How North Korea cracked Bybit’s crypto safe to steal $1.5 billion in a record heist

“It was such a huge amount,” Ben Zhou, the cofounder and CEO of Bybit, said in an interview following the robbery.

Less than one week after the hack, the Federal Bureau of Investigation declared that North Korea was responsible for the breach. It’s also since emerged that, even by the standards of cybercrime, this was no ordinary hack: It was a calculated, creative, and highly advanced exploit that targeted a fundamental layer of Bybit’s infrastructure.

“This is a level up from any attack I’ve previously seen,” Omer Goldberg, founder and CEO of Chaos Labs, a crypto risk management firm, told Fortune.

Here’s how North Korea tricked Bybit, according to preliminary findings from the crypto exchange and one of its tech providers, Safe.

Bybit and Safe

Safe is one of many companies that develops tech to help people manage their cryptocurrency, like Bitcoin. Specifically, the firm builds open-source software that companies like Bybit use to create online wallets to store their crypto. The wallets are akin to bank vaults that need multiple keys to be unlocked.

Bybit used Safe to safeguard at least $1.5 billion of Ethereum, the world’s second largest cryptocurrency by market capitalization. Any time an employee from Bybit wanted to move the exchange’s Ethereum to another location, he or she signed into Safe’s website. Because Safe’s software is open-source, the company and Bybit had no formal business relationship, Stefan George, one of the original developers behind Safe’s technology, told Fortune.

Malware download

Even as Bybit was placing stores of Ethereum in Safe’s digital vault, North Korea’s group of elite hackers lay in wait, watching their moves. “They prepared it over a very long period of time, like definitely more than a month … probably many months,” George said.

Then they pounced. The Safe team has about 30 engineers, and a handful of them are “sys admins,” or system administrators. Sys admins are senior developers who are able to update Safe’s live website and code.

North Korean hackers targeted one admin in what was likely a phishing attack, George said, probably by tricking them into downloading an application or divulging personal info. The FBI has called the tactic North Korean hackers use “TraderTraitor.” George wouldn’t disclose any more details about how a Safe employee was tricked, citing an ongoing investigation.

Site update

After hackers duped the Safe system admin, they used their access to the person’s controls to download malware to the developer’s machine, which gave North Korea control over the admin’s computer, George said. From there, hackers updated Safe’s website with a snippet of code designed exclusively for Bybit, like a virus that activates when in contact with the right host.

In late February, the dormant code detected that a Bybit employee had opened its Safe account and was about to authorize a transaction. At the last moment, hackers swapped in a new command to drain Bybit’s crypto holdings. The employee unknowingly authorized the command, and North Korea was suddenly flush with $1.5 billion in crypto. Two minutes after the heist, Safe’s website was updated to hide the hackers’ tracks and erase the code snippet, according to a security investigation Bybit commissioned.

The investigation into how North Korea compromised a Safe developer’s computer is still ongoing, George told Fortune.

Goldberg, the CEO of Chaos Labs, told Fortune that the hack of Bybit is indicative of a broader problem in software. The vast majority of programmers use code from other programmers, who reference apps built by yet another batch of developers. “We’re building on houses of cards, and you know what you build,” he said. “You don’t know what’s going on underneath.”