You know it’s a big hack when even mainstream media are running it on the front page. And they don’t get much bigger than the $1.5B of ETH illicitly withdrawn from Bybit on February 21 in a heist that has been attributed to Lazarus Group, the crypto industry’s recurring bête noire. As the dust began to settle, and onchain sleuths attempted to piece together the sequence of events, a few things became immediately clear.
First, as Bybit had quickly stated, this was a genuinely “sophisticated” hack rather than, say, some hapless staffer getting phished. Second, given the size of the theft, there was clear consensus among other exchanges that they must do their utmost to mitigate the damage while reassuring the public that funds, as the saying goes, are “safu.”
Exchanges Step Up to Cover the Shortfall
When crypto exchanges get hacked, they’re generally on their own in terms of dealing with the fallout. What’s marked the Bybit hack out as different isn’t the amount that was stolen, but rather the response from other exchanges that would normally be regarded as competitors. Within 24 hours of the incident, exchanges and market makers had provided Bybit with over $400M in ETH to enable it to continue processing withdrawals.
You didn’t see that occurring when FTX was in the hole for over $400M. Of course, there are good reasons for the difference between that incident and this. While Bybit has been the victim of a record hack, it’s a responsibly run exchange that provides clear attestation of its assets on hand. Despite the size of the $1.5B heist, it accounted for less than 10% of the exchange’s current reserves.
In addition to willingly loaning Bybit the funds to replenish its ETH, exchanges have vocally pledged their support for it, with KuCoin noting that “Crypto security is a shared responsibility” and stressing its commitment “to assisting in monitoring fund movements and freezing any suspicious assets to help mitigate the impact.” It also took the opportunity to emphasize the robust risk controls, multi-layer protection, and 24/7 monitoring it has in place on its own exchange to safeguard user assets.
How the Hack Went Down
Even in an age of blockchain analysts and onchain readers, it takes time for the full facts to emerge from incidents such as these. However, the facts of the case as currently understood can be stated thus: the attack targeted a multisig wallet transfer process. Hackers are believed to have exploited a user interface spoofing vulnerability: the signers on Bybit’s team were shown what looked like a routine transfer, moving funds to a warm wallet for operational use, and approved it, while the transaction they actually signed did something else. The lesson for anyone operating a multisig is that the interface used to review a transaction is not the same thing as the data being signed, and the two need to be checked against each other independently of the interface.
Instead, the assets were redirected to an address controlled by the attackers, who then set about splitting them into 10,000 ETH chunks and sending those to fresh wallets in readiness for mixing. The funds are currently being converted into BTC, where they will be further mixed to obfuscate their origins. Given the extremely high level of security exchanges have in place nowadays for cold storage, particularly when making transactions of such high value, it’s clear that this was a hack only a handful of experts would be capable of pulling off, with Lazarus Group the prime suspects.
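As an added example (not Bybit’s code, nor that of any wallet vendor), here is the kind of independent check a multisig signer can run against the raw transaction fields before approving, treating the UI’s own summary as untrusted input. It assumes a Safe-style transaction made up of to/value/data/operation fields and a plain ETH or ERC-20 transfer as the routine operation; the addresses, amounts and policy limits are constructed for the demo.

```python
"""Independent pre-signing check for a Safe-style multisig transaction.

Added example (not Bybit's, Safe's or any vendor's code). It models the
attack described above: the wallet UI renders a routine cold-to-warm
transfer, while the raw transaction the signer approves says something
else. The check reads only the raw fields a signing device actually signs
(to, value, data, operation), never the UI summary, and fails closed.
Every address, amount and policy value here is constructed for the demo.
"""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER = "a9059cbb"   # selector of transfer(address,uint256) (well-known)
WEI = 10 ** 18

# Constructed addresses for the demo (not real accounts).
WARM_WALLET = "0x" + "11" * 20
ATTACKER = "0x" + "22" * 20
TOKEN = "0x" + "33" * 20

# Constructed signing policy: where funds may go and how much per approval.
POLICY = {
    "warm_wallets": {WARM_WALLET},
    "token_contracts": {TOKEN},
    "max_wei_per_tx": 10_000 * WEI,
}


@dataclass(frozen=True)
class SafeTx:
    """Raw fields of a multisig transaction as presented to the signing device."""
    to: str          # target address (EOA or contract), 0x-prefixed hex
    value: int       # ETH value in wei sent with the call
    data: str        # calldata as hex, "0x" when empty
    operation: int   # CALL (0) or DELEGATECALL (1)


@dataclass(frozen=True)
class UiSummary:
    """What the (untrusted) wallet interface claims the transaction does."""
    recipient: str
    amount_wei: int


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256): selector + two 32-byte words."""
    addr_word = recipient[2:].lower().rjust(64, "0")
    amount_word = format(amount, "x").rjust(64, "0")
    return "0x" + ERC20_TRANSFER + addr_word + amount_word


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for well-formed transfer() calldata, else None."""
    h = data[2:] if data.startswith("0x") else data
    if len(h) != 8 + 64 + 64 or h[:8] != ERC20_TRANSFER:
        return None
    addr_word, amount_word = h[8:72], h[72:136]
    if addr_word[:24] != "0" * 24:   # address must be zero-padded on the left
        return None
    return "0x" + addr_word[24:], int(amount_word, 16)


def check_before_signing(tx: SafeTx, ui: UiSummary, policy: dict) -> list:
    """Return the reasons to refuse; an empty list means the raw tx is safe to sign."""
    problems = []
    if tx.operation != CALL:
        problems.append("operation is DELEGATECALL: target code would run with the Safe's storage")
    if tx.data in ("", "0x"):
        # Plain ETH transfer: the recipient is the raw `to` field itself.
        actual_to, actual_amount = tx.to, tx.value
    else:
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            problems.append("calldata is not a plain ERC-20 transfer: refuse to blind-sign")
            return problems
        if tx.to.lower() not in policy["token_contracts"]:
            problems.append(f"token contract {tx.to} is not on the allowlist")
        if tx.value != 0:
            problems.append("ETH value attached to a token transfer")
        actual_to, actual_amount = decoded
    if actual_to.lower() not in policy["warm_wallets"]:
        problems.append(f"raw recipient {actual_to} is not an approved warm wallet")
    if actual_to.lower() != ui.recipient.lower() or actual_amount != ui.amount_wei:
        problems.append("UI summary disagrees with the raw transaction: possible UI spoofing")
    if actual_amount > policy["max_wei_per_tx"]:
        problems.append("amount exceeds the per-transaction limit")
    return problems


def demo_scenarios() -> dict:
    """Four constructed approvals; in every case the UI showed the same routine transfer."""
    ui = UiSummary(WARM_WALLET, 5_000 * WEI)
    cases = {
        "routine": SafeTx(WARM_WALLET, 5_000 * WEI, "0x", CALL),            # genuine cold-to-warm
        "spoofed_eth": SafeTx(ATTACKER, 5_000 * WEI, "0x", CALL),           # raw `to` is the attacker
        "delegatecall": SafeTx(ATTACKER, 0, "0x", DELEGATECALL),            # foreign code, Safe's context
        "spoofed_token": SafeTx(TOKEN, 0, encode_erc20_transfer(ATTACKER, 5_000 * WEI), CALL),
    }
    return {name: check_before_signing(tx, ui, POLICY) for name, tx in cases.items()}


if __name__ == "__main__":
    for name, problems in demo_scenarios().items():
        print(f"{name:14s} {'SIGN' if not problems else 'REFUSE'}")
        for p in problems:
            print("   -", p)
```

The point of the design is that nothing the interface displays ever feeds the decision: the recipient and amount are recovered from the raw `to`, `value` and calldata, and the UI summary is only compared against that result, so a spoofed screen produces a mismatch rather than a signature. In practice the same comparison is done by reading the fields back from the hardware wallet’s own display, which is the one channel the compromised interface cannot rewrite.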
Bybit has at least emerged from a bad day at the office with its credibility, if not its ETH reserves, intact. Its prompt communication and frankness about the scope of the problem have demonstrated strong leadership and a determination to set things right.
As part of its ongoing investigation and recovery efforts, Bybit has promised that 10% of funds recovered will be awarded to ethical security experts who play their part in facilitating this process. Bybit has also thanked the partners who’ve helped them out, including a number of exchanges that provided funding, concluding: “Your trust, quick action, and solidarity mean everything. We’re moving forward, stronger and more determined than ever.”