The ByBit Crypto Hack Is the Biggest in the World. How did it Happen?

February 28, 2025

The ByBit hack was huge in terms of sheer monetary value. Here is a breakdown of how it unfolded.

Author: Nicole Buckler

The recent security breach at Bybit has sent shockwaves through the cryptocurrency world, marking what is being called one of the largest digital asset thefts in history. CoinJar is not affected by this incident. Here’s a breakdown of what we know and what may have happened.

What Happened at ByBit

Bybit, a major cryptocurrency exchange, experienced a significant security breach resulting in the theft of a massive amount of Ethereum.

In a statement, ByBit reported that approximately $1.5 billion worth of digital assets were compromised.

How the attack unfolded

Based on ByBit’s investigation so far, here is a simplified explanation:

1. Compromised developer computer

A computer belonging to developers at Safe (often referred to as Safe{Wallet}) was hacked. 

Safe Global is a provider of cryptocurrency wallets, and it is important to note that CoinJar does not use Safe Global for its crypto storage.

2. Malicious code inserted on AWS

The attackers gained access to Safe’s Amazon Web Services (AWS) S3 bucket, where key files were stored. They injected malicious JavaScript code into these files.

3. Supply chain attack trigger

This harmful code was specifically designed to alter transaction details during the signing process. It was triggered if a transaction originated from ByBit’s contract address.

4. Swift cover-up

Two minutes after executing each malicious transaction, the attackers replaced the compromised code in the S3 bucket with clean versions, erasing direct evidence of the tampering.

5. Impact on ByBit

When users tried to move funds via Safe’s service, the malicious script silently modified the transaction details during approval, affecting only those transactions associated with ByBit. 

This underscores that the attack started with Safe’s storage environment, rather than ByBit’s infrastructure.
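The steps above describe script files that were changed in storage and then restored shortly afterwards. The following is an added example, not code from Safe, ByBit or the original article, of a defender-side check that compares each served file against a digest pinned at build time and keeps a record of any mismatch window even after the clean copy returns. The file name, sample contents and poll log are constructed, and storing the pinned manifest away from the bucket is an assumption.

```javascript
const crypto = require('node:crypto');

// SRI-style digest (sha384, base64) of an asset body.
function sri(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body).digest('base64');
}

// Constructed sample data: one released bundle, and a copy with an unreviewed change.
const RELEASED = '/* constructed: bundle as built by CI */';
const CHANGED = '/* constructed: bundle with an unreviewed change */';
// Manifest pinned at build time and stored away from the bucket (assumption).
const PINNED = { 'app.js': sri(RELEASED) };

// observations: [{ t: epoch seconds, name, body }] from polling the served asset.
// Returns one record per period during which the served digest differed from the pin.
function tamperWindows(pinned, observations) {
  const open = new Map();
  const windows = [];
  for (const o of [...observations].sort((a, b) => a.t - b.t)) {
    const digest = sri(o.body);
    const matches = pinned[o.name] === digest; // unpinned files never match
    const w = open.get(o.name);
    if (!matches && !w) {
      open.set(o.name, { name: o.name, firstSeen: o.t, lastSeen: o.t, digest });
    } else if (!matches) {
      w.lastSeen = o.t;
    } else if (w) {
      windows.push({ ...w, restoredAt: o.t }); // clean copy is back; keep the record
      open.delete(o.name);
    }
  }
  for (const w of open.values()) windows.push({ ...w, restoredAt: null });
  return windows;
}

// Constructed poll log: the bundle changes at t=60 and is clean again by t=180.
const POLLS = [
  { t: 0, name: 'app.js', body: RELEASED },
  { t: 60, name: 'app.js', body: CHANGED },
  { t: 120, name: 'app.js', body: CHANGED },
  { t: 180, name: 'app.js', body: RELEASED },
];
```

A poll interval longer than the change window can miss it entirely, so the same digest comparison is more reliable when it runs at load time in the client that signs.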

What commentators are saying

A number of commentators have pointed out that, in hindsight, certain security measures appear to have been inadequate. They argue a few points.

ByBit’s security checks

Commentators say that even though the attackers used a sophisticated supply chain approach, ByBit’s internal processes should have caught discrepancies in the transaction instructions. 

In particular, when moving large sums (over $1 billion), exchanges typically verify transaction details on a separate, air-gapped machine (a completely isolated computer).

Human vulnerabilities in complex attacks

While some aspects of this hack may appear “basic,” the broader supply chain tactic was sophisticated, using compromised third-party code that would not have been easy to detect in real time. It seems any system can be vulnerable when attackers gain access through indirect avenues.

Missed double-checks

According to industry best practices, large transfers should be verified more than once, especially if initiated by an external service. Some commentators believe ByBit could have implemented stronger fail-safes to confirm transaction details independently of Safe’s code.
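One way to confirm transaction details independently of the wallet interface, shown as an added example that is not from the original article and is not ByBit's or Safe's code: the isolated machine holds the transfer the operator approved out of band and compares it field by field with what the signer is actually being asked to sign. The field names, function names and sample values are assumptions made for this sketch.

```javascript
// Fields that must match exactly; the names are assumptions for this sketch.
const FIELDS = ['chainId', 'to', 'value', 'data'];

// Canonical form so that harmless differences (hex case, number vs string) do not alarm.
function normalise(field, v) {
  if (field === 'chainId' || field === 'value') return BigInt(v).toString();
  if (typeof v !== 'string' || !/^0x[0-9a-fA-F]*$/.test(v)) throw new TypeError('not a hex string');
  if (field === 'to' && v.length !== 42) throw new TypeError('not a 20-byte address');
  return v.toLowerCase();
}

// intent: what the operator approved out of band; presented: what the signer is asked to sign.
function verifyAgainstIntent(intent, presented) {
  const problems = [];
  for (const f of FIELDS) {
    try {
      const want = normalise(f, intent[f]);
      const got = normalise(f, presented[f]);
      if (want !== got) problems.push(`${f}: expected ${want}, got ${got}`);
    } catch (e) {
      problems.push(`${f}: ${e.message}`); // missing or malformed counts as a mismatch
    }
  }
  // Anything the intent never mentioned is a reason to stop, not something to ignore.
  for (const f of Object.keys(presented)) {
    if (!FIELDS.includes(f)) problems.push(`${f}: unexpected field`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample values (not real addresses).
const INTENT = { chainId: 1, to: '0x' + 'aa'.repeat(20), value: '1000000000000000000', data: '0x' };
```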

ByBit’s response

ByBit’s CEO, Ben Zhou, has pledged to reimburse affected users, reassuring customers that their losses will be covered.

ByBit is reportedly working on securing bridge loans to cover losses, while emphasising its commitment to transparent communication with the community.

ByBit has partnered with blockchain forensic companies to track the stolen funds. Its prompt and open response has been relatively well-received, helping maintain some degree of market confidence despite the severity of the incident.

Conclusion: A lesson on sophisticated supply chain attacks

The ByBit hack, while a devastating blow to the exchange and its users, is a stark reminder of the ever-evolving threats in both traditional and decentralised finance. 

Although commentators have criticised ByBit for procedural lapses (such as a lack of transaction-verification methods), this breach also reveals the complexity of supply chain attacks. They often only become clear after the damage is done, because attackers exploit trust relationships with third parties and cover their tracks swiftly.

ByBit’s quick and transparent response, along with its pledge to reimburse users, has helped mitigate the immediate fallout. While some suggest that only a state-sponsored attacker could pull off such a large-scale theft, the exact identity of the perpetrators remains unknown. 

What is certain is that criminals continue to refine their methods, and vigilance remains crucial.

The finance industry, whether in the traditional space or the crypto realm, must accept the reality of increasingly sophisticated cyber threats.


The above information is not to be read as investment, legal or tax advice and takes no account of particular personal or market circumstances; all readers should seek independent investment, legal and tax advice before investing in cryptocurrencies. There are no government or central bank guarantees in the event something goes wrong with your investment. This information is provided for general information and/or educational purposes only. No responsibility or liability is accepted for any errors of fact or omission expressed therein. CoinJar Europe Limited makes no representation or warranty of any kind, express or implied, regarding the accuracy, validity, reliability, availability, or completeness of any such information. Please remember past performance is not a reliable indicator of future results. Don't invest unless you're prepared to lose all the money you invest. Due to the nature, complexity and volatility of crypto, it may be perceived to be a high-risk investment.

CoinJar Europe Limited is authorised by the Central Bank of Ireland as a crypto-asset service provider (registration number C496731).
