The Bybit hacking incident was indeed a big deal. In layman's terms, the attacker used advanced techniques to bypass the multi-signature security mechanism and emptied the exchange's hot wallet. The direct loss exceeded US$1.5 billion, equivalent to more than 400,000 ETH and stETH being transferred away, making it the largest theft in the history of the cryptocurrency industry. Looking at the technical details, the attacker deployed the malicious contract as early as February 19, then waited until the 21st to replace the original Safe multi-signature contract with their own malicious version using the signatures of three owners. This step is critical, because multi-signature was the core security measure the exchange relied on to diversify risk. Once the contract logic had been tampered with, the attacker swept every asset out of the hot wallet through the backdoor functions sweepETH and sweepERC20. The SlowMist team's analysis found the method very similar to the previous attack pattern of the North Korean hacker organization Lazarus Group, such as its intrusion and money-laundering path against Safe multi-signature wallets, but there is no solid evidence yet.
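The contract replacement described above went through because three owners signed a transaction whose real effect was not visible to them. A control that addresses this is to decode every Safe execTransaction payload before signing it and refuse anything that does not match policy, most importantly a delegatecall operation (operation = 1 in Safe's ABI), because a delegatecall runs the callee's code in the Safe proxy's own storage and can therefore rewrite the proxy's implementation pointer. The following pre-signing guard is an added example written for this article; it is not code from Bybit, Safe or SlowMist. It assumes Safe's public execTransaction ABI and its selector 0x6a761202, and every address and payload in it is constructed for the demonstration.

```python
"""Pre-signing guard for Safe execTransaction payloads (added example, not the page's code)."""
from dataclasses import dataclass

# Selector of Safe's execTransaction(address,uint256,bytes,uint8,uint256,uint256,
# uint256,address,address,bytes); the first four bytes of keccak256 of that signature.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
OP_CALL, OP_DELEGATECALL = 0, 1          # Safe's Enum.Operation values
HEAD_WORDS = 10                          # static words before the dynamic tail

# Constructed placeholder: the only destination this hot-wallet policy allows.
ALLOWLIST = {"0x" + "11" * 20}


@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


def _word(buf: bytes, i: int) -> int:
    return int.from_bytes(buf[32 * i:32 * (i + 1)], "big")


def _dyn_bytes(buf: bytes, offset: int) -> bytes:
    length = int.from_bytes(buf[offset:offset + 32], "big")
    return buf[offset + 32:offset + 32 + length]


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int,
                            signatures: bytes = b"") -> bytes:
    """ABI-encode execTransaction with gas fields zeroed (enough for a policy check)."""
    data_off = HEAD_WORDS * 32
    sig_off = data_off + 32 + len(_pad32(data))
    head = [int(to, 16), value, data_off, operation, 0, 0, 0, 0, 0, sig_off]
    tail = (len(data).to_bytes(32, "big") + _pad32(data)
            + len(signatures).to_bytes(32, "big") + _pad32(signatures))
    return EXEC_TRANSACTION_SELECTOR + b"".join(w.to_bytes(32, "big") for w in head) + tail


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Recover the fields a signer must actually look at: to, value, data, operation."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    args = calldata[4:]
    to = "0x" + args[12:32].hex()          # address is the low 20 bytes of word 0
    return SafeTx(to=to,
                  value=_word(args, 1),
                  data=_dyn_bytes(args, _word(args, 2)),
                  operation=_word(args, 3))


def review(calldata: bytes, allowlist: set[str] = ALLOWLIST) -> list[str]:
    """Return policy findings; an empty list means the payload may be signed."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx.operation == OP_DELEGATECALL:
        findings.append("delegatecall: callee executes inside the Safe's storage context")
    if tx.to.lower() not in {a.lower() for a in allowlist}:
        findings.append(f"target {tx.to} is not on the allowlist")
    if tx.data and tx.operation == OP_CALL and tx.value:
        findings.append("value transfer combined with calldata; expected a plain transfer")
    return findings


# Constructed samples: a routine ETH transfer and a delegatecall to an unknown contract.
SAMPLE_TRANSFER = encode_exec_transaction("0x" + "11" * 20, 10**18, b"", OP_CALL)
SAMPLE_UPGRADE = encode_exec_transaction("0x" + "aa" * 20, 0, bytes.fromhex("deadbeef"),
                                         OP_DELEGATECALL)

if __name__ == "__main__":
    for name, payload in (("transfer", SAMPLE_TRANSFER), ("upgrade", SAMPLE_UPGRADE)):
        print(name, review(payload) or "OK to sign")
```

The point of the check is that a signing device or an operations runbook should present these decoded fields, not a hash, to each owner; with three owners signing, the guard has to run on each of their paths, otherwise a single compromised signing interface is enough.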
The flow of the stolen money is also quite particular. The hacker's first step is to exchange all ERC20 tokens (including derivatives such as stETH) for ETH, then convert the ETH into BTC, and finally exchange it slowly into RMB through Asian exchanges, probably to support North Korea's nuclear weapons program. What is more troublesome is that these funds will not be dumped all at once but sold slowly over several years, which amounts to burying a long-term mine in the market. To fill the hole, Bybit can only borrow ETH to repay users, and if it really cannot get the funds back, it will have to buy ETH with its own money. The exchange buying ETH and the hackers selling ETH may offset each other to some degree, but in the long run the market pressure is still considerable.
From an industry perspective, this incident exposed several major problems. First, the multi-signature mechanism itself can be compromised: if the people managing the private keys are phished or an insider does something wrong, the entire system collapses. Second, the security of hot wallets is once again in question. Many exchanges keep highly liquid assets in hot wallets for the sake of user experience, and those wallets have become targets. Third, there is the ongoing threat of North Korean hackers. These people are professionals and are in no hurry to cash out, so the possibility of recovery is almost zero.
As for the market reaction, Bitcoin plummeted several times as soon as the news came out, and more than 4 billion yuan was liquidated across the entire network within 24 hours. User confidence was clearly shaken.
Although Bybit responded immediately, industry insiders generally believe the money cannot be recovered and can only be compensated through subsequent risk control and insurance. This incident also reminds every exchange that security cannot rely on technology alone; it must be combined with internal process monitoring and personnel management, such as dispersing multi-signature permissions, adjusting the ratio of assets held in cold and hot wallets, and even cooperating with on-chain monitoring companies for early warning. Finally, hackers are always evolving, and the defenses of exchanges must keep pace, otherwise the next one to be emptied may be themselves.