Posted on 04/05/2025 11:17:45 AM PDT by EnderWiggin1970
Reading this was really irritating. For all the sophistication of the Lazarus team, Bybit was making astonishing mistakes operationally. No serious online exchange should have CEOs sitting at home in their underwear making unilateral billion-dollar transfers.
Even smaller value, routine withdrawals and other transfers should only be happening with employees and hardware (and software) in dedicated secure facilities using silos - physically and computationally separate departments, such that multiple independent transactions need to be made to the blockchain to release funds (M of N multisig, in industry parlance). Combined with competent real-time monitoring and "3rd party" (another silo) verification of all such transaction requests, this would greatly complicate any hacking efforts. (Plus, any huge transfers should be broken down into reasonably smaller TX - they should have a policy of never doing a single TX over $100M for example, and staggering a series of such TX at 1/minute for example to ensure no more than 1 TX is at risk at a time.)
There are exchanges with great long term track records in this area (Kraken for example); those who are lax won't exist in the long term. Consumers should press for exchanges to publish the principles (but not precise details) used by exchanges to safeguard funds, and audits should be done to ensure they are followed.
The good news is this crime only affects centralized, 1st generation crypto exchanges (CEXs). Hackers can't empty the vaults of decentralized exchanges (DEXs) because they never have custody of customer funds. Once you exchange your old government money for crypto and get it off the exchange you can transact freely with other individuals and businesses without ever touching a bank/CEX and its vulnerabilities.
NK says they’re sorry, will send a check to repay.
As soon as we submit payment of $14.99 to cover the cost of sending the check, right? ;-)
Just make sure they don’t try to repay with cash. Those rascals are pretty good at counterfeiting US currency.
Anyone capable of pulling off a crypto scam is certainly capable of making it look like someone else did it.
The first investigation starts in house.
Thanks for that insight. Wouldn’t they need someone to let them know that the CEO periodically makes transfers from a cold wallet to a hot wallet? Doesn’t sound like normal security protocols and just the type of lax security in place to facilitate a heist like this. In other words an inside job.
Isn’t it about time things started randomly exploding in the hermit kingdom?
CC
Any requests for transfer should be sent to a number of separate entities. For example to a verification department, with the verification department's software reflecting back to the requestor's webpage the details of the request so they can see if anything changed. And then to multiple other departments each of which would sign a transaction and submit it to the blockchain as well as back to the first department to ensure the details have not been altered by a copy/paste attack.
I'm not a security pro and this is just off the cuff; I'm sure more security measures and review checks could be added. But any system is only as secure as its weakest link, and so even an exchange boasting of great security is worthless if it has a back door for the CEO to log in with PW=Admin and skip all the security "rigamarole."
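The control sketched in this post and in the earlier one about M-of-N silos and a per-transaction cap, as an added example that is not part of the thread: each silo signs the request details it actually received, so a request altered in transit (the copy/paste attack above) produces a digest mismatch and is rejected, as is an oversized or under-approved one. Silo names, HMAC keys, the sample request and the $100M cap are constructed placeholders.

```python
import hashlib
import hmac
import json

# Policy parameters from the thread (constructed values, not any real exchange's).
MAX_TX_USD = 100_000_000          # never a single transaction above $100M
REQUIRED_APPROVALS = 2            # M of N: two independent silos must sign off
# Per-silo signing keys (constructed placeholders for keys a silo would hold in hardware).
SILO_KEYS = {"verification": b"k-verify", "treasury": b"k-treasury", "risk": b"k-risk"}

def canonical_digest(request):
    """Hash the exact request details so every silo signs the same bytes."""
    encoded = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def silo_approve(silo, request_as_seen):
    """A silo signs the request as it sees it; an altered copy yields a different digest."""
    digest = canonical_digest(request_as_seen)
    tag = hmac.new(SILO_KEYS[silo], digest.encode(), "sha256").hexdigest()
    return {"silo": silo, "digest": digest, "tag": tag}

def authorize(original_request, approvals):
    """Return (ok, reason); reject oversized, under-approved or inconsistent requests."""
    if original_request["amount_usd"] > MAX_TX_USD:
        return False, "exceeds per-transaction cap"
    expected = canonical_digest(original_request)
    valid = set()                                   # distinct silos, so one silo can't vote twice
    for a in approvals:
        key = SILO_KEYS.get(a["silo"])
        if key is None:
            return False, f"unknown silo {a['silo']}"
        want = hmac.new(key, a["digest"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(want, a["tag"]):
            return False, f"bad signature from {a['silo']}"
        if a["digest"] != expected:
            return False, f"{a['silo']} saw different details (possible copy/paste alteration)"
        valid.add(a["silo"])
    if len(valid) < REQUIRED_APPROVALS:
        return False, f"only {len(valid)} of {REQUIRED_APPROVALS} required approvals"
    return True, "approved"

# Constructed sample: the original request and the copy one silo received with a swapped address.
REQUEST = {"id": "tx-001", "from": "cold-1", "to": "0xGOODADDR", "amount_usd": 50_000_000}
TAMPERED = dict(REQUEST, to="0xEVILADDR")

def demo():
    good = authorize(REQUEST, [silo_approve("verification", REQUEST), silo_approve("treasury", REQUEST)])
    bad = authorize(REQUEST, [silo_approve("verification", REQUEST), silo_approve("treasury", TAMPERED)])
    return good, bad
```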
As the article mentions, Lazarus group has been ID’d as the culprit in dozens of attacks now. I agree with you in principle that obfuscation is a concern, but there’s been quite the body of evidence the last few years and I haven’t heard the Norks denying anything. I think they have gotten pretty arrogant in imagining themselves untouchable since they have state backing (and are funding the NK state, I don’t think this is going into individual hackers’ pockets.)
What scares me the most is that our government has no way to recover the losses, yet they are looking at implementing crypto as legal tender FOR the US. There is no FDIC insurance for crypto, and people can, and are, literally bankrupted in a millisecond and the FBI cannot do a thing about it. I know, it happened to me.
Hacky bumpy.
I don’t get it.
First I must admit my knowledge of crypto was limited.
But I have often heard , how crypto is supposed to be so safe. Because the block chain is stored in multiple computer systems world wide, and every specific transaction is tracked in those multiple systems.
From my limited knowledge, it should be impossible for crypto to just be stolen, because of how the block chain tracks every single transaction in multiple places.
When did this happen? The link just says "after 2022."
So is that Nork money?
But the script they ran and the fact that it is this f-----g easy, means a true systemic global Mt. Gox that decapitates BTC and triggers the complete implosion of all crypto is just around the corner. And sh!t is going to get real weird real fast when that happens...
You save lots of cash by letting your people starve unless they join the army. Then you got money to hire hackers to make more money. Black market organ transplants from felons and political prisoners to rich foreigners very big money maker, too. Who says I can’t balance budget.
This sneaky pete passive aggressive crap will only end when we put the world on notice that cyber crime is now an act of cyber war.
Then we start sinking ships, cratering planes, and seizing assets anywhere in the world by keyboard, quill and kinetic weapons.
A couple dozen prize ships docking in NYC crewed by the USN would send a message.
Hoist the Jolly Roger, the Clean Sweep Broom, and break out the kill stencils and rattle cans!
The only thing that changes during a transaction or a theft is the new residence of those particular Bitcoins.
The people who own Bitcoins have a unique 64 bit alpha-numeric pass code into their Bitcoin account, or multiple accounts.
Misplace your pass codes? Bye, bye, Bitcoins, at least until quantum computers can hunt them down.
Anyway, that is my anecdotal understanding.
My wife likes to tell me that I’m very smart, and indeed it takes some brains to be a master electrician.
But after reading through this thread I’m once again slapped with just how ignorant I really am.