The Largest Cyber-Heist You May Have Missed
You might have been busy and not noticed, but on February 21, 2025, approximately $1.46 billion in crypto assets were stolen from Bybit, a Dubai-based crypto exchange. You can be forgiven for being desensitized to the largest cyber-heist in history, because apart from a few extra zeros, that is about the only thing distinguishing it from the other mass cyber-heists that seem to arrive on a regular schedule.
Avoiding Speculation: Understanding the Facts
Unlike the media and much of the security industry, I resisted speculation. I waited for the dust to settle, which is why you are getting this from me only now. Like, "OMG, did a 1337 North Korean h4x0r hang from the ceiling like Tom Cruise and deftly insert themselves into a zero-day 'cold' wallet flaw?"
The Breach: How a ‘Cold’ Wallet Was Compromised
Wait! There is some techno-coolness after all. Our North Korean antagonists managed to drain a so-called "cold" crypto wallet: in Bybit's case, a multi-signature wallet whose signing keys are held on hardware devices kept off the network, so that no single online machine can move the funds. Such wallets are kept mostly isolated from the internet and were considered almost impervious to attack. So, how?
The Attack Vector: Exploiting the Basics
OK, maybe not "click here for free coffee" email stuff, but it turns out the attack was still rooted in the basics. Safe{Wallet}, the multisig wallet platform Bybit uses to approve transactions, had one of its developers' machines compromised. The initial access vector has not been disclosed: we do not know whether phishing, some other weakness in the developer's environment, or "free coffee" was involved.

The Execution: Malicious Code Injection
From that compromised developer machine, according to Sygnia, the forensic investigation firm Bybit hired, malicious JavaScript was injected into the AWS S3 bucket from which Safe{Wallet} serves its web application. The injected code was designed to manipulate transaction data during the signing process. It activated only when the transaction originated from known Bybit Ethereum wallets, and otherwise behaved normally, lying in wait for a routine transfer from the "cold" wallet to a "warm" one that it could hijack.
The Aftermath: A Predefined Target for the Exploit
This tells us the attacker had predefined targets for the exploit rather than opportunistically hitting every Safe{Wallet} user. Three Bybit signers, including its CEO, approved what their interface showed as a routine transfer. Because the malicious JavaScript had already rewritten the payload, what they actually signed altered the wallet's logic, handing the attackers control of the contract and letting them redirect roughly 515K ETH and ETH derivatives to an address they own. The entire Bybit ETH "cold" wallet was emptied.
What This Means for You
So perhaps you are thinking, "Luckily, I don't deal with billions in cryptocurrency every day!" However, securing and testing third-party development and partner environments, dealing with malicious JavaScript injected into web front ends, and assessing the impact of a poisoned AWS S3 bucket are things we deal with every day in application vulnerability assessments.
These are core processes and software tools found throughout the internet application universe, and they are undoubtedly part of your applications and your business partners' applications today.
Our way of dealing with them is far, far cheaper.