Author: BitpushNews Mary Liu
As the crypto community was still debating the direction of the bull market, a sudden black swan event "struck" the market on February 21. The veteran crypto exchange Bybit was hacked, with nearly $1.5 billion in assets stolen, mainly ETH: about 401,347 ETH, worth about $1.12 billion.
After the news broke, Bitcoin plunged, briefly falling below the $95,000 mark; the already weak Ethereum plummeted 5% to $2,615, and had recovered to $2,666 at the time of writing.
The Bybit team reacted quickly, with CEO Ben Zhou going live to assure users that the platform would not close the withdrawal channel. He said that even if the funds cannot be fully recovered, Bybit has the ability to fully compensate users for their losses.
According to data from 10x Research, the $1.46 billion stolen from the Bybit exchange is the largest hacking incident in the history of crypto exchanges, with the second largest crypto theft being the $611 million from Poly Network in 2021. In addition, on-chain detective ZachXBT has submitted conclusive evidence confirming that the North Korean hacker group Lazarus Group is the mastermind behind this attack.
The movements of the hacker's addresses have become a focus of attention. On-chain data shows that the Bybit hacker's address has now become the 14th largest ETH holder globally, holding about 0.42% of the total Ethereum supply, surpassing Fidelity and Vitalik Buterin and holding more than twice the amount held by the Ethereum Foundation.
Industry Support: Bybit is Not FTX!
Coinbase executive Conor Grogan posted on social media to support Bybit: "Bybit's withdrawals seem to be working fine after the hack. They have over $20 billion in assets on the platform, and their cold wallets are unharmed. Given the isolated nature of the signature hack and Bybit's capital strength, I don't expect contagion."
Grogan also emphasized: "With FTX, it was clear they didn't have the funds to withdraw within a minute of the bank run. I know everyone has PTSD, but Bybit's situation is different from FTX, and if it were, I'd be shouting it from the rooftops. They'll be fine."
In the face of this incident, many industry participants have expressed their support for Bybit.
In the early morning of February 22, Beijing time, on-chain data showed that addresses from Binance and Bitget transferred 50,000 ETH to Bybit's cold wallet. Among them, Bitget's transfer volume accounted for a quarter of its total ETH, attracting attention. According to Conor Grogan, this transaction was directly coordinated by Bybit, bypassing the commonly used deposit addresses.
Ben Zhou responded, "Thank you Bitget for reaching out at this moment, we are in communication with Binance and a few other partners, and this fund has nothing to do with the official Binance."
TRON founder Justin Sun stated on social media that the TRON network is assisting in tracking the funds. OKX Chief Marketing Officer Haider Rafique also said that the exchange has deployed a security team to support Bybit's investigation.
Kucoin also emphasized that crypto "is a shared responsibility" and called for cross-exchange cooperation to combat cybercrime.
Safe Security Questioned
The core of this attack lies in a technique called "Blind Signing". Blind signing means that signers approve a transaction without being able to verify what the smart contract call actually does; the attackers exploited this to bypass security verification.
Bybit CEO Ben Zhou pointed out in the live broadcast that the attackers used a "Musked" technique (i.e., obfuscating or disguising the transaction payload) to forge the user interface (UI) of the Safe multi-signature wallet, causing the signers to unknowingly authorize the malicious transactions. Specifically, the forged UI displayed the correct address and URL, but the transaction payload underneath had been tampered with, so the signers inadvertently approved the fund transfer.
Crypto security company Groom Lake further found that the Safe multi-signature wallets deployed on Ethereum in 2019 and on the Base Layer 2 in 2024 have the same transaction hash values, which is mathematically almost impossible.
Anonymous Groom Lake researcher Apollo said that if the same transaction hash appears on Ethereum and Base, it indicates that the attackers may have found a way to make a single transaction valid across multiple networks, or they may be able to reuse encrypted wallet signatures or transaction data across different networks.
However, the Safe team denied that this attack was related to vulnerabilities in their smart contracts, stating that the transactions in question were deployments of singleton contracts and deliberately omitted EIP-155 (a security measure that prevents cross-chain transaction replay) so that the same deployment could be reproduced on multiple chains. EIP-155 was introduced in 2016 and ensures that a transaction signed for Ethereum cannot be valid on other chains such as Base. This means that even if private keys are compromised, attackers cannot reuse old EIP-155-signed transactions on a different chain.
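To make the EIP-155 point concrete, here is an added example (not code from Bybit, Safe or the article) that builds the exact bytes a legacy Ethereum signer hashes, with and without the EIP-155 chain id, using a minimal RLP encoder. The transaction values are constructed stand-ins for a singleton deployment; since the transaction hash is keccak256 of the signed encoding, identical bytes on two chains mean an identical, replayable transaction, which is why a pre-EIP-155 deployment can legitimately show the same hash on Ethereum and Base.

```python
from typing import Optional

def _length_prefix(length: int, offset: int) -> bytes:
    """RLP length prefix: short form below 56 bytes, long form otherwise."""
    if length < 56:
        return bytes([offset + length])
    len_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(len_bytes)]) + len_bytes

def rlp_encode(item) -> bytes:
    """Minimal RLP for ints, bytes and nested lists (enough for legacy txs)."""
    if isinstance(item, int):
        item = item.to_bytes((item.bit_length() + 7) // 8, "big")  # 0 -> b""
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _length_prefix(len(item), 0x80) + bytes(item)
    payload = b"".join(rlp_encode(x) for x in item)
    return _length_prefix(len(payload), 0xC0) + payload

def signing_payload(tx: dict, chain_id: Optional[int]) -> bytes:
    """Exact bytes a legacy signer hashes; chain_id=None is the pre-EIP-155 form."""
    fields = [tx["nonce"], tx["gasPrice"], tx["gas"], tx["to"], tx["value"], tx["data"]]
    if chain_id is not None:
        fields += [chain_id, 0, 0]  # EIP-155: the signature now commits to one chain
    return rlp_encode(fields)

def chain_id_from_v(v: int) -> Optional[int]:
    """Which chain a legacy signature commits to; v of 27/28 means none (replayable)."""
    if v in (27, 28):
        return None
    return (v - 35) // 2  # EIP-155: v = chain_id * 2 + 35 + parity

def replayable_across(tx: dict, chain_a: int, chain_b: int, protected: bool) -> bool:
    """True when the signer would produce identical bytes (hence identical signature
    and tx hash) on both chains, i.e. one signed transaction is valid on both."""
    pa = signing_payload(tx, chain_a if protected else None)
    pb = signing_payload(tx, chain_b if protected else None)
    return pa == pb

ETHEREUM, BASE = 1, 8453
# Constructed contract-creation transaction (empty `to`), standing in for a
# singleton deployment; values are illustrative, not from the incident.
DEPLOY_TX = {"nonce": 0, "gasPrice": 100 * 10**9, "gas": 500_000,
             "to": b"", "value": 0, "data": bytes.fromhex("60806040")}

if __name__ == "__main__":
    print("pre-EIP-155 replayable:", replayable_across(DEPLOY_TX, ETHEREUM, BASE, False))
    print("EIP-155 replayable:    ", replayable_across(DEPLOY_TX, ETHEREUM, BASE, True))
```

The same `chain_id_from_v` check is what a signer-side review can apply to a raw signed transaction: a `v` of 27 or 28 means the signature is not bound to any chain.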
Are Hardware Wallets Not Omnipotent?
However, Safe's explanation has not completely dispelled industry doubts. Blockaid CEO Ido Ben Natan pointed out that the "blind signing" technique is rapidly becoming the favorite attack method of advanced threat actors (such as North Korean hackers). This attack resembles the Radiant Capital intrusion in December 2023 and the WazirX incident in March 2024, which used the same attack type. Ben Natan emphasized that even with the best key management solutions, the signing process still depends on the software interfaces used to interact with dApps, which opens the door to malicious manipulation of the signing process.
Security expert Odysseus pointed out that if the transactions were signed on a laptop or mobile phone connected to the internet, the role of the hardware wallet would be greatly diminished. He said, "These are highly targeted attacks, and generally speaking, if the device (computer or phone) is compromised, there is little that can be done other than signing transactions on an unconnected and uncompromised device."
Under the bull market sentiment, security issues are often overlooked. It's better late than never, and the community hopes to see Bybit properly resolve this crisis and minimize the losses. But this attack once again reminds us that in the crypto world, security is always the first line of defense. From the vulnerabilities of multi-signature wallets to the risks of cross-chain transactions, from user education to industry collaboration, every link should be re-examined.