A major breach rocked the cryptocurrency exchange Bybit on Friday when Lazarus, North Korea’s notorious hacking group, stole over $1.5 billion in Ethereum and derivative tokens.
The attack, which targeted Bybit’s cold wallet, has sent shockwaves through the crypto community as experts scramble to figure out how the hackers infiltrated the system and what risks remain for others.
Bybit’s CEO, Ben Zhou, confirmed the breach occurred during a routine transfer between wallets. However, the transaction was altered through sophisticated manipulation of the underlying smart contract, allowing the attackers to take control. Over 400,000 ETH, stETH, and other tokens were siphoned off to multiple undisclosed wallets. As is typical with Lazarus, the funds were split into various addresses and converted into Ethereum via decentralized exchanges.
The attack has raised alarms about potential weaknesses in Safe{Wallet}, a multi-signature platform used by Bybit and many other exchanges to improve transaction security. While Safe has denied any direct breach of its system, it has suspended certain features for safety reasons as Bybit investigates. The primary concern is that the hackers may have exploited vulnerabilities in the devices used by Bybit’s multi-signature signers, manipulating the displayed information to trick them into approving fraudulent transactions.
There’s growing speculation that the attack may have involved insider knowledge, as the level of sophistication required to compromise multiple devices and maintain secrecy is considerable. This follows a disturbing pattern observed in other attacks, such as those on Radiant Capital and WazirX, where attackers used similar tactics to infiltrate systems through deceptive interfaces or malware.
While the precise method of attack remains unclear, some experts believe the hackers may have used malware or phishing techniques to infiltrate devices and compromise the multi-signature signing process. This targeted approach has prompted calls for stricter security protocols, including hardware wallets that are isolated from the internet to prevent similar attacks.
As the investigation continues, security specialists warn that this attack is part of a broader trend of increasingly advanced and targeted threats. The crypto industry must be vigilant, as such attacks continue to evolve and pose serious risks to the safety of digital assets across the sector.