How on earth is it possible they can cover a 1.5B loss? Are they really sitting on that much profit, or is the goal to ponzi it out from here, MtGox style?
There should be something like a "finalizing transaction", which both the sender and receiver need to sign after the first transaction has been mined, i.e. like an in-built escrow. If it's not signed by both, then funds are returned. This wouldn't protect against key leakage, but in this case, the tx was signed by accident. This would also protect against sending to wrong address.
> The wallet in question appears to have sent 401,346 ETH ($1.1 billion) as well as several other iterations of staked ether (stETH) to a fresh wallet, which is now liquidating mETH and stETH on decentralized exchanges, etherscan shows. The wallet has sold around $200 million worth of stETH so far.
If you showed me a paragraph like this a decade ago and told me it was from 2025, I would have a difficult time believing you.
Crypto shenanigans were happening in 2015, even as far back as 2010, so I would have to absolutely believed you to hear that it continues happening, as crypto is a fundamentally unstable platform.
It's definitely embarrassing that people losing their shirts in crypto didn't see it coming. It's bad that people think a zero sum game is worth playing against incumbents. The marks aren't the worst part, though. Everyone promoting memecoins and utility-free cryptocurrency in general is either ignorant or just a bad person with a warped idea of success. Personal money accumulation is a sad goal compared to actual wealth creation. The parasites who push crypto on the hopeful proto-bag holders are destroying the prosperity that supports them.
Yeah on memecoins isn’t that just a loophole for running naked pyramid schemes? I.e. a pyramid where everyone knows it’s a pyramid.
Like the weird part about a pyramid is that depending on your risk tolerance it may actually make sense to participate in a pyramid even if everyone involved knows it’s a pyramid. So are that many people being scammed as in tricked (seems hard to believe), or is it just a risky form of gambling that is outlawed in legacy formats.
I've never purchased crypto or had any involvement but acquaintances I know have used that exact argument. They know it's a pyramid but believe they can get ahead because they were in early enough.
They are usually a lot more vague when I ask about their realized gains.
A “musked” transaction consists of payload obfuscation and spoofing, more often than not malicious actors create a genuine looking UI with legit transaction details, while being malicious underneath.
It’s basically phishing at a transaction signing level.
I only found the term a few weeks ago and thought I was the one left out, sorry for not defining it earlier.
"Bybit CEO Ben Zhou wrote on X that a hacker "took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address."
From the article. Not that I endorse crypto, in fact I despise it. But at least per this statement, it seems to have been handled offline. How a hacker could get access to this is another story to unpack.
edit: I guess this is the story that "unpacks". One more reason to not believe in crypto.
By "online wallet" they were likely referring to the Bybit website being the wallet of those customers that held their coins there rather than keeping them in their own private wallets, and not whether the hack involved a hot wallet or a cold wallet. Calling it a custodial wallet would have been more accurate.
> have a wallet, work at bybit
> understand backdoor
> steal money from your account, some from others
> bybit pays you back
> still have money you stole
There's some info and speculation in these two (distinct) articles, but I'd love to know technical details of where the gaffs were.
eg. Was client software compromised? Did the multisig keyholders succumb to social engineering? Were the signers using airgapped machines / hardware devices?
A huge problem with signing EVM transactions using hardware wallets is that is common to be blind signing messages. The device has no knowledge of the SAFE EVM contract functions or any other context, it just asks you to sign an gobblygook opaque binary message so you may have no idea what's being signed, is my experience using multiple different vendor HW wallets. Not sure if that's what happened, but possible this type of problem contributed to the exploit. BTC TXs are simple enough that all HW wallets can basically display what's happening, but with turing-complete arbitrary computations in EVM this becomes very difficult.
https://x.com/tayvano_/status/1847877011462901915
This thread has some info about very similar past attacks, should give some insights into the level of sophistication that goes into something like that.
Who says ByBit can cover the loss? The article title says that but the article quotes do not. The CEO only said that their other cold wallets are intact and that withdrawals remain normal.
Bybit claims to be regulated by the Virtual Assets Regulatory Authority of Dubai.[1]
But the lookup page at VARA says they only have "In-principle approval", not a full license. "Applicants holding an IPA are strictly prohibited from initiating operations, conducting any virtual asset activities, or servicing clients until they have obtained their full VASP licence from VARA."
I'm a huge crypto believer but I can admit that we don't have a serious system if a person can just transfer over $1.5B from a well known crypto cold wallet to different accounts with nothing flagging it and no way to reverse it.
In the face of the never-ending list of these kinds of events, the laughably impossible task of average nontechnical individuals protecting their own assets (and the consequence of total financial ruin when they fail to do so), the overwhelming number of and size of scams, rug pulls, fraud, outright Ponzi schemes, and on and on and on… what exactly is left to keep anyone a “huge believer”?
Put differently, it’s been seventeen years of constant and escalating mayhem. What would finally be enough to shake your faith?
> what exactly is left to keep anyone a “huge believer”?
Bias. I expect believers to have earned a profit or still hold significant quantities of crypto assets.
But in their favor, trust in any currency is the foundation of its value. States create it by collecting taxes and paying employees. Crypto currencies generally lack that heavy weight central authority, so they kind of have to believe to the point where they get burned.
You like decentralized money without laws and accountability, but would like to have a central thing (TBD) that is accountable and respect laws? How would that work?
1. Upgrade protocol to include protections for well known cold wallets held by exchanges (ex: API call has to be made to the exchange's security endpoint to validate each transaction out of the wallet. Exchange staff would need to manually allowlist large transactions before they are transmitted).
2. Decentralized voting on reversal of transactions (90-95%+ vote needed to reverse to avoid 51% attacks)
Society has devolved a bit when not long ago a heist like this would involve sieging Nakatomi Plaza, now it takes just finding a bug in someone's defective Python codes.
You don't even have to break into a wierd high-tech vault to get an unreasonably slow (or fast) billion-dollar progress bar with a snazzy custom UI toolkit these days. Not sure if technology or inflation is most to blame!
Cold usually means it needs multiple physical people to sign from offline devices to move it. Hot wallet usually is automated. Here it looks like the «hackers» found a way to trick enough people to sign this transaction
It could still be cold. "took control of the specific ETH cold wallet" sounds like stealing the physical hardware. Like someone stealing the vault key, or the HDCP master key getting leaked.
They could have gotten the recovery phrase off some paper, then imported it wherever. More likely than guessing the pin on a ledger with a short number of tries before wiping.
A crypto exchange WazirX was hacked for ~$300M, roughly 50% of the users fund gone.
There is no action on the CEO since the hack in July 2024. He sits in Dubai. He just got a nod from Supreme Court of SG to just average out the funds and distribute it among the users.
No action has been initiated against the company/ceo for losing the fund. He is geared up to launch another company/exchange.
Can someone even explain what Bybit is actually about? I searched around when the hack was announced, but I'm very confused. Mostly what I saw said "scam" on it.
This isn't your run-of-the-mill Coinbase style exchange, right?
It's the second largest crypto exchange by volume globally, behind Binance. Specialized in derivatives but they have lots of regular retail products that you might find at Coinbase. Basically like a bigger version of Coinbase from Asia.
When even professional companies that have billions of dollars under management can't securely manage their crypto assets, how likely is it that individuals can?
I spent several years pointing out to my last employer that every former employee could have walked off with secrets that allowed them access to our backends. The were already slowly working on hardening write access but read access was still being worked on a couple months before I left, when I got to write about half of the last mile code for the user facing bits.
This is not a unique experience by any means. I’ve seen this sort of thing enough to pay attention when acquaintances bitch about it too.
Are these business-owned exchanges and managed wallets not fundamentally incompatible with making guarantees of security? Is anyone doing it the "right" way and what does the right way even look like?
I don't know the answer to that, I only have guesses.
But one mistake we make over and over is that we write code that just does its best to answer questions as quickly as possible. And when those questions show up 10x as quickly as they have any other time in our company history, they either just plug right along or maybe throw an error.
Someone shouldn't be able to empty a billion dollars out of an exchange in 10 minutes, unless they do $250B in daily traffic. And I suspect most of them can be, and in even less time than that.
Bybit CEO Ben Zhou wrote on X that a hacker "took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address."
"Control" has a specific meaning under UCC Article 12, which was ratified in 2022 and is slowly being adopted by U.S. states. It links some rights to control/possession of keys, even if a blockchain asset may have been stolen before being sold, https://www.clearygottlieb.com//news-and-insights/publicatio...
> Article 12 – dealing directly with the acquisition and disposition of interests (including security interests) in “controllable electronic records,” which would include Bitcoin, Ether, and a variety of other digital assets ... a good faith purchaser for value who obtains control (a “qualifying purchaser”) takes its interest free of conflicting property claims... Control under Article 12 is designed to be a technology-neutral functional equivalent of “possession.” It generally encompasses circumstances when a party has the “private key”
I think (I assume but could be wrong) in the average CEO X-tweet "control" likely only means 'control' nobody was reading through UCC Article 12 while drafting this message
As in: "The hacker gained access to" "The hacker took charge of" "The hacker assumed authority over"
It describes the legal status of stolen cryptocurrency changing after the first sale. This HN story is about stolen cryptocurrency. In particular:
> The wallet has sold around $200 million worth of stETH so far
If some of those sales took place within jurisdiction of a U.S. state that has ratified UCC Article 12, then the buyer of the stolen cryptocurrency is now the new legal owner.
.. “take free” regime introduced by the 2022 UCC Amendments for these assets. Under these rules, a person who acquires a CER for value, in good faith and without notice of any conflicting property claims, is deemed a “qualifying purchaser” and, as such, takes it free from any preexisting property claims.
The 2022 UCC Amendments draw heavily from the UCC Article 3 provisions for negotiable instruments, and these provisions have the effect of making CERs negotiable. It follows that if a secured creditor obtained a security interest in CER inventory and only perfected by filing, that creditor would be at risk of the debtor disposing of the collateral and transferring control to a qualifying purchaser that would take it free from any competing claim.
I think you're saying this is different to theft-of-car. A stolen car could be sold/bought a number of times, but any amount of years later the car belatedly identified as the one stolen from the rightful owner means it is returned. A fraudulently created title isn't enough to protect the bagholder from having to return the car.
It is important everyone is thinking real hard about how this is different from traditional theft: there is no way to actually prove the operators didn't just steal everything themselves vs actual real hack theft.
I wouldn't be surprised if Bybit cuts a deal with the hacker to return the funds. There's no way that $1.46 billion of marked ETH can be liquidated and off-ramped to fiat.
Exchanges will blacklist the addresses that hold the hacked ETH. They won't be able to deposit, or if they can deposit, the ETH will be frozen by the exchange.
The entirety of the cryptocurrency world is so obviously a "Chesterton's Fence" situation.
Every pseudo-intellectual thinks that the fiscal world is "too complicated" and they're going to "simplify" it by making some token, only for people to realize that the monetary world is just complicated, and they have to reinvent everything that already existed in the traditional banking system.
I had to do some work on an ACH system a couple years ago [1], and I read through a large chunk of the ACH standard, which was about 800 pages. It's easy to see and hear that and think "that's way too complicated, what could possibly be so hard about money transfers that necessitates an 700 page specification??", but as I read it and saw how many edge cases it took into account, it was easy to see why it got so huge. It turns out that dealing with money is just a really hard problem at scale.
I fell for the cryptocurrency hype of 2021, and I will fully acknowledge that that came out of a complete lack of understanding of how fiscal systems work. I wish everyone else would just grow up already.
[1] Usually disclaimer: not hard to find my work history, it's not hidden, but I ask that you do not post anything about it (or at least any proper nouns about it) here.
For what it’s worth, I’m a “crypto believer” and I have never considered ease of use to be one of its selling points.
What you are describing are the systems of power which create a stable financial system. That is, one where you can put a nickel into a bank account and expect it to be there in a year or a hundred years.
That indeed requires a complex web of power structures, because its top line goal is to be stable and dependable. And stability within a complex landscape requires an equally complex network of power.
Crypto provides the exact opposite value: it cannot be controlled, no matter how robust your power structure is. It can be insured, at a significant cost, but not controlled.
That means in the face of even totalitarian powers someone could still move crypto across any boundary that is permeable to information, which it turns out is a set that roughly approximates the set of all boundaries.
This is a terrible way to pay for candy bars, because candy bars are not worth insuring.
But what I think the crypto opponents miss is that there is a set of transactions—some criminal, some legal, some immoral, some righteous—which cannot be made in a state controlled financial systems.
And that these transactions are what gives crypto value as a currency.
To me, where I would like the debate to go is not “is crypto a scam?” but “how does society protect people from the violence facilitated by crypto?”
Yes, financial “violence”, which can be insured against, but also real violence: human trafficking, extortion, etc.
We anarchists sometimes like to pretend that without rulers we will be freed to care for each other. But in the shadow of a history of violence, there will be more violence too.
And the “crypto is a scam” argument I fear is a red herring that distracts from this, the real issue.
Power structures can absolutely control crypto. They can make it illegal - it won't eradicate it altogether (see: war on drugs), but it will severely decrease its influence. No one is bragging about investing their retirement savings into cocaine, and Paypal does not offer it to me either.
Or if government is smarter, they can slowly gain control over it. Allow trading traceable currencies via official channels, but with good KYC measures. Do not allow fully anonymous systems. Go after mixers. Prosecute exchanges which do not verify their customers. Once there are plenty of government-sanctioned exchanges in the country, there will be little incentive to create unsanctioned ones, and someone with coins that were marked "North Korean-originated" won't be able to spend them in the country.
Maybe so, but please don't post unsubstantive / snarky / tropey comments here. It leads to generic / repetitive / nasty discussion, and we're hoping to avoid that here.
The genius behind crypto is that it's not just the extremely gullible. I know a fair number of really smart people, academics even, that have bought into the cryptocurrency hype.
It has this kind of veil of "high techness" to it that is appealing to smart-but-uninformed people (like me in 2021). I'm embarrassed that I fell for it, but on the bright side it does make me a bit more sympathetic for other people who also fell for it.
> The genius behind crypto is that it's not just the extremely gullible.
I don't know about you, but I barely follow cryptocurrency news, and I've still been hearing about major players getting "hacked" several times a year for over a decade.
Either it's Mt Gox or FTX or The DAO or Bitfinex or QuadrigaCX or Terra/Luna or rug-pull meme coins or dollar-backed coins that actually aren't or any of a dozen other things.
Anyone who isn't being extremely careful to avoid scams, given the constant drumbeat of reports about how you have to be extremely careful to avoid scams when dealing with cryptocurrency, is pretty gullible.
Ironically I think being more educated might sabotage you more with cryptocurrency.
My parents, both smart people but neither of which know much about distributed systems or concurrent computing or cryptocurrency, see the news reports about Mt Gox or BitConnect and think "that sounds like a scam", avoid it, and put money into a Vanguard or something.
On the other hand, you have people like me (and probably a not-insignificant percentage of people on HN), who have learned a fair amount of distributed and concurrent programming, and see the "neatness" factor of cryptocurrency, and since the crypto is laundered through interesting tech, we fall for it.
I haven't touched any cryptocurrency since I fell for the unregistered security calling itself Gemini Earn [1] (so almost three years now), but I did think that stuff like Filecoin was pretty cool. Hell, I'll still acknowledge the coolness factor of stuff like Filecoin and Storj and Sia. I just think that the currency itself is wishful-thinking-at-best, and fraudulent at worst (probably somewhere in between).
I don't think I'm an especially gullible person, but no one thinks that they're gullible, so I'll acknowledge that I probably am, but I think a lot of the educated people who got into crypto got into it because they kind of had horse-blinders on when looking at the interesting tech.
I don't think most academics would fall for the "Nigerian Prince" chain emails, or the "Romance Scams" you see on YouTube, which are things I usually associate with extremely gullible people.
Sure, I'll totally acknowledge that some of the distributed algorithms that have spun out of the blockchain are pretty cool, and I'll even go as far as to say that maybe someday we'll find some very cool high-value uses from them.
Pretend money, at least in my opinion, is not one of those uses.
I don't know, I think some of the papers for distributed consensus might lead to something cool; if nothing else it does seem to be increasing the use of formal methods, which I think is neat.
These things can take time; it might be thirty years or more before someone does anything actually useful with the stuff learned from the crypto world.
Thinking you can store your crypto with some 3rd party that _definitely_ won't get hacked (or """hacked"""), also thinking your crypto won't become worthless from a singular unusual event. Actually the most gullible are the people who think of cryptocurrency as an "investment" XD
I don't know. I always store my crypto offline. I bought $1000 worth of bitcoin when it was less than $100 per bitcoin because it seemed like something that could get big at some point, and I was willing to risk $1000 on that thought.
My thought was it will some day either be worth a lot or be worth 0 and I'm OK with both of those possibilities. I don't really think I was gullible about anything and yes I thought about it as a risky investment that turned out to pay off quite well.
It’s an investment the same way that playing the lottery is. I had a family member win ~$30MM back in the 80s, but he had played the same numbers for decades; someone who knew of this stole the winning tickets and he ended up only getting 7.5MM of the winnings after a protracted court case.
Crypto is the same thing. You put money in and you may cash out quickly with a big number, but someone who knows can swoop in and steal your money in a way that is much easier than if you used more traditional investment and banking vehicles.
When you decentralize finance like this what becomes okay to do according to system rules is exactly what is possible to do according to system rules. We don't have humans in that loop anymore to enforce moral judgments about what constitutes unlawful theft (except for 1 or 2 rare "hard-forks" of various blockchains to reverse devastating transactions).
I feel bad for people who lose large volumes of cryptocurrency to malicious actors in the same way I feel bad for people who lose large volumes of real money to a casino.
It is 2025 now and we all know that anyone who can somehow get your private-key to whatever blockchain backed assets you have "owns" those assets just as much as you do and they are permitted to take them under the rules of the system so whatever you do do not lose that key.
There is no higher arbiter of justice in this space so use it at your own risk.
In this case yes - everything went by the design and law of the underlying code. There was no exploited bug or vulnerability flaw besides human laziness here.
1) Their multi-signature wallet signing employees lazily clicked through in unison to approve a new smart contract without examining the contents to see if it was unusual.
2) Bad security architecture to keep too much in a single wallet that wasn't properly kept cold. There should have been a few fully cold wallets, that only rarely transact with mostly-cold intermediary "airlock" wallets which are also separated from the exchange operations and wallets. The signers also need to be different combinations of people for each of those wallets - preferably some of those signers being additionally liable 3rd party technical experts.
I see this quote repeated here often, but working in the industry I've never heard it said unironically by any of my peers or thought leaders in the space. Best I can tell it is a sort of lazy straw man repeated by skeptics. Does it have an origin?
So salty! And yet...How's ETH Classic doing? It was the right move at the time to fork. And pretty obviously would be the wrong move today.
For context, guluarte is referring to a moderately contentious hardfork done by the Ethereum developers and mining community to reverse TheDAO Hack in 2016 or so. The stakes were much larger then -- Ethereum was newer, not yet battle tested, and TheDAO had something like 10% of all ETH in it.
A fork was formed -- "ETH Classic" -- ticker ETC -- which did not reverse the DAO hack, and you can see from valuations that the public preferred the reversal.
I mean, the public comprised of the developers of Ethereum who had significant financial incentive to pretend the hack did not happen and to forever publicize their chain of history.
it was actually up to the node operators to update their clients or not, which resulted in a contentious chain split. just like Bitcoin. decentralization worked as intended.
Old man yells at cloud vibes every time a crypto post comes on HN.
No interesting discussions ever. Just axes being sharpened and people who dislike it taking the opportunity to gloat. I would characterize the pro crypto people but I don’t see any. Which is said because over the last 5 years I have found crypto, bitcoin, and stable coins to be extremely useful when helping family members in emerging markets.
But hey it’s all trash, the west doesn’t need it so let’s all dance on its grave.. i guess we will keep dancing for another 15 years.
How on earth is it possible they can cover a 1.5B loss? Are they really sitting on that much profit, or is the goal to ponzi it out from here, MtGox style?
There should be something like a "finalizing transaction", which both the sender and receiver need to sign after the first transaction has been mined, i.e. like an in-built escrow. If it's not signed by both, then funds are returned. This wouldn't protect against key leakage, but in this case, the tx was signed by accident. This would also protect against sending to wrong address.
This would also protect againts dusting attacks.
Illicit addresses sending to thousands of random recipients and making them all marked by automated KYC systems.
From the article:
> The wallet in question appears to have sent 401,346 ETH ($1.1 billion) as well as several other iterations of staked ether (stETH) to a fresh wallet, which is now liquidating mETH and stETH on decentralized exchanges, etherscan shows. The wallet has sold around $200 million worth of stETH so far.
If you showed me a paragraph like this a decade ago and told me it was from 2025, I would have a difficult time believing you.
Crypto shenanigans were happening in 2015, even as far back as 2010, so I would have to absolutely believed you to hear that it continues happening, as crypto is a fundamentally unstable platform.
Just crazy. Bank heists fully online...
MT Gox got famously hacked over 10 years ago .. anyone keeping this much money in an online wallet would have to be functionally retarded.
Yet here we are.
It's definitely embarrassing that people losing their shirts in crypto didn't see it coming. It's bad that people think a zero sum game is worth playing against incumbents. The marks aren't the worst part, though. Everyone promoting memecoins and utility-free cryptocurrency in general is either ignorant or just a bad person with a warped idea of success. Personal money accumulation is a sad goal compared to actual wealth creation. The parasites who push crypto on the hopeful proto-bag holders are destroying the prosperity that supports them.
> memecoins and utility-free cryptocurrency
As opposed to what?
Yeah on memecoins isn’t that just a loophole for running naked pyramid schemes? I.e. a pyramid where everyone knows it’s a pyramid.
Like the weird part about a pyramid is that depending on your risk tolerance it may actually make sense to participate in a pyramid even if everyone involved knows it’s a pyramid. So are that many people being scammed as in tricked (seems hard to believe), or is it just a risky form of gambling that is outlawed in legacy formats.
EDIT: Ponzi -> Pyramid
I've never purchased crypto or had any involvement but acquaintances I know have used that exact argument. They know it's a pyramid but believe they can get ahead because they were in early enough.
They are usually a lot more vague when I ask about their realized gains.
It was an offline multi-sig wallet. Hackers seem to have musked the transaction when the owners signed it as it looked good to them.
Wow it must have been really musked then, huh?
A “musked” transaction consists of payload obfuscation and spoofing, more often than not malicious actors create a genuine looking UI with legit transaction details, while being malicious underneath.
It’s basically phishing at a transaction signing level.
I only found the term a few weeks ago and thought I was the one left out, sorry for not defining it earlier.
It’s got an eerie ring to it though, right?
And only a few weeks ago the lawsuit started payout the 'early lump sum' repayment option for creditors.
"Bybit CEO Ben Zhou wrote on X that a hacker "took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address."
From the article. Not that I endorse crypto, in fact I despise it. But at least per this statement, it seems to have been handled offline. How a hacker could get access to this is another story to unpack.
edit: I guess this is the story that "unpacks". One more reason to not believe in crypto.
https://x.com/benbybit/status/1892963530422505586
By "online wallet" they were likely referring to the Bybit website being the wallet of those customers that held their coins there rather than keeping them in their own private wallets, and not whether the hack involved a hot wallet or a cold wallet. Calling it a custodial wallet would have been more accurate.
> have a wallet, work at bybit > understand backdoor > steal money from your account, some from others > bybit pays you back > still have money you stole
There's some info and speculation in these two (distinct) articles, but I'd love to know technical details of where the gaffs were.
eg. Was client software compromised? Did the multisig keyholders succumb to social engineering? Were the signers using airgapped machines / hardware devices?
https://archive.ph/YMZrq
https://blockworks.co/news/bybit-hack-raises-security-questi...
A huge problem with signing EVM transactions using hardware wallets is that is common to be blind signing messages. The device has no knowledge of the SAFE EVM contract functions or any other context, it just asks you to sign an gobblygook opaque binary message so you may have no idea what's being signed, is my experience using multiple different vendor HW wallets. Not sure if that's what happened, but possible this type of problem contributed to the exploit. BTC TXs are simple enough that all HW wallets can basically display what's happening, but with turing-complete arbitrary computations in EVM this becomes very difficult.
Thanks for spelling this out, the explanation makes a lot of sense.
You'd think they could at least show a blockie representing the contract, or reputational party who cryptographically vouched for it.
https://x.com/tayvano_/status/1847877011462901915 This thread has some info about very similar past attacks, should give some insights into the level of sophistication that goes into something like that.
Who says ByBit can cover the loss? The article title says that but the article quotes do not. The CEO only said that their other cold wallets are intact and that withdrawals remain normal.
Bybit claims to be regulated by the Virtual Assets Regulatory Authority of Dubai.[1] But the lookup page at VARA says they only have "In-principle approval", not a full license. "Applicants holding an IPA are strictly prohibited from initiating operations, conducting any virtual asset activities, or servicing clients until they have obtained their full VASP licence from VARA."
Uh oh.
[1] https://www.vara.ae/en/licenses-and-register/public-register...
I'm a huge crypto believer but I can admit that we don't have a serious system if a person can just transfer over $1.5B from a well known crypto cold wallet to different accounts with nothing flagging it and no way to reverse it.
In the face of the never-ending list of these kinds of events, the laughably impossible task of average nontechnical individuals protecting their own assets (and the consequence of total financial ruin when they fail to do so), the overwhelming number of and size of scams, rug pulls, fraud, outright Ponzi schemes, and on and on and on… what exactly is left to keep anyone a “huge believer”?
Put differently, it’s been seventeen years of constant and escalating mayhem. What would finally be enough to shake your faith?
> what exactly is left to keep anyone a “huge believer”?
Bias. I expect believers to have earned a profit or still hold significant quantities of crypto assets.
But in their favor, trust in any currency is the foundation of its value. States create it by collecting taxes and paying employees. Crypto currencies generally lack that heavy weight central authority, so they kind of have to believe to the point where they get burned.
> What would finally be enough to shake your faith?
Crypto scams run by top government officials? Oh, wait...
You like decentralized money without laws and accountability, but would like to have a central thing (TBD) that is accountable and respect laws? How would that work?
I'm not too sure but few things come to mind:
1. Upgrade protocol to include protections for well known cold wallets held by exchanges (ex: API call has to be made to the exchange's security endpoint to validate each transaction out of the wallet. Exchange staff would need to manually allowlist large transactions before they are transmitted).
2. Decentralized voting on reversal of transactions (90-95%+ vote needed to reverse to avoid 51% attacks)
This is getting pretty close to the banking system, at which point one needs to ask - maybe just improve existing protocols?
> let's reinvent the banking system except worse in every way
Solutions have existed for years (eg Gnosis Safe), they just aren’t being used by that exchange.
Can’t tell if you’re trolling here or not, but good one either way!
Bybit was quite literally using Gnosis Safe for the compromised wallet.
I can't believe someone posted that without knowing they actually used Gnosis Safe
Society has devolved a bit when not long ago a heist like this would involve sieging Nakatomi Plaza, now it takes just finding a bug in someone's defective Python codes.
You don't even have to break into a wierd high-tech vault to get an unreasonably slow (or fast) billion-dollar progress bar with a snazzy custom UI toolkit these days. Not sure if technology or inflation is most to blame!
I wonder how many programmers resort to crime after they were laid off and couldn't find a job. Like soldiers after a war.
Relevant comedy sketch? "Secret agent squad, but they're all just the hacking guy."
https://youtu.be/cL7lhbtWwbY?feature=shared
That might make for a good book or movie plot.
Starring Rami Malek, Tom Holland, Kyla Pratt, and George Clooney?
You just gotta trust the wrong people.
Don’t forget FTX willingly hired the Ultimate Bet “god mode” guy.
It's obviously not a cold wallet if it's connected to the exchange.
It's also not reassuring that the CEO claims cold wallets are safe and secure, just after losing 1.46B
Perhaps their servers have cryogenic cooling
Cold usually means it needs multiple physical people to sign from offline devices to move it. Hot wallet usually is automated. Here it looks like the «hackers» found a way to trick enough people to sign this transaction
It could still be cold. "took control of the specific ETH cold wallet" sounds like stealing the physical hardware. Like someone stealing the vault key, or the HDCP master key getting leaked.
They could have gotten the recovery phrase off some paper, then imported it wherever. More likely than guessing the pin on a ledger with a short number of tries before wiping.
Yeah this makes no sense whatsoever.
> [The hacker] took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address.
Did the hacker physically break into their office or what?
Possibly yes
Or some part of their system failed and the key was compromised without them realising it (like the Debian insecure keys debacle or whatever)
A crypto exchange WazirX was hacked for ~$300M, roughly 50% of the users fund gone.
There is no action on the CEO since the hack in July 2024. He sits in Dubai. He just got a nod from Supreme Court of SG to just average out the funds and distribute it among the users.
No action has been initiated against the company/ceo for losing the fund. He is geared up to launch another company/exchange.
Can someone even explain what Bybit is actually about? I searched around when the hack was announced, but I'm very confused. Mostly what I saw said "scam" on it.
This isn't your run-of-the-mill Coinbase style exchange, right?
It's the second largest crypto exchange by volume globally, behind Binance. Specialized in derivatives but they have lots of regular retail products that you might find at Coinbase. Basically like a bigger version of Coinbase from Asia.
When even professional companies that have billions of dollars under management can't securely manage their crypto assets, how likely is it that individuals can?
It's a different ball game. The resources that went into executing this kind of hack were probably far higher than most wallets are worth anyway.
Maybe not - a number of high-value past hacks have been very low effort
I have yet to see a thorough explanation of what specifically was hacked here anyhow
In case of a state actor just imagine the weapons that could be bought with this kind of money and the potential lives lost due to this mess
What are the chances that a Bybit insider is behind this?
Or former insider.
I spent several years pointing out to my last employer that every former employee could have walked off with secrets that allowed them access to our backends. The were already slowly working on hardening write access but read access was still being worked on a couple months before I left, when I got to write about half of the last mile code for the user facing bits.
This is not a unique experience by any means. I’ve seen this sort of thing enough to pay attention when acquaintances bitch about it too.
Are these business-owned exchanges and managed wallets not fundamentally incompatible with making guarantees of security? Is anyone doing it the "right" way and what does the right way even look like?
I don't know the answer to that, I only have guesses.
But one mistake we make over and over is that we write code that just does its best to answer questions as quickly as possible. And when those questions show up 10x as quickly as they have any other time in our company history, they either just plug right along or maybe throw an error.
Someone shouldn't be able to empty a billion dollars out of an exchange in 10 minutes, unless they do $250B in daily traffic. And I suspect most of them can be, and in even less time than that.
10000%. You would have to be soft in the head to not conclude that's the case.
"Please rest assured that all other cold wallets are secure."
Unreal.
> Article 12 – dealing directly with the acquisition and disposition of interests (including security interests) in “controllable electronic records,” which would include Bitcoin, Ether, and a variety of other digital assets ... a good faith purchaser for value who obtains control (a “qualifying purchaser”) takes its interest free of conflicting property claims... Control under Article 12 is designed to be a technology-neutral functional equivalent of “possession.” It generally encompasses circumstances when a party has the “private key”
I think (I assume but could be wrong) in the average CEO X-tweet "control" likely only means 'control' nobody was reading through UCC Article 12 while drafting this message
As in: "The hacker gained access to" "The hacker took charge of" "The hacker assumed authority over"
Those are all equivalent to exclusive control of the private key, which is the meaning within UCC Article 12.
What is the purpose of this comment?
It describes the legal status of stolen cryptocurrency changing after the first sale. This HN story is about stolen cryptocurrency. In particular:
> The wallet has sold around $200 million worth of stETH so far
If some of those sales took place within jurisdiction of a U.S. state that has ratified UCC Article 12, then the buyer of the stolen cryptocurrency is now the new legal owner.
The hacked coins are not "free of conflicting property claims."
> The hacked coins are not "free of conflicting property claims."
2023, American Bar Association, https://www.americanbar.org/groups/business_law/resources/bu...
I think you're saying this is different to theft-of-car. A stolen car could be sold/bought a number of times, but any amount of years later the car belatedly identified as the one stolen from the rightful owner means it is returned. A fraudulently created title isn't enough to protect the bagholder from having to return the car.
It is important everyone is thinking real hard about how this is different from traditional theft: there is no way to actually prove the operators didn't just steal everything themselves vs actual real hack theft.
There is. ZachXBT has already gotten a bounty for unambiguously pinning this on the Lazarus Group (North Korea).
Given how many of these exchanges have been hacked (or were fraudulent), how is it that people still use them?
I wouldn't be surprised if Bybit cuts a deal with the hacker to return the funds. There's no way that $1.46 billion of marked ETH can be liquidated and off-ramped to fiat.
That’s well within the daily trading volume.
Well within real daily trading volume is less clear.
https://www.forbes.com/sites/javierpaz/2022/08/26/more-than-...
Exchanges will blacklist the addresses that hold the hacked ETH. They won't be able to deposit, or if they can deposit, the ETH will be frozen by the exchange.
It is on eth and they can use decentralized exchanges.
I am sure there are still plenty of suckers who believe the whole "cryptocurrencies are fungible" narrative, and would get those ETHs with a discount.
woops
Remember the golden rule that when it comes to crypto it is a scam 100% of the time. Congrats to the Bybit CEO on his newfound wealth.
Terrifying to imagine how much funding terrorist states might be getting by hacks like this.
One in particular gets about 1 billion dollars a year. Already hit their quota in February
More like byebit.
Unregulated asset exchanges. Haven't we been there before a loong time ago?
The entirety of the cryptocurrency world is so obviously a "Chesterton's Fence" situation.
Every pseudo-intellectual thinks that the fiscal world is "too complicated" and they're going to "simplify" it by making some token, only for people to realize that the monetary world is just complicated, and they have to reinvent everything that already existed in the traditional banking system.
I had to do some work on an ACH system a couple years ago [1], and I read through a large chunk of the ACH standard, which was about 800 pages. It's easy to see and hear that and think "that's way too complicated, what could possibly be so hard about money transfers that necessitates an 700 page specification??", but as I read it and saw how many edge cases it took into account, it was easy to see why it got so huge. It turns out that dealing with money is just a really hard problem at scale.
I fell for the cryptocurrency hype of 2021, and I will fully acknowledge that that came out of a complete lack of understanding of how fiscal systems work. I wish everyone else would just grow up already.
[1] Usually disclaimer: not hard to find my work history, it's not hidden, but I ask that you do not post anything about it (or at least any proper nouns about it) here.
I don’t know anyone working in crypto who complains about the physical world being too complex. Imaginary dragons are easily slayed.
For what it’s worth, I’m a “crypto believer” and I have never considered ease of use to be one of its selling points.
What you are describing are the systems of power which create a stable financial system. That is, one where you can put a nickel into a bank account and expect it to be there in a year or a hundred years.
That indeed requires a complex web of power structures, because its top line goal is to be stable and dependable. And stability within a complex landscape requires an equally complex network of power.
Crypto provides the exact opposite value: it cannot be controlled, no matter how robust your power structure is. It can be insured, at a significant cost, but not controlled.
That means in the face of even totalitarian powers someone could still move crypto across any boundary that is permeable to information, which it turns out is a set that roughly approximates the set of all boundaries.
This is a terrible way to pay for candy bars, because candy bars are not worth insuring.
But what I think the crypto opponents miss is that there is a set of transactions—some criminal, some legal, some immoral, some righteous—which cannot be made in a state controlled financial systems.
And that these transactions are what gives crypto value as a currency.
To me, where I would like the debate to go is not “is crypto a scam?” but “how does society protect people from the violence facilitated by crypto?”
Yes, financial “violence”, which can be insured against, but also real violence: human trafficking, extortion, etc.
We anarchists sometimes like to pretend that without rulers we will be freed to care for each other. But in the shadow of a history of violence, there will be more violence too.
And the “crypto is a scam” argument I fear is a red herring that distracts from this, the real issue.
Power structures can absolutely control crypto. They can make it illegal - it won't eradicate it altogether (see: war on drugs), but it will severely decrease its influence. No one is bragging about investing their retirement savings into cocaine, and Paypal does not offer it to me either.
Or if government is smarter, they can slowly gain control over it. Allow trading traceable currencies via official channels, but with good KYC measures. Do not allow fully anonymous systems. Go after mixers. Prosecute exchanges which do not verify their customers. Once there are plenty of government-sanctioned exchanges in the country, there will be little incentive to create unsanctioned ones, and someone with coins that were marked "North Korean-originated" won't be able to spend them in the country.
The crypto community continues to speed run the history of traditional finance. [1] https://news.ycombinator.com/item?id=31777761
It's only a matter of time until we get a railroad track laying network secured by proof of railroad track (PoRT) and recreate the panic of 1873.
another "exchange was hacked" story, why I am not surprised.
"Oops, we were hacked, hehe, guess we'll have to shutdown. Oh and our CEO will be moving to another country."
[flagged]
Maybe so, but please don't post unsubstantive / snarky / tropey comments here. It leads to generic / repetitive / nasty discussion, and we're hoping to avoid that here.
https://news.ycombinator.com/newsguidelines.html
The genius behind crypto is that it's not just the extremely gullible. I know a fair number of really smart people, academics even, that have bought into the cryptocurrency hype.
It has this kind of veil of "high techness" to it that is appealing to smart-but-uninformed people (like me in 2021). I'm embarrassed that I fell for it, but on the bright side it does make me a bit more sympathetic for other people who also fell for it.
> The genius behind crypto is that it's not just the extremely gullible.
I don't know about you, but I barely follow cryptocurrency news, and I've still been hearing about major players getting "hacked" several times a year for over a decade.
Either it's Mt Gox or FTX or The DAO or Bitfinex or QuadrigaCX or Terra/Luna or rug-pull meme coins or dollar-backed coins that actually aren't or any of a dozen other things.
Anyone who isn't being extremely careful to avoid scams, given the constant drumbeat of reports about how you have to be extremely careful to avoid scams when dealing with cryptocurrency, is pretty gullible.
Ironically I think being more educated might sabotage you more with cryptocurrency.
My parents, both smart people but neither of which know much about distributed systems or concurrent computing or cryptocurrency, see the news reports about Mt Gox or BitConnect and think "that sounds like a scam", avoid it, and put money into a Vanguard or something.
On the other hand, you have people like me (and probably a not-insignificant percentage of people on HN), who have learned a fair amount of distributed and concurrent programming, and see the "neatness" factor of cryptocurrency, and since the crypto is laundered through interesting tech, we fall for it.
I haven't touched any cryptocurrency since I fell for the unregistered security calling itself Gemini Earn [1] (so almost three years now), but I did think that stuff like Filecoin was pretty cool. Hell, I'll still acknowledge the coolness factor of stuff like Filecoin and Storj and Sia. I just think that the currency itself is wishful-thinking-at-best, and fraudulent at worst (probably somewhere in between).
I don't think I'm an especially gullible person, but no one thinks that they're gullible, so I'll acknowledge that I probably am, but I think a lot of the educated people who got into crypto got into it because they kind of had horse-blinders on when looking at the interesting tech.
[1] Not my opinion, but the SEC's for what it's worth: https://www.sec.gov/newsroom/press-releases/2023-7
This essay scared me away from Ethereum, among other coins, for good:
https://www.paradigm.xyz/2020/08/ethereum-is-a-dark-forest
Being smart or academic does absolutely not mean these people aren't gullible.
I know, but it is inversely correlated.
I don't think most academics would fall for the "Nigerian Prince" chain emails, or the "Romance Scams" you see on YouTube, which are things I usually associate with extremely gullible people.
To be honest, a distributed logic execution engine is an interesting tech, it just isn't something to build any high value economy on top of.
Sure, I'll totally acknowledge that some of the distributed algorithms that have spun out of the blockchain are pretty cool, and I'll even go as far as to say that maybe someday we'll find some very cool high-value uses from them.
Pretend money, at least in my opinion, is not one of those uses.
It’s been about 15 years now. The killer app for blockchain is Bitcoin.
I don't know, I think some of the papers for distributed consensus might lead to something cool; if nothing else it does seem to be increasing the use of formal methods, which I think is neat.
These things can take time; it might be thirty years or more before someone does anything actually useful with the stuff learned from the crypto world.
Crypto: where Kernighan’s Law meets con artistry.
What is the gullibility here?
Thinking you can store your crypto with some 3rd party that _definitely_ won't get hacked (or """hacked"""), also thinking your crypto won't become worthless from a singular unusual event. Actually the most gullible are the people who think of cryptocurrency as an "investment" XD
I don't know. I always store my crypto offline. I bought $1000 worth of bitcoin when it was less than $100 per bitcoin because it seemed like something that could get big at some point, and I was willing to risk $1000 on that thought.
My thought was it will some day either be worth a lot or be worth 0 and I'm OK with both of those possibilities. I don't really think I was gullible about anything and yes I thought about it as a risky investment that turned out to pay off quite well.
It’s an investment the same way that playing the lottery is. I had a family member win ~$30MM back in the 80s, but he had played the same numbers for decades; someone who knew of this stole the winning tickets and he ended up only getting 7.5MM of the winnings after a protracted court case.
Crypto is the same thing. You put money in and you may cash out quickly with a big number, but someone who knows can swoop in and steal your money in a way that is much easier than if you used more traditional investment and banking vehicles.
¯\_(ツ)_/¯
https://www.web3isgoinggreat.com/
[flagged]
^Yep
When you decentralize finance like this what becomes okay to do according to system rules is exactly what is possible to do according to system rules. We don't have humans in that loop anymore to enforce moral judgments about what constitutes unlawful theft (except for 1 or 2 rare "hard-forks" of various blockchains to reverse devastating transactions).
I feel bad for people who lose large volumes of cryptocurrency to malicious actors in the same way I feel bad for people who lose large volumes of real money to a casino.
It is 2025 now and we all know that anyone who can somehow get your private-key to whatever blockchain backed assets you have "owns" those assets just as much as you do and they are permitted to take them under the rules of the system so whatever you do do not lose that key.
There is no higher arbiter of justice in this space so use it at your own risk.
Yes!
A "cleverly masked exploit that altered the smart contract logic"[1] = congratulations!! the contract gives you $1.46B free money!!
I anticipate that the defi community will celebrate the inexorable operation of their logical contracts.
[1] https://cryptonews.com/news/bybit-crypto-exchange-faces-1-5-...
In this case yes - everything went by the design and law of the underlying code. There was no exploited bug or vulnerability flaw besides human laziness here.
1) Their multi-signature wallet signing employees lazily clicked through in unison to approve a new smart contract without examining the contents to see if it was unusual.
2) Bad security architecture to keep too much in a single wallet that wasn't properly kept cold. There should have been a few fully cold wallets, that only rarely transact with mostly-cold intermediary "airlock" wallets which are also separated from the exchange operations and wallets. The signers also need to be different combinations of people for each of those wallets - preferably some of those signers being additionally liable 3rd party technical experts.
>There was no bug or vulnerability flaw
when code is law, there can't be any bugs or vulnerabilities, only features.
I see this quote repeated here often, but working in the industry I've never heard it said unironically by any of my peers or thought leaders in the space. Best I can tell it is a sort of lazy straw man repeated by skeptics. Does it have an origin?
https://blockchain-society.science/?p=218
https://ethereumclassic.org/blog/2024-04-03-ethereum-classic...
Are those appropriate sources?
“skibidi is toilet”
what r u talkin ab?
[flagged]
So salty! And yet...How's ETH Classic doing? It was the right move at the time to fork. And pretty obviously would be the wrong move today.
For context, guluarte is referring to a moderately contentious hardfork done by the Ethereum developers and mining community to reverse TheDAO Hack in 2016 or so. The stakes were much larger then -- Ethereum was newer, not yet battle tested, and TheDAO had something like 10% of all ETH in it.
A fork was formed -- "ETH Classic" -- ticker ETC -- which did not reverse the DAO hack, and you can see from valuations that the public preferred the reversal.
I mean, the public comprised of the developers of Ethereum who had significant financial incentive to pretend the hack did not happen and to forever publicize their chain of history.
Code is law, up until it costs me.
it was actually up to the node operators to update their clients or not, which resulted in a contentious chain split. just like Bitcoin. decentralization worked as intended.
let’s not forget that Satoshi rolled back Bitcoin in 2010, whereas Ethereum was a surgical state change within a smart contract
What are you talking about in 2010?
https://en.bitcoin.it/wiki/Value_overflow_incident
Other transactions besides the one that created 184 billion BTC in that block was effectively “rolled back” on the working chain.
Thank you.
Old man yells at cloud vibes every time a crypto post comes on HN.
No interesting discussions ever. Just axes being sharpened and people who dislike it taking the opportunity to gloat. I would characterize the pro crypto people but I don’t see any. Which is said because over the last 5 years I have found crypto, bitcoin, and stable coins to be extremely useful when helping family members in emerging markets.
But hey it’s all trash, the west doesn’t need it so let’s all dance on its grave.. i guess we will keep dancing for another 15 years.
There's no interesting discussion to be had. That's the simple reason you always miss.