The recent $1.5 billion Bybit hack turned North Korean Lazarus Group into one of the top 15 Ethereum holders in the world. The breach sent shockwaves through the crypto space, alerting users who previously thought Ethereum was among the safest and most decentralized networks.

In a conversation with BeInCrypto, representatives from Holonym, Cartesi, and Komodo Platform discussed the implications of this breach, steps to curb similar situations in the future, and how public trust in Ethereum can be restored.

A Different Kind of Breach

The Bybit hack shook the crypto community not just because of the quantity of funds stolen but also because of the nature of the breach. 

While other crypto exchange breaches, like the 2014 Mt. Gox episode or the 2018 Coincheck hack, involved private keys or direct compromises of exchange wallets, Bybit’s situation was different.

Rather than stealing private keys, the hackers manipulated the transaction signing process, indicating that it was an infrastructure-level attack. The transaction signing process was targeted instead of the asset storage itself.

Forensic analysis of the Bybit hack traced the breach to Safe Wallet, a multi-signature wallet infrastructure provided by a third party. Safe Wallet uses smart contracts and cloud-stored JavaScript files on AWS S3 to process and secure transactions.

Hackers could secretly modify transactions by injecting malicious JavaScript into Safe Wallet’s AWS S3 storage. Therefore, although Bybit’s system was not directly hacked, the hackers altered the destination of transfers that Bybit had approved.

This detail exposed a serious security flaw. Third-party integrations become weak points even if an exchange locks down its systems. 

Lazarus Group Among Ethereum’s Top Holders

‬‭Following the monumental hack, North‬‭ Korea‬‭ is‬ among‬‭ the‬‭ top‬‭ 15‬‭ largest‬‭ Ethereum‬‭ holders.‬‭ 

According‬‭ to‬‭ on-chain‬‭ data,‬‭ Gemini,‬‭ which‬‭ previously‬‭ held‬‭ the‬‭ 15th‬‭ position,‬‭ holds‬‭ 369,498‬‭ ETH‬‭ in‬‭ its‬‭ Ethereum‬‭ wallet.‬‭ Since‬‭ Bybit‬‭ hackers‬‭ stole‬‭ over‬‭ 401,000 ETH,‬‭ they‬‭ now overtook Gemini in ownership.

The‬‭ fact‬‭ that‬‭ an‬‭ infamous‬‭ group‬‭ like‬‭ Lazarus,‬‭ responsible‬‭ for‬‭ several‬‭ high-profile‬‭ hacks‬‭ in‬‭ the‬‭ crypto‬‭ sector,‬‭ now‬‭ holds‬‭ such‬‭ an‬‭ important‬‭ amount‬‭ of‬‭ Ether‬‭ raises‬‭ several‬‭ trust‬‭ issues. While initial speculation pointed toward a weakness in Ethereum’s decentralized nature, Nanak Nihal Khalsa, Co-Founder of Holonym‬, discards this claim. 

Given that Ethereum’s governance and consensus mechanisms rely on validators rather than token holders, the Lazarus Group holding such a substantial amount of ETH does not compromise the network’s overall decentralization. 

“‬‭Lazarus still owns less than 1% of ETH in circulation, so I don’t see it as highly relevant‬‭ beyond simple optics.‬‭ While it’s a lot of ETH, they still own less than 1%. I’m not worried at all,” Khalsa‬ told BeInCrypto.

Kadan Stadelmann, Chief Technology Officer at Komodo Platform, agreed, emphasizing that Ethereum’s infrastructure design is the source of its weakness.

“It proves a vulnerability in‬‭ Ethereum’s architecture: illicit actors could expand their holdings further by targeting exchanges or‬‭ DeFi protocols, and thus wield an influence over market dynamics and possibly change governance‬‭ decisions in Ethereum’s off-chain processes by voting on improvement proposals. While Ethereum’s technical decentralization has not been compromised, Lazarus Group has eroded trust in Ethereum,” Stadelmann told BeInCrypto. ‭

However, while token holders cannot influence Ethereum’s consensus mechanisms, they can manipulate markets.

Potential Impacts and Market Manipulations

Though the Bybit hackers have already finished laundering the stolen ETH, Stadelmann outlined a series of possible scenarios that the Lazarus Group could have carried out with the massive wealth they originally accumulated. One option is staking.

“Ethereum’s Proof-of-Stake security relies on honest validators and resilience of wallets, exchanges, and‬ dApps. While the Lazarus Group’s haul doesn’t threaten the blockchain’s consensus mechanism, since‬‭ their holdings are not known to be staked, it certainly raises the spectre that this could be achieved.‬‭ They’re unlikely to do this, as the funds they’ve stolen have been tracked,” he explained.

Along equally unlikely lines, the Bybit hackers could cause a significant market downturn by selling their holdings altogether.

“‬Their holdings do give them an opportunity to manipulate markets, such as if they dump their holdings.‬ This would be difficult to do since their ETH are flagged. If they try to exchange the ETH via selling, their‬ assets could be frozen,” Stadelmann added.

What Stadelmann is most worried about looking toward the future is the impact hacks can have on Ethereum’s Layer 2 protocols.

“Lazarus and its partners could attempt to attack Layer 2 protocols like Arbitrum and Optimism. A censorship attack on layer 2 could undermine dApps and cause the ecosystem to move towards centralized transaction sequencers. That would underscore Ethereum’s weakness,” he said.

While Ethereum’s network was not compromised, Safe Wallet’s attacks underscored the vulnerabilities in the security of the greater ecosystem. 

“The breach has certainly increased tensions in the ecosystem, and created an uneven token distribution. The question remains: will‬‭ Lazarus or other hacking groups associated with state actors attempt to exploit the Ethereum ecosystem, particularly at layer 2?” Stadelmann concluded.

It also raised questions about the need for better security standards.

Verification Over Trust

Khalsa argued that the Bybit hack, while not a threat to Ethereum’s core security, highlighted the need for improved security standards among users.

“Saying the hack is Ethereum’s problem is like saying death by car accident is the car’s problem when the driver didn’t wear a seatbelt. Could the car‬‭ have more safety measures? Yes, and it should. But as a seatbelt has little to do with the‬ car, the hack had little to do with Ethereum. It’s a protocol and it worked exactly as intended. The problem is the lack of convenience and know-how for securely custodying‬‭ digital assets,” he said. 

Specifically, the incident exposed vulnerabilities within multi-signature wallets, demonstrating that reliance on third-party integrations can introduce significant risks, even with robust internal security. Ultimately, even the most sophisticated wallet security measures become ineffective if the signing process can be compromised.

‭Khalsa emphasized that proven self-custody security measures exist, while multi-signature wallets are not among them. He added that government agencies should have long ago advocated for superior security standards and practices.

“The repercussion we can all hope for is getting serious about stopping North Korea from stealing more funds.‭ While it’s not the government’s place to change how self-custody is carried out, it is absolutely the government’s place to encourage better industry ‘best practices.’ This attack was due to the myth that multisigs of hardware wallets are secure. Sadly it took this attack for it to be acknowledged, but better standards set by‬ government agencies could encourage safer practices without the need for $1.5 billion compromises to wake up the industry,” he asserted. ‭

The incident also exposed the need to verify transactions rather than trust third-party applications.

A Solution to Front-End Vulnerabilities

By injecting malicious JavaScript into vulnerable Safe Wallet cloud servers, the Lazarus Group launched a sophisticated attack, enabling them to mimic the interface and trick users. 

According to Erick de Moura, co-founder of Cartesi, this exploit highlights a critical vulnerability. The issue lies in the reliance on centralized build and deployment pipelines within a system intended for decentralization.

“The SAFE incident‬‭ serves as a stark reminder that Web3 is only as secure as its weakest link. If users cannot verify that the interface they interact with is genuine, decentralization becomes meaningless,” he said.

De Moura also added that a common misconception in Web3 security is that smart contract breaches are among the most effective forms of hacking exchanges. However, he deems that the Lazarus Group’s strategy on Bybit proves otherwise. Injecting malicious code into the‬‭ front-end or other off-chain components is much more seamless. 

“The hackers didn’t need to breach smart contracts or manipulate ByBit’s systems directly. Instead, they injected malicious code into the‬‭ front-end interface, deceiving users into thinking they were engaging with a trusted platform,” he explained. 

Despite these vulnerabilities, a transition from trust-based to verifiable security is possible.

The Case for Reproducible Builds

De Moura views the Bybit hack as a wake-up call for the Web3 community. As exchanges and developers reassess their security, he argues that verifiable, reproducible builds are essential to prevent future attacks.

“At its core, a reproducible build ensures that when source code is compiled, it always produces the same binary output. This guarantees that the software users interact with hasn’t been‬‭ altered by a third party somewhere in the deployment pipeline,” he said.‬

Blockchain technology is vital to ensure that this process takes place.

“Imagine a system where every software build generates binaries and resources in a verifiable way, with their fingerprints (or checksums) stored on-chain. Instead of running such builds on cloud servers or computers that are prone to security breaches, they can be executed on dedicated blockchain co-processors or decentralized computational oracles,” De Moura told BeInCrypto.

Users can compare the checksum of the front-end resources they are loading against on-chain data through a browser plugin or feature. A successful match indicates an authentic build interface, whereas a discrepancy signals a potential compromise.

“If a verifiable reproducible builds approach had been applied to SAFE, the exploit could have been prevented. The malicious front-end would have failed verification against the on-chain‬ record, immediately exposing the attack,” De Moura concluded.

This approach presents a helpful alternative to relying on users with varying levels of self-custody knowledge.

Addressing Gaps in User Knowledge

As attacks grow more sophisticated, the lack of user knowledge about how to securely custody digital assets presents a significant vulnerability. 

The Bybit hack frustrated users who originally thought that reliance on third-party integrations would be enough to safeguard their assets. It also affected the broader perception of cryptocurrency security.

“‬It shows crypto is still in the Wild West and in its growing phase in terms of security. I think in a couple years we will have superior security but in its current state, the public fear is well-justified,” Khalsa said. 

Ultimately, embracing different approaches will be essential for the Web3 community to build a more secure and resilient ecosystem. A good starting point is to demand better industry practices and evaluate the integration of verifiable, reproducible builds.