- Crypto Pragmatist by M6 Labs
Honey Wake Up. Another Crypto Hack Just Dropped!
Another day, another crypto hack.
It really gets more depressing every single time. This time North Korea’s Lazarus Group hit Bybit for a whopping $1.4B. Cherry on top? It is the largest crypto theft on record.
So, what the hell happened?
Background
Let’s familiarize ourselves with the parties involved. Bybit is one of the largest crypto exchanges in the world. In fact, Binance, Bybit, and Coinbase are pretty much the Big 3 of crypto exchanges.
The Lazarus Group, on the other hand, is a North Korean state-sponsored hacking group responsible for some of the biggest attacks of all time, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware outbreak, and the 2022 Ronin Network bridge breach.
The Mechanics of the Hack
How the Attack Unfolded
The attackers did not break Bybit’s multisig contract and did not steal its keys. They got Bybit’s own signers to approve a transaction that was different from the one shown on their screens: a call that rewrote the logic of the exchange’s multisig cold wallet.
Unlike a normal wallet, a multisig wallet requires signatures from a threshold of signers (say, three of five) before it will execute anything, so one stolen key is not enough. That is why a multisig is usually considered extremely safe.
In this case the weak point was not the contract but the signing interface. The Safe{Wallet} web app that Bybit’s signers used to review and approve transactions had been tampered with so that it displayed one transaction while submitting another. (Safe’s later post-mortem attributed the tampering to a compromised developer machine and malicious JavaScript injected into its hosted frontend, targeted specifically at Bybit’s Safe.)
Malicious Transaction Embedding: The attackers prepared a transaction that, on the surface, looked like a routine move of funds from Bybit’s cold wallet to a hot wallet used for daily operations. Underneath, its operation field was a delegatecall to an attacker-controlled contract rather than a plain call to the token contract, and its calldata was shaped like an ERC-20 transfer so that it would render as one.
Masked UI Deception: When Bybit’s signers reviewed the transaction in the Safe interface, they saw a legitimate-looking transfer with the correct addresses, at the correct Safe URL. The tampering happened in the browser, so what they actually signed was the attacker’s transaction, not the one on screen.
Multisig Exploitation: Once the required number of signers had approved, the Safe executed the delegatecall. A delegatecall runs the target’s code against the Safe’s own storage, so it overwrote the proxy’s implementation (masterCopy) address with an attacker contract, handing the attacker full control of the cold wallet.
Asset Drainage: With the wallet’s logic replaced, the attacker drained roughly $1.4 billion worth of ETH and liquid-staking tokens (stETH, cmETH, mETH) to addresses under their control, the largest crypto theft in history.
This is extremely scary for several reasons:
The attacker knew exactly which wallet to target and managed to put a forged transaction in front of every signer of a multisig holding billions of dollars.
At the time it looked as though the signers’ own devices had been compromised through malware or phishing. The later finding that the signing frontend itself was tampered with is, if anything, worse: the signers did nothing unusual and still signed the wrong thing.
A multisig only protects you if each signer can independently verify what they are signing. If every signer trusts the same compromised screen, adding signers adds nothing.
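What independent verification looks like in practice: decode the raw Safe execTransaction() call yourself and compare it with the transfer you think you are approving, instead of trusting the rendered UI. The block below is an added example, not code from the article, from Bybit or from Safe. Every address and amount in it is a constructed placeholder, and the "Bybit-style" payload only models the publicly reported shape of the attack (a delegatecall to a non-token contract carrying transfer-shaped calldata); it is not reproduced from chain data. The two function selectors (0x6a761202 for execTransaction, 0xa9059cbb for ERC-20 transfer) are the real ones.

```python
"""Independently decode a Safe execTransaction() call and compare it with the
transfer the signer believes they are approving.  Added example, not code from
the article, Bybit or Safe.  All addresses and amounts are constructed
placeholders; the 'Bybit-style' payload only models the publicly reported shape
(a delegatecall to a non-token contract carrying transfer-shaped calldata)."""

SELECTOR_EXEC_TRANSACTION = bytes.fromhex("6a761202")  # Safe execTransaction(...)
SELECTOR_ERC20_TRANSFER = bytes.fromhex("a9059cbb")    # ERC-20 transfer(address,uint256)
OP_CALL, OP_DELEGATECALL = 0, 1                         # Safe 'operation' field values
ZERO = "0x" + "00" * 20

# Placeholder addresses (constructed, not real deployments).
TOKEN = "0x" + "11" * 20              # the stETH-like token the Safe holds
HOT_WALLET = "0x" + "22" * 20         # where the signers expect the funds to go
ATTACKER_CONTRACT = "0x" + "33" * 20  # delegatecall target
ATTACKER_IMPL = "0x" + "44" * 20      # address smuggled into the 'recipient' slot

def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")

def _addr_word(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\0")

def _bytes_arg(b: bytes) -> bytes:
    """ABI tail of a dynamic 'bytes' value: length word, then zero-padded data."""
    return _word(len(b)) + b + b"\0" * (-len(b) % 32)

def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    return SELECTOR_ERC20_TRANSFER + _addr_word(recipient) + _word(amount)

def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """ABI-encode execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,
    address,address,bytes) with zero gas parameters and an empty signatures blob."""
    head_size = 10 * 32                   # ten head words; 'data' and 'signatures' are offsets
    data_tail = _bytes_arg(data)
    head = (_addr_word(to) + _word(value) + _word(head_size) + _word(operation)
            + _word(0) + _word(0) + _word(0)           # safeTxGas, baseGas, gasPrice
            + _addr_word(ZERO) + _addr_word(ZERO)      # gasToken, refundReceiver
            + _word(head_size + len(data_tail)))       # offset of signatures
    return SELECTOR_EXEC_TRANSACTION + head + data_tail + _bytes_arg(b"")

def decode_exec_transaction(calldata: bytes) -> dict:
    """Decode the fields a signer must check; raises if this is not execTransaction."""
    if calldata[:4] != SELECTOR_EXEC_TRANSACTION:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]
    word = lambda i: body[32 * i:32 * (i + 1)]
    def dyn(i):  # dynamic argument: the head word is an offset to (length, data)
        off = int.from_bytes(word(i), "big")
        length = int.from_bytes(body[off:off + 32], "big")
        return body[off + 32:off + 32 + length]
    return {"to": "0x" + word(0)[12:].hex(),
            "value": int.from_bytes(word(1), "big"),
            "data": dyn(2),
            "operation": int.from_bytes(word(3), "big"),
            "gasToken": "0x" + word(7)[12:].hex(),
            "refundReceiver": "0x" + word(8)[12:].hex()}

def decode_erc20_transfer(data: bytes):
    """(recipient, amount) if data is exactly transfer(address,uint256), else None."""
    if len(data) != 68 or data[:4] != SELECTOR_ERC20_TRANSFER:
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")

def check_against_intent(calldata: bytes, intent: dict) -> list:
    """Compare the raw call with what the signer intends; an empty list means a match."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["operation"] != OP_CALL:
        findings.append("operation is delegatecall: target code runs on the Safe's own storage "
                        "and can overwrite its implementation (masterCopy) slot")
    if tx["to"].lower() != intent["token"].lower():
        findings.append(f"to={tx['to']} is not the expected token contract")
    if tx["value"] != 0:
        findings.append(f"call also sends {tx['value']} wei of native ETH")
    if tx["gasToken"] != ZERO or tx["refundReceiver"] != ZERO:
        findings.append("gas refund fields set: value can leave via refundReceiver")
    inner = decode_erc20_transfer(tx["data"])
    if inner is None:
        findings.append("calldata is not an ERC-20 transfer(address,uint256)")
    else:
        recipient, amount = inner
        if recipient.lower() != intent["recipient"].lower():
            findings.append(f"recipient {recipient} differs from intended {intent['recipient']}")
        if amount != intent["amount"]:
            findings.append(f"amount {amount} differs from intended {intent['amount']}")
    return findings

INTENT = {"token": TOKEN, "recipient": HOT_WALLET, "amount": 5_000 * 10**18}

def benign_calldata() -> bytes:
    """What the signers were shown: a plain CALL to the token, transfer to the hot wallet."""
    return encode_exec_transaction(TOKEN, 0, encode_erc20_transfer(HOT_WALLET, INTENT["amount"]), OP_CALL)

def bybit_style_calldata() -> bytes:
    """Same transfer selector, but a DELEGATECALL into an attacker contract whose 'transfer'
    function would write the smuggled address into the Safe's storage (constructed stand-in)."""
    return encode_exec_transaction(ATTACKER_CONTRACT, 0, encode_erc20_transfer(ATTACKER_IMPL, 0), OP_DELEGATECALL)
```

Running check_against_intent(bybit_style_calldata(), INTENT) returns four findings (delegatecall, wrong target contract, wrong recipient, wrong amount) while the benign call returns none. The point of the exercise is that the malicious payload still decodes as a "transfer", which is exactly what a UI that only renders the inner selector would show; the operation field and the to address are what give it away, and they should be checked on a machine that did not load the same web page.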
The Post-Hack Fund Movements
Blockchain investigators have been closely tracking the stolen assets as they move through various laundering stages.
Step 1: Swapping stETH for ETH
One of the first moves by the hacker was to convert the stolen staked Ethereum (stETH) and other derivatives (cmETH, mETH) into ETH.
This was done on decentralized exchanges (DEXs) such as Uniswap and KyberSwap, which have no compliance desk that could block the trades. Converting to plain ETH matters because a token issuer can blacklist or pause its token, while native ETH cannot be frozen by anyone. Somewhere between $200 million and $300 million of ETH was swapped through these platforms within the first 24 hours of the attack.
Step 2: Breaking Down Large Transfers
The hacker then split the funds into smaller amounts across many fresh wallet addresses.
Initially, 10,000 ETH chunks were moved to 39 separate addresses, with a further 10,000 ETH later distributed across nine more wallets.
This fan-out splitting, together with the classic ‘peel chain’ in which a large balance sheds small amounts address by address, is a standard laundering pattern designed to make tracking more difficult.
Step 3: Swapping ETH for BTC
After splitting the assets, the hacker began converting ETH to Bitcoin (BTC), a common laundering step for North Korean-affiliated groups.
BTC is often the preferred choice for off-ramping due to its higher liquidity and easier access to cashout networks.
Step 4: Off-Ramping to Fiat via OTC Desks
Once the ETH was converted into BTC, the funds were likely funneled through over-the-counter desks, P2P markets, and unregulated Asian exchanges.
Historically, Lazarus Group has used Chinese-based OTC brokers who specialize in converting illicit funds into CNY in exchange for cash.
Step 5: Long-Term Dormancy and Gradual Sell-Off
Experts predict that a major portion of the stolen funds will remain dormant for years. Lazarus Group has historically held onto funds for extended periods before gradually liquidating them in small batches to avoid detection.
Chainalysis reports from 2022 indicated that North Korea still held onto crypto assets from as far back as 2016.
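The tracing that investigators run over moves like these comes down to two things: propagating “taint” from the exploiter’s address through every subsequent transfer, and spotting structural patterns such as the equal-sized fan-out in step 2. The block below is an added example, not the article’s, Bybit’s or any investigator’s tooling. Its ledger is constructed (400 ETH stands in for the real ~400k, and labels like H1, M1, CEX_DEPOSIT are made up), and it uses the “haircut” taint rule, in which mixing with clean money dilutes the taint proportionally rather than erasing it.

```python
"""Follow stolen funds through a transfer graph: 'haircut' taint propagation
plus a fan-out heuristic for the splitting pattern described above.  Added
example, not the article's or any investigator's tooling; the ledger is
constructed (400 ETH stands in for the real ~400k) and the labels are made up."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    block: int
    src: str
    dst: str
    amount: float  # ETH

# Constructed ledger. EXPLOITER is seeded as fully tainted; CLEAN has no recorded
# inflow, so its transfer is treated as untainted outside funding.
LEDGER = [
    Transfer(1, "EXPLOITER", "H1", 100.0),
    Transfer(1, "EXPLOITER", "H2", 100.0),
    Transfer(2, "EXPLOITER", "H3", 100.0),
    Transfer(2, "EXPLOITER", "H4", 100.0),
    Transfer(5, "CLEAN", "M1", 100.0),
    Transfer(6, "H2", "M1", 60.0),
    Transfer(6, "H2", "M2", 40.0),
    Transfer(7, "M1", "CEX_DEPOSIT", 160.0),
    Transfer(8, "H1", "DEX_ROUTER", 100.0),
]

def propagate_taint(ledger, seed_addr, seed_amount):
    """Haircut taint: each outgoing transfer carries the sender's current tainted
    fraction, so mixing with clean money dilutes rather than erases the taint.
    Returns (tainted holdings per address, tainted ETH carried by each transfer).
    Assumes the ledger is consistent (no address spends more than it received)."""
    balance, tainted = defaultdict(float), defaultdict(float)
    balance[seed_addr] = tainted[seed_addr] = seed_amount
    carried = []
    for t in sorted(ledger, key=lambda t: t.block):
        if balance[t.src] > 0:
            moved = t.amount * tainted[t.src] / balance[t.src]
            balance[t.src] -= t.amount
            tainted[t.src] -= moved
        else:
            moved = 0.0  # funding from an address we never saw receive: treat as clean
        balance[t.dst] += t.amount
        tainted[t.dst] += moved
        carried.append((t, moved))
    return {a: v for a, v in tainted.items() if v > 1e-9}, carried

def find_fan_outs(ledger, min_outputs=3, window_blocks=10, tolerance=0.05):
    """Flag senders that push out >= min_outputs near-equal chunks to distinct
    addresses within a short block window: the splitting pattern seen post-hack."""
    by_src = defaultdict(list)
    for t in ledger:
        by_src[t.src].append(t)
    flagged = []
    for src, outs in by_src.items():
        outs.sort(key=lambda t: t.block)
        if len(outs) < min_outputs or outs[-1].block - outs[0].block > window_blocks:
            continue
        ref = outs[0].amount
        near_equal = all(abs(t.amount - ref) <= tolerance * ref for t in outs)
        distinct = len({t.dst for t in outs}) == len(outs)
        if near_equal and distinct:
            flagged.append((src, len(outs), ref))
    return flagged

def report(ledger, seed_addr, seed_amount):
    """Everything an analyst wants from one pass: where the taint sits now, and who split it."""
    holdings, _ = propagate_taint(ledger, seed_addr, seed_amount)
    return {"tainted_holdings": holdings, "fan_outs": find_fan_outs(ledger)}
```

On this ledger report(LEDGER, "EXPLOITER", 400.0) shows 100 tainted ETH at the DEX router, 60 of the 160 ETH that reached the exchange deposit address as tainted (the other 100 came from CLEAN), and EXPLOITER flagged for a 4-way split of 100 ETH each. Real tracing adds address clustering, exchange labels and bridge hops on top of this, but the proportional rule is what lets an investigator put a number on a deposit and hand it to a compliance team.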
Bybit’s Response
Bybit acted swiftly to reassure users and prevent further damage:
Confirmed Solvency: CEO Ben Zhou emphasized that all client assets were 1:1 backed and that Bybit had more than enough reserves (about $20 billion in assets under management) to cover the loss. Think about that for a second. A $1.4B hack amounted to roughly 7% of Bybit’s assets, and the exchange could absorb it. That’s staggering.
Operational Continuity: Withdrawals remained operational despite increased user demand, with over 580,000 withdrawals processed within 24 hours of the incident.
Security Investigations: Bybit enlisted blockchain forensics firms and independent investigators, including Arkham Intelligence and ZachXBT, to trace the stolen assets.
Bounty Program: The exchange offered a 10% bounty (up to $140 million) for the recovery of the stolen funds.
Given Lazarus Group’s expertise in laundering stolen crypto, the chances of retrieving the assets are slim. Bybit now faces two huge challenges in the coming months:
Rebuilding Trust: While the exchange has proven its financial stability, restoring user confidence will require long-term security upgrades and transparent reporting.
Regulatory Scrutiny: Given the scale of the theft, regulators may push for stricter security mandates for centralized exchanges.
Panic In Ethereum
Following the Bybit incident, calls emerged within the crypto community to roll back the Ethereum blockchain to reverse the hack and recover the stolen funds. This discussion was ignited by BitMEX co-founder Arthur Hayes, who tagged Ethereum co-founder Vitalik Buterin on X, asking if he would support such an action.
Bybit CEO Ben Zhou also acknowledged that his team reached out to the Ethereum Foundation to discuss the possibility of intervention. However, Ethereum core developers, including Tim Beiko, firmly rejected the idea, explaining that a rollback is neither technically nor socially feasible.
Why Ethereum Won’t Roll Back
Beiko outlined key reasons why rolling back Ethereum to pre-hack status isn’t possible:
Ethereum’s Account Model: Ethereum tracks balances in accounts that every transaction updates, rather than Bitcoin-style discrete coins (UTXOs) that could in principle be surgically pruned. The stolen ETH has already been mixed into the balances of exchanges, DeFi pools and ordinary users, so there is no way to unwind just the theft; the only option would be to revert every transaction since that block.
No Protocol Violation: Unlike Bitcoin’s 2010 value-overflow bug, which created coins the protocol should never have allowed, the Bybit transaction was valid under every Ethereum rule: a correctly signed Safe transaction executed exactly as written. On-chain it is indistinguishable from a legitimate transfer, so there is no “bug” for a fork to fix.
No Freezing Period: In the 2016 DAO hack, the stolen ETH was locked for a month, allowing time for coordination. In contrast, Bybit’s stolen funds were immediately moved across Ethereum and DeFi protocols, making them impossible to isolate.
DeFi and Cross-Chain Complexity: A rollback today would impact countless DeFi applications, bridged assets, liquidity pools, and off-chain transactions, leading to widespread financial chaos.
What Have We Learned?
1. Multisigs Aren’t Foolproof
The attack exposed a limit of multisig security that is easy to forget: more signers defend against stolen keys, not against every signer being shown the same lie. If all signers approve a spoofed UI, the threshold is met and the contract does exactly what it was built to do.
2. UI Manipulation is a New Threat Vector
The use of Safe’s UI as the deception layer shows that the software sitting between the signer and the signature is part of the trust boundary and needs its own controls. Hardware wallets with screen verification can help, with one caveat: a device that shows only an opaque hash is still blind signing. The screen has to decode and display the target address, the operation (call versus delegatecall) and the calldata, and the signer has to compare that against an expectation computed independently, on a machine that did not load the same web page.
3. Cold Wallet Security Needs a Rethink
While cold wallets are considered the gold standard for crypto security, Bybit’s cold wallet was a smart-contract wallet whose every spend runs through internet-connected software: a web frontend, a browser and a wallet bridge. Only the keys were cold. The industry must explore alternatives such as decentralized custody, multiple independent security layers (separate verification paths per signer, dedicated signing machines), and on-chain limits like timelocks and per-transaction caps so that one approved transaction cannot empty a wallet.
4. Lazarus Group Remains a Major Threat
The North Korean hacking group has been responsible for several major crypto heists, including the $625 million Ronin Network hack and the $70 million Phemex attack. Their ability to patiently launder funds over years, as documented by Chainalysis, makes recovery efforts difficult.
Conclusion
The Bybit hack is a wake-up call for the entire industry.
The frustrating part is that prior to the hack, BTC looked primed to reclaim $100,000. It has since retreated below $95,000 as the market absorbs the shock.
With billions at stake, the future of crypto security depends on learning from such incidents and developing better defenses against the next inevitable attack.
While the market recovers from the shock, you - as a trader - will need to be extra vigilant and cautious about your investments. This is why we’re inviting you to the Coiners Trenches Telegram channel.
A little educated guidance goes a long way.
Get the best crypto alpha delivered straight to your pocket.