Crypto Firm Offers Up to $140M Bounty for Recovery of Hacked Funds

In a notable development in the cryptocurrency sector, Bybit, a compromised crypto exchange, has successfully replenished $1.4 billion in Ether that was stolen in a recent cyber incident, according to CEO Ben Zhou.
A comprehensive proof-of-reserves audit will soon confirm that client assets have been restored to a 1:1 ratio, employing a verification method based on Merkle Trees, Zhou announced via social media.
Blockchain analytics firm Lookonchain estimates that Bybit managed to recover approximately 446,870 Ether, valued at around $1.23 billion, employing a combination of loans, whale deposits, and direct acquisitions. This recovery represents nearly 88% of the stolen funds linked to the attack attributed to North Korea’s notorious Lazarus Group. TRM Labs noted, “In a single day, North Korea’s hackers nearly doubled the funds they pilfered in 2024.”
Lookonchain also traced the acquisition of 157,660 Ether, equivalent to $437.8 million, by a wallet associated with Bybit from crypto investment firms such as Galaxy Digital, FalconX, and Wintermute through over-the-counter transactions. Another wallet amassed about $304 million worth of Ether from various centralized and decentralized exchanges.
The $1.4 billion theft marks the largest cyber heist in the cryptocurrency domain, constituting 60% of all stolen digital assets reported last year. Following the breach, Bybit experienced a notable increase in customer withdrawals, peaking at $5.3 billion over the weekend. Hacken, the auditing firm verifying Bybit’s reserves, stated that the exchange’s total assets still surpass its liabilities, ensuring the backing of user funds.
The breach has been characterized as a shift in attack methodologies, with Check Point noting that the incident relied on sophisticated manipulation of the user interface rather than solely on exploiting protocol vulnerabilities. The attackers employed social engineering, leading to the compromise of a significant institutional multisig setup.
The vulnerabilities exploited were in the Gnosis Safe multisig system, which relies on externally generated signatures rather than on-chain votes, making it susceptible to user interface manipulation and unauthorized signatures. The attackers likely employed phishing or malware to compromise multisig signers’ devices. By deceiving victims into interacting with a counterfeit user interface that resembled a trusted platform, they obtained approval for a transaction that transferred control of the cold wallet to the attacker.
This incident underlines the limitations of multisig setups when signers are compromised, emphasizing that cold wallets are not inherently secure if attackers can manipulate user perceptions. Experts advise that the industry should implement end-to-end transaction validation to mitigate future risks, as reliance on human decision-making is no longer sufficient.
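As an added illustration of the end-to-end transaction validation described above (example code written for this page, not code from the article, from Bybit or from the Safe project), the Python sketch below checks the raw fields a multisig signer is about to sign against a payout intent recorded outside the signing UI; the `SafeTx` and `Intent` types, the helper names and all addresses and amounts are constructed assumptions for the example.

```python
"""Signer-side check of a Safe transaction against an intent recorded out of band.
Works on the fields a Safe signer actually signs (to, value, data, operation),
not on what a web UI displays. Names and addresses are constructed for illustration."""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

@dataclass(frozen=True)
class SafeTx:
    to: str          # contract the Safe will call
    value: int       # native ETH (wei) sent with the call
    data: bytes      # raw calldata
    operation: int   # 0 = CALL, 1 = DELEGATECALL

@dataclass(frozen=True)
class Intent:        # what the treasury team agreed to, recorded outside the signing UI
    token: str
    recipient: str
    amount: int

def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """Build transfer(address,uint256) calldata (used for the constructed samples)."""
    return ERC20_TRANSFER + bytes.fromhex(recipient[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")

def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) for a transfer(address,uint256) call, else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER:
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")  # address is right-aligned

def validate(tx: SafeTx, intent: Intent) -> list[str]:
    """Return reasons to refuse signing; an empty list means the raw fields match the intent."""
    problems = []
    if tx.operation != CALL:
        problems.append("operation is DELEGATECALL: target code would run in the Safe's own storage context")
    if tx.to.lower() != intent.token.lower() or tx.value != 0:
        problems.append(f"target {tx.to} / value {tx.value} is not a plain call to token {intent.token}")
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        problems.append("calldata is not a plain ERC-20 transfer")
    elif decoded != (intent.recipient.lower(), intent.amount):
        problems.append(f"calldata pays {decoded[1]} to {decoded[0]}, agreed {intent.amount} to {intent.recipient}")
    return problems

# Constructed sample: the agreed payout, the honest payload, and one with the recipient swapped.
TOKEN, PAYEE, ROGUE = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
INTENT = Intent(token=TOKEN, recipient=PAYEE, amount=10**21)
HONEST = SafeTx(TOKEN, 0, encode_erc20_transfer(PAYEE, 10**21), CALL)
SWAPPED = SafeTx(TOKEN, 0, encode_erc20_transfer(ROGUE, 10**21), CALL)
```

The point is that the comparison runs against the bytes the hardware wallet will actually sign, so a tampered front end that displays the agreed payout cannot change the outcome of the check.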
To hide the tracks of their transactions, hackers are expected to utilize mixers, though the significant scale of this theft could complicate their efforts. Elliptic pointed out that the Lazarus Group typically follows a predictable laundering process, starting by swapping pilfered tokens for a cryptocurrency like Ethereum and entering a “layering” phase to obscure the stolen assets through various wallets and cross-blockchain transfers.
In a rapid course of action, the stolen assets were distributed across 50 wallets within two hours post-attack, with significant portions already moved. Allegations have surfaced regarding an unnamed service facilitating the laundering despite Bybit’s requests to block transactions. eXch, a crypto exchange known for anonymous trades, has been accused of processing millions of dollars in stolen Bybit assets, which it denies while admitting to handling a minimal volume of funds.
Notably, the Lazarus Group has laundered over $200 million using a mix of illicit methods up until 2023, as highlighted by Chainalysis, which notes a shift towards cross-chain bridges as they refine their laundering strategies.
Bybit has reached out to “the brightest minds in cybersecurity and crypto analytics,” offering a 10% reward for recovered funds, which could amount to $140 million if the entire stolen amount is retrieved. At the time of this report, data from DefiLlama indicates that Bybit held $10.9 billion in total assets. The attack also prompted a sharp decline in Ether’s price, which fell from $2,831 to $2,629 in a span of hours before it began to recover.