North Korea pulled off the biggest cryptocurrency heist in history

Dubai-based cryptocurrency exchange Bybit was robbed on Friday last week of approximately $1.5 billion worth of cryptocurrency, and fingers are being pointed at North Korea.

2

Bybit officials confirmed the theft of more than 400,000 Ethereum, along with staked Ethereum coins, just hours after the theft took place. According to the disclosure by Bybit, the cryptocurrency coins were initially stored in a "Multisig Cold Wallet" but were then transferred out to an exchange hot wallet where they were then distributed out of the exchange altogether to wallets with unknown owners. Now, researchers at Elliptic, a blockchain analysis firm, has said the moves bear the calling cards of North Korean attackers who have reportedly already washed the funds.

So, how did this happen? Multisig Cold wallets are some of the most secure digital wallets available to cryptocurrency traders, as the idea behind the wallet is much like a nuclear missile launch that requires multiple people to engage. Just like the missile, the wallet requires two or more authorized persons to digitally sign before access can be granted. Immediately, speculation began on how the wallet was drained, with many pointing fingers at Safe, the company that provides the infrastructure hosting the cold wallet. However, Safe conducted an internal examination of its systems and found no traces of unauthorized access.

"The Bybit hack has shattered long-held assumptions about crypto security. No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link. This attack proves that UI manipulation and social engineering can bypass even the most secure wallets," said Dikla Barda, Roman Ziakin, and Oded Vanunu, researchers at security firm Check Point

Investigators further dove into the digital paper trail and found the case of the theft was a result of the smart contract logic being manipulated and the signing interface being manipulated. For those who don't know, this means the attackers infiltrated Bybit and manipulated the wallet signing user interface on each individual's device that is needed for access to the Multisig cold wallet. The implication of such an attack has caused a ripple effect throughout the cryptocurrency industry as it has shattered a long-held assumption about cryptocurrency security.

The concerns don't stop there, as it's still unknown how the hackers managed to gain access to the user interfaces of the multiple Bybit employees that were needed to approve the transaction. However, researchers Dan Guido, Benjamin Samuels, and Anish Naik of security firm Trail of Bits wrote that hackers working for the North Korean government may have installed malicious code in the Bybit system a while ago that enabled the hackers to work undisclosed to Bybit security. Additionally, the researchers state that this malware could allow the manipulation of what users see in their interfaces.

The massive $1.5 billion hack has shaken the cryptocurrency industry, particularly the security that protects it.