The $1.4B Bybit exchange hack is the largest in history, and it requires us to learn crucial lessons about the reliability of this platform and the security of the whole crypto industry.
Here, we will delve deeply into Bybit’s system security measures, as well as funds and customer protection, to better understand how one of the biggest crypto platforms with millions of users worldwide became a victim of a successful cyber attack.
Was Bybit Hacked?
First things first: let’s get a clear definition of “hack” and determine whether Bybit was hacked. A hack means that some system has a vulnerability, and bad actors explored and exploited it earlier than the security team could fix it.
Thus, from a purely technical standpoint, a system can be considered hacked if:
- It has a known or zero-day vulnerability that was exploited by an attacker.
- The attacker gained unauthorized access to the system's internals or data.
Let’s evaluate this from a technical perspective, with the recent research from two cybersecurity firms, Verichains and Sygnia Labs, being particularly helpful. Specifically, Verichains’ report clarifies that the issue was not on Bybit’s side but rather in the multi-signature service Safe:
- Proxy wallet management compromise
- Spoofs the logic of the proxy contract
- Funds withdrawal
Does This Mean That Bybit Was Not Hacked?
First, let’s answer another question: Can a hack only occur due to technical reasons? Not really, because today’s systems are mostly too complex, meaning an attacker must develop a sophisticated attack that combines technical vulnerabilities in the target system or its integrations with social engineering, where the targets are internal staff, vendors, etc.
Therefore, dividing attack tactics and scenarios into technical and non-technical categories does not provide a clear-cut definition, and it’s better to assess it based on the outcome.
One of the classic and precise ways to evaluate this is the CIA triad, which states that a system should be designed to ensure that its information maintains three key principles: Confidentiality, Integrity, and Availability.
Confidentiality – Not Compromised Overall
Integrity – Compromised, But Not in Bybit’s Infrastructure
Availability – Not Compromised Overall
After reviewing this situation from multiple perspectives, we can conclude that, strictly speaking, Bybit was not hacked, but it was subjected to a sophisticated and successful attack by the Lazarus Group, as discovered by ZachXBT. Although the investigation is still ongoing, the latest reports indicate that Bybit’s systems, infrastructure, and data were not compromised, further confirming my initial assumption.
Bybit Security Measures
Let’s use an analogy: suppose a criminal decides to rob a bank. If the bank lacks proper security, they can simply walk in, make threats, and leave with the stolen money. However, with many cameras and guards, the attacker will be forced to look for alternative ways to carry out the heist—otherwise, the risk would be too high.
Now, this leads us to the logical conclusion that since the attackers chose not to conduct a direct attack but instead carried out a more complex and costly operation, it indicates that Bybit is well-protected against direct intrusions.
Let’s look at the specific security mechanisms and protective measures Bybit has in place, which forced the attackers to compromise intermediaries rather than the platform itself.
Asset Protection: Cold Wallets and Cryptographic Security
Bybit places significant emphasis on the secure storage of assets, and ironically, this was not enough to prevent the incident. Specifically, they store the majority of funds in cold wallets, withdrawing a portion every three weeks to facilitate user withdrawals and other platform operations. In this context, they implement a triple-layer security system:
- Multi-Signature Authentication – Requiring multiple independent signatures for withdrawals from cold wallets, preventing unauthorized access.
- Trusted Execution Environment (TEE) – A secure execution environment that protects critical operations from external attacks.
- Threshold Signature Schemes (TSS) – Distributing signing authority among multiple independent participants to eliminate single points of failure.
However, as we now know, the third-party Multi-Signature Authentication service turned out to be one of the weak points. Yet, everything under Bybit’s direct control remained secure—otherwise, we would have seen all of the exchange’s funds stored in hot wallets, exposed to direct attacks, putting not just some wallets but the entire platform at risk.
Real-Time Transaction Monitoring and Control
As a part of its risk control system, Bybit implements continuous analysis of user activity and transactions.
- User Behavior Analysis – The exchange detects and analyzes suspicious activities such as logins from new devices, abnormal transaction volumes, or IP address changes.
- Automated Authentication Enhancement – If the system detects deviations from normal behavior, such as an attempt to withdraw large amounts of funds, the user will be required to undergo additional identity verification.
- Notification and Logging System – Any changes to the account, login attempts, API key modifications, or large withdrawals are instantly recorded and reported to
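The three controls listed above can be sketched as one replay over account events. This is an added example, not Bybit's code: the event fields, the 10x-median threshold and the minimum history size are assumptions, and the sample events are constructed.

```python
from statistics import median

# Constructed sample events for one account (not real exchange data).
EVENTS = [
    {"type": "login", "device": "dev-A", "ip": "198.51.100.7"},
    {"type": "withdraw", "device": "dev-A", "ip": "198.51.100.7", "amount": 120.0},
    {"type": "withdraw", "device": "dev-A", "ip": "198.51.100.7", "amount": 90.0},
    {"type": "withdraw", "device": "dev-A", "ip": "198.51.100.7", "amount": 150.0},
    {"type": "login", "device": "dev-B", "ip": "203.0.113.50"},
    {"type": "withdraw", "device": "dev-B", "ip": "203.0.113.50", "amount": 5000.0},
]

VOLUME_FACTOR = 10  # assumed: flag withdrawals above 10x the account median
MIN_HISTORY = 3     # assumed: withdrawals needed before a baseline exists


def evaluate(events):
    """Replay events in order and return an audit log of
    (index, decision, reasons) tuples, one per event."""
    devices, ips, amounts, audit = set(), set(), [], []
    for i, ev in enumerate(events):
        reasons = []
        # User behavior analysis: the first event enrols the baseline,
        # later events are compared against it.
        if devices and ev["device"] not in devices:
            reasons.append("new_device")
        if ips and ev["ip"] not in ips:
            reasons.append("ip_change")
        if (ev["type"] == "withdraw" and len(amounts) >= MIN_HISTORY
                and ev["amount"] > VOLUME_FACTOR * median(amounts)):
            reasons.append("abnormal_volume")
        # Authentication enhancement: any deviation forces extra verification.
        decision = "step_up" if reasons else "allow"
        # Logging: every event is recorded, allowed or not.
        audit.append((i, decision, reasons))
        # Only allowed events update the baseline, so an unverified
        # device or amount cannot make itself look normal.
        if decision == "allow":
            devices.add(ev["device"])
            ips.add(ev["ip"])
            if ev["type"] == "withdraw":
                amounts.append(ev["amount"])
    return audit


if __name__ == "__main__":
    for entry in evaluate(EVENTS):
        print(entry)
```

Because the baseline is updated only from allowed events, the login from `dev-B` does not whitelist that device for the withdrawal that follows it.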