ByBit stolen $1.5 billion, North Korean hacker group commits the biggest theft in crypto history
Editor
3 hours ago 925


There are hacks every year, and this year is no exception.

As we all know, in the dark forest of the crypto world, theft and anti-theft exist in a delicate balance: hackers run rampant while security standards are raised in one stress test after another, and public responsibility, a rare word in the cryptocurrency field, is placed before projects and platforms again and again, testing the "magnanimity" of each platform and the "joint strength" of the market.

Shortly after the start of the year, another vicious incident occurred. On the evening of February 21, the exchange Bybit was hit by a hack worth $1.46 billion. By amount alone, this is already the largest hack in cryptocurrency history.

Tracing the hackers back to their source, the mysterious North Korean group Lazarus Group has surfaced once again.

Rewind to February 21, an ordinary Friday night on which something extraordinary happened in the crypto market. At 23:27, the monitoring channel of on-chain detective ZachXBT reported that suspicious outflows from Bybit totalled more than $1.46 billion.

Then crypto KOL Finish also posted to confirm that on-chain data showed the Bybit multisig address transferring ETH worth $1.5 billion and using DEXs to convert LSD assets into native ETH. He stressed that the address was swapping through 4 different DEXs, which would cause large slippage and trading losses, and that a transaction volume this large was obviously unusual.

At 23:44, Bybit co-founder and CEO Ben Zhou posted a statement confirming this, saying that the hacker had taken control of one specific ETH cold wallet, but that the remaining cold wallets were safe and withdrawals were normal. This undoubtedly confirmed the hack, and the $1.5 billion stolen sent the market into a panic for a time.

According to CoinMarketCap data, Bybit held $16.2 billion in reserve assets before the hack, so the $1.5 billion stolen amounts to about 8.64% of reserves. By amount alone, this is the largest hack in cryptocurrency history, exceeding the $610 million stolen from Poly Network in 2021. Even outside crypto, a $1.5 billion fraud would be shocking in traditional finance. After the incident, the Bybit hacker held more ETH than Fidelity and Vitalik, about 0.42% of the total Ethereum supply, making it the 14th-largest holder in the world.

The hackers appeared well versed in the operation. Shortly after the theft, they split 490,000 ETH across 49 addresses, and later began laundering the funds through coin mixers.

Although Bybit spoke out promptly, saying its solvency was sufficient, quickly held a live Q&A and proposed a bridge loan to resolve the matter, the directly affected ETH price still fell 6.7% on the day, and Bitcoin also fell nearly 3% from its intraday high.

From this moment, Bybit and the hackers entered a life-or-death tug of war. On one side, Bybit needed to close the potential asset shortfall as quickly as possible and face users' panic withdrawals, or even a run. On the other, the exchange was also obliged to use every means available to stop the hackers from cashing out.

Notably, after the incident the major exchanges joined forces and quickly staged a rescue. The first-tier exchanges Binance, OKX, HTX and HashKey launched support quickly, and CZ also offered solutions in a timely manner. What was surprising is that the second-tier exchanges huddled together and directly delivered a wave of timely help. Bitget showed a remarkable big-picture attitude, lending 40,000 ETH to Bybit in the shortest time. Of course, such a huge amount inevitably implies the possibility of a community of interests behind it, but support in real money still reflects a warmth that is rare in the industry.

MEXC's hot wallet also transferred 12,652 stETH to a Bybit cold wallet. Before Binance itself moved, the whales came first: giant whales provided about 67,000 ETH. Du Jun of ABCDE also posted on social media that he would transfer 10,000 ETH to Bybit and not withdraw it for a month. According to Ember Monitoring, five institutions and individuals provided loan support to Bybit, totalling about 120,000 ETH, worth about $321 million.

Thanks to the CEO's effective actions and the industry's joint efforts, at 9 a.m. on February 22 Bybit CEO Ben Zhou said that 99.994% of withdrawals had been completed and that all Bybit Exchange services, including withdrawals, had returned to normal. The same day, monitoring agencies such as SoSoValue also stated that Bybit had covered its funding gap, noting that the platform had seen inflows of more than $4 billion in the previous 12 hours. According to the latest news today, Ben Zhou tweeted that Bybit has completely filled the ETH gap and that a new audited proof-of-reserves (POR) report will be released soon. Lookonchain also observed that Bybit has obtained 447,000 ETH through various channels.

The run is being resolved, and the industry is also working hard against the hackers. Bybit said it had filed a case for investigation, and through the coordinated efforts of multiple parties it froze $42.89 million of the stolen funds within a day. The institutions providing assistance include Tether, THORChain, ChangeNOW, FixedFloat, the Avalanche ecosystem, CoinEx, Bitget and Circle. It has to be admitted, though, that even so, completely blocking the hackers from selling tokens in crypto's decentralised market remains very difficult. As of 9 a.m. today, the Bybit hackers had exchanged 50,700 ETH ($142 million) for DAI and other assets on-chain, and currently hold 448,600 ETH ($1.26 billion). Over a longer timeline, these funds will sooner or later be sold off.

How exactly could hackers bypass the industry's highest security standards and openly walk away with $1.5 billion?

Soon, further details of the attack were disclosed. Bybit's official Twitter account said Bybit had detected unauthorised activity involving one of its ETH cold wallets. At the time, the ETH multisig cold wallet was performing a transfer to a hot wallet. Unfortunately, the transaction was manipulated by a sophisticated attack that masked the signing interface, displayed the correct address, and changed the underlying smart contract logic. As a result, the attacker gained control of the affected ETH cold wallet and transferred its assets to an unidentified address.

The attack method is actually not complicated. In short, every exchange has cold wallets and hot wallets: cold wallets store assets securely, hot wallets serve daily trading needs, and funds move between the two. This time the hacker watched that process closely. When Bybit moved funds from a cold wallet to a hot wallet as usual, the hacker substituted a fake transaction interface and link, a phishing attack. Since cold wallets usually use a multisig scheme, the hackers also used social engineering to compromise the person or device that initiated the transaction, so that the subsequent approvers lowered their guard. Seeing the initiator's transfer request, the approvers did no further review and simply clicked approve, and once they approved, the wallet's permissions were handed to the hacker. In other words, the hackers did not attack Safe's multisig protocol itself; they designed a scheme aimed at human weakness.

A Safe front-end intrusion plus social engineering quickly reminded the market of the notorious perpetrator: the North Korean hacker group Lazarus Group. In earlier cases, Radiant Capital and WazirX were both robbed by similar methods: the attackers broke in and replaced the content signed by the employees holding the multisig keys, upgrading the Safe contract with a deployed malicious contract. Once the operation succeeded, the funds were quickly moved through coin mixers and withdrawn, after which the trail went silent.
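The two passages above describe the same pattern: the signer's screen shows a routine cold-to-hot transfer while the payload actually signed carries a different target, a delegatecall, or a contract upgrade. The following is an added example (not from the article, Bybit, or Safe) of the pre-signing check a treasury signer can run on the raw transaction fields before approving; the field layout (to, value, data, operation) follows Safe's transaction structure, while the allowlist, addresses and sample payloads are constructed placeholders.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
# 4-byte selector of transfer(address,uint256): the only call a routine token
# transfer should carry. A plain ETH transfer carries no calldata at all.
TRANSFER_SELECTOR = "a9059cbb"

@dataclass
class SafeTx:
    to: str
    value: int
    data: str        # hex calldata; "0x" for a plain ETH transfer
    operation: int   # 0 = CALL, 1 = DELEGATECALL

def _norm(v):
    return v.lower() if isinstance(v, str) else v

def check_safe_tx(payload, shown, safe_address, allowlist):
    """Return a list of findings; empty means the raw payload matches what
    the signer was shown and carries no risky settings."""
    findings = []
    if payload.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code runs inside the Safe's own storage")
    if _norm(payload.to) == _norm(safe_address):
        findings.append("target is the Safe itself: a self-call can change its implementation or modules")
    if _norm(payload.to) not in {_norm(a) for a in allowlist}:
        findings.append("target is not an allowlisted hot wallet")
    selector = payload.data[2:10].lower()
    if payload.data != "0x" and selector != TRANSFER_SELECTOR:
        findings.append(f"calldata selector 0x{selector} is not transfer(address,uint256)")
    for name in ("to", "value", "data", "operation"):
        if _norm(getattr(payload, name)) != _norm(getattr(shown, name)):
            findings.append(f"{name} in the signed payload differs from the value shown in the UI")
    return findings

# Constructed sample: SAFE, HOT and ATTACKER are placeholder addresses.
SAFE, HOT, ATTACKER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
ALLOWLIST = {HOT}
SHOWN = SafeTx(to=HOT, value=10**18, data="0x", operation=CALL)      # what the UI displays
BENIGN = SafeTx(to=HOT, value=10**18, data="0x", operation=CALL)     # honest payload
TAMPERED = SafeTx(to=ATTACKER, value=0, data="0x" + "de" * 4, operation=DELEGATECALL)

def demo():
    return check_safe_tx(BENIGN, SHOWN, SAFE, ALLOWLIST), check_safe_tx(TAMPERED, SHOWN, SAFE, ALLOWLIST)

if __name__ == "__main__":
    for findings in demo():
        print(findings or ["OK: payload matches what was shown"])
```

The check only helps if the fields come from the device that actually signs (for example a hardware wallet's own display), not from the same web front end that may have been tampered with.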

This suspicion was confirmed. Four hours after the incident, on-chain detective ZachXBT presented conclusive evidence that the attack on Bybit was carried out by the North Korean hacker group Lazarus Group.

In the derogatory sense, Lazarus is undoubtedly a terrifying presence in the industry. That the world's top hacker group should come from North Korea, a country with a low level of modernisation, is rather dissonant and absurd. Lazarus Group's first battle was Operation Troy in 2009: the hackers used DDoS, a common attack, to break into South Korean targets and successfully planted Independence Day commemoration text in the master boot records (MBRs) of 36 websites.

After that, Sony Pictures and the Federal Reserve Bank of New York were attacked one after another, and the WannaCry ransomware attack affected nearly 200,000 computers in 150 countries, making the group famous in a single stroke. Beginning in 2017, the group shifted its targets to the more anonymous crypto field; Bithumb and NiceHash both fell victim. In recent years the group has been behind the $620 million Ronin theft and the $100 million Horizon Bridge theft. A report by blockchain security platform Immunefi said Lazarus Group was responsible for more than $300 million in cryptocurrency hacking losses in 2023, 17.6% of that year's total. In 2024, WazirX was also attacked and lost $234.9 million in crypto assets.

The attacks succeed again and again, the sums are huge, and even the US Department of Justice's pursuit has come to nothing. This group sows chaos in the lawless territory of the internet and continuously generates foreign exchange revenue for its homeland, North Korea. Some may wonder: how did North Korea cultivate such formidable hackers?

In fact, this is also a move North Korea was forced into. Under long-term sanctions, compared with defence matters such as guns and artillery that require huge real investment, training hackers in the digital world is by far North Korea's most cost-effective option. Since the 1980s, North Korea has run hacker training under the code name "Secret War", recruiting students with the Automation University as its core base. The application elimination rate is said to be 80%, and even those admitted must undergo up to 9 years of strict training. They are given a mission from childhood, assigned to different groups according to the region they will attack, and may even go undercover and blend into the local culture to complete mission objectives.

Of course, the huge profits are not lacking either. Hackers can earn up to $2,000 a month and are provided with luxury apartments of more than 185 square metres in the city centre. Although that may not seem like much to hackers elsewhere, in North Korea, where per capita annual income is under $1,000, they can be regarded as the top of the pyramid.

Good and evil are hard to judge in the adult world. For the users who suffered this undeserved disaster, Lazarus can be regarded as pure evil; but for North Korea, every action by the hackers represents revenue and contribution, which may be a great benefit to ordinary people.

Amid this interweaving of good and evil, what the crypto field can do is keep raising security standards and build more complete security mechanisms and crisis-response plans, so as to face aggressive attacks and preserve fragile assets in the dark forest.

It is worth mentioning that this Bybit incident is undoubtedly a great rescue in crypto history. Whatever the reasons, the confidence and courage the industry showed in pulling together still moved the market and became a rare glimmer of human nature in garbage time. Perhaps everyone knows that today's market can no longer withstand a hack of this scale. Interestingly, in the face of such a high-profile attack, the US regulators so fond of long-arm jurisdiction seem to have remained silent; the new era of regulation lives up to its name.

But in any case, improving security is the top priority every user should pay close attention to. This time it was Bybit, with its strong capital, so everyone supported it; although the amount stolen was large, it is only Bybit's profit for a year. But the crypto world is never just Bybit: countless thefts leave no ripple, there is nowhere to ask for help, and retail investors losing their money to theft is the norm in the industry. For ordinary users, how to strike a balance between security and efficiency will be an eternal question.
