
How $1.5 Billion Worth of Ethereum Was Stolen from Bybit?


Crypto exchange Bybit said on Friday, Feb 21st, that an attacker gained control of an ETH wallet, resulting in the loss of over $1.5 billion in Ethereum. This appears to be one of the biggest security breaches in crypto history.


Bybit had extra security measures in place, such as 3-of-3 multi-sig and cold wallets, meaning a withdrawal needed the approval of all three signers and the private keys were stored offline. So how did this hack happen? While the investigation is still ongoing and more details are yet to be disclosed, I can safely say the hack is linked to social engineering. It is likely the hacker gained access to all three computers used by the signers and installed malware to launch a “Trojan Horse” style attack, specifically targeting multi-signature wallet transactions. They could have intercepted transaction data at the front-end, manipulating it to appear as a normal multi-sig transaction on the signer’s screen. Because the hardware wallets use “blind signing” for Safe multi-sig transactions (showing only a limited summary), the signers were unaware of the malicious intent hidden within the transaction data. This could lead to the hardware wallet unknowingly signing a withdrawal transaction, transferring the crypto to the hacker’s wallet address.

This pattern can be learned from past security breaches in crypto history. On October 16, 2023, the cross-chain lending protocol Radiant Capital experienced a hack with a $50 million loss. The investigation revealed it was a North Korean hacker attack.

Hacker Strategy Breakdown:

  1. Disguise and Social Engineering:
    • The hackers impersonated a former contractor of Radiant Capital, contacting a developer via Telegram.
    • They requested help reviewing a “smart contract audit report” for a new job, attaching a compressed file as the report.
    • To build trust, they used a fake website with a domain name very similar to a real personal website, mimicking a genuine professional.
    • This tactic exploited the common practice of sharing PDF documents in the crypto remote work environment.
  2. Malware Injection:
    • The compressed file, disguised as a PDF, actually contained a macOS executable malware called INLETDRIFT (*.app file).
    • When the developer downloaded and opened it, INLETDRIFT silently installed a backdoor into the macOS system.
    • This backdoor established communication with a North Korean hacker server (“atokyonews[.]com”).
    • The malware was further spread within the development team as the infected developer shared the file for feedback.
  3. Precise Man-in-the-Middle Attack & Blind Signing Exploit:
    • Once the malware was in place, hackers launched a “Trojan Horse” style attack, specifically targeting Gnosis Safe multi-signature wallet transactions.
    • They intercepted transaction data at the front-end, manipulating it to appear as normal multi-sig transactions on the developer’s screen.
    • However, when the transaction was sent to the Ledger hardware wallet for signing, the malware replaced the transaction request behind the scenes.
    • Because Ledger hardware wallets use “blind signing” for Safe multi-sig transactions (showing only a limited summary), the team members were unaware of the malicious intent hidden within the transaction data.
    • This led to the hardware wallet unknowingly signing a transferOwnership() transaction, giving control of the lending pool to the hackers.
    • The hackers then used this control to steal user funds authorized to the contract.
  4. Rapid Retreat and Trace Removal:
    • After the successful theft, the hackers quickly “cleaned up,” removing the backdoor and browser extensions within just 3 minutes.
    • This swift action was aimed at eliminating traces and hindering identification.

Although the final investigation hasn’t been concluded, the Radiant Capital incident shows that even with multi-sig in place, there are still ways to exploit the system.
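The common thread in both incidents above is that the signer trusted a front-end summary while the hardware wallet blind-signed a different payload. The following is an added example, not code from the original post or from Bybit, Radiant Capital or Safe: it decodes a Safe execTransaction() payload on the signer's own machine and flags what the inner call actually does (a transferOwnership() like the one that handed over Radiant's lending pool, or a DELEGATECALL operation). The function selectors are the well-known 4-byte ids; all addresses and the two sample payloads are constructed placeholders.

```python
# Added example, not code from the original post or from Bybit/Radiant/Safe: decode what a
# Safe execTransaction() payload really does before a hardware wallet signs it, instead of
# trusting a front-end summary that malware may have altered. Addresses are placeholders.
EXEC_TRANSACTION = bytes.fromhex("6a761202")    # Safe execTransaction(...) selector
TRANSFER_OWNERSHIP = bytes.fromhex("f2fde38b")  # Ownable transferOwnership(address) selector
DELEGATECALL = 1                                # Safe `operation` value for DELEGATECALL

def _word(buf: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI word of buf as an integer."""
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Parse the (to, value, data, operation) arguments out of execTransaction calldata."""
    if calldata[:4] != EXEC_TRANSACTION:
        raise ValueError("not a Safe execTransaction call")
    args = calldata[4:]
    off = _word(args, 2)                         # offset of the dynamic `bytes data` tail
    length = _word(args[off:], 0)
    return {"to": "0x" + args[12:32].hex(),      # address is right-aligned in its word
            "value": _word(args, 1),
            "data": args[off + 32:off + 32 + length],
            "operation": _word(args, 3)}

def review(tx: dict, allowlist: set) -> list:
    """Findings a signer should see on their own screen before approving."""
    findings = []
    if tx["to"] not in allowlist:
        findings.append(f"target {tx['to']} is not an allowlisted contract")
    if tx["operation"] == DELEGATECALL:
        findings.append("operation is DELEGATECALL: the inner code runs as the Safe itself")
    if tx["data"][:4] == TRANSFER_OWNERSHIP:     # the call that handed Radiant's pool away
        findings.append("inner call is transferOwnership(0x" + tx["data"][16:36].hex() + ")")
    return findings

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Minimal ABI encoder used only to build the constructed samples (gas params zeroed)."""
    def word(n: int) -> bytes: return n.to_bytes(32, "big")
    padded = data + b"\0" * (-len(data) % 32)
    head = word(int(to, 16)) + word(value) + word(320) + word(operation) + word(0) * 5
    head += word(320 + 32 + len(padded))         # offset of the (empty) `signatures` tail
    return EXEC_TRANSACTION + head + word(len(data)) + padded + word(0)

# Constructed sample: what the tampered front-end showed the signer (a treasury top-up)
# versus what it actually handed to the wallet (ownership handover of the lending pool).
TREASURY, LENDING_POOL, ATTACKER = ("0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20)
ALLOWLIST = {TREASURY, LENDING_POOL}
SHOWN = encode_exec_transaction(TREASURY, 10**18, b"", 0)
ACTUAL = encode_exec_transaction(
    LENDING_POOL, 0, TRANSFER_OWNERSHIP + bytes(12) + bytes.fromhex(ATTACKER[2:]), 0)
```

Running review() over SHOWN yields no findings, while ACTUAL, whose target is even an allowlisted contract, is flagged for the hidden transferOwnership() call; the check only helps if it runs on a machine and display path the front-end cannot tamper with.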

Lessons learned:

Key takeaways include:

  • Extreme Caution with File Downloads: Users and teams must be incredibly wary of downloading and opening files, especially from unknown sources or via compressed files. Online document collaboration tools should be prioritized to reduce file sharing risks.
  • Front-End Security is Critical: Relying solely on front-end interfaces for transaction verification is dangerous, as hackers can easily manipulate this layer. Supply chain attacks on front-end dependencies are also a major concern.
  • Blind Signing Risks: Blind signing mechanisms in hardware wallets pose a risk as they don’t fully reveal transaction details, making users vulnerable to manipulated transaction requests. Hardware wallet manufacturers should improve blind signing security.
  • Strengthen DeFi Risk Control Mechanisms: Projects managing large funds should implement time-locks and robust governance processes for fund-related protocols. Time-locks provide a crucial delay period for security firms and users to detect and react to suspicious activity.
  • Project Teams Need Stronger Contract Permission Management: Radiant Capital’s vulnerability was also linked to the project’s contract upgrade permissions, which the hackers exploited. Projects need to carefully manage and limit these permissions.
