How North Korean hackers stole $1.5B in ethereum from Bybit

February 25, 2025

When the North Korean hacker group Lazarus stole nearly $1.5 billion worth of ether from the crypto exchange Bybit, one question was: How? The funds were held in cold wallets, whose signing keys are kept offline and are theoretically out of reach of cyberthieves.

The short answer is, the hackers tricked Bybit employees, including CEO Ben Zhou, into approving a series of fraudulent transactions.

Crypto investigator ZachXBT uncovered the identity of the thieves on the social platform X, and crypto analysis firm Arkham Intelligence verified his findings.

The analysis highlighted a major weakness in the crypto ecosystem: both Bybit and outside observers pointed to how hard it can be to manually verify what a transaction will actually do before signing it.

The setup

Bybit holds various cryptocurrencies in cold wallets, meaning the private keys that control those accounts are kept on devices that are not directly connected to the internet. In particular, Bybit held its ether in a cold wallet built on Safe{Wallet}, a multisig smart-contract wallet in which a set of designated signers must approve each transaction.

Bybit periodically withdraws from these cold wallets to top off so-called warm wallets, Zhou said in online posts and interviews following the Friday heist. In a warm wallet the keys are held online and transactions can be constructed automatically, but a human must still sign each one before it is sent on to a hot wallet or broadcast to the blockchain. Bybit uses warm wallets to top off its hot wallets, which are used to actively move cryptocurrency.

This system allows Bybit to maintain a balance of security and liquidity for its crypto assets, depending on how much cryptocurrency the company needs to transact or hold in reserve at any given time.


When the company moves cryptocurrency from a cold wallet to a warm wallet, it uses a multi-signatory approach, often called multisig, in which several designated people must each manually review and approve a transaction before it is executed.

In the case of Friday’s heist, Zhou was set to be the last signatory on the transaction.

The heist

Lazarus Group appears to have stolen the funds from Bybit either by manipulating what each of the Bybit cold wallet signatories saw of the 400,000-ether transaction, or by presenting a legitimate-looking transaction that Bybit could have identified as fraudulent with a more in-depth review.

Zhou said the attack occurred after he received a request to sign a transaction he believed would move money from a Bybit cold wallet to a warm wallet.

When Zhou viewed the transaction he was asked to sign, it showed the correct address and a URL from Safe, but “the signing message was to change the smart contract logic of our ETH cold wallet,” he said on X.

This attack appears to have relied heavily on social engineering rather than technical exploits, according to some observers.

“The hacker didn’t break the code,” wrote Gautham Santhosh, co-founder of PolynomialFi, a system for derivatives trading on the ethereum blockchain, on X. “They broke the humans.”

By Zhou’s account, the error came from not fully verifying the transaction he was signing: the interface showed the contract code rather than a plain destination address, so where the funds would actually go was not obvious.

“One of the issues with, at least from my experience, with the ethereum-related cold wallet transfer is that it doesn’t exactly show the destination; it shows a lot of code,” Zhou said during a live-streamed update about the incident.


Zhou then began to describe what he had not fully checked in the transaction.

“I checked the code, but I didn’t check fully if — normally, also the address, the destination address, is not inside of that multisig signing,” Zhou said, cutting himself off.

Although Lazarus appears to have tricked Zhou and the Bybit team that approved the fraudulent transaction, it is unclear how exactly the group presented a legitimate-looking contract for the team to sign.

For its part, Safe said that its own systems for signing transactions remained secure.

“We have not found evidence that the official Safe frontend was compromised,” the company wrote on X on Friday. “However, out of caution, Safe{Wallet} is temporarily pausing certain functionalities. User security is our top priority, and we’ll provide more updates soon.”

The company was conducting a “comprehensive forensic review of all services,” according to Safe co-founder Lukas Schor, who also implored users to “please take care that you properly verify any transaction that you sign.”

The fallout

Once Bybit approved the fraudulent transaction, Lazarus routed the stolen funds through a series of wallets and exchanges in an attempt to launder them. Arkham and ZachXBT have published those wallet addresses in the hope that other exchanges will voluntarily block transactions involving them.

Despite the theft, Bybit managed to remain solvent, and as of Monday, it was still processing withdrawals — a feat some observers found shocking.

“Exchanges like Bybit don’t typically continue operating after billion-dollar hacks,” said PolynomialFi’s Santhosh. “A $1.46B+ hack that didn’t crash the exchange is unprecedented.”


Nic Puckrin, a financial analyst and founder of crypto blog The Coin Bureau, told American Banker that the “biggest issue” to resolve in the wake of this incident is so-called “blind signing,” in which a person signs a crypto transaction without being able to see everything it will do.

“It sounds like an obvious weak point, but it happens often and is a fundamental flaw of ethereum virtual machine-type transactions,” Puckrin said. “I know, however, that this issue is already being worked on by the industry’s leading hardware wallets.”
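As an added illustration of the signer-side check that both Zhou's account (seeing code rather than a destination) and Puckrin's point about blind signing call for, here is example code that is not Bybit's, Safe's or the article's own. It decodes the fields a Safe{Wallet} multisig transaction actually carries (`to`, `value`, `data`, `operation`; operation 0 is CALL, operation 1 is DELEGATECALL, which runs foreign code inside the wallet's own storage and can therefore replace its logic) and refuses anything that is not a plain ETH or ERC-20 transfer to an allowlisted warm wallet. The placeholder addresses, the allowlist, the `review` policy and the hostile sample transaction are constructed for the example, not taken from the incident.

```python
"""Signer-side review of a Safe{Wallet} multisig transaction before approval.

Example code written for this page; it is not Bybit's, Safe's or the
article's own. It decodes what the multisig is actually being asked to
execute instead of trusting whatever the front end renders.

Assumptions (not from the article): the signer keeps an allowlist of
warm-wallet and token-contract addresses, and the proposal arrives as
the field set of Safe's execTransaction(to, value, data, operation, ...).
Operation 0 is CALL; operation 1 is DELEGATECALL, which runs foreign
code in the wallet's own storage context and can rewrite its logic.
"""
from dataclasses import dataclass, field

CALL, DELEGATECALL = 0, 1
# First four bytes of keccak256("transfer(address,uint256)").
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


@dataclass
class SafeTx:
    to: str          # target address, 0x-prefixed hex
    value: int       # wei of native ETH attached to the call
    data: bytes      # calldata passed to `to`
    operation: int   # 0 = CALL, 1 = DELEGATECALL


@dataclass
class Verdict:
    approve: bool
    reasons: list = field(default_factory=list)


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256): selector + two 32-byte words."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return ERC20_TRANSFER_SELECTOR + addr + amount.to_bytes(32, "big")


def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) for well-formed ERC-20 transfer calldata, else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    addr_word, amount_word = data[4:36], data[36:68]
    if any(addr_word[:12]):           # address is right-aligned; high 12 bytes must be zero
        return None
    return "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big")


def review(tx: SafeTx, warm_wallets: set, token_contracts: set) -> Verdict:
    """Strict treasury policy: only plain ETH or ERC-20 transfers to allowlisted wallets."""
    reasons = []
    allow = {a.lower() for a in warm_wallets}
    tokens = {a.lower() for a in token_contracts}
    to = tx.to.lower()

    if tx.operation != CALL:
        reasons.append("operation is DELEGATECALL: foreign code would run inside "
                       "the wallet and could replace its logic")
    if tx.data == b"":
        # Native ETH transfer: the destination is the `to` field itself.
        if to not in allow:
            reasons.append(f"ETH destination {tx.to} is not an allowlisted warm wallet")
    else:
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            reasons.append("calldata is not a plain ERC-20 transfer; refusing to sign opaque code")
        else:
            recipient, _amount = decoded
            if to not in tokens:
                reasons.append(f"call targets {tx.to}, which is not a known token contract")
            if recipient not in allow:
                reasons.append(f"token recipient {recipient} is not an allowlisted warm wallet")
            if tx.value != 0:
                reasons.append("ETH value attached to a token transfer")
    return Verdict(approve=not reasons, reasons=reasons)


# Constructed sample data: placeholder addresses, not the real Bybit or attacker wallets.
WARM_WALLET = "0x1111111111111111111111111111111111111111"
TOKEN = "0x2222222222222222222222222222222222222222"
UNKNOWN = "0x3333333333333333333333333333333333333333"
WARM_WALLETS = {WARM_WALLET}
TOKEN_CONTRACTS = {TOKEN}


def routine_eth_topup() -> SafeTx:
    """The legitimate cold-to-warm transfer the signer expects to see."""
    return SafeTx(to=WARM_WALLET, value=10 ** 18, data=b"", operation=CALL)


def routine_token_topup() -> SafeTx:
    """A legitimate ERC-20 top-up of the same warm wallet."""
    return SafeTx(to=TOKEN, value=0, data=encode_erc20_transfer(WARM_WALLET, 5000), operation=CALL)


def disguised_logic_change() -> SafeTx:
    """Constructed hostile proposal: a DELEGATECALL with opaque calldata to an unknown contract."""
    return SafeTx(to=UNKNOWN, value=0, data=bytes.fromhex("deadbeef") + bytes(64), operation=DELEGATECALL)


if __name__ == "__main__":
    for name, tx in (("eth top-up", routine_eth_topup()),
                     ("token top-up", routine_token_topup()),
                     ("disguised change", disguised_logic_change())):
        v = review(tx, WARM_WALLETS, TOKEN_CONTRACTS)
        print(name, "APPROVE" if v.approve else "REJECT", v.reasons)
```

The point of the policy is that it never consults what a web front end says the transaction is; every decision is made from the raw fields that will be hashed and signed. A DELEGATECALL or any calldata that is not a recognised transfer is rejected outright rather than shown to the signer as "a lot of code" to interpret by eye, and the same fields can be checked independently on each signer's own machine or hardware wallet.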

Emma Kinery contributed reporting.
