According to analysts, the attackers used a complex, multi-stage scheme involving phishing attacks on exchange employees and hacking the security system. We spoke with leading developer Evgeny Frolikov, who created a system that independently finds and fixes vulnerabilities in companies' software, about how cybercriminals managed to gain access to funds and withdraw them from the crypto wallet.
«The Bybit incident is not accidental. Over the past few years, crypto exchanges have repeatedly been attacked by hackers. According to statistics, cyberattacks are one of the main problems faced by crypto exchanges. Vulnerabilities in security systems and insufficient protection of user data provide fertile ground for criminals, and the lack of experienced cybersecurity specialists also exacerbates the situation.»
«The main feature of this hack is not the 'classic' theft of private keys, but the seizure of control over the multi-signature mechanism by replacing the 'master copy' of the smart contract. In simple terms, the hackers found a way to replace the 'engine' or basic code of the multi-signature wallet, which held most of the funds,» says Evgeny Frolikov.
How did this become technically possible, and why was the attack so effective?
On most crypto exchanges, cold (or 'upgradeable') wallets work in such a way that the wallet code can be changed if the required number of signatories confirm the 'request' for an update. Therefore, the hackers introduced a substituted transaction. To do this, the attackers deployed two special so-called smart contracts: a 'Trojan' contract, which created the appearance of a harmless transaction – that is, looked like a normal request to transfer tokens, and a 'Backdoor' contract, which gave the hackers full access to the wallet after the 'update'.
Employees who thought they were confirming a simple transfer of tokens were actually authorizing a wallet update that connected the attackers' 'backdoor' contract instead of the original secure code.
After the substitution was successful, the hackers gained full control over the wallet. They immediately used special functions ('sweepETH', 'sweepERC20') to 'sweep' all funds (ether and tokens) to their addresses. That is why the hackers managed to transfer 70% of the exchange's Ethereum assets in a matter of minutes.
Why might the crypto exchange's precautions and routine checks have failed?
Firstly, the signatories were misled: the employees who put their signatures relied on the 'readable' interface, which indicated 'safe' transfer details, and did not read the actual technical code they were signing. However, the real transaction data was hidden behind the interface. Even if the system has multi-stage control, social engineering or interface substitution can mislead several responsible persons at once.
And secondly, the flexibility of the upgrade: the ability to change the wallet code is convenient, but if additional checks are not configured, you can suddenly 'upgrade' it to a malicious version.
What lessons has the global crypto industry learned from this?
Based on my experience, I can note that a number of changes must occur to increase the level of security in the cryptocurrency industry for greater platform security. First of all, platforms should invest in protection technologies and hire cybersecurity experts. Crypto exchanges should develop stricter security protocols, including multi-factor authentication and user data encryption.
The second important step should be to open access to reserve funds. Creating separate, well-protected reserves will prevent complete loss of user funds in the event of a successful attack. Regular security audits and vulnerability testing of systems should also be actively conducted. If we talk about the main lessons for the market, I would list the following:
- Regular audit of upgradeable contracts. Any «upgradeable proxy» should be checked for the possibility of unauthorized change of the «master copy».
- Transparency of transactions: the people responsible for signatures should not only see a «beautiful description» of the operation, but also check exactly which code will be launched.
- Restriction of upgrade rights. You can use a stricter model in which a contract can only be changed after a «time window» so that other signatories and auditors have a chance to detect an anomaly.
- Separation of roles. Not all signatories should have equal weight when upgrading a wallet. You can appoint «specialized» signatories who are only responsible for technical updates that go through a separate verification procedure.
The theft of $1.46 billion from the Bybit crypto exchange is a wake-up call for the entire industry. Such events underscore the importance of security in the field of cryptocurrencies and the need for careful attention to the protection of user data. Understanding the nuances of cybersecurity and taking preventive measures are important steps to protect both platforms and investors. Only through joint efforts can we create a safe environment for trading and investing in cryptocurrencies that will foster trust and strengthen the market.