
Bybit Hack Exposes $1.4B ETH Theft, Linked to Lazarus Group

  • A hacker used malware to alter a smart contract and steal ETH from Bybit’s cold wallet.  
  • Binance and Bitget sent ETH directly to Bybit’s wallets to prevent further losses.  
  • Experts tied the hack to the Lazarus Group, which relied on social engineering to breach security.

In the late hours of Friday, a hacker compromised an Ethereum cold wallet on the Bybit exchange, stealing over $1.4 billion in liquid-staked ETH and ERC-20 tokens. Blockchain security analyst ZachXBT uncovered the breach shortly after it occurred, identifying stolen assets, including Staked Ether (stETH) and Mantle Staked ETH (mETH). The attack exploited a vulnerability in Bybit’s multisignature wallet system, allowing the perpetrators to redirect funds.

A Coordinated Attack on Bybit’s Security

Bybit CEO Ben Zhou confirmed the breach, revealing that the attacker executed a transfer from the exchange’s multisignature wallet to a warm wallet just before the breach was detected. The transaction, which appeared legitimate to the signers, carried malicious code that enabled the criminals to alter the smart contract’s logic. The CEO reassured users that an investigation was underway to assess the extent of the attack and contain further risks.

Following the attack, the exchange faced a flood of withdrawal requests, with over 350,000 initiated within hours. Zhou stated that 99.994% of these transactions were successfully processed. Despite the breach, the platform maintained operational stability, with all features remaining accessible to users. The response demonstrated the exchange’s commitment to addressing customer concerns during the crisis.

Twelve hours after the hack had taken place, Zhou updated the community, stating that all withdrawals had been processed and the system had returned to normal. He expressed regret for the breach and thanked users for their patience. Bybit plans to release a full incident report and security measures in the coming days. Zhou also promised more updates and acknowledged the support from clients, partners, and friends, emphasizing that the real work to strengthen security had just begun.

Lazarus Group Linked to the Bybit Hack

Blockchain investigator ZachXBT attributed the hack to the North Korean Lazarus Group, citing evidence including test transactions and several wallet connections. Data from Arkham Intel corroborated these findings, and Arkham offered a 50,000 ARKM token bounty for additional information on the perpetrators.

Web3 security firm Dilation Effect provided further analysis, noting that the attack required only one signer because of a sophisticated social engineering exploit. The hacker manipulated the Bybit cold wallet’s multisignature contract by executing a malicious transfer function via delegate call. This method altered the contract’s logic, redirecting funds to the attacker’s address.
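The defensive lesson in the analysis above is that signers approved a transaction that looked legitimate in the interface while the underlying calldata requested a delegate call. The example below is an added illustration, not code from Bybit, Dilation Effect, or any wallet vendor: it decodes raw calldata for a simplified, hypothetical `execTransaction(address to, uint256 value, bytes data, uint8 operation)` layout (operation 0 = CALL, 1 = DELEGATECALL) and applies a signing policy that refuses delegate calls and destinations outside an allowlist. The function selector and all addresses are constructed placeholders.

```python
# Pre-signing policy check for a multisig wallet transaction.
# Added example, not Bybit's or any vendor's code. It assumes a simplified,
# hypothetical calldata layout:
#   execTransaction(address to, uint256 value, bytes data, uint8 operation)
# with operation 0 = CALL and 1 = DELEGATECALL. The 4-byte selector and all
# addresses below are constructed placeholders.
from dataclasses import dataclass

WORD = 32
CALL, DELEGATECALL = 0, 1
SELECTOR = bytes.fromhex("aabbccdd")  # placeholder selector, constructed


@dataclass
class DecodedTx:
    to: str
    value: int
    data: bytes
    operation: int


def _word(buf: bytes, index: int) -> bytes:
    """Return the index-th 32-byte word of buf, failing on truncation."""
    chunk = buf[index * WORD:(index + 1) * WORD]
    if len(chunk) != WORD:
        raise ValueError("calldata truncated")
    return chunk


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    """ABI-encode the simplified execTransaction call (used here to build samples)."""
    head = (
        bytes.fromhex(to.removeprefix("0x")).rjust(WORD, b"\x00")
        + value.to_bytes(WORD, "big")
        + (4 * WORD).to_bytes(WORD, "big")  # offset of the dynamic `data` tail
        + operation.to_bytes(WORD, "big")
    )
    padded = data + b"\x00" * (-len(data) % WORD)
    tail = len(data).to_bytes(WORD, "big") + padded
    return "0x" + (SELECTOR + head + tail).hex()


def decode_exec_transaction(calldata_hex: str) -> DecodedTx:
    """Decode raw calldata so a signer checks the bytes, not a UI rendering."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4] != SELECTOR:
        raise ValueError("unexpected function selector")
    body = raw[4:]
    to = "0x" + _word(body, 0)[12:].hex()
    value = int.from_bytes(_word(body, 1), "big")
    offset = int.from_bytes(_word(body, 2), "big")
    operation = int.from_bytes(_word(body, 3), "big")
    length = int.from_bytes(body[offset:offset + WORD], "big")
    data = body[offset + WORD:offset + WORD + length]
    if len(data) != length:
        raise ValueError("dynamic data truncated")
    return DecodedTx(to, value, data, operation)


def policy_findings(tx: DecodedTx, allowed_destinations: set[str]) -> list[str]:
    """Return reasons to refuse signing; an empty list means the policy passed."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: callee code would run inside "
                        "the wallet's own storage context")
    elif tx.operation != CALL:
        findings.append(f"unknown operation code {tx.operation}")
    allowed = {a.lower() for a in allowed_destinations}
    if tx.to.lower() not in allowed:
        findings.append(f"destination {tx.to} is not on the signer allowlist")
    if tx.data and tx.value:
        findings.append("transaction both sends ETH and calls a function; "
                        "confirm both are intended")
    return findings


# Constructed sample data: one routine sweep, one suspicious request.
WARM_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "22" * 20
ALLOWLIST = {WARM_WALLET}


def check_samples() -> dict[str, list[str]]:
    benign = encode_exec_transaction(WARM_WALLET, 10**18, b"", CALL)
    suspicious = encode_exec_transaction(UNKNOWN_CONTRACT, 0, b"\xde\xad\xbe\xef", DELEGATECALL)
    return {
        "benign": policy_findings(decode_exec_transaction(benign), ALLOWLIST),
        "suspicious": policy_findings(decode_exec_transaction(suspicious), ALLOWLIST),
    }


if __name__ == "__main__":
    for name, findings in check_samples().items():
        print(name, "->", findings or ["OK to sign"])
```

The point of decoding the calldata independently is that a compromised signing front end can render whatever it likes; the `operation` word and the destination address in the raw bytes are what the wallet contract will actually execute, so that is what each signer should verify before adding a signature.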


Binance and Bitget Step In With Emergency Support

In response to the security breach, Binance and Bitget transferred over 50,000 ETH to Bybit’s cold wallets, bypassing standard deposit addresses. The direct deposits indicated a coordinated effort to stabilize Bybit’s reserves. On-chain analyst Conor Grogan highlighted Bitget’s support as particularly striking, noting that its 39,999 ETH deposit accounted for nearly 25% of its total holdings.

Bitget’s Proof-of-Reserve report from January 9 showed that the exchange contributed over half of its surplus ETH holdings to aid Bybit. Grogan compared the response to the FTX collapse in 2022, emphasizing that Binance had not acted as swiftly in that instance. The strategic deposits underscored the urgency of the situation and the collaboration among major exchanges to prevent further market destabilization.

In a nutshell, the breach’s magnitude and execution highlighted vulnerabilities in exchange security protocols. As Bybit and blockchain analysts continue their investigations, the incident raises a critical question: how can exchanges strengthen cold wallet security to prevent such attacks in the future?
