Monday, March 3, 2025

ByBit Crypto Hack Was the Biggest in the World. Just how?


The recent security breach at Bybit has sent shockwaves through the cryptocurrency world, marking what is being called one of the largest digital asset thefts in history. CoinJar is not affected by this incident. Here’s a breakdown of what we know and what may have happened.

What Happened at ByBit

Bybit, a major cryptocurrency exchange, experienced a significant security breach resulting in the theft of a massive amount of

, ByBit reported that approximately $1.5 billion worth of digital assets were compromised.

How the attack unfolded

Based on ByBit’s investigation so far, here is a simplified explanation:

1. Compromised developer computer

A computer belonging to developers at Safe Global (often referred to as Safe{Wallet}) was hacked.

Safe Global is a provider of cryptocurrency wallets, and it is important to note that CoinJar does not use Safe Global for its crypto storage.

2. Malicious code inserted on AWS

The attackers gained access to Safe’s Amazon Web Services (AWS) S3 bucket, where key files were stored. They injected malicious JavaScript code into these files.

3. Supply chain attack trigger

This harmful code was specifically designed to alter transaction details during the signing process. It was triggered if a transaction originated from ByBit’s contract address.

4. Swift cover-up

Two minutes after executing each malicious transaction, the attackers replaced the compromised code in the S3 bucket with clean versions, erasing direct evidence of the tampering.

5. Impact on ByBit

When users tried to move funds via Safe’s service, the malicious script silently modified the transaction details during approval, affecting only those transactions associated with ByBit. 

This underscores that the attack started with Safe’s storage environment, rather than ByBit’s infrastructure.
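
As an added example (not code from the original article, Safe or ByBit), the following Node.js code shows how hashing served script files against digests pinned at build time records a temporary swap like the one in steps 2 and 4, even after the clean file has been put back. The file name, file bodies, polling interval and function names are constructed for illustration.

```javascript
// Added example (Node.js). File names, bodies and timestamps are constructed.
const crypto = require("crypto");

// SRI-style digest of a served file body, as pinned at build time.
function sriDigest(body) {
  return "sha384-" + crypto.createHash("sha384").update(body).digest("base64");
}

// pinned: { file: digest } recorded by the build pipeline.
// observations: time-ordered [{ t, file, body }] from a poller that fetches
// each asset the same way a browser would.
// Returns one incident per run of mismatching fetches, so a file that was
// changed and later restored still leaves a record with its time window.
function auditObservations(pinned, observations) {
  const open = new Map(); // file -> incident still in progress
  const incidents = [];
  for (const { t, file, body } of observations) {
    const digest = sriDigest(body);
    const current = open.get(file);
    if (digest === pinned[file]) {
      if (current) { current.restoredAt = t; open.delete(file); }
      continue;
    }
    if (current && current.digest === digest) {
      current.lastSeen = t;
    } else {
      const incident = { file, digest, firstSeen: t, lastSeen: t, restoredAt: null };
      incidents.push(incident);
      open.set(file, incident);
    }
  }
  return incidents;
}

// Constructed sample: a bundle polled every 60 s, altered for two polls, then restored.
const CLEAN = "/* app bundle, build 1 */";
const ALTERED = "/* app bundle, build 1, contents changed after deploy */";
const PINNED = { "app.js": sriDigest(CLEAN) };
const OBSERVATIONS = [0, 60, 120, 180, 240].map((t) => ({
  t, file: "app.js", body: t === 60 || t === 120 ? ALTERED : CLEAN,
}));

console.log(auditObservations(PINNED, OBSERVATIONS));
```

The polling interval bounds what can be seen: a change that is made and reverted between two polls is only visible in storage-side logs or object versioning, not in this audit.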

A number of commentators have pointed out that, in hindsight, certain security measures appear to have been inadequate. They raise a few points.

ByBit’s security checks

Commentators say that even though the attackers used a sophisticated supply chain approach, ByBit’s internal processes should have caught discrepancies in the transaction instructions. 

In particular, when moving large sums (over $1 billion), exchanges typically verify transaction details on a separate, air-gapped machine (a completely isolated computer).

Human vulnerabilities in complex attacks

While some aspects of this hack may appear “basic,” the broader supply chain tactic was sophisticated, using compromised third-party code that would not have been easy to detect in real time. It seems any system can be vulnerable when attackers gain access through indirect avenues.

Missed double-checks

According to industry best practices, large transfers should be verified more than once, especially if initiated by an external service. Some commentators believe ByBit could have implemented stronger fail-safes to confirm transaction details independently of Safe’s code.
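
The double-check described above, as an added example that is not part of the original article and is not ByBit's or Safe's code: each verifier decodes the payload actually presented for signing on a separate machine, and signing is released only if every decoded copy matches the instruction approved out of band. The field names follow a Safe transaction (to, value, data, operation); the addresses, host names, threshold and function names are assumptions made for illustration.

```javascript
// Added example. Field names follow a Safe transaction (to, value, data,
// operation); addresses, hosts, limits and function names are constructed.
const FIELDS = ["to", "value", "data", "operation"];

// Canonical form, so letter case or number formatting cannot hide a difference.
function normalize(tx) {
  return {
    to: String(tx.to).toLowerCase(),
    value: BigInt(tx.value).toString(),
    data: String(tx.data ?? "0x").toLowerCase(),
    operation: String(Number(tx.operation ?? 0)),
  };
}

// Fields where the payload a verifier decoded differs from the approved instruction.
function diffFields(approved, decoded) {
  const a = normalize(approved), d = normalize(decoded);
  return FIELDS.filter((f) => a[f] !== d[f]);
}

// approved: instruction recorded out of band (for example the treasury ticket).
// reports: [{ verifier, host, tx }], each tx decoded from the payload actually
// presented for signing, on a machine that does not load the wallet web UI.
function releaseDecision(approved, reports, policy) {
  const reasons = [];
  const hosts = new Set(); // distinct machines that confirmed a full match
  for (const r of reports) {
    const diff = diffFields(approved, r.tx);
    if (diff.length) reasons.push(`${r.verifier}@${r.host}: mismatch in ${diff.join(", ")}`);
    else hosts.add(r.host);
  }
  const large = BigInt(approved.value) >= BigInt(policy.largeTransferWei);
  const needed = large ? policy.verifiersForLarge : 1;
  if (hosts.size < needed) reasons.push(`${hosts.size} of ${needed} independent confirmations`);
  const allowed = policy.allowedDestinations.map((x) => x.toLowerCase());
  if (!allowed.includes(normalize(approved).to)) reasons.push("destination not on allowlist");
  return { sign: reasons.length === 0, reasons };
}

// Constructed sample values.
const COLD = "0x" + "11".repeat(20), OTHER = "0x" + "22".repeat(20);
const POLICY = { largeTransferWei: "1000000000000000000000", verifiersForLarge: 2,
                 allowedDestinations: [COLD] };
const APPROVED = { to: COLD, value: "400000000000000000000000", data: "0x", operation: 0 };
const ALTERED_TX = { ...APPROVED, to: OTHER };
const result = releaseDecision(APPROVED, [
  { verifier: "alice", host: "airgap-1", tx: APPROVED },
  { verifier: "bob", host: "airgap-2", tx: ALTERED_TX }], POLICY);
console.log(result);
```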

ByBit’s response

ByBit’s CEO, Ben Zhou, has pledged to reimburse affected users, reassuring customers that their losses will be covered.

ByBit is reportedly working on securing bridge loans to cover losses, while emphasising its commitment to transparent communication with the community.

ByBit has partnered with blockchain forensic companies to track the stolen funds. Its prompt and open response has been relatively well-received, helping maintain some degree of market confidence despite the severity of the incident.

Conclusion: A lesson on sophisticated supply chain attacks

The ByBit hack, while a devastating blow to the exchange and its users, is a stark reminder of the ever-evolving threats in both traditional and decentralised finance. 

Although commentators have criticised ByBit for procedural lapses (such as a lack of transaction-verification methods), this breach also reveals the complexity of supply chain attacks. They often only become clear after the damage is done, because attackers exploit trust relationships with third parties and cover their tracks swiftly.

ByBit’s quick and transparent response, along with its pledge to reimburse users, has helped mitigate the immediate fallout. While some suggest that only a state-sponsored attacker could pull off such a large-scale theft, the exact identity of the perpetrators remains unknown. 

What is certain is that criminals continue to refine their methods, and vigilance remains crucial.

The finance industry, whether in the traditional space or the crypto realm, must accept the reality of increasingly sophisticated cyber threats. 

For everyone in crypto, the hope is that ByBit can recover the stolen funds. 


UK residents: Don’t invest unless you’re prepared to lose all the money you invest. This is a high‑risk investment and you should not expect to be protected if something goes wrong. Take 2 minutes to learn more: www.coinjar.com/uk/risk-summary.

Cryptoassets traded on CoinJar UK Limited are largely unregulated in the UK, and you are unable to access the Financial Service Compensation Scheme or the Financial Ombudsman Service. We use third party banking, safekeeping and payment providers, and the failure of any of these providers could also lead to a loss of your assets. We recommend you obtain financial advice before making a decision to use your credit card to purchase cryptoassets or to invest in cryptoassets. Capital Gains Tax may be payable on profits.

CoinJar’s digital currency exchange services are operated in Australia by CoinJar Australia Pty Ltd ACN 648 570 807, a registered digital currency exchange provider with AUSTRAC; and in the United Kingdom by CoinJar UK Limited (company number 8905988), registered by the Financial Conduct Authority as a Cryptoasset Exchange Provider and Custodian Wallet Provider in the United Kingdom under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (Firm Reference No. 928767).

EU residents: CoinJar Europe Limited (CRO 720832) is registered as a VASP and supervised by the Central Bank of Ireland (Registration number C496731) for Anti-Money Laundering and Countering the Financing of Terrorism purposes only.
