ByBit Multi-Sig Cold Wallet Not Cold Or Multi-Sig

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

ByBit Logo/Homepage

Bybit is a popular cryptocurrency exchange offering services like spot trading, futures contracts, and derivatives. The platform supports over 1,700 cryptocurrencies and operates in 160+ countries, emphasizing Web3 technology and robust security. Bybit's security failed when sophisticated hackers from the Lazarus Group exploited vulnerabilities in their cold wallet setup, which was effectively a hot wallet due to improper multi-signature implementation. The attack resulted in the theft of $1.43B worth of Ethereum, with the hackers quickly laundering the funds. The hunt for any possible asset recovery is ongoing. ByBit has covered all losses for their customers.

About ByBit

Bybit is a popular cryptocurrency exchange platform that offers a wide range of trading services, including spot trading, futures contracts, and derivatives[1]. It caters to both individual and institutional traders with features like copy trading, automated trading bots, and the innovative Bybit Earn program for asset growth. Bybit also embraces Web3 technology, promising industry-leading security and reliability[1]. The platform supports over 1,700 cryptocurrencies and is available in more than 160 countries[1]. It offers a seamless experience across web and mobile apps, with advanced tools like AI-driven insights through TradeGPT, staking opportunities, and a variety of bonuses and rewards for new users[1]. Bybit is committed to providing accessible and secure trading solutions for crypto enthusiasts globally[1].

The Reality

While ByBit's wallet was technically cold, their transaction displaying front-ends were connected to networked devices and vulnerable to exploitation. Furthermore, even their cold wallet signing itself was subject to displaying manipulated information. These two factors made their wallets effectively hot.

While ByBit technically implemented a multi-signature requirement, multiple aspects of their system failed to be independent. For example, all signing devices operated on the same network, using the same wallet hardware and software. Using identical processes circumvented the multi-sig security benefits by creating a single-point of failure.

Therefore, ByBit's wallet failed on a fundamental level to be both multi-sig and cold. Due to their security implementation, it was not fundamentally different from the hot wallets which are typically associated with large-scale breaches.

What Happened

ByBit's wallet signing infrastructure was compromised, designed to trick signers into unknowingly upgrading their primary Ethereum storage wallet. Once all signers had signed the upgrade, this allowed the attackers to sweep all 401,346.768858404671846374 ETH from the wallet.

Key Event Timeline - ByBit Multi-Sig Cold Wallet Not Cold Or Multi-Sig
Date Event Description
March 8th, 2019 10:09:00 AM MST Warnings About YAML.load Developer ingydotnet commits an upgrade to the YAML project to deprecate the unsafe behavior of the yaml.load() and yaml.load_all() methods by issuing warnings when called without specifying a loader[2]. The update introduces safer loading options, such as full_load(), safe_load(), and unsafe_load(), with FullLoader being the preferred method[2]. It also refines the FullConstructor and UnsafeConstructor classes to ensure better security, while updating tests to align with these changes[2].
February 1st, 2025 6:50:18 PM MST Domain Name Registration The Lazarus group registers getstockprice[.]com, along with other domains[3].
February 4th, 2025 1:55:45 AM MST Safe Wallet Developer Compromised One of the developers on the Safe Wallet team is compromised, tricked into running a malicious payload[3].
February 5th, 2025 1:36:51 AM MST AWS Environment Accessed The Safe{Wallet} AWS environment is first accessed[3].
February 5th, 2025 7:06:25 AM MST Unsuccessful MFA Registration Attempt The attacker attempts to register their own MFA device, which is unsuccessful[3].
February 16th, 2025 8:22:44 PM MST Command And Control Activity The attacker performs command and control activity within the AWS environment, using the current AWS session[3].
February 19th, 2025 8:29:25 AM MST Wayback Machine Capture A snapshot of the Safe{Wallet} website is taken which includes the malicious JavaScript code[3].
February 21st, 2025 7:13:35 AM MST ByBit Wallet Upgraded A blockchain transaction is signed which upgrades the ByBit wallet[3], adding a new sweep() function which allows the wallet to be emptied.
February 21st, 2025 7:15:13 AM MST Wayback Machine Capture A snapshot of the Safe{Wallet} website is taken which no longer includes the malicious JavaScript code[3].
February 21st, 2025 7:16:11 AM MST ByBit Cold Wallet Emptied An ethereum transaction appears which empties the ByBit cold wallet, sending 401,346.768858404671846374 ETH from ByBit[4] to a wallet controlled by Lazarus, a North Korean hacking group[5].
February 21st, 2025 8:20:00 AM MST ZachXBT Investigation ZachXBT shares an initial notice and investigation on Telegram[6].
February 21st, 2025 8:44:00 AM MST Explanation Of Attack Post Ben Zhou, CEO of ByBit, posts an announcement detailing the attack being specific to one transaction upgrading a single wallet[7].
February 21st, 2025 9:07:00 AM MST ByBit Announcement Sent Ben Zhou, CEO of ByBit, posts an announcement on Twitter/X to confirm to customers that they "can cover the loss" in this case and "all of clients assets are 1 to 1 backed" "even if this hack loss is not recovered"[8].
February 21st, 2025 9:12:00 AM MST BitMex Reports 75% Gone BitMex Research announces that the funds comprise roughly 75% of the customer Ethereum stored by the ByBit platform[9].
February 21st, 2025 9:29:00 AM MST Meir Dolev Analysis Posted Mier Dolev posts an additional analysis, noting that the attackers did several dry runs of their exploit prior to the main heist[10].
February 22nd, 2025 6:20:00 AM MST Tether Funds Are Frozen Vladamir S, using handle @officer_cia, shares that $181,000 in USDT Tether funds appear to have been frozen[11].
February 22nd, 2025 11:52:00 AM MST Rekt News Article Posted Online Rekt posts a news article describing details of the heist[12]. The article is shared on Twitter/X[13].
February 24th, 2025 7:20:00 AM MST When Shift Happens Podcast Ben Zhou's interview is published on the podcast "When Shift Happens"[14][15], where he discusses the harrowing moment when Bit, the crypto exchange he co-founded, was hacked for $1.5 billion in Ethereum[14]. Despite the shock of losing such a massive sum, Ben remained calm and focused on managing the crisis[14]. He immediately ensured that the company’s other assets were secure and that client funds were safe, which helped restore trust[14]. Within three days, Bit’s liquidity returned to 100%, and many institutional clients came back[14]. Ben attributes the company’s recovery to transparent leadership, a structured crisis response procedure, and his ability to prioritize tasks and stay laser-focused, even with little sleep[14]. The interview would be published later on February 26th[14].
March 6th, 2025 8:00:00 AM MST Safe.eth Publishes Investigation Updates Safe.eth publishes an investigation update[3]. The security incident is being investigated in collaboration with Mandiant[3]. Evidence continue to point to a state-sponsored attack by the DPRK-linked TraderTraitor group[3]. The attack involved compromising a Safe{Wallet} developer's laptop and hijacking AWS session tokens to bypass MFA controls[3]. Despite hundreds of hours of analysis, gaps remain in fully recovering the attack details[3]. Safe{Wallet} has implemented significant security enhancements, including infrastructure resets, lockdowns, and improved malicious transaction detection[3]. They call for industry-wide action to improve transaction verification and user experience[3].

Technical Details

This exploit wasn't due to advanced cryptography flaws or zero-day exploits, but a simple mistake: a developer's laptop was socially engineered into running a malicious Docker project[16].

Social Engineering Of Safe Developer

"SEAL's advisory on the DPRK threat pulls no punches. TraderTraitor (Lazarus Group's alias) begins their attacks with sophisticated social engineering, creating fake recruiter personas and reaching out over LinkedIn, Telegram, or Twitter.

They spend months performing reconnaissance, deploying malware like malicious Chrome extensions to modify trusted websites.

The Lazarus Group's playbook is ruthlessly efficient.

They first find targeted employees through social engineering, add private GitHub repository access to the victims through live chat tools, and trick users into running code containing backdoors."[12]

Attackers ultimately infiltrate Safe's infrastructure by exploiting a vulnerability in the YAML configuration[16]. The system was accessed via a basic vulnerability in PyYAML’s yaml.load function, which had been known and warned about for years[2][16].

Exploiting Safe Wallet Infrastructure

The approach taken was methodical[16]. After compromising the developer’s machine, they hijacked AWS session tokens, bypassing multi-factor authentication[16]. Over 19 days, they carefully manipulated Safe's systems, eventually injecting malicious JavaScript into Safe’s wallet interface[16].

Tricking ByBit Into Signing Upgrade

The injected code specifically targeted Bybit’s cold wallet signers, subtly replacing legitimate transactions with an attacker's contract[16].

"The keys backing the multisig were held on hardware wallets, controlled by distinct parties within each organization."[12]

"The attackers may have had persistent access to ByBit's internal systems, monitoring operations and communications until the perfect moment arrived.

The most disturbing aspect? The attack succeeded because as soon as Ben Zhou signed, the attackers immediately executed the transaction themselves - not waiting for ByBit's systems to process it normally."[12]

BitBy's Wallet Which Was Compromised:[4]

Wallet Address Of Lazarus Exploiter:[17]

Total Amount Lost

"Sophisticated hackers orchestrated a precision strike on the exchange, siphoning away 401,346 ETH ($1.11B), 90,375 stETH ($250.8M), 15,000 cmETH ($44M) and 8,000 mETH ($23.5M) in a matter of minutes."[12] This amount has been widely estimated at $1.4b[16].

All wallet losses came from draining a single wallet. BitMEX estimated that the losses represented 75% of customer deposits[9].

The total amount lost has been estimated at $1,436,173,000 USD.

Immediate Reactions

ZachXBT was one of the first to report on the hack on Telegram[6].

According to the Arkham Intel bug bounty, "just hours after the hack, ZachXBT cracked the case wide open, solving Arkham Intel's bounty by linking the attack to the LAZARUS GROUP, North Korea's infamous state-sponsored hacking organization[18].

ZachXBT's submission was a masterpiece - analyzing test transactions, connected wallets, and timing analyses, and solving the bounty in a blistering four hours."[18]

However, another user named MissionGains on Twitter claims to have solved the case sooner[19]. An official explanation for their not receiving the promised reward does not appear forthcoming.

Ultimate Outcome

"the Lazarus Group isn't waiting around - they've already started moving the funds.

The next day, they transferred 5,000 ETH to a new address and began laundering it through eXch (a centralized mixer) while bridging funds to Bitcoin via Chainflip.

Some platforms like Tether managed to freeze 181,000 USDT, but it's a drop in the ocean of stolen assets."[12]

Total Amount Recovered

ByBit has agreed to cover all losses on behalf of users[8].

While ByBit created a bounty of $140m, there do not appear to have been any funds recovered from Lazarus.

Ongoing Developments

ByBit has created a $140m bounty for the recovery of the funds[13]. It is unclear whether funds will be recoverable, given that the attacker is state-sponsored by North Korea.

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

While ByBit technically implemented a multi-signature system, this was circumvented by the fact that all signatories were using the same wallet software and on the same shared network. This allowed malware to be spread throughout the network, and all signatories were tricked into signing the same malicious transaction.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. 1.0 1.1 1.2 1.3 1.4 ByBit Homepage (Accessed Mar 5, 2025)
  2. 2.0 2.1 2.2 2.3 Commit 0cedb2a By ingydotnet - YAML Github (Accessed Mar 13, 2025)
  3. 3.00 3.01 3.02 3.03 3.04 3.05 3.06 3.07 3.08 3.09 3.10 3.11 3.12 3.13 3.14 Safe.eth - Investigation Updates and Community Call to Action - Twitter/X (Accessed Mar 13, 2025)
  4. 4.0 4.1 The Compromised ByBit Wallet - Etherscan (Accessed Mar 3, 2025)
  5. Transfer Of 401,346.768858404671846374 ETH From ByBit "Cold Storage" To Lazarus Controlled Wallet - Etherscan (Accessed Feb 28, 2025)
  6. 6.0 6.1 ZachXBT Investigation On Telegram (Accessed Mar 3, 2025)
  7. Ben Zhou - "Bybit ETH multisig cold wallet just made a transfer to our warm wallet about 1 hr ago. It appears that this specific transaction was musked, all the signers saw the musked UI which showed the correct address and the URL was from @safe....ter/X (Accessed Mar 3, 2025)
  8. 8.0 8.1 Ben Zhou - "Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss." - Twitter/X (Accessed Feb 28, 2025)
  9. 9.0 9.1 BitMEX Research - "Seems that around 75% of @Bybit_Official ETH user deposits have been stolen" - Twitter/X (Accessed Feb 28, 2025)
  10. Mier Dolev - "2 days before the hack , the attacker did several dry runs" - Twitter/X (Accessed Mar 5, 2025)
  11. Vladimir S - "Tether also just froze 181k USDt connected to the @Bybit_Official hack." - Twitter/X (Accessed Mar 5, 2025)
  12. 12.0 12.1 12.2 12.3 12.4 12.5 ByBit Rekt Article (Accessed Feb 28, 2025)
  13. 13.0 13.1 RektHQ - "$1.43B heist on @Bybit_Official claims the throne on our Rekt Leaderboard. Lazarus pulled off the perfect digital sleight-of-hand, tricking multisig signers to sign away the keys to the kingdom." - Twitter/X (Accessed Mar 5, 2025)
  14. 14.0 14.1 14.2 14.3 14.4 14.5 14.6 Bybit Founder: How I Survived The Biggest Crypto Theft Of All Time | E110 (Accessed Mar 13, 2025)
  15. KevinWSHPod - Twitter/X (Accessed Mar 13th, 2025)
  16. 16.0 16.1 16.2 16.3 16.4 16.5 16.6 16.7 Not So Safe - Rekt (Accessed Mar 13, 2025)
  17. Wallet Address Of Exploiter - Etherscan (Accessed Mar 3, 2025)
  18. 18.0 18.1 ZachXBT - "At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP." - Twitter/X (Accessed Mar 3, 2025)
  19. MissionGains - "I submitted the information first, and even replied in your comments" - Twitter/X (Accessed Mar 3, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=ByBit_Multi-Sig_Cold_Wallet_Not_Cold_Or_Multi-Sig&oldid=6632"