
On Friday, February 21, the cryptocurrency world experienced one of the most critical moments in its history: Bybit, one of the largest platforms in the world, suffered an unprecedented hack.
The attackers managed to steal over 401,000 ETH, worth an estimated $1.4 billion at the time of the theft. Cybersecurity experts have stressed that this attack combined social engineering, interface manipulation and the exploitation of weaknesses in the platform's security systems.
The incident occurred during a routine transfer from an Ethereum multi-signature cold wallet to a hot wallet. Although Bybit assured that customer funds are safe and that the platform can cover the loss, the attack has sent shockwaves through the crypto market, once again calling into question the security of centralized platforms.
A sophisticated attack: How did the hackers bypass Bybit's security system?
The Bybit hack was not a conventional attack. The attackers reportedly used a combination of advanced social engineering techniques and interface manipulation to infiltrate and trick the platform’s systems. Key to the attack was Ethereum’s multi-signature cold wallet, a system designed to offer maximum security as it requires multiple signatures to authorize a transaction.
However, the hackers managed to build a fake interface that perfectly replicated the secure wallet management platform used by Bybit. This interface displayed verified addresses and URLs, which made the transaction appear legitimate. Behind this layer of authenticity, however, the attackers had altered the logic of the underlying smart contract.
As a result, when the authorized signers approved the transaction, they believed they were performing a routine operation. What they actually signed was a modified, malicious payload that allowed the hackers to divert the funds to an unknown wallet. This attack method, known as "masking," was so effective that Bybit's security systems failed to detect any anomaly until it was too late.
“Bybit’s ETH multisig cold wallet just made a transfer to our hot wallet about 1 hour ago. It seems that this specific transaction was manipulated, all signers saw the masked UI showing the correct address and the URL was from Safe,” reported Ben Zhou, CEO of the platform.
The affected wallet was a “Safe” wallet, a multi-signature system widely used by Web3 projects and DAOs due to its high security. The multi-signature design makes these wallets particularly resistant to attacks. Therefore, the success of the attack against Bybit is especially worrying.
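The masking technique described above works because the signers trusted what the interface showed them rather than what was actually handed to their keys. The defensive counter-measure practitioners recommend is an independent pre-signing check: decode the raw payload on a separate, trusted path and compare it field by field against the displayed intent, then compare a fingerprint of that payload out of band with the other signers. The following is an added example written for this article; it is not Bybit's or Safe's code. The address values are constructed placeholders, the `operation` codes follow the Safe convention (0 = CALL, 1 = DELEGATECALL), and the SHA-256 fingerprint is an assumed stand-in for a real wallet's transaction hash.

```python
"""Independent pre-signing check for a multisig transfer (constructed example)."""
import hashlib
from dataclasses import dataclass

# Operation codes as used by Safe-style multisig wallets.
CALL, DELEGATECALL = 0, 1


@dataclass(frozen=True)
class DisplayedIntent:
    """What the signer believes they are approving, i.e. what the UI shows."""
    recipient: str
    value_wei: int


@dataclass(frozen=True)
class RawPayload:
    """What is actually handed to the signing key."""
    to: str
    value_wei: int
    data: bytes
    operation: int


def _norm(addr: str) -> str:
    """Basic shape check plus case normalisation so two spellings of one address compare equal."""
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"malformed address: {addr!r}")
    return addr.lower()


def fingerprint(payload: RawPayload) -> str:
    """Stable digest of the raw payload for out-of-band comparison between signers.

    Assumption: a simple SHA-256 over a canonical encoding stands in for the
    wallet's real transaction hash; the point is that every signer derives it
    from the payload, never from the UI.
    """
    canonical = (
        f"{_norm(payload.to)}|{payload.value_wei}|{payload.operation}|{payload.data.hex()}"
    ).encode()
    return hashlib.sha256(canonical).hexdigest()


def check_payload(intent: DisplayedIntent, payload: RawPayload) -> list[str]:
    """Return a list of discrepancies; an empty list means the payload matches the shown intent."""
    problems = []
    if _norm(payload.to) != _norm(intent.recipient):
        problems.append(
            f"recipient mismatch: UI shows {intent.recipient}, payload targets {payload.to}"
        )
    if payload.value_wei != intent.value_wei:
        problems.append(
            f"value mismatch: UI shows {intent.value_wei} wei, payload carries {payload.value_wei} wei"
        )
    if payload.operation != CALL:
        problems.append(
            "operation is DELEGATECALL: the wallet would execute foreign code in its own storage context"
        )
    if payload.data:
        problems.append(
            f"a plain ETH transfer should carry no calldata, payload has {len(payload.data)} bytes"
        )
    return problems


# Constructed sample values (not real addresses or transactions).
HOT_WALLET = "0x" + "ab" * 20
UNKNOWN_CONTRACT = "0x" + "cd" * 20
TEN_ETH = 10 * 10**18

INTENT = DisplayedIntent(recipient=HOT_WALLET, value_wei=TEN_ETH)
LEGIT_PAYLOAD = RawPayload(to=HOT_WALLET, value_wei=TEN_ETH, data=b"", operation=CALL)
# A masked payload: the UI still shows INTENT, but the key is asked to sign this.
MASKED_PAYLOAD = RawPayload(
    to=UNKNOWN_CONTRACT, value_wei=0, data=bytes.fromhex("deadbeef"), operation=DELEGATECALL
)

if __name__ == "__main__":
    for label, payload in (("legit", LEGIT_PAYLOAD), ("masked", MASKED_PAYLOAD)):
        issues = check_payload(INTENT, payload)
        print(f"{label}: fingerprint={fingerprint(payload)[:16]}... "
              f"{'OK to sign' if not issues else 'REFUSE'}")
        for issue in issues:
            print("  -", issue)
```

The check deliberately refuses on any delegatecall or non-empty calldata for what is supposed to be a plain transfer, because either can change what the wallet does regardless of which recipient is displayed. Running the same check on a hardware signer's own screen, rather than in the browser that rendered the interface, is what makes it independent of the masked UI.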
The fate of the stolen funds
Once the funds had been transferred to the unknown wallet, the hackers moved quickly to cover their tracks. Initial forensic analysis revealed that the attackers split the 401,000 ETH across multiple addresses, using decentralized networks and privacy protocols to obscure its origin.
According to reports from firms such as Arkham Intelligence, the funds were quickly sold on decentralized exchanges (DEXs). In addition, the hackers used cryptocurrency mixing techniques to hide their origin.
Bybit has assured that it is working with blockchain security companies and the authorities to track the movement of the funds, but so far no significant progress in recovering them has been reported. Only Tether, the issuer of the stablecoin USDT, has reported freezing $181,000 in hack-related assets. Paolo Ardoino, CEO of the company, said that although this figure is not very significant given the magnitude of the hack, everything possible was being done to recover the stolen funds.
Furthermore, Zhou assured that he has been receiving great support from the broader crypto community and reaffirmed that withdrawals have not paused. “Since the hack (10 hours ago), Bybit has experienced the highest amount of withdrawals we have ever seen. We have had a total number of over 350k withdrawal requests,” he reported, assuring that users have been able to withdraw any amount without experiencing any delays in their requests.
Lazarus Group behind the Bybit hack
The Bybit attack has been attributed to the Lazarus Group, a North Korean government-sponsored hacker group known for its advanced cyber espionage operations and financial attacks. Blockchain and cybersecurity analysis expert ZACHXBT has presented a detailed report pointing to this cybercriminal group as the ones responsible for the exchange attack, once again demonstrating their ability to execute highly sophisticated operations.
The Bybit hack has shaken the foundations of the cryptocurrency industry, surpassing in nominal value the one suffered by the Mt Gox platform in 2014, and raising questions about the security of cryptographic signing systems that were widely regarded as practically unbreakable under normal conditions. Although Bybit has guaranteed that customer funds were not compromised and that the platform can cover the loss, the incident has triggered a wave of mass withdrawals and a crisis of confidence.
The hack has also highlighted the growing sophistication of cybercriminals, who are exploiting weaknesses in signing systems and user interfaces. Security experts have warned that such attacks could become the new standard for hacking groups, especially state-backed ones such as the Lazarus Group, to which this incident has been linked.