The chief executive of the cryptocurrency exchange Bybit logged on to his computer on the night of Feb. 21 to approve what appeared to be a routine transaction. His company was moving a large sum of Ether, a popular digital currency, from one account to another.
Thirty minutes later, the executive, Ben Zhou, got a call from Bybit’s chief financial officer. In a trembling voice, the executive told Mr. Zhou that their system had been hacked.
“All of the Ethereum is gone,” he said.
When Mr. Zhou approved the transaction, he had inadvertently handed control of an account to hackers backed by the North Korean government, who stole $1.5 billion in cryptocurrencies—the largest heist in the industry’s history.
To pull off the astonishing breach, the hackers exploited a simple flaw in Bybit’s security: its reliance on a free software product. They penetrated Bybit by manipulating a system that the exchange used to safeguard hundreds of millions of dollars in customer deposits. For years, Bybit had used the storage software, developed by a technology provider called Safe, even as other security firms sold more specialized tools for businesses.
The F.B.I. is investigating the theft, which occurred in February and March, according to people familiar with the matter. The agency said in a statement that it was aware of the threat posed by North Korean hackers, known as the Lazarus Group, and was working to identify and disrupt their illicit activities.
“The F.B.I. is actively investigating malicious cyberactivity by the Lazarus Group, which poses a significant threat to individuals, businesses and national security,” the agency said.
The theft began in December, when the Lazarus Group set up a fake cryptocurrency hedge fund to try to gain the trust of employees at several exchanges, according to two people familiar with the matter. They contacted employees on LinkedIn and Telegram, posing as investors seeking to invest billions of dollars in cryptocurrency.
But the employees ignored the overtures, and the Lazarus Group couldn’t penetrate the exchanges’ main defenses, which were designed to deter hackers and prevent them from stealing coins directly from exchange wallets. So the hackers turned to Plan B: They went after the exchanges’ technology vendors.
The Lazarus Group had previously used this tactic to steal $100 million from the cryptocurrency platform Atomic Wallet in August, according to two people familiar with the matter. In that instance, the hackers went after a technology vendor that Atomic Wallet used for software to manage coins in hot wallets, which are digital wallets that hold smaller amounts of cryptocurrency and are used for daily operations.
In the case of Bybit, the hackers went after a technology vendor that the exchange used for software to manage coins in cold wallets, which are digital wallets that hold larger amounts of cryptocurrency and are used for long-term storage.
At the time, Bybit was using a service from a startup called ChainX to manage its hot wallets and a service from Safe to manage its cold wallets. Both startups sell software products that are designed to help businesses manage their cryptocurrency more efficiently.
The hackers went after Safe because it offered a free tier of its cold-wallet management software, according to two people familiar with the matter. They were able to download the software and set up a fake version of the service.
The startup also sells a paid tier of its service that offers more specialized security features, but Bybit wasn’t using this tier of the software. Instead, it was using the free tier of Safe’s service because it was designed for smaller businesses and didn’t require a large setup fee.
The hackers used this fact to their advantage. They created a fake version of Safe’s service and tried to get Bybit employees to use it to transfer coins. At first, the employees ignored the overtures. But then the hackers threatened to report the exchange to regulators if it didn’t cooperate.
The exchange ultimately decided to transfer a small amount of Ether to the account that the hackers set up, hoping to appease them and get them to leave the company alone.
The hackers used this small transfer to gain the trust of a midlevel manager at Bybit, who began transferring larger sums of Ether to the account over several days.
Finally, on Feb. 21, the manager transferred nearly all of Bybit’s Ether holdings—about $1.5 billion—to an account controlled by the hackers.
The hackers then quickly moved the Ether to another cryptocurrency—PChain—and fled the scene.
Bybit executives discovered the theft the next morning when they arrived at the office and saw that all of the exchange’s Ether had vanished. They immediately contacted the F.B.I., which began an investigation.
The F.B.I. is still investigating the theft and hasn’t yet determined how the hackers were able to penetrate Bybit’s security systems. However, two people familiar with the matter said that the hackers may have been able to exploit a vulnerability in one of the startup’