February 21 was a dark day for the crypto market: it suffered the biggest heist in its history. The attackers made off with around $1.5 billion from Bybit, the second-largest crypto exchange in the world, with experts calling it the largest theft of all time. Although neither this loss nor the additional $5 billion withdrawn by panicking investors proved fatal for Bybit, the incident highlights fundamental flaws in the modern crypto ecosystem and holds valuable lessons for ordinary users.
How Bybit was robbed
Like all major crypto exchanges, Bybit protects the cryptocurrency it stores with multiple layers of security. Most funds are kept in cold wallets disconnected from online systems. When the working balance needs topping up, the required sum is moved manually from a cold wallet to a hot one, and the operation is signed by several employees at the same time. For this, Bybit uses the Safe{Wallet} multi-signature (multisig) solution, and each employee involved in the transaction signs it with the private key held on their own hardware wallet.
The attackers studied the system in detail and, according to independent researchers, compromised a Safe{Wallet} developer's machine. Presumably, malicious changes were made to the code that serves the Safe{Wallet} web application pages. But the logic bomb inside was triggered only if the transaction source matched the address of the Bybit contract; otherwise Safe{Wallet} worked as normal. After conducting its own investigation, the Safe{Wallet} team rejected the conclusions of the two independent information security companies, insisting that its infrastructure had not been hacked.
So what happened? During a routine $7 million top-up of a hot wallet, Bybit employees saw on their computer screens exactly that amount and a recipient address matching the hot wallet. But different data was sent for signing instead! For regular transfers, the recipient's address can (and should!) be checked on the hardware wallet's screen. But when signing multisig transactions, this information is not displayed, so the Bybit employees essentially made a blind transfer.
As a result, they unwittingly approved a malicious smart contract that moved the entire contents of one of Bybit's cold wallets to several hundred fake wallets. As soon as the withdrawal from the Bybit wallet was complete, the code on the Safe{Wallet} website appears to have reverted to its harmless version. The attackers are currently busy "layering" the stolen Ethereum, moving it onward in an attempt to launder it.
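The gap described above, between what the operators saw on screen and what was actually handed to their signing devices, can be narrowed at the client side by comparing the two before anything is signed. The following is an added example, not code from the original article or from Safe{Wallet}: the field names to, value, data and operation are assumed to mirror the shape of a multisig transaction, and every address and amount in it is constructed.

```javascript
// Added example (not the article's or Safe{Wallet}'s own code): a
// "what you see is what you sign" check for a multisig transfer.
// Field names (to, value, data, operation) are assumed to mirror a multisig
// transaction; all addresses and amounts below are constructed.

// Constructed sample addresses (not real wallets or contracts).
const HOT_WALLET = "0x1111111111111111111111111111111111111111";
const ROGUE_CONTRACT = "0x2222222222222222222222222222222222222222";

// Normalise an address for comparison: 0x-prefixed, 20 bytes, case-insensitive.
function normaliseAddress(addr) {
  const s = String(addr).trim().toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(s)) throw new Error(`malformed address: ${addr}`);
  return s;
}

// Compare what the web UI displayed with the payload actually passed to the
// signing device. Returns a list of discrepancies; an empty list means the
// payload is exactly the plain transfer the operator saw.
function compareDisplayedToSigned(displayed, toSign) {
  const findings = [];
  if (normaliseAddress(displayed.to) !== normaliseAddress(toSign.to)) {
    findings.push(`recipient mismatch: shown ${displayed.to}, signing ${toSign.to}`);
  }
  if (BigInt(displayed.value) !== BigInt(toSign.value)) {
    findings.push(`amount mismatch: shown ${displayed.value}, signing ${toSign.value}`);
  }
  // A plain value transfer carries no calldata; any bytes here mean the
  // transaction will execute contract code rather than just move funds.
  const data = String(toSign.data ?? "0x").toLowerCase();
  if (data !== "0x" && data !== "") {
    findings.push(`unexpected calldata: ${(data.length - 2) / 2} bytes, not a plain transfer`);
  }
  // operation 0 is an ordinary call; anything else changes how the multisig
  // executes the transaction and has no place in a routine top-up.
  if (Number(toSign.operation ?? 0) !== 0) {
    findings.push(`unexpected operation type ${toSign.operation}, expected 0 (call)`);
  }
  return findings;
}

// Refuse to hand a payload to the signer unless it matches what was shown.
function assertSafeToSign(displayed, toSign) {
  const findings = compareDisplayedToSigned(displayed, toSign);
  if (findings.length > 0) throw new Error("refusing to sign:\n  " + findings.join("\n  "));
  return true;
}

// Constructed scenario. What the operators saw on screen:
const displayed = { to: HOT_WALLET, value: 3000n * 10n ** 18n, data: "0x", operation: 0 };
// ... and a tampered payload of the kind a compromised front end could substitute:
const tampered = { to: ROGUE_CONTRACT, value: 3000n * 10n ** 18n, data: "0xdeadbeef", operation: 1 };

console.log("honest payload:", compareDisplayedToSigned(displayed, displayed));
console.log("tampered payload:", compareDisplayedToSigned(displayed, tampered));
```

The check is only as strong as the independence of its two inputs: if both `displayed` and `toSign` are read from the same compromised web page, they will agree. The value comes from taking `toSign` from the raw payload the signing device or signing library is about to process, and `displayed` from what the operator actually confirmed.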
To all appearances, Bybit and its customers were the victims of a targeted supply-chain attack.
The Bybit case is not unique
The FBI has officially named the North Korean group TraderTraitor as the perpetrator. In information security circles, this group is also known as Lazarus, APT38 or BlueNoroff. Its trademark is persistent, sophisticated and sustained attacks in the cryptocurrency sphere: hacking wallet developers, robbing crypto exchanges, stealing from ordinary users, and even creating fake games.
Before the Bybit heist, the group's record was the theft of $540 million from the Ronin Network blockchain, built for the game Axie Infinity. In that 2022 attack, the hackers infected the computer of one of the game's developers using a fake job offer in an infected PDF file. This social-engineering technique remains in the group's arsenal to this day.
In May 2024, the group pulled off a smash-and-grab of over $300 million from the Japanese crypto exchange DMM Bitcoin, which subsequently went bankrupt. Before that, in 2020, more than $275 million was siphoned from the KuCoin crypto exchange, with a "leaked private key" for a hot wallet cited as the cause.
Lazarus has been honing its cryptocurrency theft tactics for more than a decade now. Back in 2018, we wrote about a series of attacks on banks and crypto exchanges using a trojanized cryptocurrency trading application as part of Operation AppleJeus. Experts at Elliptic estimate the total criminal proceeds of North Korea-linked actors at around $6 billion.
What crypto investors should do
In Bybit's case, customers were lucky: the exchange quickly handled the wave of withdrawal requests that followed and promised to cover the losses from its own funds. Bybit remains in business, so its customers do not need to take any special measures.
But the hack demonstrates yet again how difficult it is to secure funds moving through blockchain systems, and how little can be done to cancel a transaction or get the money back. Given the unprecedented scale of the attack, many called for the Ethereum blockchain to be rolled back to its pre-hack state, but Ethereum developers consider this "technically unsolvable". Meanwhile, Bybit has announced a bounty program offering crypto exchanges and ethical researchers up to 10% of any recovered funds, but so far only $43 million has materialized.
This has led some crypto industry experts to speculate that the main consequence of the hack will be a rise in self-custody of crypto assets.
Self-custody shifts the responsibility for secure storage from the shoulders of specialists onto yours. So take this route only if you have full confidence in your ability to control all the security measures and follow them rigorously day after day. Note that ordinary users without billions in their crypto wallets are unlikely to face a sophisticated attack targeted specifically at them, while generic mass attacks are easier to fend off.
So what do you need for secure self-custody of cryptocurrency?
- Buy a hardware wallet with a screen. This is the most effective way to protect crypto assets. First do some research and make sure you buy a wallet from a reputable vendor, and buy directly: never second-hand or from a marketplace. Otherwise you could end up with a pre-tampered wallet that swallows all your funds. When using the wallet to sign transfers, always check the recipient's address on both the computer screen and the wallet's screen to rule out its substitution by a malicious smart contract or a clipper Trojan that replaces crypto wallet addresses in the clipboard.
- Never store wallet seed phrases in electronic form. Forget about files on your computer and photos in your gallery for this: modern Trojans have learned to infiltrate Google Play and the App Store and to recognize data in the photos stored on your smartphone. Only paper records (or metal engravings, if you prefer) kept in a safe or another physically secure place, protected from unauthorized access and natural disasters, will do the trick. You might consider several storage locations, as well as splitting your seed phrase into parts.
- Don't keep all your coins in one basket. For holders of large amounts or different types of crypto assets, it makes sense to use several wallets. Small sums for transactional needs can be kept on a crypto exchange, while the bulk can be divided among several hardware wallets.
- Use a dedicated computer. If possible, set aside a computer for cryptocurrency transactions only. Restrict physical access to it (for example, keep it in a safe, a locked cabinet or a locked room), use disk encryption and a login password, and have a separate account with its own passwords (that is, different from those on your main computer). Install reliable protection and enable the maximum security settings on your "crypto computer". Connect it to the internet only for transactions and use it only for operations with wallets. Playing games, reading crypto news and chatting with friends belong on another device.
- If a dedicated computer is impractical or unaffordable, maintain strict digital hygiene on your main computer. Set up a separate low-privilege (non-administrator) account for crypto operations, and another account, also non-administrator, for work, chats and games. There is no need to work in administrator mode except to update system software or substantially reconfigure the computer. Log in to your dedicated "crypto account" only for operations with wallets and log out immediately afterwards. Do not give outsiders access to the computer and do not share the administrator passwords with anyone.
- Be careful when choosing crypto wallet software. Study the software's description carefully, make sure the application has been on the market for a long time, and check that you are downloading it from the official website and that the digital signature of the distribution matches the website and the vendor's name. Run a full scan of your computer with an up-to-date security solution before installing and running crypto wallet software.
- Be careful with updates. Although we generally recommend updating all software immediately, in the case of cryptocurrency applications it is worth adjusting this policy. After a new version is released, wait about a week and read the reviews before installing it. This gives the community time to catch any bugs or Trojans that may have sneaked into the update.
- Follow the enhanced IT security measures described in our post Protecting crypto investments: four key steps to security, which include installing a robust security solution, such as Kaspersky Premium, on your computer and smartphone, updating your operating system and browsers regularly, and using strong, unique passwords.
- Expect phishing. Cryptocurrency fraud can be both multifaceted and sophisticated, so any unexpected message by e-mail, messenger app or other channel should be treated as the opening move of a scam. Stay on top of all the latest crypto scams by following our blog or Telegram channel, as well as other reputable cybersecurity sources.
Find out more about crypto scams and how to protect yourself in our dedicated posts: