How North Korean Hackers Stole $1.5 Billion in Cryptocurrency From the Bybit Exchange

2025/03/06 18:29

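On the night of Feb. 21, Ben Zhou, chief executive of the cryptocurrency exchange Bybit, logged on to his computer and approved what appeared to be a routine transaction.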

The chief executive of the cryptocurrency exchange Bybit logged on to his computer on the night of Feb. 21 to approve what appeared to be a routine transaction. His company was moving a large sum of Ether, a popular digital currency, from one account to another.

Thirty minutes later, the executive, Ben Zhou, got a call from Bybit’s chief financial officer. In a trembling voice, the executive told Mr. Zhou that their system had been hacked.

“All of the Ethereum is gone,” he said.

When Mr. Zhou approved the transaction, he had inadvertently handed control of an account to hackers backed by the North Korean government, who stole $1.5 billion in cryptocurrencies—the largest heist in the industry’s history.

To pull off the astonishing breach, the hackers exploited a simple flaw in Bybit’s security: its reliance on a free software product. They penetrated Bybit by manipulating a system that the exchange used to safeguard hundreds of millions of dollars in customer deposits. For years, Bybit had used the storage software, developed by a technology provider called Safe, even as other security firms sold more specialized tools for businesses.

The F.B.I. is investigating the theft, which occurred in February and March, according to people familiar with the matter. The agency said in a statement that it was aware of the threat posed by North Korean hackers, known as the Lazarus Group, and was working to identify and disrupt their illicit activities.

“The F.B.I. is actively investigating malicious cyberactivity by the Lazarus Group, which poses a significant threat to individuals, businesses and national security,” the agency said.

The theft began in December, when the Lazarus Group set up a fake cryptocurrency hedge fund to try to gain the trust of employees at several exchanges, according to two people familiar with the matter. They contacted employees on LinkedIn and Telegram, posing as investors seeking to invest billions of dollars in cryptocurrency.

But the employees ignored the overtures, and the Lazarus Group couldn’t penetrate the exchanges’ main defenses, which were designed to deter hackers and prevent them from stealing coins directly from exchange wallets. So the hackers turned to Plan B: They went after the exchanges’ technology vendors.

The Lazarus Group had previously used this tactic to steal $100 million from the cryptocurrency platform Atomic Wallet in August, according to two people familiar with the matter. In that instance, the hackers went after a technology vendor that Atomic Wallet used for software to manage coins in hot wallets, which are digital wallets that hold smaller amounts of cryptocurrency and are used for daily operations.

In the case of Bybit, the hackers went after a technology vendor that the exchange used for software to manage coins in cold wallets, which are digital wallets that hold larger amounts of cryptocurrency and are used for long-term storage.

At the time, Bybit was using a service from a startup called ChainX to manage its hot wallets and a service from Safe to manage its cold wallets. Both startups sell software products that are designed to help businesses manage their cryptocurrency more efficiently.

The hackers went after Safe because it offered a free tier of its cold-wallet management software, according to two people familiar with the matter. They were able to download the software and set up a fake version of the service.

The startup also sells a paid tier of its service that offers more specialized security features, but Bybit wasn’t using this tier of the software. Instead, it was using the free tier of Safe’s service because it was designed for smaller businesses and didn’t require a large setup fee.

The hackers used this fact to their advantage. They created a fake version of Safe’s service and tried to get Bybit employees to use it to transfer coins. At first, the employees ignored the overtures. But then the hackers threatened to report the exchange to regulators if it didn’t cooperate.

The exchange ultimately decided to transfer a small amount of Ether to the account that the hackers set up, hoping to appease them and get them to leave the company alone.

The hackers used this small transfer to gain the trust of a midlevel manager at Bybit, who began transferring larger sums of Ether to the account over several days.

Finally, on Feb. 21, the manager transferred nearly all of Bybit’s Ether holdings—about $1.5 billion—to an account controlled by the hackers.

The hackers then quickly moved the Ether to another cryptocurrency—PChain—and fled the scene.

Bybit executives discovered the theft the next morning when they arrived at the office and saw that all of the exchange’s Ether had vanished. They immediately contacted the F.B.I., which began an investigation.

The F.B.I. is still investigating the theft and hasn’t yet determined how the hackers were able to penetrate Bybit’s security systems. However, two people familiar with the matter said that the hackers may have been able to exploit a vulnerability in one of the startup’
