The $1.4 billion hack of Bybit was not just the biggest exploit in crypto history; it was a major test of the industry's crisis management capabilities, one that highlights how it has matured since the FTX collapse.
On February 21, North Korea's Lazarus Group made off with $1.4 billion in Ether (ETH) and related tokens in a breach that initially sent chills through the entire crypto world, but the alarm was quickly quelled as the industry rallied behind Bybit to manage the fallout.
Below is a look at how the attack unfolded, how Bybit responded, and where the stolen funds are moving.
Source: Elliptic
February 21: The breach
The Bybit hack was first discovered by onchain sleuth ZachXBT, who warned platforms and exchanges to blacklist addresses associated with the hack.
Shortly afterward, Bybit co-founder and CEO Ben Zhou confirmed the exploit and began providing updates and information about the breach.
A post-mortem from Chainalysis initially stated that Lazarus executed phishing attacks to access the exchange's funds, but the analysis was later updated to report that the hackers took control of a Safe developer's computer rather than compromising Bybit's systems.
The attackers managed to "reroute" about 401,000 ETH, worth $1.14 billion at the time of the exploit, and moved it through a network of intermediary wallets.

The complex network of wallets, swaps and crosschain transfers used by the hackers to hide the funds. Source: Chainalysis
February 21: Bybit confirms its wallets are safe, Ethena is solvent
The exchange was quick to assure users that its remaining wallets were safe, announcing just minutes after Zhou confirmed the exploit that "all other cold wallets are still completely safe. All customer funds are safe, and our operations continue as usual without any disruption."
A few hours after the hack, customer withdrawals remained open. Zhou said in a question-and-answer session that the exchange had approved and processed 70% of withdrawal requests at the time.
Decentralized finance platform Ethena told users that its yield-bearing stablecoin, USDe, was still solvent after the hack. The platform reportedly had $30 million in exposure to financial derivatives on Bybit, but it managed to offset the losses through its reserve fund.
February 22: The crypto industry lends a helping hand, hackers blacklisted
A number of crypto exchanges moved to help Bybit. Bitget CEO Gracy Chen announced that her exchange had loaned Bybit about 40,000 ETH (about $95 million at the time).
Crypto.com CEO Kris Marszalek said he was directing his company's security team to provide assistance.
Exchanges and other outfits began freezing funds related to the hack. Tether CEO Paolo Ardoino posted on X that the company had frozen 181,000 USDT connected with the hack. Polygon's chief information security officer, Mudit Gupta, said the Mantle team managed to recover about $43 million in funds from the hackers.
Zhou posted a note on X, tagging a number of prominent crypto companies that he said had helped Bybit, including Bitget, Galaxy Digital, the TON Foundation and Tether.

Source: Ben Zhou
Bybit also announced a bounty program offering up to 10% of the recovered funds, with more than $140 million up for grabs.
February 22: Run on withdrawals, Lazarus moves funds
After the incident, user withdrawals brought the exchange's total asset value down by $5.3 billion.
Despite the run on withdrawals, the exchange kept them open, albeit with delays. Bybit's independent proof-of-reserves auditor, Hacken, confirmed that reserves still exceeded liabilities.
Meanwhile, blockchain trackers showed that Lazarus continued to split the funds into intermediary wallets, further obscuring their movement.
In one example, blockchain analytics firm Lookonchain said that Lazarus had moved 10,000 ETH, worth $30 million, to a wallet identified as "Bybit Exploiter 54" to start laundering the funds.
A blockchain security company wrote that the funds were probably headed to a mixer, a service that hides the links between blockchain transactions, although "this may prove a challenge due to the huge size of stolen assets."
February 23: eXch, laundering continues, blacklists grow
Blockchain analysts ZachXBT and Nick Bax both claimed that the hackers were able to launder funds on the non-Know Your Customer crypto exchange eXch. ZachXBT claimed that eXch laundered $35 million of the funds and then sent 34 ETH to a hot wallet of another exchange.

Source: Nick Bax
eXch denied laundering money for North Korea, but it admitted to processing "a small part of the funds from the Bybit hack."
The funds "ultimately entered our address 0xf1da173228fcf015f43f3ea15abbb51f0D8F1123, which was an isolated case and the only part processed through our exchange, which will be donated for the public good."
To help identify wallets involved in the incident, Bybit released a blacklisted-wallet application programming interface (API). The exchange said the tool would help white hat hackers taking part in the aforementioned bounty program.
Bybit also managed to restore its Ether reserves to nearly half of where they stood before the hack, largely through spot purchases in over-the-counter trades after the incident, but also including the Ether lent by other exchanges.
February 24: Lazarus spotted on DEXs, Bybit closes the ETH gap
Blockchain sleuths continued to monitor the flow of funds now associated with Lazarus. Arkham Intelligence observed addresses associated with the hackers using decentralized exchanges (DEXs) to try to trade the stolen crypto for Dai (DAI).
Wallet activity showed some of the ETH stolen from Bybit interacting with Sky Protocol, Uniswap and OKX DEX. According to the trading platform LMK, the hacker managed to swap at least $3.64 million.
Unlike other stablecoins such as USDT and USDC (USDC), Dai cannot be frozen.
Zhou announced that Bybit had "closed the entire ETH gap", that is, replenished the $1.4 billion in Ether lost in the hack. His announcement was followed by a third-party report.

Bybit restored its Ether reserves to pre-hack levels. Source: Darkfost
February 25: War on Lazarus
Bybit launched a website dedicated to the recovery efforts, which Zhou promoted while calling on the crypto community to unite against the Lazarus Group. The site distinguishes between those who helped and those who refused to cooperate.

Nearly $95 million of the reported funds has been moved to eXch. Source: Lazarusbounty
The site highlights the individuals and entities that helped freeze stolen funds and awards them a 10% bounty, split equally between the reporter and the entity that froze the funds.
It also calls out eXch as the single platform that refused to help, claiming that it ignored 1,061 reports.
February 26: The FBI confirms Lazarus reports, Safe at the center
The US Federal Bureau of Investigation confirmed the widely held suspicion that North Korean hackers carried out the Bybit exploit, naming the actors responsible, known in cybersecurity circles as the Lazarus Group.
In a public service announcement, the FBI urged the private sector, including node operators, exchanges and bridges, to block transactions coming from Lazarus-linked addresses.

Source: Pascal Caversaccio
The FBI identified 51 suspicious blockchain addresses associated with the hack, while cybersecurity firm Elliptic flagged more than 11,000 intermediaries.
Meanwhile, post-incident investigations found that the exploit came through SafeWallet rather than through Bybit's infrastructure, as mentioned earlier.
February 27: THORChain volume explodes
Security firm TRM Labs flagged the speed of the Bybit hackers' laundering efforts as "especially worrying," with more than $400 million moved by February 26 through intermediary wallets, crypto conversions, crosschain bridges and DEXs. TRM also noted that most of the stolen proceeds had been converted to Bitcoin (BTC), a tactic commonly associated with Lazarus. Most of the converted Bitcoin remains parked.
Meanwhile, Arkham Intelligence found that Lazarus may have moved at least $240 million in ETH crosschain by swapping it for Bitcoin. Cointelegraph found that THORChain's total swap volume exploded past $1 billion in 48 hours.
THORChain developer "Pluto" announced his immediate departure from the project after a vote to block transactions linked to North Korean hackers. Meanwhile, Lookonchain reported that the hackers had laundered 54% of the stolen funds.
What the Bybit hack means for crypto
Bybit may have managed to fully restore its missing reserves, but the incident raised bigger questions about the blockchain industry and how hacks can be addressed.
Ethereum developer Tim Beiko quickly rejected a call to roll back the Ethereum network to recover Bybit's funds. He said the hack was fundamentally different from previous incidents, adding that "the interconnected nature of Ethereum and the settlement of onchain <> offchain economic transactions makes this difficult today."
The fallout from the Bybit exploit suggests that the Lazarus Group has become more efficient at moving funds across blockchains. TRM Labs investigators suspect that this may indicate an improvement in North Korea's crypto infrastructure or improvements in the capacity of the underground financial network to absorb illicit funds.
As the value locked on blockchain platforms grows, so does the sophistication of attacks. The industry remains a major target for North Korean state hackers, who are said to funnel their profits into financing the country's weapons program.