Lazarus hacks Bybit, likely accessed multi-sig signers' devices in $1.5B ETH theft
February 21, 2025, 11:40 PM
North Korea's hacking group, Lazarus, orchestrated the largest-ever attack on a centralized crypto exchange by stealing over $1.5 billion in ETH and derivative tokens from Bybit on Feb. 21, as reported by The Block. According to Bybit's post-mortem investigation, the hackers manipulated the smart contract's logic and the signing interface to take control of the ETH cold wallet, resulting in the transfer of over 400,000 ETH and stETH to an unknown address. Following the theft, the funds were dispersed across multiple wallets in a typical Lazarus strategy.
Bybit suspects a vulnerability in Safe{Wallet}, a self-custodial multi-signature wallet, and is focusing its investigation on this potential flaw. Safe confirmed its cooperation with Bybit's ongoing probe and has temporarily disabled some functionalities of Safe as a precaution. Security experts suggest that Lazarus gained access to the devices of the cold wallet's multi-sig signers through various methods such as phishing, malware infections or a faulty Chrome plugin. This access allowed them to trick the signers into authorizing a malicious transaction by presenting a deceptive interface.