Last Friday, Bybit, a major cryptocurrency exchange, was the victim of a cyberattack. A hacker managed to steal $1.46 billion in Ether (ETH) belonging to the exchange's customers. In fact, three-quarters of the ethers deposited by users were stolen.
A record hack for crypto
It's the "largest crypto theft of all time", points out Tom Robinson of the security firm Elliptic. The previous record dates back to 2022, when cybercriminals stole $624 million from Ronin Network. As Bybit CEO Ben Zhou explains, the attackers managed to compromise a "multisig cold wallet" used by the company. Bybit was cautious and stored some of its funds in a cold wallet, precisely in the hope of protecting itself from hackers. The exchange had also set up a multi-signature system. Bybit accounts require the approval of several entities to validate a transaction. Cryptocurrencies can only be transferred if all parties agree. Unfortunately, the hackers managed to abuse a planned transfer between the cold wallet, which is not connected to the Internet, and another wallet under the control of the exchange.
The individuals who were supposed to sign the transaction were manipulated. The Bybit team believed they were validating a simple transfer between their own wallets. In reality, they were signing a transaction that modified the cold wallet's smart contract, allowing the hacker to take control of it and empty the funds. Ultimately, the funds were transferred to blockchain addresses held by the hackers. In detail, the hackers sent the money to nearly 50 different addresses, hoping to cover their tracks. This is what specialized researcher ZachXBT discovered by consulting the blockchain. Bybit specifies that its internal systems were not compromised; the hack only affected the wallet storing its ethers.
Wave of withdrawals on Bybit
Despite this major hack, Bybit remains able to reimburse all its users. The group's boss indicates that Bybit remains "solvent even if this loss due to the hack is not recovered, all customer assets are guaranteed at a ratio of 1:1, and we are able to absorb this loss". Several blockchain experts were able to confirm that the exchange did indeed have the funds to cover the loss.
Nevertheless, Bybit announced the temporary suspension of ether deposits. Withdrawals, however, remained open throughout the incident. Unsurprisingly, the exchange saw an explosion in withdrawal requests in the wake of the hack. Many investors, fearing for their assets, attempted to withdraw their cryptocurrencies. The platform saw a transaction volume a hundred times higher than normal, which slowed down the processing of requests, especially for large withdrawals. Enhanced security checks will also be put in place. According to Ben Zhou, "Bybit has seen a record number of withdrawals, with over 350,000 requests in total". As of today, "there are about 2,100 left to process". In total, "99.994% of withdrawals have already been made". Shortly after, all requests had been processed, as Ben Zhou was pleased to announce:
In this complicated context, Bybit received help from several other cryptocurrency giants, starting with Binance. Several industry giants offered a myriad of crypto loans to Bybit in order to quickly compensate for the loss of crypto. Thanks to these loans, Bybit was able to fill the gaping hole left by cybercriminals over the weekend.
A Lazarus hit
It soon became clear that the attack was orchestrated by Lazarus, a gang of hackers funded by North Korea. For years, these cybercriminals have been stealing mountains of crypto assets on the orders of the North Korean government. They are notably behind the hack of the Ronin Network mentioned a little earlier. According to blockchain researchers at Arkham Intelligence, there is irrefutable evidence that the theft was indeed perpetrated by Lazarus, which has become an expert in the field. In a typical year, the gang steals more than a billion dollars in cryptocurrencies.
Throughout the weekend, Lazarus cybercriminals worked hard to launder the stolen funds and disappear from the radar. First, "the stolen funds were sent to a master wallet, which then redistributed them to over 40 wallets," Nansen told CoinDesk. The attackers "converted all stETH, cmETH, and mETH into ETH, then transferred the ETH in $27 million increments to over 10 other wallets." The Lazarus hackers have a wealth of expertise in laundering their loot. Over the years, they have developed several tactics to cover their tracks and outrun the authorities. They use several mixing services, which blend assets together so that they become difficult to track. The latest news is that the hackers still have $500 million to transfer.