The ByBit Hack: Five things you need to know

Last week, ByBit, one of the largest centralized exchanges, suffered the biggest hack in digital asset history, with attackers stealing approximately $1.4 billion worth of Ethereum – primarily native ETH, alongside some wrapped versions.

Despite the magnitude of the breach, ETH exhibited strong price resilience following the event. ByBit responded swiftly, immediately acknowledging the attack and assuring customers that the exchange could cover the losses, ensuring their funds remained secure.

1. How has the hack affected ByBit?

Withdrawals continued to be processed as usual in the aftermath of the hack, with customers withdrawing over $5 billion over the weekend. When combined with the nearly $1.5 billion stolen, this brought the total outflows from the exchange to over $6.5 billion — without triggering a liquidity crisis.

ByBit took immediate steps to replenish its ETH reserves, purchasing ETH over-the-counter (OTC). The exchange has now completed its repurchase and published an updated, audited Proof of Reserves (PoR), confirming that customer assets are fully backed 1:1 — achieved in under 72 hours following the attack.

2. How has the ByBit hack affected the wider cryptocurrency market?

ByBit’s response, alongside the broader market’s reaction, highlights the resilience of the digital asset sector. This is particularly evident when compared to previous market cycles, where smaller incidents triggered significantly greater turmoil.

“The ability of the market to absorb this unprecedented hack with minimal disruption, coupled with ETH’s price stability, underscores the growing credibility and maturity of the industry and its participants,” said Matteo Greco, a research analyst with Fineqia International in Canada.

3. How was the ByBit hack carried out?

According to Bybit, the ‘forensic investigation into the recent security incident’ reaffirms “the integrity of Bybit’s infrastructure while providing crucial insights into the nature of the attack.”

The investigation has revealed that the credentials of a developer were compromised, allowing “the attacker to gain unauthorized access to the Safe(Wallet) infrastructure and totally deceive signers into approving a malicious transaction.”

Safe, a firm providing smart contract infrastructure across a variety of networks, confirmed that the attack stemmed from a compromised employee computer and argued its smart contracts remain unaffected. Having said that, CoinDesk has said that a person familiar with the incident claims “the hack would not have been possible had Bybit not ‘blind signed’ the transaction.” The term describes signing a smart contract transaction without viewing the content of the transaction itself.
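
The alternative to blind signing is to decode the raw payload independently and compare it with what the signing interface displays. The sketch below is an added example, not code from the article, Bybit or Safe, and not a reconstruction of the Bybit transaction: it uses a plain ERC-20 transfer, and every address, amount and function name in it is constructed for illustration.

```python
# Added example: names, addresses and amounts are constructed for illustration.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)

def encode_transfer(to: str, amount: int) -> bytes:
    """Build ERC-20 transfer calldata (used here only to make sample payloads)."""
    addr = bytes.fromhex(to[2:])
    return TRANSFER_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")

def decode_transfer(calldata: bytes) -> dict:
    """Decode ERC-20 transfer calldata; raise on anything that is not one."""
    if len(calldata) != 4 + 64:
        raise ValueError("unexpected calldata length")
    if calldata[:4] != TRANSFER_SELECTOR:
        raise ValueError("unknown function selector")
    to_word, amount_word = calldata[4:36], calldata[36:68]
    if any(to_word[:12]):
        raise ValueError("address word has non-zero padding")
    return {"to": "0x" + to_word[12:].hex(),
            "amount": int.from_bytes(amount_word, "big")}

def review_before_signing(displayed: dict, target: str, calldata: bytes) -> list:
    """Return every mismatch between the UI's summary and the raw payload."""
    try:
        actual = decode_transfer(calldata)
    except ValueError as exc:
        # A payload the signer cannot decode is exactly the blind-signing case.
        return [f"payload not understood, do not sign: {exc}"]
    problems = []
    if target.lower() != displayed["token"].lower():
        problems.append("target contract differs from displayed token")
    if actual["to"] != displayed["to"].lower():
        problems.append("recipient differs from displayed recipient")
    if actual["amount"] != displayed["amount"]:
        problems.append("amount differs from displayed amount")
    return problems

# Constructed sample data: what the (possibly compromised) interface shows.
TOKEN = "0x" + "aa" * 20
WARM_WALLET = "0x" + "11" * 20
OTHER = "0x" + "ee" * 20
DISPLAYED = {"token": TOKEN, "to": WARM_WALLET, "amount": 1_000}

if __name__ == "__main__":
    print(review_before_signing(DISPLAYED, TOKEN, encode_transfer(WARM_WALLET, 1_000)))
    print(review_before_signing(DISPLAYED, TOKEN, encode_transfer(OTHER, 1_000)))
    print(review_before_signing(DISPLAYED, TOKEN, b"\x12\x34\x56\x78" + bytes(64)))
```

The check is only meaningful when the decoding runs on a device or code path separate from the interface that produced the summary.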


4. Who was responsible for the ByBit hack?

In an announcement released yesterday, the FBI has labelled the hack as part of the ‘TraderTraitor’ tactic, whereby fake recruitment messages entice recipients to download ‘malware-laced cryptocurrency applications.’

While the announcement doesn’t specifically name Lazarus Group, the FBI has previously associated TraderTraitor with that hacking outfit. Additionally, the FBI has encouraged actors in the crypto space, such as apps, exchanges, bridges, DeFi services, and others, to ‘block transactions’ associated with the TraderTraitor actors.

Lazarus Group is a shadowy co-operative of hackers which some security analysts have linked to the regime in North Korea.

5. What are the implications for DeFi?

The FBI’s encouragement that actors in the crypto space block illicit transactions highlights a key challenge for crypto infrastructure, which is often designed to be permissionless by nature. DeFi venues, for instance, are characterized by allowing any user with a wallet to connect and trade.

“In this context, some crypto infrastructure has seen record usage following the hack,” crypto markets advisory firm FRNT Financial said in a note this week. FRNT noted that cross-chain protocol for trading tokens processed 859bn in trades yesterday (Thursday), its highest daily volume to date.

It is currently unclear if global authorities will pressure protocol operators to block or censor transactions associated with Lazarus Group. Having said that, there is speculation within the crypto sector that had the hack occurred under a crypto-antagonistic administration in the US, there could have been legal pressures that would have challenged crypto’s permissionless and decentralized design principles. That may be one for the new administration in Washington DC to answer.
