QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$1 436 173 000 USD
FEBRUARY 2025
GLOBAL
BYBIT
DESCRIPTION OF EVENTS

Bybit is a popular cryptocurrency exchange platform that offers a wide range of trading services, including spot trading, futures contracts, and derivatives. It caters to both individual and institutional traders with features like copy trading, automated trading bots, and the innovative Bybit Earn program for asset growth. Bybit also embraces Web3 technology, promising industry-leading security and reliability. The platform supports over 1,700 cryptocurrencies and is available in more than 160 countries. It offers a seamless experience across web and mobile apps, with advanced tools like AI-driven insights through TradeGPT, staking opportunities, and a variety of bonuses and rewards for new users. Bybit is committed to providing accessible and secure trading solutions for crypto enthusiasts globally.
While Bybit's wallet was technically cold, the front-ends that displayed transactions for approval ran on networked devices and were vulnerable to exploitation. Furthermore, even the cold-wallet signing step itself could be presented with manipulated information. Together, these two factors made the wallet effectively hot.
While Bybit technically implemented a multi-signature requirement, several parts of the system were not independent of one another. For example, all signing devices operated on the same network and used the same wallet hardware and software. Relying on identical processes for every signer negated the benefit of multi-sig by creating a single point of failure.
Bybit's wallet therefore failed, at a fundamental level, to be either truly multi-sig or truly cold. As implemented, it was not meaningfully different from the hot wallets typically associated with large-scale breaches.
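As an added illustration of the point above (not code from this page, from Bybit or from Safe): a signer-side check that decodes the raw fields the hardware device will actually sign and compares them with the transfer recorded out-of-band, so that a manipulated front-end display is caught before any signature is produced. It assumes Safe-style execTransaction fields (to, value, data, operation); the addresses and amounts are constructed sample values.

```python
# Added example, not code from the Quadriga Initiative page or from Bybit/Safe.
# Each signer re-derives what the device will sign from the raw transaction
# fields and compares it with intent recorded out-of-band, instead of trusting
# the web front-end's rendering. Fields assume Safe-style execTransaction
# parameters (to, value, data, operation); all addresses/amounts are constructed.

TRANSFER_SELECTOR = "a9059cbb"   # well-known selector of transfer(address,uint256)
OP_CALL, OP_DELEGATECALL = 0, 1  # Safe operation codes

def _strip0x(h: str) -> str:
    h = h.lower()
    return h[2:] if h.startswith("0x") else h

def encode_erc20_transfer(to: str, amount: int) -> str:
    """ABI-encode transfer(to, amount): 4-byte selector + two 32-byte words."""
    return "0x" + TRANSFER_SELECTOR + _strip0x(to).rjust(64, "0") + format(amount, "064x")

def decode_erc20_transfer(data_hex: str):
    """Return {'to', 'amount'} if data is a plain ERC-20 transfer, else None."""
    data = _strip0x(data_hex)
    if len(data) != 8 + 2 * 64 or data[:8] != TRANSFER_SELECTOR:
        return None
    to_word, amount_word = data[8:72], data[72:136]
    if to_word[:24] != "0" * 24:  # an address fills only the low 20 bytes of its word
        return None
    return {"to": "0x" + to_word[24:], "amount": int(amount_word, 16)}

def verify_against_intent(tx: dict, intent: dict) -> list:
    """List every way the bytes to be signed disagree with the recorded intent."""
    findings = []
    if tx["operation"] != OP_CALL:
        findings.append("operation is not CALL (0); refuse unless a delegatecall was explicitly intended")
    if _strip0x(tx["to"]) != _strip0x(intent["token"]):
        findings.append(f"target contract {tx['to']} != expected token {intent['token']}")
    decoded = decode_erc20_transfer(tx["data"])
    if decoded is None:
        return findings + ["calldata is not a plain ERC-20 transfer(address,uint256)"]
    if _strip0x(decoded["to"]) != _strip0x(intent["recipient"]):
        findings.append(f"recipient {decoded['to']} != expected {intent['recipient']}")
    if decoded["amount"] != intent["amount"]:
        findings.append(f"amount {decoded['amount']} != expected {intent['amount']}")
    return findings

# Constructed sample: a front-end could render RECIPIENT for both, but only the first pays RECIPIENT.
TOKEN, RECIPIENT, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
INTENT = {"token": TOKEN, "recipient": RECIPIENT, "amount": 10**18}
HONEST_TX = {"to": TOKEN, "value": 0, "operation": OP_CALL,
             "data": encode_erc20_transfer(RECIPIENT, 10**18)}
TAMPERED_TX = dict(HONEST_TX, data=encode_erc20_transfer(OTHER, 10**18))
```

For the check to add anything, the intent must come from a channel the front-end cannot write to, and each signer should run it on infrastructure the other signers do not share.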
"SEAL's advisory on the DPRK threat pulls no punches. TraderTraitor (Lazarus Group's alias) begins their attacks with sophisticated social engineering, creating fake recruiter personas and reaching out over LinkedIn, Telegram, or Twitter.
They spend months performing reconnaissance, deploying malware like malicious Chrome extensions to modify trusted websites.
The Lazarus Group's playbook is ruthlessly efficient.
They first find targeted employees through social engineering, add private GitHub repository access to the victims through live chat tools, and trick users into running code containing backdoors."
"The keys backing the multisig were held on hardware wallets, controlled by distinct parties within each organization."
"The attackers may have had persistent access to ByBit's internal systems, monitoring operations and communications until the perfect moment arrived.
The most disturbing aspect? The attack succeeded because as soon as Ben Zhou signed, the attackers immediately executed the transaction themselves - not waiting for ByBit's systems to process it normally."
"Sophisticated hackers orchestrated a precision strike on the exchange, siphoning away 401,346 ETH ($1.11B), 90,375 stETH ($250.8M), 15,000 cmETH ($44M) and 8,000 mETH ($23.5M) in a matter of minutes."
"just hours after the hack, ZachXBT cracked the case wide open, solving Arkham Intel's bounty by linking the attack to the LAZARUS GROUP, North Korea's infamous state-sponsored hacking organization.
ZachXBT's submission was a masterpiece - analyzing test transactions, connected wallets, and timing analyses, and solving the bounty in a blistering four hours."
"the Lazarus Group isn't waiting around - they've already started moving the funds.
The next day, they transferred 5,000 ETH to a new address and began laundering it through eXch (a centralized mixer) while bridging funds to Bitcoin via Chainflip.
Some platforms like Tether managed to freeze 181,000 USDT, but it's a drop in the ocean of stolen assets."
Bybit has created a $140m bounty for the recovery of the funds. It is unclear whether the funds will be recoverable, given that the attacker is sponsored by the North Korean state.
Bybit is a popular cryptocurrency exchange offering services like spot trading, futures contracts, and derivatives. The platform supports over 1,700 cryptocurrencies and operates in 160+ countries, emphasizing Web3 technology and robust security. Bybit's security failed when sophisticated hackers from the Lazarus Group exploited vulnerabilities in its cold wallet setup, which was effectively a hot wallet due to an improper multi-signature implementation. The attack resulted in the theft of $1.43B worth of Ethereum, and the hackers quickly began laundering the funds. The hunt for any possible asset recovery is ongoing. Bybit has covered all losses for its customers.
ByBit Rekt Article (Feb 28)
Ether Theft Transaction (Feb 28)
Ben Zhou - "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss." - Twitter/X (Feb 28)
BitMEX Research - "Seems that around 75% of @Bybit_Official ETH user deposits have been stolen" - Twitter/X (Feb 28)
ZachXBT Investigation On Telegram (Mar 3)
Wallet Address Of Exploiter - Etherscan (Mar 3)
The Compromised ByBit Wallet - Etherscan (Mar 3)
Ben Zhou - "Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe....ter/X (Mar 3)
ZachXBT - "At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP." - Twitter/X (Mar 3)
MissionGains - "I submitted the information first, and even replied in your comments" - Twitter/X (Mar 3)
