Bybit lost about $1.5 billion in the biggest theft in crypto history. How did North Korean hackers do it?

Reprinted from panewslab
02/22/2025 · Author | Wu Shuo Blockchain
On the evening of February 21, Beijing time, on-chain detective ZachXBT was the first to disclose that he had observed suspicious outflows of more than US$1.46 billion from Bybit, with the mETH and stETH involved being swapped for ETH on DEXs. This is now confirmed as the largest theft in cryptocurrency history (by the value at the time it was stolen).
Conor Grogan, a director at Coinbase, said North Korea's hack of Bybit was the largest hacker theft ever (larger than the roughly $1 billion Iraqi Central Bank robbery) and about 10 times the amount taken in the 2016 DAO hack (though the DAO hack was a far larger share of supply). He expected some calls for an Ethereum fork to appear. (Amounts are calculated at the value at the time of the theft.)
Arkham tweeted that on-chain analyst ZachXBT had provided solid evidence that Bybit's $1.5 billion hack was carried out by the North Korea-backed Lazarus Group. His submission includes a detailed analysis of test transactions, associated wallets, forensic charts and timing analysis. The relevant information has been shared with Bybit to assist its investigation.
Bybit CEO Ben Zhou tweeted that about an hour earlier, Bybit's ETH multi-signature cold wallet had made a transfer to the hot wallet. The transaction appears to have been forged: all signers saw a spoofed UI that showed the correct address, with the URL coming from Safe, but what they actually signed changed the smart contract logic of the ETH cold wallet. This let the hacker take control of the specific ETH cold wallet that was signed for and transfer all of its ETH to an unidentified address. He asked users to rest assured that all other cold wallets are secure and all withdrawals are normal, said he would keep everyone updated as things progress, and added that help from any team able to track the stolen funds would be appreciated. Bybit's hot wallets, warm wallets and all other cold wallets are fine; the only wallet that was hacked is the ETH cold wallet. All withdrawals are normal.
Bybit's official Twitter account said Bybit had detected unauthorized activity involving one of its ETH cold wallets. At the time of the incident, its ETH multi-signature cold wallet performed a transfer to the hot wallet. Unfortunately, the transaction was manipulated by a sophisticated attack that masked the signing interface, displayed the correct address, and changed the underlying smart contract logic. As a result, the attacker was able to take control of the affected ETH cold wallet and transfer its assets to an unidentified address. Bybit's security team is working with leading blockchain forensics experts and partners to actively investigate the incident, and any team with expertise in blockchain analytics and fund recovery that can assist in tracking the assets is welcome to work with them. Bybit assured users and partners that all other Bybit cold wallets are completely secure, all customer funds are safe, and operations will continue as usual without interruption. Transparency and security remain its top priorities and it will provide updates as soon as possible.
Bybit said all other Bybit cold wallets are secure and customer funds are unaffected. It understands that the situation has led to a surge in withdrawal requests; while such high volume may cause delays, all withdrawals are being processed normally. Bybit has enough assets to cover the loss, with assets under management of over $20 billion, and will use bridge loans where necessary to ensure the availability of user funds.
Coinbase director Conor Grogan tweeted that Binance and Bitget had just deposited more than 50,000 ETH directly into Bybit's cold wallet, with Bitget's deposit particularly eye-catching at one quarter of all the ETH on that exchange. Since the deposit address was bypassed, the funds were obviously coordinated with Bybit. Bybit CEO Ben Zhou said: thank you to Bitget for lending a helping hand at this moment; we are communicating with several other partners. This fund has nothing to do with Binance.
Bitget CEO Gracy said Bybit is a respected competitor and partner. Although this loss is huge, it amounts to about a year of Bybit's profit, and she believes customer funds are 100% safe, with no need to panic or run. Gracy added that the assets lent to Bybit were Bitget's own, not users'.
The SlowMist team posted some additional details: the attacker first deployed a malicious implementation contract, then had three owners sign a transaction that replaced the Safe implementation contract with the malicious one, and used backdoor functions in the malicious contract to drain the wallet's funds.
Dilation Effect's analysis noted that, unlike earlier similar incidents, the Bybit attack only needed to get one signature through to succeed, because the attacker used a social engineering technique. Analysis of the on-chain transaction shows that the attacker executed a transfer function of a malicious contract via delegatecall; the transfer code uses the SSTORE instruction to modify the value at storage slot 0, thereby changing the implementation address of the Bybit cold wallet's multi-sig contract to the attacker's address. The attacker only needs to compromise the person or device that initiates this multi-sig transaction: when the reviewers see a "transfer", their vigilance drops sharply, because an ordinary person who sees a transfer assumes it is a transfer, not realizing that it actually changes the contract.
Chainlink data shows that after the Bybit incident was disclosed, USDe briefly fell to $0.965 before recovering to $0.99. Bybit accepts USDe as collateral for trading perpetual contracts on all assets in its UTA. ethena_labs posted that it has been following what is happening at Bybit and will continue to monitor progress. All spot assets backing USDe are held in off-exchange custody solutions, including with Bybit via Copper Clearloop; no spot assets are currently held on any exchange. The unrealized PnL associated with Bybit hedging positions totals less than $30 million, less than half of the reserve fund. USDe remains over-collateralized, and updates will be provided as new information arrives.
Binance co-founder CZ replied that this is not an easy situation, suggested that suspending all withdrawals might be a standard security precaution, and offered any assistance needed. He Yi also expressed her willingness to help.
Safe's security team responded that it is working closely with Bybit on an ongoing investigation. No evidence has been found that the official Safe front-end was compromised, but out of caution Safe Wallet has temporarily suspended certain features. SlowMist's Cos said that, as in the earlier Radiant Capital case, the funds may have been stolen by North Korean hackers. Radiant Capital had said that the $50 million attack it suffered in October was linked to North Korean hackers and involved sophisticated identity forgery and multi-stage phishing: the attacker posed as a former contractor and obtained sensitive credentials through social engineering, then broke into the protocol's systems to carry out the attack.
Security analysts believe this resembles the WazirX and Radiant incidents: the signer's computer or an intermediate interface was compromised. The possible causes of the attack are as follows:
- The hacker implanted malware in a signer's computer or browser that swapped the transaction for a malicious one before sending it to the hardware wallet. This malware could sit at any layer of the stack (e.g., a malicious browser extension, the wallet communication path, ...).
- The Safe interface was compromised so that it displayed one transaction but sent a different one to the wallet. The end result is that the signer saw an innocent transaction in the Safe interface while the malicious transaction was actually sent to their wallet. This cannot be confirmed until the full post-incident analysis is released.
OneKey said the hacker had most likely already confirmed that Bybit's three multi-signature computers were compromised and that the conditions for an attack were in place, and then waited for the operators to act. When the multi-sig staff carried out a routine signing operation such as a daily transfer, the hacker replaced the content being signed. The staff looked at the web page and believed it was a normal transaction such as a transfer, not knowing it had been changed into a transaction that "upgrades the Safe contract to a previously deployed malicious contract". And so the tragedy happened: with a backdoored malicious contract in place, the hackers easily withdrew all the funds.
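As an added example (not from the article, nor from Bybit, Safe or any analyst quoted in it), here is a signer-side check in Python that decodes a Safe execTransaction call from its raw calldata and flags the pattern the Dilation Effect and OneKey analyses describe: a transaction that reads as a "transfer" but is executed as a delegatecall against a contract nobody reviewed. The two function selectors are the real Safe and ERC20 ones; every address and amount below is a constructed sample.

```python
# Added example, not code from the article or from any party quoted in it.
# It decodes a Safe execTransaction call straight from its bytes so a signer can
# check to/value/data/operation independently of the web UI. Selectors are the
# real Safe and ERC20 ones; every address and amount below is a constructed sample.
SAFE_EXEC_TRANSACTION = bytes.fromhex("6a761202")  # execTransaction(...) selector
ERC20_TRANSFER = bytes.fromhex("a9059cbb")         # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1                          # Safe "operation" values

def _w(n: int) -> bytes:
    return n.to_bytes(32, "big")                   # one 32-byte ABI word

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build execTransaction calldata; gas/refund fields are zero, signatures empty."""
    padded = data + b"\x00" * (-len(data) % 32)
    data_off = 10 * 32                    # the head is 10 static words
    sig_off = data_off + 32 + len(padded) # bytes = length word + padded body
    head = _w(int(to, 16)) + _w(value) + _w(data_off) + _w(operation) + _w(0) * 5 + _w(sig_off)
    return SAFE_EXEC_TRANSACTION + head + _w(len(data)) + padded + _w(0)

def decode_exec_transaction(calldata: bytes) -> dict:
    """Recover the fields the signer is really approving, ignoring what any UI shows."""
    if calldata[:4] != SAFE_EXEC_TRANSACTION:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]
    head = [int.from_bytes(body[32 * i:32 * (i + 1)], "big") for i in range(10)]
    data_off = head[2]
    data_len = int.from_bytes(body[data_off:data_off + 32], "big")
    return {"to": "0x" + _w(head[0])[12:].hex(), "value": head[1],
            "data": body[data_off + 32:data_off + 32 + data_len], "operation": head[3]}

def review(tx: dict, trusted_targets: set) -> list:
    """Red flags for the pattern above: a 'transfer' that is really a delegatecall."""
    flags = []
    if tx["operation"] == DELEGATECALL:
        flags.append("DELEGATECALL: the target's code runs inside the Safe's own storage "
                     "and can overwrite slot 0, the proxy's implementation address")
    if tx["data"][:4] == ERC20_TRANSFER and tx["operation"] != CALL:
        flags.append("looks like an ERC20 transfer but is not executed as a plain CALL")
    if tx["to"].lower() not in trusted_targets:
        flags.append("target " + tx["to"] + " is not on the reviewed contract list")
    return flags

# Constructed sample values (not real addresses): a token, a recipient, and a
# stand-in for the attacker's implementation contract.
TOKEN, RECIPIENT, ROGUE = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
TRANSFER_DATA = ERC20_TRANSFER + _w(int(RECIPIENT, 16)) + _w(10**6)
BENIGN = encode_exec_transaction(TOKEN, 0, TRANSFER_DATA, CALL)             # what the UI showed
MALICIOUS = encode_exec_transaction(ROGUE, 0, TRANSFER_DATA, DELEGATECALL)  # what was actually signed
FLAGS = review(decode_exec_transaction(MALICIOUS), {TOKEN})                 # three red flags; BENIGN yields none
```

The check is deliberately independent of the front-end: it reads only the bytes that reach the signing device, which is the one place a spoofed Safe UI cannot reach.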
Bybit said it would not buy ETH immediately but would instead rely on partners for bridge loans. It will ensure that all users can withdraw, but since traffic is 100 times normal it will take some time to process, and large withdrawals require some risk confirmation.
Dilation Effect pointed out that ordinary hardware wallets combined with the Safe multi-sig mechanism can no longer meet the security management needs of large funds. If an attacker is patient enough to compromise multiple signing parties, nothing else in the entire process further guarantees security. Large funds must be managed with an institution-grade custody solution.
According to DeFiLlama data, Bybit's total outflow over the past 24 hours was $2.399 billion, including the hacked funds. The platform's verified assets currently exceed US$14 billion, of which Bitcoin and USDT account for nearly 70%. Bybit's announcement stated that the case has been reported to the relevant authorities and that updates will follow once more information is obtained. In addition, collaboration with on-chain analytics providers has helped identify and isolate the relevant addresses, aiming to reduce the attackers' ability to dispose of the ETH through legitimate markets.
This event may spark discussion of an Ethereum fork. Conor Grogan said that while he considers calls for a fork too radical, a real debate on the issue is to be expected. Arthur Hayes said that, as an investor holding a large amount of Ethereum, he believes Ethereum has not been "money" since the 2016 DAO hack. He said he would support the decision if the community chose to roll back again, because in 2016 the community had already voted against immutability, so why not do it again?