
Bybit hack, the largest theft in crypto history, with about $1.5 billion stolen: how did North Korean hackers do it?

On-chain analyst ZachXBT provided conclusive evidence that the $1.5 billion hack of Bybit was carried out by the North Korean-backed hacking group Lazarus Group.

Author | Wu Blockchain

On the evening of February 21, Beijing time, on-chain investigator ZachXBT was the first to disclose that he had observed more than US$1.46 billion in suspicious funds flowing out of Bybit, with mETH and stETH being swapped for ETH on DEXs at the time. This makes it the largest theft in the history of cryptocurrency (based on the value at the time).

Coinbase director Conor Grogan said the North Korean attack on Bybit was the largest heist in history (exceeding the roughly US$1 billion Central Bank of Iraq theft) and about 10 times the amount of the 2016 DAO hack (though the DAO hack took a far larger share of supply). He expects some calls for an Ethereum fork. (Amounts are calculated at the value at the time of theft.)

Arkham tweeted that on-chain analyst ZachXBT provided conclusive evidence that the $1.5 billion hack of Bybit was carried out by the North Korea-backed hacking group Lazarus Group. His submission included a detailed analysis of test transactions, linked wallets, forensic charts and timing analysis. The information has been shared with Bybit to assist its investigation.

Bybit CEO Ben Zhou tweeted that about an hour earlier, Bybit's ETH multisig cold wallet had made a transfer to the hot wallet. It appears the transaction was manipulated: all signers saw a spoofed UI showing the correct address and the Safe URL, but what was actually signed changed the smart contract logic of the ETH cold wallet. This let the hacker take control of that specific ETH cold wallet and transfer all of its ETH to an unidentified address. He asked users to rest assured that all other cold wallets are safe and all withdrawals are normal, said he would keep everyone informed, and added that Bybit would be very grateful to any team that can help track the stolen funds. Bybit's hot wallets, warm wallets and all other cold wallets are fine; the only wallet hacked is the ETH cold wallet.

Bybit's official Twitter account stated that Bybit detected unauthorized activity involving one of its ETH cold wallets. At the time of the incident, the ETH multisig cold wallet was performing a transfer to the hot wallet. Unfortunately, the transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while changing the underlying smart contract logic. As a result, the attacker was able to take control of the affected ETH cold wallet and transfer its assets to an unidentified address. Bybit's security team is actively investigating the incident with leading blockchain forensics experts and partners, and any team with expertise in blockchain analysis and fund recovery that can assist in tracking the assets is welcome to work with them. Bybit reassured users and partners that all other Bybit cold wallets are completely secure, all customer funds are safe, and operations continue as usual without interruption. Transparency and security remain its top priorities, and updates will be provided as soon as possible.

Bybit said all its other cold wallets are safe and customer funds are unaffected. It acknowledged that the situation has led to a surge in withdrawal requests and that the high volume may cause delays, but all withdrawals are being processed normally. Bybit has enough assets to cover the loss, with more than $20 billion in assets under management, and will use bridge loans where necessary to ensure user funds remain available.

Coinbase director Conor Grogan tweeted that Binance and Bitget had just deposited more than 50,000 ETH directly into Bybit's cold wallet, with Bitget's deposit particularly striking, amounting to a quarter of all ETH on that exchange. Because the funds bypassed deposit addresses, they were apparently coordinated by Bybit itself. Bybit CEO Ben Zhou said: thank you to Bitget for lending a hand at this moment; we are in communication with Binance and several other partners. These funds have nothing to do with Binance officially.

Bitget CEO Gracy said that Bybit is a respectable competitor and partner. Although the loss is huge, it amounts to only about one year of their profit, so she believes customer funds are 100% safe and there is no need to panic or rush to withdraw. Gracy added that what Bitget lent to Bybit was Bitget's own assets, not users' assets.

The SlowMist team posted some additional details. The attacker first deployed a malicious implementation contract. The attacker then had the transaction signed by three owners, replacing the Safe's implementation contract with the malicious contract, and used the backdoor functions sweepETH and sweepERC20 in the malicious contract to drain the hot wallet funds.

Dilation Effect's analysis pointed out that, compared with earlier similar incidents, only one signer needed to be compromised to complete the Bybit attack, because the attacker used a social engineering approach. Looking at the on-chain transactions, the attacker executed the transfer function of a malicious contract via delegatecall. That transfer code uses the SSTORE instruction to modify the value of slot 0, thereby changing the implementation address of Bybit's cold wallet multisig contract to an attacker-controlled address. The attacker only needed to compromise the person or device that initiated the multisig transaction; when the other reviewers later saw what looked like a transfer, their vigilance dropped sharply. A normal person sees a transfer and assumes it is a transfer; who would know it was actually a contract upgrade?

Chainlink data shows that after the Bybit incident was disclosed, USDe briefly dropped to $0.965 before recovering to $0.99. Bybit integrates USDe perpetual contracts that can be used as collateral to trade all assets in the exchange's UTA. Ethena_labs issued a statement saying it is aware of what is happening at Bybit and will continue to monitor developments. All spot assets backing USDe are held in off-exchange custody solutions, including an arrangement with Bybit via Copper ClearLoop, and no spot assets are currently deposited on any exchange. The total unrealized PnL on hedging positions associated with Bybit was less than $30 million, less than half of the reserve fund. USDe remains over-collateralized, and Ethena will provide updates as new information emerges.

Binance co-founder CZ responded that this is not an easy situation to handle, that he would suggest suspending all withdrawals as a standard security precaution, and that Binance would provide any assistance needed. He Yi also expressed her willingness to help.

Safe's security team responded that it is working closely with Bybit on the ongoing investigation. No evidence has been found that the official Safe front-end was compromised, but out of caution Safe Wallet has temporarily suspended certain functions. SlowMist's Cos said that, similar to the earlier Radiant Capital case, this may also have been the work of North Korean hackers. Radiant Capital said it suffered a $50 million attack in October tied to a North Korean hacking group that involved elaborate identity forgery and multi-stage phishing. The attacker impersonated a former contractor and used social engineering to obtain sensitive credentials, thereby gaining access to the protocol's systems to carry out the attack.

Security analysts believe this resembles the WazirX and Radiant incidents, in which a signer's computer or an intermediate interface was compromised. The likely mechanism is as follows: the hacker planted malware on the signer's computer or browser that swapped the intended transaction for a malicious one before it was sent to the hardware wallet. That malware could sit anywhere in the stack (a malicious extension, the wallet communication layer, and so on). The signing interface itself was compromised: it displayed one transaction but sent a different one to the wallet. The end result was that the signer saw an innocuous transaction in the interface while the malicious transaction was what actually reached their wallet. None of this can be confirmed until a full post-mortem is published.

OneKey said it is highly likely the hacker had already compromised the computers of Bybit's three multisig signers, confirmed they were viable targets, and then waited for them to act. When the multisig staff later performed a routine signing operation such as a daily transfer, the hacker swapped the content being signed. On the website the staff saw what looked like a normal transfer, not knowing it had been replaced with a transaction that "upgraded the Safe contract to a previously deployed malicious contract". That is how the disaster happened: once the malicious contract with its backdoor was in place, all the funds were easily withdrawn by the hacker.
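The two points made above, that a delegatecall lets foreign code SSTORE into the Safe's own slot 0 (the implementation pointer), and that signers who only see a "transfer" on a compromised UI cannot tell an upgrade from a transfer, can be shown with a toy model. The following Python is an added example written for this article; it is not Bybit's, Safe's or any of the quoted analysts' code. It models just the one EVM rule that matters (CALL runs the target's code against the target's storage, DELEGATECALL runs it against the caller's), keeps the implementation pointer at slot 0 as Safe's proxy does, and then shows the kind of pre-signing check a signer should run on the raw transaction fields rather than on what a web UI renders. All addresses, the `0xSAFE_PROXY`/`0xTOKEN`/`0xUNKNOWN_TARGET` names, and the `review_safe_tx` rules are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Safe's proxy keeps the implementation (singleton) address at storage slot 0;
# an SSTORE into slot 0 therefore acts as an "upgrade". Everything else here is a toy.
IMPLEMENTATION_SLOT = 0

# Operation codes used by Safe's execTransaction: 0 = CALL, 1 = DELEGATECALL
CALL, DELEGATECALL = 0, 1


@dataclass
class Contract:
    address: str
    code: Callable[[dict, dict], None]      # Python callable standing in for bytecode
    storage: dict = field(default_factory=dict)


def run_operation(world: Dict[str, Contract], caller: str, to: str,
                  operation: int, args: dict) -> None:
    """Model the EVM rule that matters: CALL runs the target's code against the
    target's storage; DELEGATECALL runs the target's code against the CALLER's storage."""
    target = world[to]
    if operation == CALL:
        target.code(target.storage, args)
    elif operation == DELEGATECALL:
        target.code(world[caller].storage, args)
    else:
        raise ValueError(f"unknown operation {operation}")


def honest_transfer(storage: dict, args: dict) -> None:
    """Constructed stand-in for a token contract's transfer(): balance bookkeeping only."""
    key = ("balance", args["to"])
    storage[key] = storage.get(key, 0) + args["amount"]


def slot0_writer(storage: dict, args: dict) -> None:
    """Constructed stand-in for code that SSTOREs into slot 0. Reached via CALL it only
    touches its own storage; reached via DELEGATECALL it rewrites the caller's pointer."""
    storage[IMPLEMENTATION_SLOT] = args["new_impl"]


def build_world() -> Dict[str, Contract]:
    """Constructed sample chain state: a Safe-style proxy, a token, and an unknown contract."""
    return {
        "0xSAFE_PROXY": Contract("0xSAFE_PROXY", code=lambda s, a: None,
                                 storage={IMPLEMENTATION_SLOT: "0xSAFE_SINGLETON_v1"}),
        "0xTOKEN": Contract("0xTOKEN", code=honest_transfer),
        "0xUNKNOWN_TARGET": Contract("0xUNKNOWN_TARGET", code=slot0_writer),
    }


def implementation_of(world: Dict[str, Contract], proxy: str) -> str:
    return world[proxy].storage[IMPLEMENTATION_SLOT]


@dataclass
class SafeTx:
    """The raw fields a signer actually signs (subset of Safe's execTransaction inputs)."""
    to: str
    value: int
    data: bytes
    operation: int


def review_safe_tx(tx: SafeTx, known_targets: Set[str]) -> List[str]:
    """Signer-side check on the raw fields, not on what a UI renders. Returns findings;
    an empty list means 'looks like a routine call to a known target'."""
    findings: List[str] = []
    if tx.operation == DELEGATECALL:
        findings.append("CRITICAL: operation=1 (DELEGATECALL) lets the target rewrite the "
                        "Safe's own storage, including slot 0; treat as an upgrade, not a transfer")
    if tx.to not in known_targets:
        findings.append(f"HIGH: target {tx.to} is not on the signer allowlist")
    if tx.operation == CALL and tx.value > 0 and tx.data == b"":
        findings.append("INFO: plain ETH transfer with no calldata")
    return findings


def demo() -> dict:
    """Run both scenarios and return what changed, so the effect is checkable."""
    world = build_world()
    before = implementation_of(world, "0xSAFE_PROXY")
    # 1) A genuine transfer: CALL into the token; the proxy's storage is untouched.
    run_operation(world, "0xSAFE_PROXY", "0xTOKEN", CALL, {"to": "0xHOT", "amount": 5})
    after_call = implementation_of(world, "0xSAFE_PROXY")
    # 2) A "transfer" that is really a DELEGATECALL into unknown code writing slot 0.
    run_operation(world, "0xSAFE_PROXY", "0xUNKNOWN_TARGET", DELEGATECALL,
                  {"new_impl": "0xATTACKER_IMPL"})
    after_delegatecall = implementation_of(world, "0xSAFE_PROXY")
    return {"before": before, "after_call": after_call,
            "after_delegatecall": after_delegatecall}


if __name__ == "__main__":
    print(demo())
    print(review_safe_tx(SafeTx("0xUNKNOWN_TARGET", 0, b"\x01", DELEGATECALL), {"0xTOKEN"}))
```

The lesson for a signing process is in `review_safe_tx`: `operation` and `to` are part of the EIP-712 payload the hardware device signs, so a signer who compares those fields on the device screen against an allowlist (and treats any `operation=1` as an upgrade requiring a separate approval path) is not relying on the web UI that the analysts above believe was manipulated.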

Bybit said it would not buy ETH immediately but would rely on partners for bridge loans. It will ensure that all users can withdraw, but because traffic is 100 times the usual level, processing will take some time, and large withdrawals require additional risk confirmation.

Dilation Effect pointed out that ordinary hardware wallets combined with Safe multisig have long been inadequate for managing large funds securely. If an attacker is patient enough to compromise multiple signers, nothing else in the process stands in the way. Security management of large funds must use an institutional custody solution.

According to DeFiLlama data, Bybit's total outflow over the past 24 hours, including the hacked funds, was US$2.399 billion. Verifiable on-chain assets on the platform currently exceed US$14 billion, of which Bitcoin and USDT account for nearly 70%. Bybit announced that it has reported the case to the relevant authorities and will provide updates as more information becomes available. In addition, cooperation with on-chain analytics providers has helped identify and isolate the relevant addresses, with the aim of limiting the attacker's ability to cash out ETH through legitimate markets.

This incident may spark discussion of an Ethereum fork. Conor Grogan said that although he considers calls for a fork too radical, he expects a real debate on the issue. Arthur Hayes said that, as an investor with a large stake in Ethereum, he believes Ethereum has not been "money" since the 2016 DAO hack hard fork. He said that if the community decided to roll back again he would support the decision, since the community already voted against immutability in 2016, so why not do it again?
