Bybit loses $1.5B in hack

320 points by tuananh 3 months ago

43 comments

mdaniel 3 months ago
a related blog from Trail of Bits about the opsec failure of this: https://news.ycombinator.com/item?id=43140754
rkagerer 3 months ago
There's some info and speculation in these two (distinct) articles, but I'd love to know technical details of where the gaffes were.

eg. Was client software compromised? Did the multisig keyholders succumb to social engineering? Were the signers using airgapped machines / hardware devices?

https://archive.ph/YMZrq

https://blockworks.co/news/bybit-hack-raises-security-questions
philipwhiuk 3 months ago
It's obviously not a cold wallet if it's connected to the exchange.
plantain 3 months ago
How on earth is it possible they can cover a 1.5B loss? Are they really sitting on that much profit, or is the goal to ponzi it out from here, MtGox style?
Geee 3 months ago
There should be something like a "finalizing transaction", which both the sender and receiver need to sign after the first transaction has been mined, i.e. like an in-built escrow. If it's not signed by both, then funds are returned. This wouldn't protect against key leakage, but in this case, the tx was signed by accident. This would also protect against sending to wrong address.
zer0x4d 3 months ago
I'm a huge crypto believer but I can admit that we don't have a serious system if a person can just transfer over $1.5B from a well known crypto cold wallet to different accounts with nothing flagging it and no way to reverse it.
UncleMeat 3 months ago
"Please rest assured that all other cold wallets are secure."

Unreal.
qingcharles 3 months ago
Can someone even explain what Bybit is actually about? I searched around when the hack was announced, but I'm very confused. Mostly what I saw said "scam" on it.

This isn't your run-of-the-mill Coinbase style exchange, right?
mkagenius 3 months ago
A crypto exchange WazirX was hacked for ~$300M, roughly 50% of the users' funds gone.

There is no action on the CEO since the hack in July 2024. He sits in Dubai. He just got a nod from Supreme Court of SG to just average out the funds and distribute it among the users.

No action has been initiated against the company/ceo for losing the fund. He is geared up to launch another company/exchange.
sleazebreeze 3 months ago
What are the chances that a Bybit insider is behind this?
karmakaze 3 months ago
I have no idea how crypto exchanges work. Could someone ELI5 some of this? I have questions:

Did the cold storage wallet contain users' ETH? That seems implied by "Can Cover Loss".

If so, why does a crypto exchange hold users' ETH in a wallet that can execute transactions without said user's authorization/password for each transaction. Doesn't even Facebook require entering a password every time to change certain profile settings?

Or maybe more generally, why does there need to be such a large cold-storage wallet to run an exchange?

Also how or why would they have the assets to be able to cover this?

There's some other seemingly conflicting info I found in searches for Bybit:

- Bybit is not legal in Canada. Bybit is restricted in Canada and other jurisdictions, including the United States, the United Kingdom, and Singapore.

- Bybit originates from Singapore, a global hub for cryptocurrency and blockchain technology. Singapore has a favorable regulatory environment for cryptocurrencies, which has attracted many exchanges to establish their headquarters there.

- There's also a mix of results where some say Bybit is safe/secure and others saying they aren't (irrespective of this event). This story seems to indicate that they had measures to make it safe, but it didn't save them.
rNULLED 3 months ago
> have a wallet, work at bybit
> understand backdoor
> steal money from your account, some from others
> bybit pays you back
> still have money you stole
walterbell 3 months ago
  Bybit CEO Ben Zhou wrote on X that a hacker "took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address."

"Control" has a specific meaning under UCC Article 12, which was ratified in 2022 and is slowly being adopted by U.S. states. It links some rights to control/possession of keys, even if a blockchain asset may have been stolen before being sold, https://www.clearygottlieb.com//news-and-insights/publication-listing/ucc-digital-asset-amendments-finalized

> Article 12 – dealing directly with the acquisition and disposition of interests (including security interests) in “controllable electronic records,” which would include Bitcoin, Ether, and a variety of other digital assets ... a good faith purchaser for value who obtains control (a “qualifying purchaser”) takes its interest free of conflicting property claims... Control under Article 12 is designed to be a technology-neutral functional equivalent of “possession.” It generally encompasses circumstances when a party has the “private key”
ArtTimeInvestor 3 months ago
When even professional companies that have billions of dollars under management can't securely manage their crypto assets, how likely is it that individuals can?
mvdtnz 3 months ago
Remember the golden rule that when it comes to crypto it is a scam 100% of the time. Congrats to the Bybit CEO on his newfound wealth.
fennecbutt 3 months ago
And they keep everything in one wallet why?!?!

Surely you'd allocate a new wallet/1m roughly and always keep it spread.
jauntywundrkind 3 months ago
Terrifying to imagine how much funding terrorist states might be getting by hacks like this.
scrlk 3 months ago
I wouldn't be surprised if Bybit cuts a deal with the hacker to return the funds. There's no way that $1.46 billion of marked ETH can be liquidated and off-ramped to fiat.
thesumofall 3 months ago
In case of a state actor just imagine the weapons that could be bought with this kind of money and the potential lives lost due to this mess
insane_dreamer 3 months ago
Given how many of these exchanges have been hacked (or were fraudulent), how is it that people still use them?
czhu12 3 months ago
Their English Wikipedia page is deleted as of 1:42am pst. Any idea what that’s about?
nodesocket 3 months ago
My understanding is that the original transaction was a small fraction of the total balance of ETH in the wallet. How then were they able to liquidate the entire ETH wallet?
Animats 3 months ago
Who says ByBit can cover the loss? The article title says that but the article quotes do not. The CEO only said that their other cold wallets are intact and that withdrawals remain normal.

Bybit claims to be regulated by the Virtual Assets Regulatory Authority of Dubai.[1] But the lookup page at VARA says they only have "In-principle approval", not a full license. "Applicants holding an IPA are strictly prohibited from initiating operations, conducting any virtual asset activities, or servicing clients until they have obtained their full VASP licence from VARA."

Uh oh.

[1] https://www.vara.ae/en/licenses-and-register/public-register/
fjjjrjj 3 months ago
More like byebit.

Unregulated asset exchanges. Haven't we been there before a loong time ago?
sub7 3 months ago
These are not hacks, just like Mtgox, Celsius, FTX etc etc etc were not hacks. These are crypto insiders supporting the stablecoin so they can print and set a floor on prices before/during potential mass sell off events.
m00dy 3 months ago
We are in the middle of the bull market. fyi.
lofties 3 months ago
> "Please rest assured that all other cold wallets are secure. All withdrawals are normal," he added.

There are no American infidels in Baghdad. Never!
ycombinatrix 3 months ago
> Bybit CEO Ben Zhou wrote on X that a hacker "took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address."

Um how tf does a cold wallet get hacked?
k__ 3 months ago
Whelp, you better shorted $SAFE.
gosub100 3 months ago
[flagged]
jameson 3 months ago
I found it funny that the idea of blockchain, which, the system trusts no single entity but trusts transaction consensus, yet one trusts a single entity who holds your wallet and risk of losing if they get hacked while there's no mediators/regulators to revert the transaction
russnes 3 months ago
Kim Jong 1337 hacker strikes again
throwaway_v 3 months ago
woops
tombert 3 months ago
The entirety of the cryptocurrency world is so obviously a "Chesterton's Fence" situation.

Every pseudo-intellectual thinks that the fiscal world is "too complicated" and they're going to "simplify" it by making some token, only for people to realize that the monetary world *is just complicated*, and they have to reinvent everything that already existed in the traditional banking system.

I had to do some work on an ACH system a couple years ago [1], and I read through a large chunk of the ACH standard, which was about 800 pages. It's easy to see and hear that and think "that's way too complicated, what could possibly be so hard about money transfers that necessitates a 700 page specification??", but as I read it and saw how many edge cases it took into account, it was easy to see why it got so huge. It turns out that dealing with money is just a really hard problem at scale.

I fell for the cryptocurrency hype of 2021, and I will fully acknowledge that that came out of a complete lack of understanding of how fiscal systems work. I wish everyone else would just grow up already.

[1] Usual disclaimer: not hard to find my work history, it's not hidden, but I ask that you do not post anything about it (or at least any proper nouns about it) here.
tw1984 3 months ago
another "exchange was hacked" story, why I am not surprised.
huang_chung 3 months ago
Society has devolved a bit when not long ago a heist like this would involve sieging Nakatomi Plaza, now it takes just finding a bug in someone's defective Python codes.
chabes 3 months ago
From the article:

> The wallet in question appears to have sent 401,346 ETH ($1.1 billion) as well as several other iterations of staked ether (stETH) to a fresh wallet, which is now liquidating mETH and stETH on decentralized exchanges, etherscan shows. The wallet has sold around $200 million worth of stETH so far.

If you showed me a paragraph like this a decade ago and told me it was from 2025, I would have a difficult time believing you.
FabHK 3 months ago
Crypto use case: Finance North Korea's nuclear missile program.
faefox 3 months ago
[flagged]
toomuchtodo 3 months ago
https://www.web3isgoinggreat.com/
ChrisMarshallNY 3 months ago
As Frank Drebin would say, “Nothing to see here.”

https://youtube.com/watch?v=aKnX5wci404
guluarte 3 months ago
[flagged]
medellin 3 months ago
Old man yells at cloud vibes every time a crypto post comes on HN.

No interesting discussions ever. Just axes being sharpened and people who dislike it taking the opportunity to gloat. I would characterize the pro crypto people but I don’t see any. Which is sad because over the last 5 years I have found crypto, bitcoin, and stable coins to be extremely useful when helping family members in emerging markets.

But hey it’s all trash, the west doesn’t need it so let’s all dance on its grave.. I guess we will keep dancing for another 15 years.