Major Crypto Exchange Bybit Hacked to the Tune of $1 Billion

One of the largest crypto exchanges, Bybit, which had so far managed to avoid any major breaches, confirmed that an attacker stole 401,000 ethereum (ETH) ($1 billion) during a multisignature transaction today. (Updates throughout the entire text)

The company stated that it detected unauthorized activity involving one of its ETH multisignature cold wallets while attempting to transfer funds to a hot wallet. A cold wallet is an offline hardware device designed to store private keys for crypto assets, while a hot wallet is typically a software wallet connected to the internet. Meanwhile, a multisignature wallet requires more than one private key to authorize a transaction.

"Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic. As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address," the company said.

According to DeFiLlama, this Bybit exploit is the largest of all time, representing 16% of all previous crypto hacks.

Figure: Bybit hack transactions. Source: DefiLlama

In any case, Bybit claims that all its other cold wallets remain "fully secure" and that "all client funds are safe," with operations continuing as usual.

According to Ben Zhou, the CEO of Bybit, it appears that this specific transaction was changed. All the signers saw the UI displaying the correct address, and the URL was from Safe, the so-called ownership layer.

"However, the signing message was actually modifying the smart contract logic of our ETH cold wallet," Zhou added.

In an update during a livestream, Zhou said that he was the last signer of the transaction, which looked normal, and that everything went according to their protocol. He said he signed the transaction using his Ledger hardware wallet.

However, 30 minutes after the initial transaction of 30,000 ETH was signed, they received an emergency call saying that the company’s ETH cold wallet had been drained.

‘Bybit is solvent’

The CEO assured that “Bybit is solvent even if this hack loss is not recovered, all of clients' assets are 1-to-1 backed, we can cover the loss.”

Analysts at BitMEX Research also confirmed that based on their "very quick back-of-the-envelope calculation," the company still looks solvent.

The CEO reiterated that their clients won’t suffer losses as the company is able to cover it from its reserves.

Co-founder of the largest crypto exchange Binance, Changpeng Zhao (CZ), suggested that Bybit halt "all withdrawals for a bit as a standard security precaution" and offered his help.

However, Zhou said that the company currently doesn’t have plans to pause withdrawals, even as clients rush to take their funds from the platform.

Per Zhou, the company is also not planning to buy back the stolen amount in the market and has already secured a bridge loan—a type of short-term loan—from its partners, at the time of the livestream worth 80% of the stolen amount, to secure liquidity on the platform.

The CEO said that how the company was hacked is still not clear.

Meanwhile, Safe claims that they have not found evidence that their official frontend was compromised, but their "Safe{Wallet} is temporarily pausing certain functionalities."

Similar attacks

0xngmi of the DeFiLlama DeFi analytics platform noted that this is a similar case to the hacks of two other crypto platforms, WazirX and Radiant, last year, when "either signers' computers or intermediate interfaces got hacked."

According to the developer, a virus may have been used to replace the transaction with a fraudulent one before sending it to the hardware wallet, or the Safe interface may have been hacked, displaying the right transaction but sending it to a different wallet.

"The end result is that signers saw an innocent [transaction] in [Safe] interface, but a malicious [transaction] was actually sent to their wallets instead, which they signed thinking it was the innocent [transaction] they reviewed before," 0xngmi said, stressing that it's just their opinion.

In either case, according to Bybit, its security team, "alongside leading blockchain forensic experts and partners," is now investigating the incident. The company also welcomed assistance from other experts.
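
The mismatch 0xngmi describes, where signers review one transaction and a different one reaches their wallets, is what a pre-sign comparison is meant to catch. The sketch below is an added example, not code from Bybit, Safe or the article: it compares the approved transaction with the payload actually queued for signing, and flags a `DELEGATECALL` operation, an unknown recipient or unexpected calldata. Assumptions: the field names follow the Safe transaction format (`to`, `value`, `data`, `operation`, `nonce`), `outgoing` is decoded through a channel independent of the web interface, and all addresses and calldata are constructed. The article does not say which fields were altered in the Bybit transaction.

```python
# Added example: compare what the signer approved with what is about to be signed.
CALL, DELEGATECALL = 0, 1  # Safe's Enum.Operation values
FIELDS = ("to", "value", "data", "operation", "nonce")


def _norm(field, value):
    """Normalise hex strings so case differences do not cause false alarms."""
    if field in ("to", "data"):
        return str(value).lower()
    return int(value)


def presign_findings(intended, outgoing, allowed_recipients):
    """Return a list of reasons not to sign; an empty list means no mismatch found."""
    findings = []
    for f in FIELDS:
        a, b = _norm(f, intended[f]), _norm(f, outgoing[f])
        if a != b:
            findings.append(f"{f}: approved {a!r}, outgoing {b!r}")
    if _norm("operation", outgoing["operation"]) != CALL:
        findings.append("operation is DELEGATECALL: target code runs in the wallet's own storage")
    allowed = {addr.lower() for addr in allowed_recipients}
    if _norm("to", outgoing["to"]) not in allowed:
        findings.append("recipient is not on the allowlist")
    if _norm("data", intended["data"]) == "0x" and _norm("data", outgoing["data"]) != "0x":
        findings.append("plain transfer approved, but outgoing payload carries calldata")
    return findings


# Constructed sample data (addresses and calldata are made up).
HOT_WALLET = "0x" + "11" * 20
UNKNOWN = "0x" + "ee" * 20
APPROVED = {"to": HOT_WALLET, "value": 30_000 * 10**18, "data": "0x", "operation": CALL, "nonce": 7}
TAMPERED = {"to": UNKNOWN, "value": 0, "data": "0xdeadbeef", "operation": DELEGATECALL, "nonce": 7}

if __name__ == "__main__":
    for label, tx in (("approved", APPROVED), ("tampered", TAMPERED)):
        problems = presign_findings(APPROVED, tx, {HOT_WALLET})
        print(label, "-> OK to sign" if not problems else "-> DO NOT SIGN")
        for p in problems:
            print("   ", p)
```

The check is only as trustworthy as the source of `outgoing`: if it is read from the same interface the signer reviewed, a compromised interface can feed both sides the same innocent values.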

Analysts at Arkham Intelligence report that the stolen funds have begun moving to new addresses, where they are being sold, and that the hacker used 53 wallets.

Arkham also created and funded a bounty to help identify the person or organization behind the hack.

Meanwhile, as is usual during crypto-related turmoil, scammers have already jumped on the opportunity to defraud people by sending emails pretending to be from Bybit. Even those who don’t have an account with Bybit have received emails urging them to take action to "secure and verify" their wallet. Stay vigilant.
