$1.4 Billion in Crypto Stolen
#176 - Bybit, A UAE based crypto exchange falls prey to 'advanced' attack
It’s probably the world’s biggest money heist
North Korean Lazarus group is the prime suspect for this breach
On the 21st of February, Bybit, a crypto exchange based in Dubai, UAE, reported ‘unauthorized activity’ involving one of their cold wallets. This eventually turned out to be a $1.4 billion heist. Here is what Bybit wrote in their post on X:
Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address. Our security team, alongside leading blockchain forensic experts and partners, is actively investigating the incident. Any teams with expertise in blockchain analytics and fund recovery who can assist in tracing these assets are welcome to collaborate with us. We want to assure our users and partners that all other Bybit cold wallets remain fully secure. All client funds are safe, and our operations continue as usual without any disruption. Transparency and security remain our top priorities, and we will provide updates asap
There is a lot to unravel here.
Bybit’s ETH multisig cold wallet was breached.
What’s an ETH multisig cold wallet?
ETH - This stands for ‘Ether’, the cryptocurrency of the Ethereum blockchain.
Wallet - A place where all cryptocurrency is stored.
Now that the easy part is done…
Cold - A cold wallet is an offline wallet. Technically, a wallet is nothing but a place to store your private key. This can be printed on a piece of paper, or it can be stored with your cloud service provider, or it can be a hardware token. The key point for a cold wallet is that the private key is kept offline.
multisig - Geek talk for “multiple signature”. This means it requires multiple signatures, i.e. multiple private keys, to authorize a transaction from the wallet.
Armed with that knowledge, if we try to figure out what Bybit said, it would be this:
Bybit was transferring ETH from their cold wallet to their warm wallet, and during that transfer the hackers were able to “mask the signing interface” (display a 🎣 phishing page 😏). This “masking of the signing interface” showed the signers the transaction they expected to see, while the transaction they actually signed stole the crypto at the back end.
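The defence against a masked signing interface is to check the raw bytes you are about to sign against what the screen shows, ideally on a separate device. The following added example (my own, not Bybit's code) models a signer doing exactly that for an ERC-20 transfer: it decodes the calldata, compares it with the UI summary, and flags a payload that carries the expected address but a different function. The addresses, amounts and the "masked" selector are constructed; only the transfer(address,uint256) selector a9059cbb is real.

```python
"""Independent check of a multisig signing request: compare what the signing
interface displays with what the raw transaction bytes actually encode.
Constructed example; addresses, values and the masked selector are made up."""
import hashlib

# Real 4-byte selector of the ERC-20 function transfer(address,uint256)
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
# Constructed selector standing in for "some other contract function"
MASKED_SELECTOR = bytes.fromhex("00000000")

# Constructed wallet address (20 bytes), not a real wallet
WARM_WALLET = "0x" + "ab" * 20


def encode_call(selector: bytes, to: str, value: int) -> bytes:
    """ABI-encode a (selector, address, uint256) call; used to build sample inputs."""
    addr_word = bytes.fromhex(to[2:]).rjust(32, b"\x00")
    return selector + addr_word + value.to_bytes(32, "big")


def decode_call(calldata: bytes) -> dict:
    """Parse selector, address word and value word out of raw calldata."""
    if len(calldata) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length")
    return {
        "selector": calldata[:4],
        "to": "0x" + calldata[16:36].hex(),      # address is the low 20 bytes of word 1
        "value": int.from_bytes(calldata[36:68], "big"),
    }


def payload_digest(calldata: bytes) -> str:
    """Digest a signer can read out and compare on an independent device."""
    return hashlib.sha256(calldata).hexdigest()


def check_signing_request(displayed: dict, calldata: bytes) -> list:
    """Return discrepancies between the UI summary and the bytes; [] means they match."""
    actual = decode_call(calldata)
    problems = []
    if actual["selector"] != TRANSFER_SELECTOR:
        problems.append(f"selector {actual['selector'].hex()} is not a plain transfer")
    if actual["to"].lower() != displayed["to"].lower():
        problems.append(f"recipient {actual['to']} differs from displayed {displayed['to']}")
    if actual["value"] != displayed["value"]:
        problems.append(f"value {actual['value']} differs from displayed {displayed['value']}")
    return problems


DISPLAYED = {"to": WARM_WALLET, "value": 1000}            # what the UI shows the signer
HONEST_CALLDATA = encode_call(TRANSFER_SELECTOR, WARM_WALLET, 1000)
MASKED_CALLDATA = encode_call(MASKED_SELECTOR, WARM_WALLET, 1000)  # right address, wrong logic
```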
What happened after was even more intriguing. In financial terms it’s called a ‘run on the bank’ 💸, where people lose confidence in a bank and start withdrawing all their money together. Since the bank never keeps all its money together, it is not able to return it as fast as people are expecting and that causes more loss of confidence. A similar run happened on Bybit. However, withdrawals were slow. To Bybit’s credit, they were able to restore withdrawals to normal in a day’s time.
Bybit has promised a detailed incident report in the next few days. I will be keeping an eye out for it.
▶️ Take Action:
There are a few learnings here:
✅ Security is always people + process + technology. Miss one of these and you are likely to suffer the consequences. Having a cold multisig wallet does not by itself ensure that your crypto is safe. Having a cold multisig wallet + a clearly defined process for moving crypto from one wallet to another + people who are trained and aware of the enormity of their task and the targeted nature of their role is what keeps your crypto safe. And this applies to all of cybersecurity. We have all come across complex Zero Trust Network Architecture implementations where, due to the lack of user access reviews, breaches have occurred.
✅ Responding to incidents is not just fixing the breach and going back to your “last known good configuration”. There are various business consequences that should be identified and analyzed. Bybit did a good job with their incident response. Check whether your business has the right incident response plan in place. It’s also popularly known as “Cyber Crisis Management Planning” or CCMP.