In this episode of ITWeb TV, Hendrik de Bruin, head of SADC security consulting at Check Point Software Technologies, discusses how the Bybit hack occurred, who is behind it, and how crypto exchanges can protect themselves from such attacks. #BybitHack
Crypto-currency hacks are set to continue until adequate regulations are put in place to mitigate against these threats, said Hendrik de Bruin, head of SADC security consulting at Check Point Software Technologies, in an interview with ITWeb TV.
De Bruin was speaking after Dubai-based crypto-currency exchange Bybit lost approximately 400 000 Ethereum (ETH), valued at $1.5 billion, to attackers. The incident is considered the largest crypto-currency exchange hack to date.
The attack has been largely attributed to North Korean state-sponsored hackers, specifically the Lazarus Group and the subgroup tracked as TraderTraitor.
Traditional bank robberies, once defined by masked criminals storming physical vaults, have evolved into sophisticated cyber heists targeting digital assets, De Bruin commented.
He noted that as financial systems transitioned online, cyber criminals adapted, exploiting vulnerabilities in banking networks and crypto-currency platforms.
Groups like Lazarus have demonstrated how state-sponsored hackers can steal billions by breaching crypto exchanges, laundering funds through decentralised finance platforms, and evading international sanctions.
De Bruin pointed out that the Bybit hack challenges previous assumptions about crypto security: even where smart contracts and wallet protections are strong, the human factor is often the weakest link.
This incident highlights how user interface manipulation and social engineering can compromise even the most secure wallets, he added.
According to the latest reports, the Bybit hackers have already converted at least $300 million of the record-breaking $1.5 billion haul into funds that cannot be recovered.
Describing how the hack unfolded, De Bruin said crypto-currency exchanges make use of hot and cold wallets.
He explained that a hot wallet is a crypto-currency wallet connected to the internet, making it convenient for quick transactions but more vulnerable to hacks. A cold wallet is kept offline, making it highly secure but less convenient for quick access.
In the Bybit case, the attackers hijacked a transfer out of a cold wallet to steal the funds, which consisted primarily of Ethereum (ETH) tokens.
The incident marks a new phase in attack methods, built on manipulating what users see in the wallet's interface.
Rather than targeting protocol flaws, the attackers combined social engineering with a tampered signing interface: the people approving the transfer were shown a legitimate-looking transaction, while the transaction they actually signed handed control of the cold wallet's funds to the attackers.
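The "what you see is not what you sign" problem described above, as an added example written for this article (not Bybit's, Safe's or Check Point's code): a signer-side check that re-derives the transaction summary and signing hash from the raw payload instead of trusting the web front-end. The field names (to, value, data, operation) loosely follow a Safe-style multisig transaction, the hash function is a stand-in for the wallet's real signing hash, and all addresses and amounts are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Operation codes as used by Safe-style execTransaction (assumption of this
# example; the point is that DELEGATECALL lets the callee run code in the
# wallet's own storage context, so it can rewrite the wallet's logic).
CALL, DELEGATECALL = 0, 1


@dataclass(frozen=True)
class Transaction:
    to: str          # destination address (hex string)
    value_wei: int   # amount of ETH in wei
    data: str        # hex-encoded calldata ("0x" for a plain transfer)
    operation: int   # CALL or DELEGATECALL


def canonical_hash(tx: Transaction) -> str:
    """Stand-in for the wallet's real signing hash: a hash over the exact
    bytes that will be signed, so any change to any field changes it."""
    encoded = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(encoded.encode()).hexdigest()


def calldata_len(data: str) -> int:
    """Number of bytes in a 0x-prefixed hex string."""
    return (len(data) - 2) // 2


def render_summary(tx: Transaction) -> str:
    """Human-readable description derived ONLY from the raw payload."""
    if tx.operation == DELEGATECALL:
        return f"DELEGATECALL into {tx.to} with {calldata_len(tx.data)} bytes of calldata"
    if tx.data == "0x":
        return f"transfer {tx.value_wei / 1e18:.4f} ETH to {tx.to}"
    return f"call {tx.to} with {calldata_len(tx.data)} bytes of calldata"


def signer_check(ui_summary: str, ui_hash: str, raw_payload: Transaction) -> list:
    """Independent verification on the signer's side: recompute the summary
    and hash from the payload that will really be signed and compare them
    with what the web UI displayed. Returns a list of problems; an empty
    list means the display and the payload agree."""
    problems = []
    if canonical_hash(raw_payload) != ui_hash:
        problems.append("hash shown by UI does not match hash of payload to be signed")
    real_summary = render_summary(raw_payload)
    if real_summary != ui_summary:
        problems.append(f"UI says '{ui_summary}' but payload is '{real_summary}'")
    if raw_payload.operation == DELEGATECALL:
        problems.append("payload uses DELEGATECALL, which can rewrite the wallet's own logic")
    return problems


def approve_via_ui(shown: Transaction, signed: Transaction) -> list:
    """Model of the signing flow. An honest front-end passes the same
    transaction as `shown` and `signed`; a tampered one displays `shown`
    but hands the signer `signed` for approval."""
    return signer_check(render_summary(shown), canonical_hash(shown), signed)


# Constructed sample data: placeholder addresses, not real ones.
HOT_WALLET = "0x" + "11" * 20
ATTACKER_CONTRACT = "0x" + "ee" * 20

legit_tx = Transaction(to=HOT_WALLET, value_wei=30_000 * 10**18, data="0x", operation=CALL)
malicious_tx = Transaction(to=ATTACKER_CONTRACT, value_wei=0,
                           data="0xa9059cbb" + "00" * 64, operation=DELEGATECALL)

if __name__ == "__main__":
    print("honest UI:", approve_via_ui(legit_tx, legit_tx) or "no problems")
    for p in approve_via_ui(legit_tx, malicious_tx):
        print("compromised UI:", p)
```

The check only helps if it runs somewhere the attacker cannot reach, such as a hardware signer's own screen or an independently built verification tool; a check drawn from the same web page that was tampered with would simply agree with it.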
“The majority of the exchange’s funds will be stored in an offline cold wallet. The reason why we refer to it as an offline or cold wallet is because it is disconnected from where the majority of the funds are stored,” said De Bruin.
“Funds are then transferred from that cold wallet to a hot wallet, which is basically used for various transactions. So, a cold wallet is essentially a safe for your crypto-currency.
“What appears to have happened in this specific incident is a transfer was made from a cold wallet to a hot wallet where the actual hack occurred. Instead of those funds being transferred to an online or hot wallet, they were transferred to other wallets that are managed and operated by cyber criminals.”
He noted that Check Point Research identified the Bybit hack in real time through its blockchain monitoring.
Attribution of hacks is oftentimes difficult, especially when it comes to crypto-currencies. “However, we do have a fairly good idea of who it is. It would appear from the evidence that we have gathered that it is the Lazarus Group – a North Korean-supported hacking group.”
De Bruin explained that crypto-currency theft is one of the activities the Lazarus Group is best known for nowadays.
“They are very well-known for stealing crypto-currency on behalf of the North Korean regime. The reason for that is fairly obvious. Because of all the sanctions on North Korea, they need to find alternative income. That is the biggest modus operandi for the Lazarus Group.”
Hendrik de Bruin, head of SADC security consulting at Check Point Software Technologies. (Photograph by Lesley Moyo)
Lazarus Group hacked Sony Pictures in 2014, he said. In November 2014, Sony Pictures Entertainment was hit with a devastating cyber attack, and the hackers − identifying themselves as “Guardians of Peace” − leaked vast amounts of confidential data, including unreleased movies, internal e-mails and employee information. The attack caused Sony significant financial and reputational damage.
The attack is believed to have been in retaliation for “The Interview”, a comedy film that depicted a fictional assassination of North Korean leader Kim Jong-un, which angered the North Korean regime. US intelligence agencies concluded that North Korea, through the Lazarus Group, orchestrated the attack to punish Sony and deter the release of the film.
The Lazarus Group is also known for the WannaCry ransomware attack − one of the largest and most destructive cyber attacks in history, said De Bruin.
WannaCry was a ransomware worm that spread rapidly across the world in May 2017, infecting over 230 000 computers in more than 150 countries. The malware encrypted files on infected systems and demanded a ransom in Bitcoin, threatening to delete the files if the payment wasn’t made.
“It’s often perceived that crypto-currency is an anonymous way of transacting on the internet. To an extent, that is true, but you must also bear in mind that these crypto-currencies have a ledger, which is publicly viewable. That’s transparency where you can actually see where a transaction originated from and which wallet the funds were sent to.”
However, linking that wallet address to a specific individual is where the difficulty arises, and that is where regulation comes in.
“When we look at this specific attack, we can see where a lot of the funds went to and identify those wallets. But identifying the individual or organisation behind the wallet will be the difficult part.
“The crypto-currency market is very much in its infancy and when it comes to regulation, it’s always evolving. Before the traditional banks established security protocols and regulations, they also faced an onslaught of criminality and heists, such as bank robberies.
“So, we will continue to see attacks on crypto-currencies and the evolution of the attacks. It’s up to the regulatory bodies to implement things like KYC [know your customer] in order to prevent this.”
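The ledger-transparency point De Bruin makes above (funds can be followed from wallet to wallet, but tying a wallet to a person needs off-chain information), as an added example written for this article rather than Check Point's tooling or any real Bybit transaction data: the Python below traces a constructed transfer log forward from a seed address and separates the addresses that can be tied to an entity through off-chain labels from those that remain pseudonymous. All addresses, transaction hashes, amounts and labels are invented.

```python
from collections import defaultdict, deque

# Constructed transfer log: (tx_hash, from_address, to_address, amount_eth).
# Every value here is a placeholder invented for this example.
TRANSFERS = [
    ("tx01", "exchange_cold", "thief_1", 400_000.0),   # the theft itself
    ("tx02", "thief_1", "thief_2", 10_000.0),          # split across addresses
    ("tx03", "thief_1", "thief_3", 10_000.0),
    ("tx04", "thief_2", "mixer_in", 10_000.0),         # sent into a mixer
    ("tx05", "thief_3", "dex_router", 10_000.0),       # swapped on a DEX
    ("tx06", "dex_router", "thief_4", 9_950.0),        # proceeds, minus fee
    ("tx07", "thief_4", "kyc_exchange_deposit", 5_000.0),
    ("tx08", "unrelated_a", "unrelated_b", 3.0),       # noise, not tainted
]

# Off-chain labels: the only route from an address to a real-world entity.
# In practice these come from exchanges' KYC records, sanctions lists and
# analytics vendors; here they are constructed.
LABELS = {
    "exchange_cold": "victim exchange cold wallet",
    "dex_router": "decentralised exchange router contract",
    "kyc_exchange_deposit": "deposit address at a regulated exchange",
}


def build_graph(transfers):
    """Adjacency list: sender -> [(tx_hash, receiver, amount), ...]."""
    graph = defaultdict(list)
    for tx, src, dst, amount in transfers:
        graph[src].append((tx, dst, amount))
    return graph


def trace(transfers, seed, max_hops=10):
    """Breadth-first search forward from `seed`, following every outgoing
    transfer. Returns {address: hop_count} for each address that received
    funds downstream of the seed. This is exactly what a public ledger lets
    anyone do: the flow is visible, the owners are not."""
    graph = build_graph(transfers)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if hops[current] >= max_hops:
            continue
        for _tx, dst, _amount in graph.get(current, []):
            if dst not in hops:
                hops[dst] = hops[current] + 1
                queue.append(dst)
    return hops


def received_by(transfers, addresses):
    """Total amount received by each address in `addresses`."""
    totals = defaultdict(float)
    for _tx, _src, dst, amount in transfers:
        if dst in addresses:
            totals[dst] += amount
    return dict(totals)


def attribution_report(transfers, seed, labels):
    """Split traced addresses into those with an off-chain label (a lead an
    investigator can act on, e.g. a subpoena to the exchange) and those
    that remain pseudonymous."""
    reached = trace(transfers, seed)
    reached.pop(seed, None)
    identified = {addr: labels[addr] for addr in reached if addr in labels}
    unknown = sorted(addr for addr in reached if addr not in labels)
    return identified, unknown


if __name__ == "__main__":
    identified, unknown = attribution_report(TRANSFERS, "exchange_cold", LABELS)
    amounts = received_by(TRANSFERS, set(identified) | set(unknown))
    for addr, label in identified.items():
        print(f"lead: {addr} ({label}) received {amounts[addr]:.0f} ETH")
    for addr in unknown:
        print(f"pseudonymous: {addr} received {amounts[addr]:.0f} ETH")
```

In the constructed log the trail reaches a labelled deposit address after five hops; in a real case that label would come from the KYC process De Bruin refers to, which is why the attribution gap, not the visibility of the transfers, is where regulation matters.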