
Hack of wallet provider behind $1.4 billion Bybit theft, investigation finds – DL News

An investigation by the cybersecurity company Sygnia has attributed the cause of the $1.4 billion hack of Bybit to the popular multi-signature wallet provider Safe Wallet.

The investigation “suggests that the basic cause of the attack is malicious code that comes from the infrastructure of the Safe Wallet,” DL News said. “So far, the forensic examination has not found a compromise in Bybit's infrastructure.”

Safe Wallet confirmed the findings in an X post and reassured users that their funds were safe.

“The Safe Wallet team has completely rebuilt all infrastructure and rotated all login credentials to ensure that the attack vector is completely eliminated,” Safe said, adding that Sygnia's report had not found any vulnerabilities in the Safe smart contracts or source code.

Crypto exchange Bybit suffered a $1.4 billion hack on Friday, rocking the industry. Security researchers quickly connected the attack to the Lazarus Group, a state-funded North Korean hacking group.

An independent investigation by the security company Verichain came to the same conclusions as Sygnia.

How it worked

Sygnia's findings show a complex, targeted attack against Bybit.

The hack began when Lazarus compromised one of Safe Wallet's developer machines at an unknown time before the theft, Sygnia's report says.

It is not known whether access to Safe Wallet's systems was leaked or whether Lazarus gained access by other means.

Lazarus has previously hacked crypto companies using social engineering techniques. This often involves getting employees to unknowingly download malicious software or click on malicious links.

Once Lazarus had access, it injected code into data hosted by Safe Wallet's cloud provider, Amazon Web Services, affecting the wallet provider's website. The malicious code was designed to act when a transaction was requested from Bybit's wallet.

This code was activated when Bybit tried to transfer funds out of the targeted wallet on Friday.

On the surface, nothing appeared out of the ordinary to the three Bybit employees who signed the transaction. Under the hood, however, the content of the transaction had been altered by the malicious code to transfer the ability to execute transactions from Bybit to Lazarus.

Once the transaction was signed, Lazarus gained the ability to move $1.4 billion worth of Ether and Ether tokens from Bybit's wallet.

“This only emphasizes what many security researchers have already said, that sensitive transaction payloads should be checked regardless of the front-end interface,” DL News.
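One way to act on that advice, as an added example that is not from Sygnia's report or the original article: a check, run on a machine separate from the web front end, that compares the raw payload presented for signing with what the operator intends to send. The field names (to, value, data, operation), the use of 0 as the plain-call operation code, and all addresses are assumptions or constructed values.

```python
# Added example. Field names follow a Safe-style transaction layout (assumption);
# the addresses below are constructed sample values, not real accounts.
from dataclasses import dataclass
from typing import Optional

CALL = 0                                      # plain call; anything else is rejected
ERC20_TRANSFER = bytes.fromhex("a9059cbb")    # selector of transfer(address,uint256)
WARM, TOKEN, OTHER = ("0x" + b * 20 for b in ("22", "44", "33"))  # constructed

@dataclass(frozen=True)
class Intent:                                 # what the operator means to do
    recipient: str
    amount: int
    token: Optional[str] = None               # None means a native Ether transfer

def _addr(a: str) -> str:
    return a.lower().replace("0x", "", 1)

def check_payload(intent: Intent, to: str, value: int, data: bytes, operation: int) -> list:
    """Compare the raw payload about to be signed with the intent; return mismatches."""
    problems = []
    if operation != CALL:
        problems.append(f"operation is {operation}, expected plain call ({CALL})")
    if intent.token is None:
        if _addr(to) != _addr(intent.recipient):
            problems.append(f"destination {to} is not the intended recipient")
        if value != intent.amount:
            problems.append(f"value {value} differs from intended {intent.amount}")
        if data:
            problems.append("unexpected calldata on a plain Ether transfer")
        return problems
    if _addr(to) != _addr(intent.token):
        problems.append(f"destination {to} is not the intended token contract")
    if value != 0:
        problems.append("token transfer carries a non-zero Ether value")
    if len(data) != 68 or data[:4] != ERC20_TRANSFER:
        problems.append("calldata is not a transfer(address,uint256) call")
        return problems
    if data[4:16] != bytes(12) or data[16:36].hex() != _addr(intent.recipient):
        problems.append("token recipient in calldata is not the intended recipient")
    if int.from_bytes(data[36:68], "big") != intent.amount:
        problems.append("token amount in calldata differs from the intent")
    return problems

if __name__ == "__main__":
    # Constructed case: the interface showed a 1 ETH transfer, the payload says otherwise.
    for p in check_payload(Intent(WARM, 10**18), OTHER, 0, b"\x01\x02\x03\x04", 1):
        print("MISMATCH:", p)
```

A signer would refuse to sign whenever the returned list is non-empty, regardless of what the web interface displays.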

Lazarus covers its tracks

Even after Lazarus had carried out its attack, it wasn't finished.

Just two minutes after the execution of the malicious transaction, Lazarus removed the malicious code from Safe Wallet's infrastructure and covered its tracks.

Sygnia said it confirmed that Lazarus had injected and then removed the malicious code by looking at timestamped snapshots in public web archives.

Lazarus's attempt to cover its tracks indicates that it may want to reuse the same attack method.

Several top-tier crypto companies and DeFi protocols use Safe's website.

“The hack could have been much worse if the hackers tried to compromise other high-quality multi-sigs and not just Bybit's,” said Lewellen.

Sygnia said its investigation of the hack was still ongoing.

Tim Craig is DL News' DeFi correspondent based in Edinburgh. Reach out with tips at Tim@dlnews.com.

Aleks Gilbert is DL News' New York DeFi correspondent. You can reach him areks@dlnews.com.