Anyway, Bybit has released a report on what happened with their hack in the first place. Point by point, the picture is as follows:
- First they compromised the computer of one of the developers at #safe (a multisig wallet provider), the service through which Bybit signed its transactions.
- Then Lazarus injected a malicious script directly into one of the files Safe stored on their servers in AWS (specifically an S3 bucket).
- This script spoofed transactions at the signature stage. That is, you think you're signing one thing, but what actually goes out is something else entirely.
- And the code only kicked in if the transaction went to one of two addresses: the Bybit contract and some murky test address that was most likely controlled by the hackers themselves.
- As soon as the transaction went through, the hackers immediately covered their tracks: they deleted the script and uploaded a clean version of the file back.
- The investigation concluded that Bybit's own infrastructure was not affected; it was Safe's. Safe's contracts weren't touched either, the whole attack went through the web interface.
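The pattern in the points above (a hosted frontend file is modified, the payload fires only for specific addresses, and the clean file is restored right after the signature) is a good illustration of why a point-in-time check of "is the file currently clean?" is not enough. Below is an added example, written for this post and not code from Safe, Bybit or the incident report, of a small integrity monitor that pins the release-build hash of a served bundle (in Subresource-Integrity format), records every observation, and reports the windows during which the served copy did not match. All file names, contents, hashes and timestamps are constructed for the example.

```python
import base64
import hashlib
from dataclasses import dataclass, field


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource-Integrity style string, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


@dataclass
class Observation:
    ts: int          # time of the fetch (constructed integer timestamps)
    path: str        # which served file was fetched
    seen: str        # SRI hash of what was actually served
    ok: bool         # did it match the pinned release hash?


@dataclass
class IntegrityMonitor:
    # path -> expected SRI hash, taken from the release pipeline (never from the live copy)
    pinned: dict
    history: list = field(default_factory=list)

    def observe(self, ts: int, path: str, content: bytes) -> bool:
        """Hash one fetched copy, compare it with the pinned hash and keep the record."""
        seen = sri_hash(content)
        ok = seen == self.pinned.get(path)
        self.history.append(Observation(ts, path, seen, ok))
        return ok

    def currently_ok(self, path: str) -> bool:
        """Point-in-time view: does the most recent fetch match? (This is what misses a cleanup.)"""
        recs = [o for o in self.history if o.path == path]
        return bool(recs) and recs[-1].ok

    def tamper_windows(self, path: str) -> list:
        """Historical view: (first_bad_ts, first_good_ts_after) for every mismatch window.
        An open window (still mismatching at the last fetch) ends with None."""
        windows, start = [], None
        for o in self.history:
            if o.path != path:
                continue
            if not o.ok and start is None:
                start = o.ts
            elif o.ok and start is not None:
                windows.append((start, o.ts))
                start = None
        if start is not None:
            windows.append((start, None))
        return windows


# Constructed sample bundles: the release build and a copy with an unauthorized addition.
CLEAN_BUNDLE = b"// constructed sample: release build of a wallet frontend\nexport function buildTx(p){return p;}\n"
TAMPERED_BUNDLE = CLEAN_BUNDLE + b"// constructed sample: unauthorized addition\n"


def demo() -> IntegrityMonitor:
    """Three constructed fetches: clean, modified, clean again (the attacker restored the file)."""
    mon = IntegrityMonitor(pinned={"app.js": sri_hash(CLEAN_BUNDLE)})
    mon.observe(100, "app.js", CLEAN_BUNDLE)
    mon.observe(160, "app.js", TAMPERED_BUNDLE)
    mon.observe(220, "app.js", CLEAN_BUNDLE)
    return mon


if __name__ == "__main__":
    m = demo()
    print("current copy matches release:", m.currently_ok("app.js"))   # True, cleanup already happened
    print("tamper windows:", m.tamper_windows("app.js"))               # [(160, 220)]
```

Two design notes. The pinned hashes have to come from the build or release pipeline, not from whatever is currently served, otherwise a modified file simply becomes the new baseline. And because the payload described above only fired for specific addresses, exercising the interface with a random test address would not have revealed it; comparing bytes against the release build does not depend on triggering the behaviour. The browser-side counterpart is the `integrity` attribute on `<script>` tags, which only helps when the HTML that references the bundle is itself trusted.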
Safe, for its part, gave minimal information and promised to say more once the investigation is complete.
#cz_binance also reacted negatively to Safe's report, because nothing is really clear from it.
Anyway, it's another reminder that regular users have nothing to hope for at all except their paranoia hehehe 🥹
#chainalysis btw posted a graph of how Lazarus is trying to launder the money. What do you think? Isn't that art? 🥲