Bybit has offered a reward of 10% of any recovered funds, in a bid to claw back some of the $1.4bn in cryptocurrency that was stolen late last week.
In what has been described as the largest ever crypto theft, North Korea’s Lazarus Group is suspected of carrying out the Ethereum attack on the Dubai-based exchange on Febrary 21.
“Bybit detected unauthorized activity involving one of our ETH cold wallets. The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic,” Bybit explained in a post on X (formerly Twitter).
“As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address. Our security team, alongside leading blockchain forensic experts and partners, is actively investigating the incident,” the firm said.
Read more on crypto heists: Attackers Steal $618m From Crypto Firm.
Blockchain analysis firm Elliptic explained that the threat actors worked through a familiar two-stage money laundering process following the theft.
“The first step is to exchange any stolen tokens for a ‘native’ blockchain asset such as Ether. This is because tokens have issuers who in some cases can ‘freeze’ wallets containing stolen assets, whereas there is no central party who can freeze Ether or Bitcoin,” it said.
“This is exactly what happened in the minutes following the Bybit theft, with hundreds of millions of dollars in stolen tokens such as stETH and cmETH exchanged for Ether.”
Stage two involves “layering” the stolen funds in order to obfuscate the transaction trail, complicating tracing efforts long enough to enable the actors to cash out.
“Lazarus is currently engaged in this second stage of laundering. Within two hours of the theft, the stolen funds were sent to 50 different wallets, each holding approximately 10,000 ETH,” Elliptic continued.
“These are now being systematically emptied – as of 10pm UTC on February 23, 10% of the stolen assets (now worth $140m) have been moved from these wallets.”
Once moved out of these wallets, Lazarus may use decentralized exchanges, cross-chain bridges and centralized exchanges to further launder the funds, as well as mixers and an exchange called eXch which allows users to swap crypto assets anonymously.
In the meantime, Bybit has pledged up to $140m to “reward ethical cyber and network security experts who play an active role in retrieving the stolen cryptocurrencies in the incident.”
It praised the work of industry groups that came together to help trace, block and recover some of the stolen funds. For example, the mETH Protocol team successfully recovered 15,000 cmETH tokens worth around $43m, Bybit said.
The world’s second-largest cryptocurrency exchange also released a new API, which it said will update a list of suspicious wallet addresses identified so far and help streamline recovery efforts.
Bybit said it is also planning to a HackBounty platform that is currently under development, designed to empower the entire industry in tracking down hackers.
Crypto Community Continues to Face Cyber Challenges
Santiago Pontiroli, Acronis lead researcher, said the incident itself highlights the ongoing security challenges facing the crypto community.
“In this case, a combination of social engineering and a malicious but custom-crafted smart contract granted the attackers the keys to the kingdom,” he added.
“It reinforces the importance of maintaining control over private keys through hardware wallets or self-custody solutions to mitigate the risks associated with exchange vulnerabilities. It also emphasizes the critical need for heightened scrutiny over transactions, as blindly accepting interactions with smart contracts can open the door to malicious exploits.”
Bybit promised that no customers would be left out of pocket by the incident. As of Monday morning, it said on X that it was “close to 100% on our ETH reserves,” with deposits and withdrawals back to normal.
“I am energized by the incredible camaraderie on-chain and in real life. This can be a transformative moment for our industry if we get it right. Together, we can build a stronger defense system against cyber threats,” said Ben Zhou, co-founder and CEO of Bybit.