An investigation by the cybersecurity company Sygnia has traced the cause of the $1.4 billion Bybit hack to the popular multi-signature wallet Safe Wallet.
The investigation “suggests that the root cause of the attack is malicious code originating from Safe Wallet’s infrastructure,” said the Sygnia report, seen by DL News. “So far, the forensic investigation has not found any compromise of Bybit’s infrastructure.”
Safe Wallet confirmed the findings in an X post and reassured users that their funds were safe.
“The Safe Wallet team has fully rebuilt and reconfigured all infrastructure and rotated all credentials, ensuring that the attack vector is completely eliminated,” Safe said, adding that Sygnia’s report found no vulnerability in Safe’s smart contracts or source code.
On Friday, the crypto exchange Bybit suffered a $1.4 billion hack that rocked the industry. Security researchers quickly linked the attack to the Lazarus Group, a North Korean state-sponsored hacking group.
An independent investigation by the security firm Verichains reached the same conclusions as Sygnia.
How it worked
Sygnia’s findings reveal a complex and targeted attack against Bybit.
The hack began with Lazarus compromising one of Safe Wallet’s developer machines at an unknown point before the theft, according to Sygnia’s report.
It is not known whether access credentials for Safe Wallet’s systems were leaked or whether Lazarus gained access by other means.
Lazarus has previously hacked crypto companies using social engineering techniques. This often involves tricking employees into unknowingly downloading malware or clicking on malicious links.
Once Lazarus had access, it injected code into the data served by Safe Wallet’s cloud provider, Amazon Web Services, affecting the wallet provider’s website. The malicious code was designed to activate only when Bybit’s wallet requested a transaction.
That code was triggered when Bybit attempted to transfer funds from the targeted wallet on Friday.
On the surface, nothing appeared out of the ordinary to the three Bybit employees who signed the transaction. But under the hood, the malicious code had altered the contents of the transaction so as to hand Lazarus the ability to execute transactions from Bybit’s wallet.
Once the transaction was signed, Lazarus gained the ability to move $1.4 billion worth of ether and staked ether tokens out of the Bybit wallet.
“This only reinforces what many security researchers have already said: sensitive transaction payloads should be verified independently of the front-end interface,” Michael Lewellen, head of solutions engineering at Blockaid, told DL News.
Lazarus covers its tracks
Even after Lazarus had executed its attack, it was not done.
Just two minutes after the malicious transaction was executed, Lazarus deleted the malicious code from Safe Wallet’s infrastructure, covering its tracks.
Sygnia said it confirmed that Lazarus had injected and then deleted the malicious code by examining timestamped snapshots in public web archives.
Lazarus’ attempt to cover its tracks suggests it may have wanted to use the same attack method again.
Several high-profile crypto companies and DeFi protocols use Safe wallets, including oracle provider Chainlink, a $32 billion lending protocol and Ethereum layer 2 Starknet, according to Safe Wallet’s website.
“The hack could have been much worse if the hackers had tried to compromise other high-value multisigs and not just Bybit’s,” Lewellen said.
Sygnia said its investigation into the hack was still underway.
Tim Craig is DL News’ DeFi correspondent based in Edinburgh. Reach Tim with tips at Tim@dlnews.com.
Aleks Gilbert is DL News’ DeFi correspondent based in New York. You can reach him at Aleks@dlnews.com.