QI Quadriga Initiative

Feb 2025 - ByBit Multi-Sig Cold Wallet Not Cold Or Multi-Sig - $1.436173b (Global)

Bybit is a popular cryptocurrency exchange platform that offers a wide range of trading services, including spot trading, futures contracts, and derivatives. It caters to both individual and institutional traders with features like copy trading, automated trading bots, and the innovative Bybit Earn program for asset growth. Bybit also embraces Web3 technology, promising industry-leading security and reliability. The platform supports over 1,700 cryptocurrencies and is available in more than 160 countries. It offers a seamless experience across web and mobile apps, with advanced tools like AI-driven insights through TradeGPT, staking opportunities, and a variety of bonuses and rewards for new users. Bybit is committed to providing accessible and secure trading solutions for crypto enthusiasts globally.

While ByBit's wallet was technically cold, the front-ends that displayed transactions for signing ran on networked devices and could be tampered with. The hardware signing step did not compensate, because what it presented to the signers had already been manipulated upstream: according to Ben Zhou's statement in the sources below, every signer saw an interface showing the correct destination address while the transaction they actually approved was not the one displayed. A cold wallet whose approval path runs through a compromisable web interface is, in practice, a hot wallet.

While ByBit technically implemented a multi-signature requirement, the signers were not independent of one another. All signing devices operated on the same network and used the same wallet hardware and software, and every signer relied on the same front-end to learn what they were approving. Multi-sig only adds security when compromising one signer's path does not compromise the others; with identical processes, one manipulated interface defeated every signature at once, creating a single point of failure.

Therefore, ByBit's wallet failed on a fundamental level to be either cold or multi-sig in the sense that matters. As implemented, it was not meaningfully different from the hot wallets typically associated with large-scale breaches.

"SEAL's advisory on the DPRK threat pulls no punches. TraderTraitor (Lazarus Group's alias) begins their attacks with sophisticated social engineering, creating fake recruiter personas and reaching out over LinkedIn, Telegram, or Twitter.

They spend months performing reconnaissance, deploying malware like malicious Chrome extensions to modify trusted websites.

The Lazarus Group's playbook is ruthlessly efficient.

They first find targeted employees through social engineering, add private GitHub repository access to the victims through live chat tools, and trick users into running code containing backdoors."

"The keys backing the multisig were held on hardware wallets, controlled by distinct parties within each organization."

"The attackers may have had persistent access to ByBit's internal systems, monitoring operations and communications until the perfect moment arrived.

The most disturbing aspect? The attack succeeded because as soon as Ben Zhou signed, the attackers immediately executed the transaction themselves - not waiting for ByBit's systems to process it normally."

"Sophisticated hackers orchestrated a precision strike on the exchange, siphoning away 401,346 ETH ($1.11B), 90,375 stETH ($250.8M), 15,000 cmETH ($44M) and 8,000 mETH ($23.5M) in a matter of minutes."

"just hours after the hack, ZachXBT cracked the case wide open, solving Arkham Intel's bounty by linking the attack to the LAZARUS GROUP, North Korea's infamous state-sponsored hacking organization.

ZachXBT's submission was a masterpiece - analyzing test transactions, connected wallets, and timing analyses, and solving the bounty in a blistering four hours."

"the Lazarus Group isn't waiting around - they've already started moving the funds.

The next day, they transferred 5,000 ETH to a new address and began laundering it through eXch (a centralized mixer) while bridging funds to Bitcoin via Chainflip.

Some platforms like Tether managed to freeze 181,000 USDT, but it's a drop in the ocean of stolen assets."

ByBit has created a $140m bounty for the recovery of the funds. It is unclear whether any funds will be recoverable, given that the attack has been attributed to North Korea's state-sponsored Lazarus Group.

Further Analysis

Bybit is a popular cryptocurrency exchange offering services like spot trading, futures contracts, and derivatives. The platform supports over 1,700 cryptocurrencies and operates in 160+ countries, emphasizing Web3 technology and robust security. Bybit's security failed when the Lazarus Group manipulated the interface its signers used to approve a transfer from the cold wallet. Because every signer relied on the same compromisable front-end, the multi-signature cold wallet behaved like a hot wallet. The attack resulted in the theft of about $1.43B in ETH and ETH-denominated liquid staking tokens (stETH, cmETH and mETH), which the attackers began laundering within a day. The hunt for any possible asset recovery is ongoing. ByBit has covered all losses for their customers.

How Could This Have Been Prevented?

The failures described above point directly at the controls that were missing. Signers should confirm what they are approving through a path the web front-end cannot influence, for example by recomputing the transaction hash offline from the agreed parameters and comparing it with the hash shown on the hardware device, instead of trusting the destination address rendered in a browser. Each signer should operate on separate networks, devices and software, so that one manipulated interface cannot show every key holder the same false view; that independence is what makes several signatures worth more than one.


Sources/Further Reading

ByBit Rekt Article
Ether theft transaction
Ben Zhou - "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss." - Twitter/X
BitMEX Research - "Seems that around 75% of @Bybit_Official ETH user deposits have been stolen" - Twitter/X
ZachXBT Investigation On Telegram
Wallet Address Of Exploiter - Etherscan
The Compromised ByBit Wallet - Etherscan
Ben Zhou - "Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe..." - Twitter/X
ZachXBT - "At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP." - Twitter/X
MissionGains - "I submitted the information first, and even replied in your comments" - Twitter/X
Rekt - Not So Safe
SlowMist - https://x.com/SlowMist_Team/status/1892963250385592345

