
Bybit loses $1.5B in hack but can cover loss, CEO confirms

Animats

Who says ByBit can cover the loss? The article title says that but the article quotes do not. The CEO only said that their other cold wallets are intact and that withdrawals remain normal.

Bybit claims to be regulated by the Virtual Assets Regulatory Authority of Dubai.[1] But the lookup page at VARA says they only have "In-principle approval", not a full license. "Applicants holding an IPA are strictly prohibited from initiating operations, conducting any virtual asset activities, or servicing clients until they have obtained their full VASP licence from VARA."

Uh oh.

[1] https://www.vara.ae/en/licenses-and-register/public-register...

Geee

There should be something like a "finalizing transaction", which both the sender and receiver need to sign after the first transaction has been mined, i.e. like an in-built escrow. If it's not signed by both, then funds are returned. This wouldn't protect against key leakage, but in this case, the tx was signed by accident. This would also protect against sending to wrong address.
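The two-phase settlement Geee sketches above, written out as an added example (mine, not code from the thread or from any chain): a transfer first locks the funds in a pending entry, and only settles when both sender and receiver sign the same finalize message; if the deadline passes without both signatures the funds return to the sender. Signatures are stood in for by HMAC-SHA256 over a per-party secret (an assumption to keep the block self-contained; a real system would use public-key signatures), and the account names and amounts are constructed.

```python
import hashlib
import hmac
import json


def sign(secret: bytes, payload: dict) -> str:
    """Stand-in for a digital signature: HMAC-SHA256 with the party's secret.
    Only the state machine matters here, not the primitive."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class EscrowLedger:
    """Ledger where every send is provisional until both parties finalize it."""

    def __init__(self):
        self.balances = {}   # address -> spendable balance
        self.secrets = {}    # address -> signing secret (what a key leak would expose)
        self.pending = {}    # tx_id -> locked transfer awaiting both signatures
        self._next_id = 0

    def add_account(self, addr: str, secret: bytes, balance: int = 0):
        self.balances[addr] = balance
        self.secrets[addr] = secret

    def send(self, sender: str, receiver: str, amount: int, now: int, timeout: int) -> int:
        """Phase 1: debit the sender and lock the amount; nothing is credited yet."""
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        tx_id = self._next_id
        self._next_id += 1
        self.pending[tx_id] = {"sender": sender, "receiver": receiver,
                               "amount": amount, "deadline": now + timeout}
        return tx_id

    def finalize_payload(self, tx_id: int) -> dict:
        """The exact message both parties must sign; it binds the receiver address."""
        p = self.pending[tx_id]
        return {"action": "finalize", "tx_id": tx_id, "sender": p["sender"],
                "receiver": p["receiver"], "amount": p["amount"]}

    def finalize(self, tx_id: int, sender_sig: str, receiver_sig: str, now: int) -> bool:
        """Phase 2: credit the receiver only if both signatures verify before the deadline."""
        p = self.pending[tx_id]
        if now > p["deadline"]:
            raise ValueError("transfer expired; call expire() to refund")
        if p["receiver"] not in self.secrets:
            return False  # a mistyped address has no key, so it can never be co-signed
        payload = self.finalize_payload(tx_id)
        ok_sender = hmac.compare_digest(sender_sig, sign(self.secrets[p["sender"]], payload))
        ok_receiver = hmac.compare_digest(receiver_sig, sign(self.secrets[p["receiver"]], payload))
        if not (ok_sender and ok_receiver):
            return False
        self.balances[p["receiver"]] = self.balances.get(p["receiver"], 0) + p["amount"]
        del self.pending[tx_id]
        return True

    def expire(self, tx_id: int, now: int) -> bool:
        """Refund path: after the deadline an unfinalized transfer goes back to the sender."""
        p = self.pending[tx_id]
        if now <= p["deadline"]:
            return False
        self.balances[p["sender"]] += p["amount"]
        del self.pending[tx_id]
        return True


def run_scenario(receiver: str, sender_cosigns: bool = True, receiver_cosigns: bool = True) -> dict:
    """Constructed scenario: alice sends 40 to `receiver`; returns final balances."""
    ledger = EscrowLedger()
    ledger.add_account("alice", b"alice-secret", balance=100)
    ledger.add_account("bob", b"bob-secret")
    tx = ledger.send("alice", receiver, 40, now=0, timeout=10)
    payload = ledger.finalize_payload(tx)
    s_sig = sign(b"alice-secret", payload) if sender_cosigns else ""
    r_sig = sign(ledger.secrets.get(receiver, b"no-key"), payload) if receiver_cosigns else ""
    if not ledger.finalize(tx, s_sig, r_sig, now=5):
        ledger.expire(tx, now=11)  # deadline passed without both signatures: refund
    return ledger.balances


if __name__ == "__main__":
    print(run_scenario("bob"))                        # settles: alice 60, bob 40
    print(run_scenario("b0b"))                        # typo'd address: refunded
    print(run_scenario("bob", sender_cosigns=False))  # sender never confirms: refunded
```

As the original comment notes, this does nothing against a leaked key: whoever holds the sender's secret can sign both the send and the finalize. What it does buy is that a single accidental signature, or a transfer to an address nobody controls, cannot settle on its own.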

Mengkudulangsat

This would also protect against dusting attacks.

Illicit addresses sending to thousands of random recipients and making them all marked by automated KYC systems.

chabes

From the article:

> The wallet in question appears to have sent 401,346 ETH ($1.1 billion) as well as several other iterations of staked ether (stETH) to a fresh wallet, which is now liquidating mETH and stETH on decentralized exchanges, etherscan shows. The wallet has sold around $200 million worth of stETH so far.

If you showed me a paragraph like this a decade ago and told me it was from 2025, I would have a difficult time believing you.

satvikpendem

Crypto shenanigans were happening in 2015, even as far back as 2010, so I absolutely would have believed you that it continues happening, as crypto is a fundamentally unstable platform.

netrap

Just crazy. Bank heists fully online...

ratg13

Mt. Gox got famously hacked over 10 years ago .. anyone keeping this much money in an online wallet would have to be functionally retarded.

Yet here we are.

smolder

It's definitely embarrassing that people losing their shirts in crypto didn't see it coming. It's bad that people think a zero sum game is worth playing against incumbents. The marks aren't the worst part, though. Everyone promoting memecoins and utility-free cryptocurrency in general is either ignorant or just a bad person with a warped idea of success. Personal money accumulation is a sad goal compared to actual wealth creation. The parasites who push crypto on the hopeful proto-bag holders are destroying the prosperity that supports them.

pfannkuchen

Yeah, on memecoins, isn’t that just a loophole for running naked pyramid schemes? I.e. a pyramid where everyone knows it’s a pyramid.

Like, the weird part about a pyramid is that, depending on your risk tolerance, it may actually make sense to participate in a pyramid even if everyone involved knows it’s a pyramid. So are that many people being scammed, as in tricked (seems hard to believe), or is it just a risky form of gambling that is outlawed in legacy formats?

EDIT: Ponzi -> Pyramid

redrove

It was an offline multi-sig wallet. Hackers seem to have musked the transaction when the owners signed it as it looked good to them.

cypherpunks01

Wow it must have been really musked then, huh?

posnet

And only a few weeks ago the lawsuit started paying out the 'early lump sum' repayment option for creditors.

jsemrau

> Bybit CEO Ben Zhou wrote on X that a hacker "took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address."

From the article. Not that I endorse crypto, in fact I despise it. But at least per this statement, it seems to have been handled offline. How a hacker could get access to this is another story to unpack.

edit: I guess this is the story that "unpacks". One more reason to not believe in crypto.

https://x.com/benbybit/status/1892963530422505586

timjver

By "online wallet" they were likely referring to the Bybit website being the wallet of those customers that held their coins there rather than keeping them in their own private wallets, and not whether the hack involved a hot wallet or a cold wallet. Calling it a custodial wallet would have been more accurate.

rkagerer

There's some info and speculation in these two (distinct) articles, but I'd love to know the technical details of where the gaffes were.

eg. Was client software compromised? Did the multisig keyholders succumb to social engineering? Were the signers using airgapped machines / hardware devices?

https://archive.ph/YMZrq

https://blockworks.co/news/bybit-hack-raises-security-questi...

cypherpunks01

A huge problem with signing EVM transactions using hardware wallets is that it is common to be blind-signing messages. The device has no knowledge of the Safe EVM contract functions or any other context; it just asks you to sign a gobbledygook opaque binary message, so you may have no idea what's being signed. That is my experience using multiple different vendor HW wallets. Not sure if that's what happened, but it's possible this type of problem contributed to the exploit. BTC TXs are simple enough that all HW wallets can basically display what's happening, but with Turing-complete arbitrary computations in EVM this becomes very difficult.
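To make the blind-signing point concrete, here is an added example (mine, not code from the thread or from the Safe project) that decodes the "opaque binary message" a Safe owner is asked to sign. An outgoing Safe transfer is a call to `execTransaction(address to, uint256 value, bytes data, uint8 operation, uint256 safeTxGas, uint256 baseGas, uint256 gasPrice, address gasToken, address refundReceiver, bytes signatures)`; the 4-byte selector below is the one published in the Safe contract ABI, and `operation` is Safe's Call (0) / DelegateCall (1) enum. The `review` allowlist, the addresses, the inner ERC-20 transfer and the signature bytes are all constructed for illustration, and nothing here describes the actual Bybit transaction.

```python
# Selector for Safe's execTransaction(...) as published in the Safe contract ABI.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OP_CALL, OP_DELEGATECALL = 0, 1          # Safe's Enum.Operation values
ZERO_ADDR = "0x" + "00" * 20

# Constructed sample values (not real contracts or signatures).
TOKEN = "0x" + "aa" * 20                 # an ERC-20 the signers expect to interact with
UNKNOWN = "0x" + "bb" * 20               # a contract the signers have never seen
FAKE_SIGS = b"\x01" * 65                 # one 65-byte owner signature, content irrelevant here


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\0")


def _pad(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 32)


def erc20_transfer_calldata(to: str, amount: int) -> bytes:
    """transfer(address,uint256), selector a9059cbb."""
    return bytes.fromhex("a9059cbb") + _addr(to) + _word(amount)


def encode_exec_transaction(to, value, data, operation, signatures, safe_tx_gas=0,
                            base_gas=0, gas_price=0, gas_token=ZERO_ADDR,
                            refund_receiver=ZERO_ADDR) -> bytes:
    """Standard ABI encoding: 10 head slots, then the two dynamic `bytes` tails."""
    data_off = 10 * 32
    sig_off = data_off + 32 + len(_pad(data))
    head = (_addr(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(safe_tx_gas) + _word(base_gas) + _word(gas_price)
            + _addr(gas_token) + _addr(refund_receiver) + _word(sig_off))
    tail = _word(len(data)) + _pad(data) + _word(len(signatures)) + _pad(signatures)
    return EXEC_TRANSACTION_SELECTOR + head + tail


def decode_exec_transaction(calldata: bytes) -> dict:
    """Turn the blob a hardware wallet displays into the fields a signer cares about."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = calldata[4:]

    def word(i):
        return int.from_bytes(body[32 * i:32 * i + 32], "big")

    def addr(i):
        return "0x" + body[32 * i + 12:32 * i + 32].hex()

    def dyn(off):  # dynamic bytes: 32-byte length, then the payload
        n = int.from_bytes(body[off:off + 32], "big")
        return body[off + 32:off + 32 + n]

    return {"to": addr(0), "value": word(1), "data": dyn(word(2)), "operation": word(3),
            "safe_tx_gas": word(4), "base_gas": word(5), "gas_price": word(6),
            "gas_token": addr(7), "refund_receiver": addr(8), "signatures": dyn(word(9))}


def review(tx: dict, known_targets) -> list:
    """Warnings a signer should see before approving. `known_targets` is a
    hypothetical allowlist of contracts the owners expect to call."""
    warnings = []
    if tx["operation"] == OP_DELEGATECALL:
        warnings.append("DELEGATECALL: target code runs in the Safe's own storage and "
                        "can rewrite owners, threshold or the implementation pointer")
    if tx["to"].lower() not in {a.lower() for a in known_targets}:
        warnings.append(f"target {tx['to']} is not on the allowlist")
    if tx["value"] > 0:
        warnings.append(f"sends {tx['value']} wei of ETH")
    if tx["gas_price"] > 0 or tx["refund_receiver"] != ZERO_ADDR:
        warnings.append("gas refund to a non-default receiver")
    return warnings


def sample_transactions():
    """Two constructed calldata blobs: a routine token transfer and a delegatecall
    to an unknown contract carrying opaque data."""
    legit = encode_exec_transaction(TOKEN, 0, erc20_transfer_calldata("0x" + "cc" * 20, 10**18),
                                    OP_CALL, FAKE_SIGS)
    suspicious = encode_exec_transaction(UNKNOWN, 0, bytes.fromhex("deadbeef"),
                                         OP_DELEGATECALL, FAKE_SIGS)
    return legit, suspicious


if __name__ == "__main__":
    for blob in sample_transactions():
        tx = decode_exec_transaction(blob)
        print(tx["to"], "op=%d" % tx["operation"], review(tx, [TOKEN]))
```

Both blobs look alike on a device that shows only hex: same selector, same length order, same signature block. Decoded, one is a token transfer to a known contract and the other hands the Safe's storage to code the owners never reviewed, which is exactly the distinction a signer needs in front of them before pressing approve.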

rkagerer

Thanks for spelling this out, the explanation makes a lot of sense.

You'd think they could at least show a blockie representing the contract, or a reputable party who cryptographically vouched for it.

mhmmmmmm

https://x.com/tayvano_/status/1847877011462901915 This thread has some info about very similar past attacks, should give some insights into the level of sophistication that goes into something like that.

rNULLED

> have a wallet, work at bybit > understand backdoor > steal money from your account, some from others > bybit pays you back > still have money you stole

zer0x4d

I'm a huge crypto believer but I can admit that we don't have a serious system if a person can just transfer over $1.5B from a well known crypto cold wallet to different accounts with nothing flagging it and no way to reverse it.

stouset

In the face of the never-ending list of these kinds of events, the laughably impossible task of average nontechnical individuals protecting their own assets (and the consequence of total financial ruin when they fail to do so), the overwhelming number of and size of scams, rug pulls, fraud, outright Ponzi schemes, and on and on and on… what exactly is left to keep anyone a “huge believer”?

Put differently, it’s been seventeen years of constant and escalating mayhem. What would finally be enough to shake your faith?

throwawayqqq11

> what exactly is left to keep anyone a “huge believer”?

Bias. I expect believers to have earned a profit or still hold significant quantities of crypto assets.

But in their favor, trust in any currency is the foundation of its value. States create it by collecting taxes and paying employees. Crypto currencies generally lack that heavy weight central authority, so they kind of have to believe to the point where they get burned.

dandanua

> What would finally be enough to shake your faith?

Crypto scams run by top government officials? Oh, wait...

JTyQZSnP3cQGa8B

You like decentralized money without laws and accountability, but would like to have a central thing (TBD) that is accountable and respect laws? How would that work?

zer0x4d

I'm not too sure but few things come to mind:

1. Upgrade protocol to include protections for well known cold wallets held by exchanges (ex: API call has to be made to the exchange's security endpoint to validate each transaction out of the wallet. Exchange staff would need to manually allowlist large transactions before they are transmitted).

2. Decentralized voting on reversal of transactions (90-95%+ vote needed to reverse to avoid 51% attacks)

jeswin

This is getting pretty close to the banking system, at which point one needs to ask - maybe just improve existing protocols?

JamesLefrere

Solutions have existed for years (eg Gnosis Safe), they just aren’t being used by that exchange.

mhmmmmmm

Bybit was quite literally using Gnosis Safe for the compromised wallet.

zer0x4d

I can't believe someone posted that without knowing they actually used Gnosis Safe

huang_chung

Society has devolved a bit when not long ago a heist like this would involve sieging Nakatomi Plaza, and now it takes just finding a bug in someone's defective Python code.

grues-dinner

You don't even have to break into a weird high-tech vault to get an unreasonably slow (or fast) billion-dollar progress bar with a snazzy custom UI toolkit these days. Not sure if technology or inflation is more to blame!

Klaster_1

I wonder how many programmers resort to crime after they were laid off and couldn't find a job. Like soldiers after a war.

ooterness

Relevant comedy sketch? "Secret agent squad, but they're all just the hacking guy."

https://youtu.be/cL7lhbtWwbY?feature=shared

wyre

That might make for a good book or movie plot.

NetOpWibby

Starring Rami Malek, Tom Holland, Kyla Pratt, and George Clooney?

ratg13

You just gotta trust the wrong people.

Don’t forget FTX willingly hired the Ultimate Bet “god mode” guy.

philipwhiuk

It's obviously not a cold wallet if it's connected to the exchange.

abuani

It's also not reassuring that the CEO claims cold wallets are safe and secure, just after losing 1.46B

cozzyd

Perhaps their servers have cryogenic cooling

javier2

Cold usually means it needs multiple physical people to sign from offline devices to move it. Hot wallet usually is automated. Here it looks like the «hackers» found a way to trick enough people to sign this transaction

gnabgib

It could still be cold. "took control of the specific ETH cold wallet" sounds like stealing the physical hardware. Like someone stealing the vault key, or the HDCP master key getting leaked.

vessenes

They could have gotten the recovery phrase off some paper, then imported it wherever. More likely than guessing the pin on a ledger with a short number of tries before wiping.

Etheryte

Yeah this makes no sense whatsoever.

> [The hacker] took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address.

Did the hacker physically break into their office or what?

shawabawa3

Possibly yes

Or some part of their system failed and the key was compromised without them realising it (like the Debian insecure keys debacle or whatever)

qingcharles

Can someone even explain what Bybit is actually about? I searched around when the hack was announced, but I'm very confused. Mostly what I saw said "scam" on it.

This isn't your run-of-the-mill Coinbase style exchange, right?

cypherpunks01

It's the second largest crypto exchange by volume globally, behind Binance. Specialized in derivatives but they have lots of regular retail products that you might find at Coinbase. Basically like a bigger version of Coinbase from Asia.

mkagenius

A crypto exchange, WazirX, was hacked for ~$300M, roughly 50% of the users' funds gone.

There has been no action against the CEO since the hack in July 2024. He sits in Dubai. He just got a nod from the Supreme Court of SG to average out the funds and distribute them among the users.

No action has been initiated against the company/CEO for losing the funds. He is geared up to launch another company/exchange.

thesumofall

In the case of a state actor, just imagine the weapons that could be bought with this kind of money and the potential lives lost due to this mess.

ArtTimeInvestor

When even professional companies that have billions of dollars under management can't securely manage their crypto assets, how likely is it that individuals can?

kangda123

It's a different ball game. The resources that went into executing this kind of hack were probably far higher than most wallets are worth anyway.

acc_297

Maybe not - a number of high-value past hacks have been very low effort

I have yet to see a thorough explanation of what specifically was hacked here anyhow
