{"id":34355,"date":"2025-03-11T04:48:28","date_gmt":"2025-03-11T08:48:28","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/?p=34355"},"modified":"2025-03-17T15:42:37","modified_gmt":"2025-03-17T13:42:37","slug":"bybit-hack-lessons-how-to-do-self-custody-properly","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/bybit-hack-lessons-how-to-do-self-custody-properly\/34355\/","title":{"rendered":"Lessons from the Bybit hack: how to store crypto safely"},"content":{"rendered":"

February 21 was a dark day for the crypto market as it suffered the largest heist in its history. Attackers made off with around $1.5 billion from Bybit, the world\u2019s second-largest crypto exchange, with experts citing it as the biggest theft \u2013 of anything \u2013 of all time. Although neither this loss nor the withdrawal of a further $5 billion by panicked investors were fatal for Bybit, the incident underscores the fundamental flaws in the modern crypto ecosystem, and serves up some valuable lessons for regular users.<\/p>\n

How Bybit was robbed<\/h2>\n

Like all major crypto exchanges, Bybit secures stored cryptocurrency with multi-layered protection. Most funds are stored in cold wallets<\/a> disconnected from online systems. When current assets need topping up, the required sum is manually moved from the cold wallet to the hot one, and the operation is signed by several employees at once. For this, Bybit uses a multi-signature (multisig) solution from Safe{Wallet}, and each employee involved in the transaction signs it using a private Ledger hardware cryptokey<\/a>.<\/p>\n

The attackers studied the system in detail and, according to independent researchers, compromised a Safe{Wallet} developer machine. Presumably, malicious modifications were made to the code for displaying Safe{Wallet} web application pages. Having conducted their own investigation, the owners of Safe{Wallet} rejected the findings of the two independent information security companies, insisting that their infrastructure had not been hacked.<\/p>\n

So what happened? During a routine top-up of $7 million to a hot wallet, Bybit employees saw on their computer screens this exact amount and the recipient\u2019s address, which matched the hot wallet address. But other data got sent for signing instead! For regular transfers, the recipient\u2019s address can (and should!) be checked on the screen of the Ledger device. But when signing multisig transactions, this information isn\u2019t displayed \u2014 so Bybit employees essentially made a blind transfer.<\/p>\n

As a result, they inadvertently green-lighted a malicious smart contract that moved the entire contents of one of Bybit\u2019s cold wallets to several hundred fake wallets. As soon as the withdrawal from the Bybit wallet was complete, it appears that the code on the Safe{Wallet} website reverted to the harmless version. The attackers are currently busy \u201clayering\u201d the stolen Ethereum \u2014 transferring it piecemeal in an attempt to launder it.<\/p>\n

By the looks of it, Bybit and its clients were the victims of a targeted supply-chain attack<\/a>.<\/p>\n

The Bybit case is no one-off<\/h2>\n

The FBI has officially named<\/a> a North Korean group codenamed TraderTraitor as the perpetrator. In information-security circles, this group is also known as Lazarus, APT38, or BlueNoroff<\/a>. Its trademark style is persistent, sophisticated and sustained attacks in the cryptocurrency sphere: hacking wallet developers, robbing crypto exchanges, stealing from ordinary users, and even making fake play-to-earn games<\/a>.<\/p>\n

Before the Bybit raid, the group\u2019s record was the theft of $540\u00a0million<\/a> from the Ronin Networks blockchain, created for the game Axie Infinity<\/em>. In that 2022 attack, hackers infected the computer of one of the game\u2019s developers using a fake job offer in an infected PDF file. This social engineering technique remains in the group\u2019s arsenal<\/a> to this day.<\/p>\n

In May 2024, the group pulled off a smash-and-grab of over $300\u00a0million from Japanese crypto-exchange DMM Bitcoin<\/a>, which went bankrupt as a consequence. Before that, in 2020, more than $275 million was siphoned off the KuCoin crypto exchange<\/a>, with a \u201cleaked private key\u201d for a hot wallet cited as the reason.<\/p>\n

Lazarus has been honing its cryptocurrency theft tactics for over a decade now. In 2018, we wrote about a string of attacks on banks and crypto exchanges using a Trojanized cryptocurrency trading app as part of Operation AppleJeus<\/a>. Experts at Elliptic estimate<\/a> that North-Korea-linked actors\u2019 total criminal earnings amount to around $6\u00a0billion.<\/p>\n

What crypto investors should do<\/h2>\n

In the case of Bybit, clients were lucky: the exchange promptly serviced the wave of withdrawal requests that ensued, and promised to compensate losses from its own funds. Bybit remains in business, so clients don\u2019t need to take any particular action.<\/p>\n

But the hack demonstrates once again just how hard it is to secure funds flowing through blockchain systems, and how little can be done to cancel a transaction or refund money. Given the unprecedented scale of the attack, many have called for the Ethereum blockchain to be rolled back to its pre-hack state, but Ethereum developers consider this \u201ctechnically intractable\u201d<\/a>. Meanwhile, Bybit has announced a bounty program<\/a> for crypto exchanges and ethical researchers to the tune of 10% of any funds recovered, but so far only $43\u00a0million has materialized.<\/p>\n

This has caused some crypto industry experts<\/a> to speculate that the main fallout from the hack will be a rise in self-custody of crypto assets<\/a>.<\/p>\n

Self-custody<\/strong> shifts the responsibility for secure storage from the shoulders of specialists to your own. Therefore, only go down this route if you have total confidence in your abilities to master all security measures and follow them rigidly day by day. Note that regular users without cryptowallet millions are unlikely to face a sophisticated attack targeted specifically at them, while generic mass attacks are easier to deflect.<\/p>\n

So, what do you need for secure self-custody of cryptocurrency?<\/p>\n