"Trust Exploited: $1.5B Crypto Heist Unveiled" (Source: Schneier on Security - "North Korean Hackers Steal $1.5B in Cryptocurrency")

Key Points:

  • North Korean hackers conducted a sophisticated attack on the Dubai-based cryptocurrency exchange Bybit.
  • Bybit disclosed the theft of over 400,000 Ethereum and staked Ethereum coins just hours after it occurred.
  • The cryptocurrency was initially stored in a “Multisig Cold Wallet” but was transferred to a hot wallet controlled by Bybit, before being moved to wallets owned by the attackers.
  • An investigation revealed no unauthorized access to Bybit’s infrastructure or vulnerabilities in associated Safe wallets or codebase.
  • The hack was executed by altering smart contract logic and masking the signing interface, allowing the attackers to take control of the ETH Cold Wallet.
  • Bybit’s incident report was almost comically understated, headlining the event as “Unauthorized Activity Involving ETH Cold Wallet.”
  • This incident underscores that the human element in cryptocurrency security remains a significant vulnerability, despite strong technological protections.

Executive Summary:
A highly sophisticated attack by North Korean hackers resulted in the theft of $1.5 billion worth of cryptocurrency from the exchange Bybit, specifically over 400,000 ethers. The breach exploited human trust through UI deception rather than technical vulnerabilities: the signing interface was masked and the smart contract logic altered, giving the attackers control of the cryptocurrency stored in a multisig cold wallet. This incident emphasizes the critical importance of addressing the human factor in crypto security, as advanced technical safeguards alone are insufficient to prevent such exploits.
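The failure mode described above is that signers approved what the interface showed them, while the payload actually offered for signature was something else. The following is an added example, not code from the Schneier post, Bybit or Safe: an independent "what am I actually signing?" check that recomputes a digest over the raw request, compares it with the digest of the summary the UI displayed, and flags fields and operation types a signer should never accept on the UI's word alone. SHA-256 stands in for the wallet's real signing-hash scheme (an assumption made to keep the example dependency-free); the `to`/`value`/`data`/`operation` fields mirror Safe-style transactions, and all addresses, calldata and the allow-list are constructed sample values.

```python
"""
Added example (not from the Schneier post, Bybit or Safe): independent
verification of a multisig signing request against what the UI displayed.

Assumptions (not from the page):
  - SHA-256 over a canonical JSON encoding stands in for the wallet's real
    signing-hash scheme.
  - Addresses, calldata and the allow-list below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, asdict

# Safe-style operation codes: a delegatecall runs foreign code in the wallet's
# own storage context, so it can change the wallet's logic itself.
OP_CALL = 0
OP_DELEGATECALL = 1


@dataclass(frozen=True)
class SigningRequest:
    to: str          # target address (hex string)
    value: int       # amount to transfer, in wei
    data: str        # calldata (hex string)
    operation: int   # OP_CALL or OP_DELEGATECALL
    nonce: int       # wallet nonce the request claims to consume


def canonical_digest(req: SigningRequest) -> str:
    """Deterministic digest of a request; stand-in for the real signing hash."""
    canon = json.dumps(asdict(req), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def check_request(displayed: SigningRequest, raw: SigningRequest,
                  allowed_targets: frozenset) -> list:
    """Compare the UI's summary with the raw payload offered for signature.

    Returns a list of findings; an empty list means the raw request matches
    what the signer was shown and stays within the signer's own policy.
    """
    findings = []
    # 1. The digest a signer verifies on a second device must be computed from
    #    the raw payload, never from the UI's rendering of it.
    if canonical_digest(displayed) != canonical_digest(raw):
        findings.append("digest mismatch: UI summary does not match the payload offered for signature")
    # 2. Field-by-field diff so the signer sees exactly what was masked.
    for field in ("to", "value", "data", "operation", "nonce"):
        shown, actual = getattr(displayed, field), getattr(raw, field)
        if shown != actual:
            findings.append(f"field '{field}' differs: shown={shown!r} actual={actual!r}")
    # 3. Policy checks on the raw request, independent of what was displayed.
    if raw.operation == OP_DELEGATECALL:
        findings.append("raw request uses delegatecall: wallet logic itself may be replaced")
    if raw.to.lower() not in allowed_targets:
        findings.append(f"target {raw.to} is not on the signer's allow-list")
    return findings


# Constructed sample data (not real addresses or calldata).
ALLOWED_TARGETS = frozenset({"0x1111111111111111111111111111111111111111"})

# What the signing interface showed: a routine 1 ETH transfer to a known address.
DISPLAYED = SigningRequest(
    to="0x1111111111111111111111111111111111111111",
    value=10**18, data="0x", operation=OP_CALL, nonce=42,
)

# What was actually placed in front of the signer: a delegatecall to an
# unknown contract with non-empty calldata, under the same nonce.
RAW_TAMPERED = SigningRequest(
    to="0x2222222222222222222222222222222222222222",
    value=0, data="0xdeadbeef", operation=OP_DELEGATECALL, nonce=42,
)


if __name__ == "__main__":
    print("honest request findings:", check_request(DISPLAYED, DISPLAYED, ALLOWED_TARGETS))
    for finding in check_request(DISPLAYED, RAW_TAMPERED, ALLOWED_TARGETS):
        print("REFUSE TO SIGN:", finding)
```

The design point is that the comparison runs on a path the web interface cannot influence: the signer's device (or a second operator) decodes the raw request and derives the digest itself, and only then compares with the screen. An honest request yields no findings; the tampered one yields a digest mismatch plus one finding per masked field, and refuses on policy grounds regardless of what the UI claimed.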

12ft.io Link: https://12ft.io/https://www.schneier.com/blog/archives/2025/02/north-korean-hackers-steal-1-5b-in-cryptocurrency.html
Archive.org Link: North Korean Hackers Steal $1.5B in Cryptocurrency - Schneier on Security

Original Link: https://www.schneier.com/blog/archives/2025/02/north-korean-hackers-steal-1-5b-in-cryptocurrency.html

Original Post: North Korean Hackers Steal $1.5B in Cryptocurrency

It looks like a very sophisticated attack against the Dubai-based exchange Bybit:

Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a “Multisig Cold Wallet” when, somehow, it was transferred to one of the exchange’s hot wallets. From there, the cryptocurrency was transferred out of Bybit altogether and into wallets controlled by the unknown attackers.

…a subsequent investigation by Safe found no signs of unauthorized access to its infrastructure, no compromises of other Safe wallets, and no obvious vulnerabilities in the Safe codebase. As investigators continued to dig in, they finally settled on the true cause. Bybit ultimately said that the fraudulent transaction was “manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet.”

The announcement on the Bybit website is almost comical. This is the headline: “Incident Update: Unauthorized Activity Involving ETH Cold Wallet.”

This hack sets a new precedent in crypto security by bypassing a multisig cold wallet without exploiting any smart contract vulnerability. Instead, it exploited human trust and UI deception.

No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link.

For more on this, see the post on bypassing methods.