Latest news with #SafeWallet

North Korean hackers 'took just two minutes' to pull off record $1.5bn heist

Yahoo

28-02-2025

  • Business
  • Yahoo

North Korean hackers took just two minutes to make off with $1.5bn (£1.2bn) in cryptocurrency, cyber security researchers believe, in the single biggest heist in history. Post-mortem reports commissioned by the cryptocurrency exchange Bybit, which last week saw ether worth $1.5bn stolen by a Pyongyang-linked group, revealed details of how the hackers breached its systems.

The attackers compromised a so-called cold wallet used by Bybit, a Dubai-based cryptocurrency exchange. Cold wallets are kept offline, away from the internet, and this one was a multi-signature wallet that required several people at Bybit to approve each transfer with hardware devices, which is supposed to make it secure. However, when the exchange attempted to move funds from the cold wallet into an online account, the attackers were able to strike within seconds.

Cyber security experts from Sygnia and Verichains, who pieced together the events from digital records, said the fraudulent transaction resulted from a breach of Safe Wallet, the software Bybit used to manage the wallet. Two days before the incident, North Korean hackers believed to be part of the state's notorious Lazarus Group injected malicious code into the web infrastructure that serves Safe Wallet's interface; the code lay dormant until Bybit's signers used that interface. Safe Global, the company behind the wallet, said the hackers had managed to 'compromise the machine of a Safe Wallet developer', blaming the group's 'sophisticated social engineering attacks'.

The malicious code was written specifically to target Bybit's wallet. It altered the transaction presented to the wallet's three required signers, including Bybit's chief executive, so that the interface displayed a routine transfer while the transaction they actually approved changed the wallet's underlying smart contract logic. When Bybit attempted the transfer, at 2.15pm last Friday, the hackers swiftly drained the wallet of roughly 400,000 ETH, using the backdoor the altered transaction had inserted.

According to Sygnia's report, 'two minutes after the malicious transaction was executed and published' the hackers removed their code from Safe Wallet's infrastructure, before Bybit even realised the money was gone. The North Korean group has since worked rapidly to launder the funds through a series of cryptocurrency exchanges.

The hack represents the most devastating attack yet by North Korea's cyber agents, who are under the command of the state's intelligence service and tasked with stealing funds from the West to finance the country's weapons of mass destruction. It eclipses the $1.3bn stolen by North Korea over the whole of 2024. The country's hackers have been blamed for a total of $6bn in cryptocurrency thefts over the last decade. It is larger than the biggest bank heist in history, when $1bn was taken by Saddam Hussein from Iraq's central bank in 2003.

The Bybit hack has been blamed on Lazarus Group, which is linked to Kim Jong-un's intelligence agency, the Reconnaissance General Bureau. The group is notorious for carefully planned attacks that combine social engineering, email phishing and considerable technical skill to breach systems. On Wednesday, the FBI formally blamed North Korea for the heist, referring to the group responsible by the name TraderTraitor. The FBI said the hackers were 'proceeding rapidly and have converted some of the stolen assets to bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains'. It called on exchanges to identify and block suspect transactions.

Although cryptocurrency transactions are pseudonymous, they are recorded on a public ledger, the blockchain, and can be traced by investigators. However, many exchanges have few know-your-customer or anti-fraud checks, and little incentive to comply with investigations in an unregulated space.

Meanwhile Ben Zhou, the chief executive of Bybit, said he had declared 'war against Lazarus', promising up to $140m in rewards for organisations able to capture or freeze the stolen funds. He added that he would name and shame exchanges that failed to block known Lazarus Group transactions. He said: 'We will not stop until Lazarus or bad actors in the industry is eliminated.' Safe Global said it had 'fully rebuilt, reconfigured all infrastructure and rotated all credentials, ensuring the attack vector is fully eliminated'. It added: 'Safe remains committed to security, transparency, self-custody and pushing the industry forward.'


Bybit Hack Forensics Show North Korean Hackers Stole $1.5 Billion in Largest Crypto Heist by Exploiting SafeWallet Developer

Yahoo

27-02-2025

  • Business
  • Yahoo

Bybit's recent $1.5 billion hack was traced back to a compromised SafeWallet developer's machine, allowing North Korea's Lazarus Group to execute the largest crypto theft in history. A forensic investigation by Sygnia and Verichains found that attackers injected malicious JavaScript into the SafeWallet front end hosted on Amazon Web Services (AWS), tricking signers into approving fraudulent transactions. The breach on Feb. 21 targeted Bybit's Ethereum multisig cold wallet, redirecting over 400,000 ETH and liquid-staked ETH to an attacker-controlled address.

The attack was designed to remain undetected: the injected JavaScript activated only under specific conditions, when the interface was accessed by Bybit signers. Two minutes after the stolen funds were moved, the malicious code was removed from SafeWallet's AWS S3 bucket. Sygnia's investigation found that the malicious changes had been made two days before the hack, indicating a premeditated attack.

Bybit CEO Ben Zhou confirmed that while SafeWallet's infrastructure was breached, Bybit's internal systems were not compromised. Following the attack, Bybit replenished user funds by borrowing 40,000 ETH from Bitget, a loan that has since been repaid. The exchange also secured reserves through asset purchases and large-holder deposits, ensuring full backing of client assets.

SafeWallet responded by rebuilding and reconfiguring its entire infrastructure, rotating credentials, and temporarily removing Ledger integration while restoring services. The company stated that no vulnerabilities were found in its smart contracts or front-end source code, but urged users to exercise caution when signing transactions.

Blockchain analysts, including ZachXBT, TRM Labs, and Elliptic, linked the Bybit attack to previous hacks by Lazarus Group, citing wallet overlaps with past breaches at Phemex, BingX, and Poloniex. Elliptic reported that since 2017, North Korean hackers have stolen over $6 billion in cryptocurrency, with funds allegedly used to support the country's missile program. Chainalysis estimated that North Korean cybercriminals stole $1.34 billion in crypto in 2024 alone.

Bybit first detected unauthorized activity in its Ethereum cold wallet on Feb. 21 at 12:30 p.m. UTC during a routine transfer to a hot wallet. The attackers intercepted the process, masking the signing interface so that the signers approved a transaction that altered the wallet's smart contract logic, which then allowed the fraudulent transfer to be executed. The amount stolen exceeds 60% of all crypto funds stolen across the whole of 2024 and surpasses the 2022 Ronin Network and 2021 Poly Network hacks.

Despite the massive loss, Bybit maintained operations without significant downtime, restoring reserves and resuming withdrawals. SafeWallet has since implemented additional security measures, including enhanced monitoring alerts and validation checks for transaction data. Bybit's forensic review found no direct compromise of its systems, but the attack has rattled investor confidence, contributing to a decline in Ether prices and broader market instability.

Bybit Exchange Loses $1.4 Billion in Major Security Breach, Ethereum Price Falls

Yahoo

21-02-2025

  • Business
  • Yahoo

Bybit suffered a security breach today, with attackers stealing approximately $1.4 billion in Ethereum-based tokens. The stolen assets included liquid-staked Ether (stETH), Mantle Staked ETH (mETH), and various other ERC-20 tokens. The incident triggered a market reaction, with Ethereum's price dropping by 2% to $2,685, while Bitcoin saw a decline of over 1% to $96,632.

Bybit CEO Ben Zhou confirmed the hack occurred when attackers exploited a planned transfer between the exchange's wallets. "The signing message was to change the smart contract logic of our ETH cold wallet," Zhou explained. In other words, while Bybit's team thought they were approving a routine transfer between wallets, they were actually signing a transaction that modified their cold wallet's smart contract, giving the attacker the ability to withdraw funds. The attacker gained control of that ETH cold wallet and transferred its contents to an unidentified address.

In a follow-up statement, Zhou indicated that rather than immediately purchasing ETH to cover the losses, Bybit would work with partners to secure bridge loans. The exchange is experiencing transaction volumes 100 times higher than normal, leading to processing delays, particularly for large withdrawals. Binance founder CZ responded to the incident by suggesting Bybit temporarily halt withdrawals as a security precaution, and offered assistance. Safe Wallet, meanwhile, has temporarily paused certain functionality while its security team investigates the incident. SlowMist, a blockchain security firm, noted similarities to a previous hack of Radiant Capital attributed to North Korean hackers. Security researcher ZachXBT, who first spotted suspicious outflows from the exchange, reported that the stolen funds were being distributed across 39 different addresses, apparently in an attempt to obscure the money trail.

In an official statement, Bybit detailed the attack's mechanics: "The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic."

Despite the significant loss, Zhou assured users that the exchange remains financially stable. The exchange confirmed that other cold wallets remain secure and withdrawals are functioning normally. The breach has sparked responses across the cryptocurrency ecosystem. Ethena Labs assured users that its USDe stablecoin remains fully collateralized, with less than $30 million in unrealized PNL related to Bybit hedge positions, representing less than half of its reserve fund.

This incident adds to a series of security breaches in the cryptocurrency sector during February 2025. Earlier this month, ZkLend, a Starknet-based money-market protocol, lost $9.5 million in an exploit, though the funds were later returned through the Railgun protocol.
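The masked-interface attack described in Bybit's statement above, and in the forensic summary earlier on this page, comes down to a gap between what the web page displays and what the signers' devices actually hash and sign. As an added example, not code from Safe Wallet, Bybit, Sygnia or Verichains, the JavaScript below shows an independent pre-signing check of the kind a custody team could run on a separate machine: it compares the Safe transaction fields that go into the signed hash (target, value, calldata, operation) against the transfer the operator intended, rejects a delegatecall outright, and decodes ERC-20 transfer calldata rather than trusting a displayed recipient. The articles do not name the operation type used in the incident; treating delegatecall (Safe operation 1, which runs the target's code inside the Safe's own storage) as the way a Safe's logic can be replaced is a fact about the Safe contract design, not a claim about the forensic findings. All function names, addresses and payloads below are constructed for illustration.

```javascript
// Added example, not code from Safe Wallet, Bybit, Sygnia or Verichains: an
// independent pre-signing check for a Safe-style multisig transaction. It runs
// on a machine other than the one showing the web interface and compares the
// payload that will actually be signed against the operator's written intent.
// All function names, addresses and sample payloads are constructed.

const ERC20_TRANSFER_SELECTOR = "a9059cbb"; // first 4 bytes of keccak256("transfer(address,uint256)")
const OP_CALL = 0;         // Safe operation 0: ordinary CALL
const OP_DELEGATECALL = 1; // Safe operation 1: DELEGATECALL, executes in the Safe's storage context

// Lower-case hex without the 0x prefix, so addresses and calldata compare bytewise.
function normHex(h) {
  return String(h).toLowerCase().replace(/^0x/, "");
}

// Decode calldata shaped like transfer(address,uint256). Returns null when the
// bytes do not have exactly that shape, so arbitrary calldata is never mistaken
// for a token transfer.
function decodeErc20Transfer(data) {
  const d = normHex(data);
  if (d.length !== 8 + 64 + 64 || d.slice(0, 8) !== ERC20_TRANSFER_SELECTOR) return null;
  const recipientWord = d.slice(8, 72);
  if (!/^0{24}[0-9a-f]{40}$/.test(recipientWord)) return null; // address is left-padded with 12 zero bytes
  return {
    recipient: "0x" + recipientWord.slice(24),
    amount: BigInt("0x" + d.slice(72, 136)),
  };
}

// intent: what the operator believes is being approved, taken from the transfer
// runbook rather than from the web page. tx: the Safe transaction fields that go
// into the hash the signers sign. Returns a list of problems; empty means the
// payload matches the intent.
function checkSafeTx(intent, tx) {
  const problems = [];
  const op = Number(tx.operation);

  if (op === OP_DELEGATECALL) {
    problems.push("operation is DELEGATECALL: target code would run inside the Safe's own storage and could replace its logic; a transfer never needs this");
  } else if (op !== OP_CALL) {
    problems.push(`unknown operation ${tx.operation}`);
  }
  if (normHex(tx.to) !== normHex(intent.to)) {
    problems.push(`target ${tx.to} differs from intended target ${intent.to}`);
  }
  if (BigInt(tx.value) !== BigInt(intent.value)) {
    problems.push(`value ${tx.value} differs from intended value ${intent.value}`);
  }

  if (intent.kind === "erc20") {
    const decoded = decodeErc20Transfer(tx.data);
    if (decoded === null) {
      problems.push("calldata is not a transfer(address,uint256) call");
    } else {
      if (normHex(decoded.recipient) !== normHex(intent.recipient)) {
        problems.push(`token recipient ${decoded.recipient} differs from intended ${intent.recipient}`);
      }
      if (decoded.amount !== BigInt(intent.amount)) {
        problems.push(`token amount ${decoded.amount} differs from intended ${intent.amount}`);
      }
    }
  } else if (intent.kind === "native") {
    if (normHex(tx.data) !== "") problems.push("native ETH transfer must carry empty calldata");
  } else {
    problems.push(`unsupported intent kind ${intent.kind}`);
  }
  return problems;
}

// ABI-encode transfer(recipient, amount) for the constructed samples below.
function encodeTransfer(recipient, amount) {
  return "0x" + ERC20_TRANSFER_SELECTOR + normHex(recipient).padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// Constructed sample: the runbook says "move 1,000 TOKEN to the warm wallet".
const TOKEN = "0x1111111111111111111111111111111111111111";             // hypothetical token contract
const WARM_WALLET = "0x2222222222222222222222222222222222222222";       // hypothetical warm wallet
const ATTACKER_CONTRACT = "0x3333333333333333333333333333333333333333"; // hypothetical
const intent = { kind: "erc20", to: TOKEN, value: "0", recipient: WARM_WALLET, amount: 1000n * 10n ** 18n };

// Honest payload: a CALL to the token contract with matching transfer calldata.
const honestTx = { to: TOKEN, value: "0", data: encodeTransfer(WARM_WALLET, intent.amount), operation: OP_CALL };

// Constructed manipulated payload: the interface still shows the warm wallet as
// recipient and the calldata still decodes as a transfer, but the signed payload is
// a DELEGATECALL to an unknown contract, which a glance at the recipient never reveals.
const manipulatedTx = { to: ATTACKER_CONTRACT, value: "0", data: encodeTransfer(WARM_WALLET, intent.amount), operation: OP_DELEGATECALL };

function demo() {
  return { honest: checkSafeTx(intent, honestTx), manipulated: checkSafeTx(intent, manipulatedTx) };
}

console.log(demo());
```

Running it reports no problems for the honest payload and two for the manipulated one (the delegatecall and the wrong target), even though the decoded recipient and amount look correct. The check is structural; the complementary control is to compute the Safe transaction hash on an independent machine and compare it with the hash shown on the hardware signing device, because a compromised web interface can render any fields it likes.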
