ByBit hacked, 1,4 billion $ stolen (in ETH).

Status
Not open for further replies.
you misread my post (mea culpa) - it's not important whether they stole ETH, BTC, SOL or whatnot - it's not a failure of the asset itself obviously - what I meant was that events like this will help people understand that exchanges are not only the weak centralized spots of the ecosystem but also a reason why most shitcoins have life longer than a mayfly and why so many people get burned massively
 
To those saying it was not a real hack, the postmortem audit has been published:



https://twitter.com/x/status/1894773852598939786


It totally checks out.

Awaiting those who are sure this is not what it looks like, to back up their claims.

I like this forum for its refreshing non-propaganda viewpoints, but sometimes it feels people are just happy to wear tinfoil hats and spin stories

I have firsthand witnessed crypto hacks of mindblowing amounts from the inside (thankfully never to me) and can certainly tell you I know those people were left with nothing (and sometimes massive psychological trauma) after the hacks. Even when reddit and twitter were awash with conspiracy theories.

Thus would like those claiming an inside job or whatever to back up their claims and also comment on this audit, if their cybersec knowledge permits to intelligently assess it
 
*putting my tin foil cap on* that story about some Safe Wallet developer whose computer was hacked means that the whole Safe Wallet ecosystem is being developed by one person, so after some evil (((North Korean))) hacker uploaded the malicious code from that developer's machine nobody has noticed that.
nobody reviewed the code, nobody saw the evil commit, they don't use any version control system or any deployment system, just a single developer with absolute control over the website.
if this is not an inside job then everybody must withdraw their money from Bybit as soon as possible.
 
An inside job would actually probably be less hurtful to the exchange's reputation than if this were to be confirmed, lol
 
I get the skepticism about conspiracy theories, but in this case, dismissing insider involvement seems premature. The Verichains and Sygnia reports lay out a clear, sophisticated attack, but they also leave questions unanswered.

This wasn’t some random, opportunistic exploit. The malicious JavaScript injected into Safe.Global’s AWS S3 bucket wasn’t just tampering with transactions generically; it was hardcoded to specifically target Bybit’s multisig wallet and its signers. That level of precision suggests not just extensive pre-exploitation reconnaissance, but also insider knowledge of Bybit’s cold wallet structure and internal procedures.

A few things stand out:

- How did the attackers gain privileged access? Modifying production JavaScript files on Safe.Global requires either an API key, hijacking of admin access, or social engineering of someone with access. The reports confirm that Safe.Global’s S3 bucket was compromised, but they don’t explain how that access was obtained, arguably the most crucial part of the attack chain.

- The attackers waited until a high-value contract upgrade transaction was happening before executing the attack. That’s not the kind of timing you get from an external scan alone; it suggests someone either inside or very close to the operation had advance knowledge of Bybit’s transaction schedule.

- The malicious script was uploaded shortly before the high-value transaction, reinforcing the idea that the attackers weren’t just sitting on their access; they knew exactly when to act.

- Within two minutes of the 'heist', the malicious JavaScript files on Safe.Global were reverted back. That’s an incredibly fast response, which again proves their meticulous planning.

So, yes, it was a legitimate hack, I never denied that or doubted nation-state involvement. But that doesn’t rule out an insider role, either through direct involvement or negligence.

It’s easy to say "where’s the proof of an inside job?" but the better question is: where’s the proof that this wasn’t at least partly facilitated by someone on the inside? There are too many unanswered questions, including:
  1. How Safe.Global’s S3 credentials were compromised (was it phishing? A rogue employee? A vulnerable third-party provider?)
  2. How the attackers knew when to strike and which wallets to target.
  3. Why is there no evidence of Bybit being compromised?
  4. Why was the malicious JavaScript not detected before the attack?

Right now, the reports don’t address any of this. What’s also worth noting is that there’s no reported compromise within Bybit’s infrastructure, meaning there’s no evidence (yet) of eavesdropping on sensitive internal communications. This makes it even more likely that someone with access, either at Safe or Bybit, played a role in facilitating this breach.

Safe.Global is probably in full damage-control mode right now. I doubt we’ll get more transparency anytime soon, at least not until their PR team figures out how to spin this into the usual "this could have happened to anyone" narrative.

Until these gaps are explained, skepticism about an insider angle isn’t tinfoil-hat territory, it’s just paying attention to what hasn’t been answered yet.
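
One way to approach the detection question raised in the post above, as an added example that is not part of the original thread and not Safe's or Bybit's code: a release manifest of per-file digests, authenticated with a key kept outside the bucket, is compared against what is actually being served. The file names, key and file contents are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def sri(data: bytes) -> str:
    """Subresource-Integrity style digest: sha384-<base64>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

def sign_manifest(files: dict, key: bytes) -> dict:
    """Build-side step: record a digest per reviewed artifact and MAC the result."""
    entries = {path: sri(body) for path, body in files.items()}
    payload = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def audit(manifest: dict, served: dict, key: bytes) -> list:
    """Compare what is being served against the signed release manifest."""
    payload = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Bucket write access alone must not be enough to rewrite the manifest too.
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return [("manifest", "bad-signature")]
    findings = []
    for path, digest in sorted(manifest["entries"].items()):
        if path not in served:
            findings.append((path, "missing"))
        elif not hmac.compare_digest(sri(served[path]), digest):
            findings.append((path, "modified"))
    # Files that were never part of the release are reported as well.
    for path in sorted(set(served) - set(manifest["entries"])):
        findings.append((path, "unexpected"))
    return findings

# Constructed sample data: a two-file release and a later snapshot of the bucket.
KEY = b"constructed-demo-key"  # assumption: held by the build system, not stored in the bucket
RELEASE = {
    "static/app.js": b"function sign(tx){return wallet.sign(tx);}",
    "static/vendor.js": b"/* vendor bundle */",
}
MANIFEST = sign_manifest(RELEASE, KEY)

SERVED = dict(RELEASE)
SERVED["static/app.js"] = RELEASE["static/app.js"] + b"\n/* changed after release */"
SERVED["static/extra.js"] = b"/* not part of the release */"

if __name__ == "__main__":
    for path, status in audit(MANIFEST, SERVED, KEY):
        print(f"{status:12} {path}")
```

Since the post notes the files were reverted within two minutes, a comparison like this is only useful when it runs on every object write or against retained object versions, not on a slow schedule.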
 
https://www.trmlabs.com/post/the-bybit-hack-following-north-koreas-largest-exploit

"Initially, portions of the stolen Ethereum were routed through networks such as Binance Smart Chain and Solana, but the majority has now been converted directly into Bitcoin. Despite the swift movement of assets, most of the converted Bitcoin remains largely stationary, suggesting that the hackers are preparing for large-scale liquidation or further obfuscation through over-the-counter (OTC) networks."

It is crazy how fast this amount is being moved, proves again that BTC and its alternative ecosystem are strong and viable.
 
I will sort of deny what I posted as I had an interesting discussion about this incident which led me to digging into it a bit more and I found this short video that provides an interesting angle of view on ETH and why it was/is more likely that such incidents happen on ETH network






for those interested take it as an input - I don't claim anything as I don't care about Bybit, ETH and alike - perhaps one more valid point to BTC ossification discussion
 