How North Korean Hackers Stole $1.5 Billion of Cryptocurrency From Bybit Exchange

Mar 06, 2025 at 06:29 pm

On the night of Feb. 21, Ben Zhou, the chief executive of the cryptocurrency exchange Bybit, logged on to his computer to approve what appeared to be a routine transaction.

The chief executive of the cryptocurrency exchange Bybit logged on to his computer on the night of Feb. 21 to approve what appeared to be a routine transaction. His company was moving a large sum of Ether, a popular digital currency, from one account to another.

Thirty minutes later, Mr. Zhou got a call from Bybit’s chief financial officer. In a trembling voice, the chief financial officer told Mr. Zhou that their system had been hacked.

“All of the Ethereum is gone,” he said.

When Mr. Zhou approved the transaction, he had inadvertently handed control of an account to hackers backed by the North Korean government, who stole $1.5 billion in cryptocurrencies—the largest heist in the industry’s history.

To pull off the astonishing breach, the hackers exploited a simple flaw in Bybit’s security: its reliance on a free software product. They penetrated Bybit by manipulating a system that the exchange used to safeguard hundreds of millions of dollars in customer deposits. For years, Bybit had used the storage software, developed by a technology provider called Safe, even as other security firms sold more specialized tools for businesses.

The F.B.I. is investigating the theft, which occurred in February and March, according to people familiar with the matter. The agency said in a statement that it was aware of the threat posed by North Korean hackers, known as the Lazarus Group, and was working to identify and disrupt their illicit activities.

“The F.B.I. is actively investigating malicious cyberactivity by the Lazarus Group, which poses a significant threat to individuals, businesses and national security,” the agency said.

The theft began in December, when the Lazarus Group set up a fake cryptocurrency hedge fund to try to gain the trust of employees at several exchanges, according to two people familiar with the matter. They contacted employees on LinkedIn and Telegram, posing as investors seeking to invest billions of dollars in cryptocurrency.

But the employees ignored the overtures, and the Lazarus Group couldn’t penetrate the exchanges’ main defenses, which were designed to deter hackers and prevent them from stealing coins directly from exchange wallets. So the hackers turned to Plan B: They went after the exchanges’ technology vendors.

The Lazarus Group had previously used this tactic to steal $100 million from the cryptocurrency platform Atomic Wallet in August, according to two people familiar with the matter. In that instance, the hackers went after a technology vendor that Atomic Wallet used for software to manage coins in hot wallets, which are digital wallets that hold smaller amounts of cryptocurrency and are used for daily operations.

In the case of Bybit, the hackers went after a technology vendor that the exchange used for software to manage coins in cold wallets, which are digital wallets that hold larger amounts of cryptocurrency and are used for long-term storage.

At the time, Bybit was using a service from a startup called ChainX to manage its hot wallets and a service from Safe to manage its cold wallets. Both startups sell software products that are designed to help businesses manage their cryptocurrency more efficiently.

The hackers went after Safe because it offered a free tier of its cold-wallet management software, according to two people familiar with the matter. They were able to download the software and set up a fake version of the service.

The startup also sells a paid tier of its service that offers more specialized security features, but Bybit wasn’t using this tier of the software. Instead, it was using the free tier of Safe’s service because it was designed for smaller businesses and didn’t require a large setup fee.

The hackers used this fact to their advantage. They created a fake version of Safe’s service and tried to get Bybit employees to use it to transfer coins. At first, the employees ignored the overtures. But then the hackers threatened to report the exchange to regulators if it didn’t cooperate.

The exchange ultimately decided to transfer a small amount of Ether to the account that the hackers set up, hoping to appease them and get them to leave the company alone.

The hackers used this small transfer to gain the trust of a midlevel manager at Bybit, who began transferring larger sums of Ether to the account over several days.

Finally, on Feb. 21, the manager transferred nearly all of Bybit’s Ether holdings—about $1.5 billion—to an account controlled by the hackers.

The hackers then quickly moved the Ether to another cryptocurrency—PChain—and fled the scene.

Bybit executives discovered the theft the next morning when they arrived at the office and saw that all of the exchange’s Ether had vanished. They immediately contacted the F.B.I., which began an investigation.

The F.B.I. is still investigating the theft and hasn’t yet determined how the hackers were able to penetrate Bybit’s security systems. However, two people familiar with the matter said that the hackers may have been able to exploit a vulnerability in one of the startup’
