Tuesday, February 25, 2025

How North Korea pulled off a $1.5 billion crypto heist, the biggest in history


The cryptocurrency industry and those responsible for securing it are still in shock following Friday’s heist, likely by North Korea, that drained $1.5 billion from Dubai-based exchange Bybit, making the theft by far the biggest ever in digital asset history.

Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a “Multisig Cold Wallet” when, somehow, it was transferred to one of the exchange’s hot wallets. From there, the cryptocurrency was transferred out of Bybit altogether and into wallets controlled by the unknown attackers.

This wallet is too hot, this one is too cold

Researchers for blockchain analysis firm Elliptic, among others, said over the weekend that the techniques and flow of the subsequent laundering of the funds bear the signature of threat actors working on behalf of North Korea. The revelation comes as little surprise since the isolated nation has long maintained a thriving cryptocurrency theft racket, in large part to pay for its weapons of mass destruction program.

Multisig cold wallets, also known as multisig safes, are among the gold standards for securing large sums of cryptocurrency. More shortly about how the threat actors cleared this tall hurdle. First, a little about cold wallets and multisig cold wallets and how they secure cryptocurrency against theft.

Wallets are accounts that use strong encryption to store bitcoin, ethereum, or any other form of cryptocurrency. Often, these wallets can be accessed online, making them useful for sending or receiving funds from other Internet-connected wallets. Over the past decade, these so-called hot wallets have been drained of digital coins supposedly worth billions, if not trillions, of dollars. Typically, these attacks have resulted from the thieves somehow obtaining the private key and emptying the wallet before the owner even knows the key has been compromised.

Defenders soon turned to cold wallets. These accounts aren’t directly accessible to the Internet, so even if a would-be thief manages to obtain the private key securing it, there’s no way to access it and transfer the currency elsewhere. Multisig cold wallets go a step further. In much the same way that nuclear arms systems are designed to require two or more authorized people to successfully authenticate themselves before a missile can be launched, multisig wallets need the digital signatures of two or more authorized people before assets can be accessed.

Bybit was largely following best practices by storing only as much currency as needed for day-to-day activity in warm and hot wallets, and keeping the rest in the multisig cold wallets. Transferring funds out of cold wallets required coordinated approval from multiple high-level employees of the exchange.

Immediate speculation was that the drained cold wallet, or the infrastructure hosting it (provided by a company called Safe), had somehow been compromised. This theory was plausible enough, since these sorts of thefts are usually accomplished by exploiting vulnerabilities in the code enforcing cryptocurrency smart contracts or the infrastructure hosting them. The speculation was also consistent with accounts from Bybit employees that, according to Safe, the cold wallet user interfaces for the affected Bybit employees “displayed the correct-appearing transaction information … yet a malicious transaction that had all valid signatures was executed onchain.” (Safe also paused its Safe{Wallet} services following the attack and, as this story went live on Ars, had begun a phased rollout to restore them.)

This theory was ruled out after a subsequent investigation by Safe found no signs of unauthorized access to its infrastructure, no compromises of other Safe wallets, and no obvious vulnerabilities in the Safe codebase. As investigators continued to dig in, they finally settled on the true cause. Bybit ultimately said that the fraudulent transaction was “manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet.”

Shattering assumptions

What that means is that multiple systems inside Bybit had been hacked in a way that allowed the attackers to manipulate the Safe wallet UI on the devices of each person required to approve the transfer. That revelation, in turn, has touched off something of a eureka moment for many in the industry.
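To make concrete why "all valid signatures" does not mean "the intended transaction", here is an added example (not code from Bybit, Safe or the article) that models a 2-of-3 safe in Python. HMAC stands in for the ECDSA signatures a real Safe uses, and the owner names, addresses and transaction fields are constructed; it contrasts a signer who trusts the wallet UI with one who recomputes the transaction digest independently before signing.

```python
import hashlib
import hmac
import json

# Constructed model of a k-of-n multisig safe. The "contract" only checks that
# enough owners signed the digest of the transaction it is asked to execute;
# HMAC stands in for the ECDSA signatures a real Safe uses (assumption).
OWNER_KEYS = {"alice": b"key-a", "bob": b"key-b", "carol": b"key-c"}  # constructed
THRESHOLD = 2

def tx_digest(tx: dict) -> bytes:
    """Canonical digest over the fields that decide what the tx actually does."""
    canon = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).digest()

def sign(owner: str, digest: bytes) -> bytes:
    return hmac.new(OWNER_KEYS[owner], digest, hashlib.sha256).digest()

def execute(tx: dict, sigs: dict) -> bool:
    """On-chain view: execute if at least THRESHOLD owners signed this tx's digest."""
    d = tx_digest(tx)
    valid = sum(hmac.compare_digest(sign(o, d), s) for o, s in sigs.items() if o in OWNER_KEYS)
    return valid >= THRESHOLD

def blind_sign(owner: str, requested: bytes) -> bytes:
    """Signer trusts the wallet UI and signs whatever digest the client hands over."""
    return sign(owner, requested)

def verified_sign(owner: str, ui_tx: dict, requested: bytes):
    """Signer recomputes the digest of the tx the UI claims to show and compares it
    with the digest actually being requested (e.g. as displayed on an independent
    hardware signer). A mismatch means the interface is masking the real payload."""
    if not hmac.compare_digest(tx_digest(ui_tx), requested):
        return None  # refuse to sign: what is shown is not what would be signed
    return sign(owner, requested)

def simulate(verify_before_signing: bool) -> bool:
    """Returns True if the malicious transaction ends up executing."""
    benign = {"to": "0xHOT_WALLET", "value": 1000, "data": "0x", "nonce": 7}  # constructed
    malicious = {"to": "0xATTACKER", "value": 400000, "data": "0xdeadbeef", "nonce": 7}
    requested = tx_digest(malicious)  # the tampered client asks owners to sign this
    sigs = {}
    for owner in ("alice", "bob"):  # two approvers, enough to meet THRESHOLD
        sig = (verified_sign(owner, benign, requested) if verify_before_signing
               else blind_sign(owner, requested))
        if sig is not None:
            sigs[owner] = sig
    return execute(malicious, sigs)
```

With blind signing the attacker's transaction carries two perfectly valid owner signatures; with independent digest verification every approver refuses and the threshold is never met.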

“The Bybit hack has shattered long-held assumptions about crypto security,” Dikla Barda, Roman Ziakin, and Oded Vanunu, researchers at security firm Check Point, wrote Sunday. “No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link. This attack proves that UI manipulation and social engineering can bypass even the most secure wallets.”

It’s still unclear how the attackers managed to hack the UIs of multiple Bybit employees whose signatures were required for the funds to be moved out of cold storage, but as researchers Dan Guido, Benjamin Samuels, and Anish Naik of security firm Trail of Bits noted, hackers working on behalf of the North Korean government have long deployed sophisticated malware tools that:

  • Operate seamlessly across Windows, MacOS, and various wallet interfaces
  • Show minimal signs of compromise while maintaining persistence
  • Function as backdoors to execute arbitrary commands
  • Download and execute additional malicious payloads
  • Manipulate what users see in their interfaces

These hackers have also been long known for their relentless social engineering prowess. They often spend weeks or months building online personas that ultimately win the trust of targets. That persistence likely allowed the thieves who hit Bybit to somehow tamper with the UIs of each company employee whose digital imprimatur was required to move the funds out of cold storage—and ultimately into wallets the hackers controlled—all at breakneck speed.

As both Check Point and Trail of Bits point out, the lessons learned here bring cryptocurrency security back to basics: segmenting internal networks, adopting defense-in-depth practices with multiple, overlapping controls for detecting and preventing sophisticated attacks, and preparing for scenarios precisely like this one.
