (Marks & Spencer lost profits)', '$1.5 billion (ByBit cryptocurrency theft)'].
In response, and began remediation that includes AI-driven vulnerability patching (Project Glasswing), Zero-trust architecture adoption and Supply chain scrutiny.
The case underscores how teams are taking away lessons such as AI lowers the barrier for cybercriminals, enabling faster and more automated attacks, Legitimate identity abuse and supply chain risks are critical vulnerabilities and Human error remains a persistent weak point in cybersecurity, and recommending next steps like Adopt zero-trust architecture and treat identity systems as critical infrastructure, Scrutinize supply chains with breach notifications, AI usage disclosures, and liability clauses in contracts and Leverage AI for vulnerability detection while maintaining human oversight.
Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
MITRE ATT&CK® Correlation Analysis
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing (T1566) with moderate to high confidence (80%), supported by evidence indicating exploited IT help desk workers through social engineering (Marks & Spencer), Exploit Public-Facing Application (T1190) with moderate to high confidence (70%), supported by evidence indicating 40% of initial breaches originated from internet-facing systems, and Supply Chain Compromise (T1195) with high confidence (90%), supported by evidence indicating byBit $1.5B theft via trojanized software; 30% of breaches involved third parties. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with moderate to high confidence (70%), supported by evidence indicating trojanized software distributed in ByBit supply-chain compromise and Command and Scripting Interpreter (T1059) with moderate confidence (60%), supported by evidence indicating aI-driven adversary activity increased 89% YoY (CrowdStrike). Under the Persistence tactic, the analysis identified Valid Accounts (T1078) with high confidence (90%), supported by evidence indicating 82% of intrusions involved no malware, relied on stolen credentials. Under the Privilege Escalation tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (80%), supported by evidence indicating legitimate identity abuse used to blend into normal activity. Under the Defense Evasion tactic, the analysis identified Valid Accounts (T1078) with high confidence (90%), supported by evidence indicating 82% of intrusions involved no malware, used trusted systems and Code Signing (T1553.002) with moderate to high confidence (70%), supported by evidence indicating trojanized software in supply-chain compromise (ByBit). Under the Credential Access tactic, the analysis identified Credentials In Files (T1552.001) with moderate to high confidence (70%), supported by evidence indicating stolen credentials used in 82% of intrusions (CrowdStrike) and Brute Force (T1110) with moderate confidence (60%), supported by evidence indicating aI-driven attacks automate credential abuse (CrowdStrike). Under the Discovery tactic, the analysis identified Account Discovery (T1087) with moderate to high confidence (70%), supported by evidence indicating aI-driven attacks enable faster reconnaissance (breakout time such as 29 mins). Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (70%), supported by evidence indicating legitimate credentials used to move laterally (82% of intrusions). Under the Collection tactic, the analysis identified Data from Local System (T1005) with moderate to high confidence (80%), supported by evidence indicating material data losses reported by 66% of CISOs (Proofpoint) and Data from Information Repositories (T1213) with moderate to high confidence (70%), supported by evidence indicating pII and corporate credentials compromised (Marks & Spencer). Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data exfiltration achieved in as little as four minutes (CrowdStrike) and Transfer Data to Cloud Account (T1537) with moderate to high confidence (70%), supported by evidence indicating $1.5B cryptocurrency theft (ByBit). Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate confidence (60%), supported by evidence indicating ransomware median demand increased 368% to $60K (2026), Endpoint Denial of Service (T1499) with moderate to high confidence (80%), supported by evidence indicating crowdStrike outage affected 8.5M Windows systems globally, and Data Destruction (T1485) with moderate confidence (50%), supported by evidence indicating aI-driven attacks enable automated destructive payloads. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
Sources & References
- Bybit Rankiteo Cyber Incident Details: https://www.rankiteo.com/company/bybitexchange/incident/MARBYBCRO1777746530
- Bybit CyberSecurity Rating page: https://www.rankiteo.com/company/bybitexchange
- Bybit Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/marbybcro1777746530-bybit-crowdstrike-marks-spencer-cyber-attack-april-2026/
- Bybit CyberSecurity Score History: https://www.rankiteo.com/company/bybitexchange/history
- Bybit CyberSecurity Incident Source: https://www.ft.com/content/25471824-4c63-4644-9d29-0e548087ca05
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/Images/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://static.rankiteo.com/model/rankiteo_tprm_methodology.pdf