- Cold wallets: Offline storage devices designed to protect cryptocurrencies from online threats. Because cold wallets stay disconnected from the Internet until they are plugged into a computer to make a transfer, they are considered much safer for long-term storage of digital assets.
- Hot wallets: These wallets are online and used actively for daily transactions. They let users deposit, withdraw or exchange cryptocurrencies quickly. However, because they are connected to the Internet, they are inherently more vulnerable to cyberattacks.
The breach occurred during a transfer of assets from Bybit's cold wallet to its hot wallet. During this process, the attackers, reportedly part of the North Korean Lazarus group, managed to intercept the transaction and redirect the funds to their own wallets, stealing 400,000 Ethereum (ETH), worth around $1.5 billion at the time. More specifically, the system used "blind signing", meaning the transaction was signed without fully revealing its details to the party signing it. This lack of visibility enabled the attackers to inject malicious transaction data, diverting funds without the signing process detecting any anomaly. Once the transaction details were obscured, no further multi-signature approval layer was in place to catch irregularities. This was a critical security oversight.
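To make the mechanism concrete, here is an added Python example (not Bybit's code or any real wallet software) that contrasts a blind signer, which only ever sees an opaque digest, with a policy-gated signer that decodes the transfer, checks the destination against an allowlist and demands a larger approval quorum for high-value amounts; the wallet addresses, thresholds and quorum sizes are constructed assumptions.

```python
import hashlib
import json
from dataclasses import asdict, dataclass

# Constructed sample values for the demonstration; not Bybit's real addresses or keys.
COLD_WALLET = "0xCOLD0001"
HOT_WALLET = "0xHOT00001"
ATTACKER_WALLET = "0xBAD00001"

@dataclass(frozen=True)
class Transfer:
    source: str
    destination: str
    amount_eth: int

    def digest(self) -> str:
        # All a blind signer ever sees: an opaque hash of the serialized payload.
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

def blind_sign(signer: str, digest: str) -> str:
    """Blind signing: the signer approves a digest it cannot interpret, so a
    substituted payload with a different destination gets signed like the real one."""
    return f"{signer}:{digest[:16]}"

class SigningPolicy:
    """Policy-gated signing: decode the transfer, enforce a destination allowlist,
    and require M-of-N distinct approvals (a larger quorum for high-value amounts)."""
    def __init__(self, allowed_destinations, base_quorum, high_value_eth, high_value_quorum):
        self.allowed = set(allowed_destinations)
        self.base_quorum, self.high_value_eth, self.high_value_quorum = base_quorum, high_value_eth, high_value_quorum

    def check(self, tx: Transfer, approvers: list[str]):
        """Return a rejection reason, or None when the transfer may be signed."""
        if tx.destination not in self.allowed:
            return f"destination {tx.destination} is not on the allowlist"
        need = self.high_value_quorum if tx.amount_eth >= self.high_value_eth else self.base_quorum
        have = len(set(approvers))
        if have < need:
            return f"{need} distinct approvals required, got {have}"
        return None

    def sign(self, tx: Transfer, approvers: list[str]) -> list[str]:
        reason = self.check(tx, approvers)
        if reason:
            raise PermissionError(reason)
        return [f"{a}:{tx.digest()[:16]}" for a in approvers]

POLICY = SigningPolicy([HOT_WALLET], base_quorum=2, high_value_eth=10_000, high_value_quorum=3)
INTENDED = Transfer(COLD_WALLET, HOT_WALLET, 400_000)      # the legitimate cold-to-hot move
SWAPPED = Transfer(COLD_WALLET, ATTACKER_WALLET, 400_000)  # attacker-substituted payload
```

The blind signer produces a signature for `SWAPPED` just as readily as for `INTENDED`, while `POLICY.check(SWAPPED, ...)` rejects it on the destination before any quorum is counted.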
What cloud security experts can learn
The Bybit breach, although rooted in the specifics of cryptocurrency exchanges, exposes significant vulnerabilities that apply to any organization managing digital assets, particularly those that rely on cloud infrastructure. Several factors contributed to the breach, so here is a list of valuable lessons that cloud security experts and security managers can take from what went wrong:
- Insecure transaction signing and lack of multi-signature approval: At the heart of the Bybit incident was blind signing during the transfer process between the cold and hot wallets. Blind signing occurs when the transaction details are not fully visible to the party authorizing the transaction, which makes it easier for attackers to manipulate the process. In Bybit's case, this lack of transparency allowed the hackers to inject fraudulent transaction data without detection. Security practitioners should recognize that transaction visibility is essential to maintaining the integrity of any financial transaction, particularly in an environment where large sums are involved. To mitigate risks like this, it is essential to implement multi-signature (multi-sig) protocols. Multi-sig ensures that more than one party or system must approve a transaction before it executes, which considerably reduces the risk of unauthorized transfers.
- Lack of secondary verification for high-value transactions: In addition to the blind-signing vulnerability, Bybit had not implemented a secondary verification process for high-value transfers. Once the transaction was signed, no further verification layer was in place to prevent tampering. This oversight allowed the attackers to carry out their scheme without triggering red flags. For cloud security engineers, this is a clear warning. Secondary authentication, particularly for high-value transactions, is non-negotiable. Just as many cloud environments use multi-factor authentication (MFA) to secure access, high-value transfers must trigger additional approval or verification layers. Whether through SMS, e-mail confirmations or even manual review, a secondary approval process must be in place to ensure the integrity of the transaction.
- Insufficient monitoring and incident detection: The breach was discovered only after the cold wallet had been emptied, highlighting a major gap in Bybit's internal monitoring and detection systems. An event of this magnitude should have been flagged in real time by an effective monitoring system. Without continuous monitoring and the ability to quickly identify abnormal activity, it is far too easy for malicious actors to operate unchecked. Security leaders must prioritize real-time monitoring for any high-risk activity. Alerts for large transactions, failed login attempts and unusual access patterns can provide an early-warning system for suspicious activity. Automated tools and artificial intelligence can play an essential role in identifying patterns that might otherwise go unnoticed.
- Weak access control and lack of segmentation: It appears the attackers had access to Bybit's internal systems, whether through phishing, stolen credentials or the exploitation of software vulnerabilities. Once inside, they manipulated the wallet transfer process. This suggests inadequate access controls and perhaps a lack of network segmentation, which should have kept sensitive systems isolated from less critical ones. Cloud security practices should focus on role-based access control and identity and access management to limit access to sensitive data and systems to those who absolutely need it. Implementing strong, context-based authentication for administrative roles is essential. In addition, network segmentation can ensure that even if an attacker gains access to part of the system, they cannot move freely throughout the infrastructure.
- The role of cloud infrastructure in the attack: Although the attack was not directly caused by defects in Bybit's cloud infrastructure, it highlights the importance of securing cloud environments that manage digital assets. The exchange probably relied on cloud-hosted services for wallet management, transaction processing and API integration. Without appropriate cloud security practices, attackers can easily compromise these systems. Teams must also encrypt sensitive data, such as private keys and wallet information, and secure transaction data at rest and in transit.
- Incident response planning and coordination: Finally, it is essential to have a well-defined incident response plan in place. Bybit's response was rapid, but the damage could have been mitigated if the security protocols had been stronger. Cloud security teams should work with internal and external partners to deliver a coordinated response in the event of a breach, including communication plans, mitigation strategies and remediation processes.
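As an added illustration of the real-time monitoring lesson above (not Bybit's tooling), the following Python rules run over a constructed JSON-lines telemetry sample and raise alerts for high-value transfers, transfers to unknown destinations, under-approved cold-wallet outflows and repeated failed logins; the wallet inventory, thresholds and log format are assumptions.

```python
import json
from collections import Counter

# Constructed sample telemetry (JSON lines); not real Bybit logs, addresses or IPs.
SAMPLE_LOG = """\
{"ts": "2025-01-01T10:00:01Z", "event": "transfer", "src": "0xCOLD0001", "dst": "0xHOT00001", "amount_eth": 1500, "approvals": 3}
{"ts": "2025-01-01T10:02:10Z", "event": "login_failed", "user": "ops-admin", "ip": "203.0.113.7"}
{"ts": "2025-01-01T10:02:15Z", "event": "login_failed", "user": "ops-admin", "ip": "203.0.113.7"}
{"ts": "2025-01-01T10:02:21Z", "event": "login_failed", "user": "ops-admin", "ip": "203.0.113.7"}
{"ts": "2025-01-01T10:05:00Z", "event": "transfer", "src": "0xCOLD0001", "dst": "0xBAD00001", "amount_eth": 400000, "approvals": 1}
"""

# Assumed detection parameters: exchange-owned wallet inventory, the high-value
# threshold, the approval quorum for cold-wallet outflows and the failed-login tolerance.
COLD_WALLETS = {"0xCOLD0001"}
KNOWN_WALLETS = COLD_WALLETS | {"0xHOT00001"}
HIGH_VALUE_ETH = 10_000
REQUIRED_APPROVALS = 3
FAILED_LOGIN_LIMIT = 3


def detect(log_text: str) -> list[dict]:
    """Run the rules over JSON-lines telemetry and return one alert per finding, in log order."""
    alerts = []
    failed_logins = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event"] == "transfer":
            # Each rule fires independently, so one bad transfer can raise several alerts.
            if ev["amount_eth"] >= HIGH_VALUE_ETH:
                alerts.append({"rule": "high_value_transfer", "ts": ev["ts"], "dst": ev["dst"]})
            if ev["dst"] not in KNOWN_WALLETS:
                alerts.append({"rule": "unknown_destination", "ts": ev["ts"], "dst": ev["dst"]})
            if ev["src"] in COLD_WALLETS and ev["approvals"] < REQUIRED_APPROVALS:
                alerts.append({"rule": "insufficient_approvals", "ts": ev["ts"], "dst": ev["dst"]})
        elif ev["event"] == "login_failed":
            key = (ev["user"], ev["ip"])
            failed_logins[key] += 1
            if failed_logins[key] == FAILED_LOGIN_LIMIT:  # alert once, when the limit is reached
                alerts.append({"rule": "repeated_failed_logins", "ts": ev["ts"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the routine cold-to-hot transfer passes silently, the third failed login fires once, and the final transfer trips all three transfer rules, which is the kind of layered signal that would surface a drained cold wallet while the transfer is still in flight.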
The Bybit incident serves as a wake-up call to anyone operating in the cloud, particularly those managing large quantities of digital assets. While cryptocurrency exchanges face unique security challenges, the lessons learned from this breach apply universally to any cloud security environment. By implementing solid multi-signature protocols, improving access control, improving real-time monitoring and ensuring secure transaction signing, cloud security managers can build stronger defenses and reduce the probability that similar incidents occur within their own organizations.

Shira Shamban, Vice President of Cloud, Cye

The SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject-matter experts. Each contribution aims to bring a unique voice to important cybersecurity topics. The content strives to be of the highest quality, objective and non-commercial.