The recent security breach at Bybit has sent shockwaves through the cryptocurrency world, marking what is being called one of the largest digital asset thefts in history. CoinJar is not affected by this incident. Here’s a breakdown of what we know and what may have happened.
Bybit, a major cryptocurrency exchange, suffered a security breach in which a large amount of Ether (ETH) was drained from one of its multi-signature cold wallets.
In a statement, Bybit reported that approximately $1.5 billion worth of digital assets were compromised.
Based on the investigation so far (Bybit’s own and the forensic work it commissioned), here is a simplified explanation of the attack chain:
1. Compromised developer computer
A computer belonging to a Safe{Wallet} developer was compromised, giving the attackers a foothold inside Safe’s environment.
Safe (Safe Global) provides multi-signature smart-contract wallets and the web interface used to propose and sign transactions from them. CoinJar does not use Safe for its crypto storage.
2. Malicious code inserted on AWS
Using that foothold, the attackers gained access to the Amazon Web Services (AWS) S3 bucket from which Safe served the JavaScript files of its web interface, and injected malicious JavaScript into those files.
3. Supply chain attack trigger
The injected code was designed to alter the contents of a transaction during the signing process. It activated only when the transaction originated from Bybit’s multisig contract address; for other Safe users the interface behaved normally, which kept the change from being noticed.
4. Swift cover-up
Two minutes after the malicious transaction was executed, the attackers replaced the tampered files in the S3 bucket with clean versions, removing the direct evidence of the tampering.
5. Impact on Bybit
When Bybit’s signers approved what looked like a routine transfer through Safe’s interface, the malicious script silently changed the transaction they actually signed, while the interface still displayed the transfer they expected. Only transactions associated with Bybit were affected.
This underscores that the attack started in Safe’s infrastructure (a developer machine and the storage serving its web interface) rather than in Bybit’s own systems.
A number of commentators have pointed out that, in hindsight, certain security measures appear to have been inadequate. They make a few points.
Commentators say that even though the attackers used a sophisticated supply chain approach, Bybit’s internal processes should have caught the discrepancy between the transaction shown on screen and the transaction actually being signed.
In particular, when moving large sums (in this case over $1 billion), exchanges typically verify the transaction details on a separate, air-gapped machine (a completely isolated computer), and confirm the destination address and call data on the hardware wallet’s own screen rather than trusting the web interface.
While some aspects of this hack may appear “basic”, the broader supply chain tactic was sophisticated: it relied on compromised third-party code that would not have been easy to detect in real time. Any system can be vulnerable when attackers gain access through indirect avenues such as a trusted vendor.
According to industry best practices, large transfers should be verified more than once, especially if initiated through an external service. Some commentators believe Bybit could have implemented stronger fail-safes to confirm transaction details independently of Safe’s code.
Bybit’s CEO, Ben Zhou, has pledged to reimburse affected users, reassuring customers that their losses will be covered.
Bybit is reportedly working on securing bridge loans to cover losses, while emphasising its commitment to transparent communication with the community.
Bybit has partnered with blockchain forensic companies to track the stolen funds. Its prompt and open response has been relatively well received, helping maintain some degree of market confidence despite the severity of the incident.
The Bybit hack, while a devastating blow to the exchange and its users, is a stark reminder of the ever-evolving threats in both traditional and decentralised finance.
Although commentators have criticised Bybit for procedural lapses (such as the lack of an independent transaction-verification step), this breach also reveals the complexity of supply chain attacks. They often only become clear after the damage is done, because attackers exploit trust relationships with third parties and cover their tracks swiftly.
Bybit’s quick and transparent response, along with its pledge to reimburse users, has helped mitigate the immediate fallout. While some suggest that only a state-sponsored attacker could pull off such a large-scale theft, the exact identity of the perpetrators remains unknown.
What is certain is that criminals continue to refine their methods, and vigilance remains crucial.
The finance industry, whether in the traditional space or the crypto realm, must accept the reality of increasingly sophisticated cyber threats.