Security

North Korea's Unprecedented $1.5 Billion Crypto Heist Exploited Human Element, Not Code (arstechnica.com) 21

North Korean hackers have executed the largest cryptocurrency theft in history, draining $1.5 billion from Dubai-based exchange Bybit by compromising its multisignature cold wallet system. The attackers stole over 400,000 ethereum and staked ethereum coins without exploiting code vulnerabilities or infrastructure.

Security researchers from Elliptic identified North Korean signatures in the subsequent laundering operations, consistent with the nation's ongoing cryptocurrency theft operations that fund its weapons programs. Investigators determined the hackers manipulated the user interfaces on multiple Bybit employees' devices simultaneously, tricking authorized personnel into approving what appeared to be legitimate transactions. This sophisticated attack "altered the smart contract logic and masked the signing interface," according to Bybit's disclosure.

"The Bybit hack has shattered long-held assumptions about crypto security," noted researchers at Check Point. "No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link."

  • by CommunityMember ( 6662188 ) on Wednesday February 26, 2025 @07:15AM (#65195999)
    AI to humans: "You are the weakest link, goodbye".
    • > Investigators determined the hackers manipulated the user interfaces on multiple Bybit employees' devices simultaneously, tricking authorized personnel into approving what appeared to be legitimate transactions

      This is NOT exploiting human weaknesses. No more than getting a back door into Linux code would be. I mean you could say that humans should review every line of code before running it, but that would be wrong, stupid, and a huge copout.
  • Between stealing and being smart enough to get away with it. Leaving your digital fingerprint at a server is as bad as forgetting your ski mask before robbing the 711. There's only one suspect and while 1.5 billion may not be a lot to Dubai, I have no doubt that they can and will find a partner to help send a message. Russia has enough to handle in Ukraine and borrowing North Korean troops already. Best of luck kimmie, you made a bad decision.
    • by Bert64 ( 520050 ) <bert@slashdot.firenze e . com> on Wednesday February 26, 2025 @07:39AM (#65196031) Homepage

      Even if it was the North Koreans, what can Dubai do about it? There is no legal route - no law enforcement cooperation between these countries etc. Doing an off the books operation would be risky, with no guarantee of success, and who would they target?

      And that's assuming the North Koreans are responsible at all, as you point out it was a highly sophisticated attack so the perpetrators should be more than capable of covering their tracks, perhaps they did by laying a false trail that pointed to North Korea?

      • by DarkOx ( 621550 )

        All true.

        I would also suggest that the DPRK might even be 'just fine' with being caught. Sure it may give away some 'methods and practices' but honestly most of these techniques are open secrets anyway. DPRK has a limited set of levers on the world stage and all of them have been reduced in potential effectiveness or been impaired with serious potential for blow back in one way or another. Like China deciding to cut them off if they do something too 'incompatible' with China's other diplomatic ambitions lik

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      They didn't leave a signature. A signature was detected when they laundered the money.

      That's the thing about cryptocurrency. At some point if they need real cash then that has to go through a system that can be traced just like always.

      Originally the idea behind Bitcoin was to trade the coin itself as currency and remove the need for government based monetary systems. For the most part that has not worked out because commercial entities have to play by the old rules.

    • So, one dictatorial regime steals from a company based in Dubai. The problem is it's a State that committed the action. What's the company (Bybit) going to do to North Korea? Nothing. They're in no position of power to do anything. However, you propose the Dubai government, or maybe the UAE, will find a partner to avenge the crime against this company. How do you think that's going to work? What would be the "message"?

      Not to mention, NK and Russia are friends as you say, since NK sends troops to Ukraine.
  • and (Score:4, Funny)

    by rossdee ( 243626 ) on Wednesday February 26, 2025 @07:34AM (#65196027)

    nothing of value was lost.

  • Bogus headline (Score:5, Insightful)

    by jbmartin6 ( 1232050 ) on Wednesday February 26, 2025 @08:11AM (#65196083)
    The details in TFA do not support any claims that code wasn't exploited. The attackers used code to present a fake transaction to the signers rather than the wallet-draining transaction they were really approving. The details of how they got access to do that and everything else are not provided.
    • > The details in TFA do not support any claims that code wasn't exploited

      None of the news stories on this make sense.

      I get that "the news is fake" most of the time but this one smacks of half-the-story.

      It sure sounds like there's a mole somewhere between Kim and the CEO (who protected customer funds).

      • Bybit released a technical report claiming that Safe{Wallet} was compromised, and the attacker replaced a JavaScript file in Safe's S3 storage with one that specifically targeted Bybit's contracts and wallet. So they knew enough about Bybit to produce a highly targeted supply chain attack. Presumably other Safe customers loaded the malicious JavaScript but were not affected.
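
As an added illustration of the supply-chain point in the comment above (not part of the thread, and not Bybit's or Safe's code): a replaced bundle whose extra logic only fires for one customer looks normal to everyone else, so the reliable signal is a byte-level comparison of what the bucket serves against digests recorded at release time. The file paths and contents in this Node.js sketch are constructed.

```javascript
// Added example: all paths and file contents below are constructed.
const { createHash } = require("node:crypto");

// SRI-style digest ("sha384-<base64>") over a file's exact bytes.
function sriDigest(bytes, algo = "sha384") {
  return `${algo}-${createHash(algo).update(bytes).digest("base64")}`;
}

// Record a digest per file at release time; keep the result outside the bucket.
function buildManifest(files) {
  const manifest = new Map();
  for (const [path, bytes] of files) manifest.set(path, sriDigest(bytes));
  return manifest;
}

// Compare what is served now with the release manifest.
function auditAssets(manifest, served) {
  const findings = [];
  for (const [path, expected] of manifest) {
    if (!served.has(path)) {
      findings.push({ path, status: "missing" });
      continue;
    }
    const actual = sriDigest(served.get(path));
    if (actual !== expected) findings.push({ path, status: "modified", expected, actual });
  }
  for (const path of served.keys()) {
    if (!manifest.has(path)) findings.push({ path, status: "unexpected" });
  }
  return findings;
}

// Constructed release: two bundles as they left the build pipeline.
const release = new Map([
  ["static/js/app.js", Buffer.from("function sign(tx) { return wallet.sign(tx); }\n")],
  ["static/js/vendor.js", Buffer.from("/* third-party code */\n")],
]);
const manifest = buildManifest(release);

// Constructed bucket state: app.js was swapped for a copy with one extra
// conditional branch, so most users would observe no change in behaviour.
const served = new Map(release);
served.set("static/js/app.js", Buffer.from(
  "function sign(tx) { /* constructed: extra branch */ return wallet.sign(tx); }\n"));

function runAudit() {
  return auditAssets(manifest, served);
}

console.log(runAudit().map((f) => `${f.status}: ${f.path}`));
```

The same digests can be placed in `integrity` attributes on the `<script>` tags so the browser refuses a mismatching file, provided the page carrying those attributes is served from somewhere the bucket writer cannot change.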
  • > This sophisticated attack "altered the smart contract logic and masked the signing interface,"

    So it wasn't a very "smart contract" then, if it could be so easily altered. I suspect my old paper contract is probably "smarter", or at least using it would be.

    The old saying "a fool and his money..." should be forked to be "a crypto exchange and its money...". Are any of them actually capable of running a service without getting hacked? They're an obvious target, which ups the ante rather a lot, but are an

    • > So it wasn't a very "smart contract" then, if it could be so easily altered.

      reportedly:

      It was just a fake contract presented by phishing.

      They outsourced their security to a third party web service so they had to be Internet connected.

      ---

      For $40B I will fire up a dedicated laptop and plug in a serial cable, but apparently that's just me.

      "Why bother with all that when TrustMeBro.com is only $99/mo?"

      Whoever sold that idea might be worth looking into more.

  • I bet it'd only take a billion to blow up their entire country and get it back. That's a net gain recovery.
    • by gtall ( 79522 )

      Brilliant!! Let's see millions of people die because you have some cockeyed notion it "get it back".

  • by JustAnotherOldGuy ( 4145623 ) on Wednesday February 26, 2025 @09:39AM (#65196285) Journal

    Crypto is nothing more than a decentralized, crowd-funded Ponzi scheme.

  • No luck? I wonder why that is ...

  • It really is bro!

  • > without exploiting code vulnerabilities or infrastructure ... manipulated the user interfaces on multiple Bybit employees' devices simultaneously, tricking authorized personnel

    Bybit is saying that these manipulated user interfaces are normal operation.
