
The Bybit Hack: A crypto heist with cloud security lessons


COMMENTARY: However people look at the cryptocurrency industry, it's clear that the rise of digital currencies has become a primary catalyst for a growing number of high-stakes security incidents, with breaches like the Bybit hack underscoring the critical risks involved.

This latest breach, one of the most significant crypto exchange hacks of recent times, has left the cryptocurrency community reeling. While many aspects of the incident were crypto-specific, the underlying lessons apply to any organization that runs cloud infrastructure, whether for asset management and transaction processing or for cloud applications in general.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

What happened?

Right now, here’s what we know: the breach peaked on February 21, when attackers exploited a vulnerability in Bybit’s internal systems during a routine transfer of funds between its cold and hot wallets. It’s safe to assume the hackers had been studying Bybit’s processes for a long time beforehand. For context, cryptocurrency exchanges like Bybit, along with other crypto holders, store assets in two primary types of wallets:

  • Cold Wallets: These are offline, secure storage devices designed to protect cryptocurrencies from online threats. Since cold wallets are disconnected from the internet until they are connected to a computer to make a transfer, they are considered much safer for long-term storage of digital assets.
  • Hot Wallets: These wallets are online and actively used for day-to-day transactions. They let users quickly deposit, withdraw, or trade cryptocurrencies. However, because they’re connected to the internet, they are inherently more vulnerable to cyberattacks.

The breach happened during a transfer of assets from Bybit’s cold wallet to its hot wallet. During this process, the attackers — believed to be a part of the North Korean Lazarus Group — managed to intercept the transaction and reroute the funds to their own wallets, stealing a staggering 400,000 Ethereum (ETH), worth approximately $1.5 billion at the time.

The vulnerability that was exploited was related to Bybit’s transaction signing process. Specifically, the system used “blind-signing,” meaning that the transaction was signed without fully revealing the transaction details to the party signing it. This lack of visibility allowed the attackers to inject malicious transaction data, diverting the funds without the signing process detecting any anomaly.

Additionally, the attack was made easier by a lack of secondary verification in the transaction approval process. Once the transaction details were blind-signed, no further layers of approval or multi-signature verification were in place to catch any irregularities. This was a critical security oversight.

What cloud security experts can learn

The Bybit breach, while rooted in the specifics of cryptocurrency exchanges, exposes weaknesses whose lessons apply to any organization managing digital assets, especially those leveraging cloud infrastructure. Several factors contributed to the breach, so here’s a list of valuable lessons for cloud security experts and security executives to learn from what went wrong:

  • Insecure transaction signing and lack of multi-signature approval: At the heart of the Bybit incident was a blind-signing flaw during the transfer process between the cold and hot wallets. Blind-signing occurs when transaction details aren’t fully visible to the party authorizing the transaction, making it easier for attackers to manipulate the process. In Bybit's case, this lack of transparency let the hackers inject fraudulent transaction data without detection. Security practitioners should recognize that transaction visibility is essential to maintaining the integrity of any financial transaction, particularly in an environment where large sums are involved. To mitigate risks like this, it’s critical to implement multi-signature (multi-sig) protocols. Multi-sig ensures that more than one party or system must approve a transaction before it’s executed, significantly reducing the risk of unauthorized transfers.
  • Lack of secondary verification for high-value transactions: In addition to the blind-signing vulnerability, Bybit failed to implement a secondary verification process for high-value transfers. Once a transaction was signed, no further layers of verification were in place to prevent tampering. This oversight made it much easier for the attackers to carry out their scheme without triggering any red flags. For cloud security engineers, it’s a clear warning. Secondary authentication, particularly for high-value transactions, is non-negotiable. Just as many cloud environments use multi-factor authentication (MFA) to secure access, high-value transfers should trigger additional layers of approval or verification. Whether through SMS, email confirmations, or even manual oversight, we need to have a secondary approval process to ensure the integrity of the transaction.
  • Insufficient monitoring and incident detection: The breach was discovered only after the cold wallet had been emptied, highlighting a major gap in Bybit's internal monitoring and detection systems. An event of this magnitude should have been flagged in real-time by an effective monitoring system. Without continuous surveillance and the ability to quickly identify abnormal activities, it’s far too easy for malicious actors to operate undetected. Security executives should prioritize real-time monitoring for any high-risk activity. Establishing alerts for large transactions, failed login attempts, and unusual access patterns can offer an early warning system for suspicious activities. Automated tools and artificial intelligence can play an essential role in identifying patterns that might otherwise go unnoticed.
  • Weak access control and lack of segmentation: It appears that the attackers may have gained access to Bybit's internal systems, whether through phishing, stolen credentials, or exploiting software vulnerabilities. Once inside, they manipulated the wallet transfer process. This suggests inadequate access controls and possibly a lack of network segmentation, which should have isolated sensitive systems from less critical ones. Cloud security practices should focus on role-based access control and identity and access management to limit access to sensitive data and systems to only those who absolutely need it. It’s essential to implement strong, context-based authentication for administrative roles. Additionally, network segmentation can ensure that even if an attacker gains access to one part of the system, they cannot move freely within the entire infrastructure.
  • The role of cloud infrastructure in the attack: While the attack wasn't directly caused by flaws in Bybit’s cloud infrastructure, it does underscore the importance of securing the cloud environments that handle digital asset management. The exchange likely relied on cloud-hosted services for wallet management, transaction processing, and API integration. Without proper cloud security practices, attackers can easily compromise these systems. Teams also need to encrypt sensitive data, such as private keys and wallet information, and secure transaction data both at rest and in transit.
  • Incident response planning and coordination: Finally, it's essential to have a well-defined incident response plan in place. Bybit’s response was quick, but the damage could have been mitigated if the security protocols had been stronger. Cloud security teams should work with internal and external partners to ensure a coordinated response in the event of a breach, including communication plans, mitigation strategies, and remediation processes.
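To make the first three lessons concrete (blind-signing versus verified signing, multi-signature approval, and real-time alerting on large transfers, as described in the "What happened?" section and the lessons above), here is an added, self-contained illustration. It is not Bybit's code nor any wallet vendor's: the "signature" is an HMAC keyed per approver so that the script runs offline with only the Python standard library (a real wallet would use ECDSA or Ed25519), the approver names, wallet addresses, allowlist and threshold are constructed placeholders, and the hypothetical `verified_sign` / `approve_transfer` functions model the control, not a specific product.

```python
"""Verified (non-blind) signing, 2-of-3 approval and a high-value alert.

Added illustration of the controls recommended in the article; not code
from Bybit or any wallet vendor. Signatures are HMACs so the example runs
offline with the standard library only.
"""
import hashlib
import hmac
import json

# Constructed sample data (hypothetical values, not real keys or addresses).
SIGNER_KEYS = {
    "alice": b"alice-demo-key",
    "bob": b"bob-demo-key",
    "carol": b"carol-demo-key",
}
ALLOWED_DESTINATIONS = {"0xHOTWALLET-demo"}   # pre-registered hot wallet
HIGH_VALUE_THRESHOLD_ETH = 10_000              # alert on anything at or above
REQUIRED_APPROVALS = 2                         # 2-of-3 multi-sig

# What the approvers are shown on screen ...
INTENDED_TX = {"from": "0xCOLDWALLET-demo", "to": "0xHOTWALLET-demo",
               "amount_eth": 400_000, "data": ""}
# ... versus a tampered transaction a compromised front end could submit
# for signature while still displaying INTENDED_TX (constructed example).
TAMPERED_TX = {"from": "0xCOLDWALLET-demo", "to": "0xUNKNOWN-demo",
               "amount_eth": 400_000, "data": "<altered payload>"}


def tx_digest(tx: dict) -> str:
    """Canonical SHA-256 digest over the clear-text transaction fields."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def blind_sign(signer: str, digest: str) -> str:
    """The weak pattern: sign whatever digest the front end hands over,
    without ever checking what that digest represents."""
    return hmac.new(SIGNER_KEYS[signer], digest.encode(), "sha256").hexdigest()


def verified_sign(signer: str, displayed_tx: dict, digest_to_sign: str) -> str:
    """Hardened pattern: the signer recomputes the digest from the transaction
    it was actually shown and refuses if it differs from the digest it is
    being asked to sign, or if the destination is not pre-registered."""
    if not hmac.compare_digest(tx_digest(displayed_tx), digest_to_sign):
        raise ValueError(f"{signer}: digest does not match displayed transaction")
    if displayed_tx["to"] not in ALLOWED_DESTINATIONS:
        raise ValueError(f"{signer}: destination not on allowlist")
    return blind_sign(signer, digest_to_sign)


def approve_transfer(displayed_tx: dict, digest_to_sign: str, signers):
    """Collect independent approvals; the transfer executes only when at
    least REQUIRED_APPROVALS signers each verified the transaction themselves."""
    approvals = {}
    for signer in signers:
        try:
            approvals[signer] = verified_sign(signer, displayed_tx, digest_to_sign)
        except ValueError:
            pass  # a refusal simply withholds that signer's approval
    return len(approvals) >= REQUIRED_APPROVALS, approvals


def high_value_alert(tx: dict) -> bool:
    """Monitoring hook: flag transfers at or above the threshold in real time,
    independently of whether the signing step accepted them."""
    return tx["amount_eth"] >= HIGH_VALUE_THRESHOLD_ETH


if __name__ == "__main__":
    tampered_digest = tx_digest(TAMPERED_TX)
    # Blind signers happily authorise the tampered digest.
    print("blind signature over tampered tx:", blind_sign("alice", tampered_digest)[:16], "...")
    # Verified signers all refuse, so the 2-of-3 threshold is never reached.
    print("verified approval of tampered tx:", approve_transfer(INTENDED_TX, tampered_digest, SIGNER_KEYS))
    # The genuine transfer collects three approvals and also trips the alert.
    ok, approvals = approve_transfer(INTENDED_TX, tx_digest(INTENDED_TX), SIGNER_KEYS)
    print("verified approval of intended tx:", ok, sorted(approvals))
    print("high-value alert raised:", high_value_alert(INTENDED_TX))
```

The point of the comparison is that a blind signer cannot tell the two digests apart, so any compromise between the display and the signing device is invisible to it; a verified signer derives the digest from what it displays, so the tampered request fails at every approver and the multi-sig threshold is never met. The alert runs regardless of the signing outcome, which is what makes it a detection control rather than another gate.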

The Bybit incident serves as a wake-up call for anyone operating in the cloud, particularly those handling large amounts of digital assets. While cryptocurrency exchanges have unique security challenges, the lessons learned from this breach are universally applicable to any cloud security environment. By implementing strong multi-signature protocols, improving access control, enhancing real-time monitoring, and ensuring secure transaction signing, cloud security executives can build stronger defenses and reduce the likelihood of similar incidents occurring within their own organizations.

Shira Shamban, vice president of cloud, CYE
