
The Biggest Exchange Hack in History! Is Your Bitcoin Safe?

Yet another centralised Bitcoin exchange has been hacked. This time for $1.4 billion! Leaving your Bitcoin on an exchange is a risk you can't afford to take!

We’re guessing you probably heard the news that major cryptocurrency exchange Bybit suffered a significant hack last week which saw them lose an eye-watering $1.4 billion worth of Ethereum.

What’s surprising about this story is that the hackers managed to trick the founders of Bybit themselves into signing a fraudulent transaction that would result in them gaining access to one of Bybit’s wallets.

Talk about a bad day at the office...

Despite its size, this hack hasn’t made major headlines like the FTX collapse did. That’s because, for now at least, it hasn’t caused contagion across other exchanges or a market-wide meltdown. But don’t let that make you think this hack is insignificant. At a total value of over $1.4 billion stolen, it has taken the top spot as the largest exchange hack on record.

What should be clear by now is that failures and hacks at exchanges will continue to happen, and as Bitcoin becomes more mainstream and more valuable, the size of these thefts will continue to rise.

Thankfully, for the time being, users seem able to withdraw their funds from the exchange as usual, and Bybit founder Ben Zhou has publicly stated that the exchange remains solvent and can cover any losses.

If you have any funds on Bybit then this is certainly welcome news. But we would always err on the side of caution. This wouldn’t be the first time we’ve heard from an exchange founder that everything was fine, when in reality, quite the opposite was true. If you currently have any funds on Bybit and you can still withdraw them, then we would suggest doing so is a sensible course of action.

For prudent Bitcoiners who learn the skills to self-custody their Bitcoin, the constant calamities that befall third party institutions are of little concern. When you have zero counterparty risk, you’re immune to any mismanagement, fraud, or accidents that might take place at a third-party institution.

Despite this, millions of people still leave their Bitcoin in the hands of third parties. So this week, let’s pick apart Bybit’s $1.4 billion dollar ‘whoopsie’ in a bit more detail, to once again make the case that leaving your Bitcoin on an exchange is an incredibly risky thing to do.

The Bybit Hack – What Happened?

The Bybit hack was sophisticated. Accessing the funds was no mean feat because it meant gaining access to a multi-signature wallet where the private keys were distributed and held by multiple individuals. Stealing these funds took patience, careful planning, and multiple techniques.

The infrastructure for the hack was set out well in advance. The attackers first compromised Bybit’s wallet provider, Safe Wallet, which ironically claims to be ‘the most trusted smart account wallet on Ethereum with over $100B secured’.

They managed this by compromising the machine used by one of Safe Wallet’s developers, likely by ‘phishing’ them, which gave them access to Safe Wallet’s Amazon Web Services account. With access to AWS, the attackers could then deploy and distribute malicious JavaScript directly from Safe’s servers.

And this is where things get interesting. The malicious JavaScript the attackers deployed was designed solely to target the Bybit contract address that was drained. The attackers weren’t casting a wide net; they knew exactly who their target was. With their malicious JavaScript in place on Safe Wallet’s servers, the attackers just had to watch and wait for the right opportunity to strike.

That opportunity would eventually present itself when the Bybit founders undertook what they thought was just another routine operation: a transfer of funds from their ETH cold wallet into another Bybit ‘warm’ wallet. This time, however, the operation would be anything but routine. This transaction would be hijacked by the hackers.

When each of the key holders to Bybit’s multi-sig wallet went to sign the transaction, they saw what looked like a legitimate user interface (UI) from Safe showing the ‘correct’ transaction just as they expected. What they didn’t realise is that the hackers’ malicious JavaScript was lying in wait, ready to change the contents of the transaction during the signing process.

Once signed, the malicious transaction would change the logic of Bybit’s cold wallet, giving the hackers full control of it.

And that’s exactly what happened. The signers all took the bait, didn’t do enough due diligence on what they were signing, and processed the fake transaction because to them, nothing looked amiss.

As you’d expect, once the hackers controlled the wallet, it was promptly drained, and the stolen ETH was scattered to the wind as they turned their attention to laundering their ill-gotten gains.

Bybit Hack – The Postmortem...

As you might expect, this hack was not performed by a group of teenagers working from their Mum’s basement.

By tracking the stolen funds, renowned on-chain analyst @ZachXBT was quickly able to identify that funds from this Bybit hack were being commingled with funds from previous exchange hacks at the likes of Phemex, Poloniex and BingX.

Identifying that these hacks are linked provides almost certain evidence that the perpetrator of this attack was none other than the infamous Lazarus Group, an organisation of professional hackers allegedly run and sponsored by the North Korean government.

That the North Korean government would find itself in the middle of several high-profile exchange hacks should come as no surprise. Before Russia invaded Ukraine, North Korea was the most sanctioned country in the world due to its nuclear weapons programme. For North Korea, stealing cryptocurrency is a very effective way to raise illicit revenue outside of the traditional finance system.

In response, Bybit have gone on the offensive by launching a bounty website at www.lazarusbounty.com. They are offering rewards for anyone who helps either track or freeze the stolen funds. Bounty hunters can receive 5% of the funds they successfully track and 5% of the funds that get frozen at co-operative exchanges.

So far, they’ve managed to freeze 3% of the funds (around $42m) and are awaiting responses from third parties on a further 7% of the funds that have the potential to be frozen.

To what extent these efforts yield results is yet to be seen, but this approach of ‘crowdfunding’ the hunt for their stolen funds is a fairly novel idea. They have even been so bold as to use the site to publicly name and shame any exchanges that are not co-operative or actively help Lazarus launder the stolen funds.

In the meantime, while still pursuing their stolen ETH, Bybit has been swift to reassure customers that their funds are safe and accounted for. Since the hack, Bybit has replenished their depleted ETH holdings through either direct ETH purchases, or by taking on loans from other exchanges and whales. So far there have been no reports of users having any problems withdrawing any of their funds.

The Moral of The Story – Self Custody Your Bitcoin

The Bybit hack is a crazy story with lots of moving parts. But where were the main failures and what are the pertinent takeaways from an incident like this?

Well, there’s a good handful of them so let’s break down some of the major ones:

First, let’s address the failings at Safe Wallet. The hackers were able to access their Amazon Web Services account and plant malicious code by hacking just one of their developers’ machines. That’s astonishing. They were able to deploy code without any sort of review process or sign-off from other employees. How on earth can Safe, a service that apparently secures over $100 billion in value, be managed so carelessly!? And how many other services rely on their infrastructure? The mind boggles...

But it would be unfair to let Bybit off the hook here and place all the blame on Safe Wallet. There are plenty of unforgivable mistakes that were made by Bybit as well.

First, why on earth would you outsource critical wallet infrastructure to a third-party provider like this? All of the infrastructure was running on centralised Amazon servers? This setup is the antithesis of sovereign, and the attack surface is needlessly large. Bybit should be running their own infrastructure and setting up their own multi-sig wallets, not relying on centralised third parties.

The next fatal mistake the Bybit founders made was a total lack of diligence. Founder Ben Zhou signed the malicious transaction on a Ledger hardware wallet. The trouble is that, with only a small screen, it can’t display the complex details of an ETH smart contract. What this means is that the Bybit founders signed the transaction without knowing exactly what it was. Blind signing a transaction from a wallet containing $1.4 billion is almost comedically cavalier!

Ultimately, what this story demonstrates more than anything is that, despite the image these exchanges might project, they are anything but sophisticated and secure operations. When you get a glimpse behind the curtain, you realise that they are operated by regular, fallible people who don’t really know what it means to secure critical data.

You can buy better hardware wallets than the one Ben Zhou used for less than a couple of hundred bucks, and you can definitely make better choices around which software you run. It would take less than 24 hours to design and implement a more robust custody setup. For a company charged with securing hundreds of billions of dollars, this was a masterclass in mediocrity.

But what would you expect from shitcoiners who play around with rubbish like Ethereum?

The moral of the story here is that leaving your money in a casino that’s more focused on launching memecoins than it is on securing your funds is a risk that you simply cannot afford to take.

Protect Yourself The Bitcoin Way

By now it should be painfully obvious that the only way to secure your wealth is to take full self-custody of your Bitcoin. Bybit is the biggest exchange hack to date, but it won’t hold that title for long.

But fear not. Learning the skills to self-custody your Bitcoin is easier than you think. You don’t need to trust these clowns to look after your money; instead, learn to trust yourself. With our training we can make you far more secure, more sovereign, and more knowledgeable than even the senior management team at a major crypto exchange.

And it won’t take us long.

You owe it to yourself to master the skills to become truly self-sovereign. When you’re done leaving things to chance, and you’re ready to take matters into your own hands, all you need to do is schedule a free 30-minute consultation with one of our experts.

Pursue your freedom today

Every journey begins by taking the first step. Book a free 30-minute consultation with one of our experts and let’s start securing your future.