bitmover
Legendary
Offline
Activity: 2800
Merit: 6919
bitcoindata.science
March 13, 2025, 09:31:52 PM Last edit: March 13, 2025, 10:11:37 PM by bitmover Merited by vapourminer (4), JayJuanGee (1)

Quote: The video is damning evidence of a childish schoolboy error made by a competent CEO of a company trading in USD$ billions every month. How can he hold on to his job after this debacle that took place on his watch? Even though it has been ascertained Ledger were not to blame, many online have cited it should not be used for a massive company. If there are other CEOs using it they will be rushing to retire them. As for Lazarus, they probably are planning the next big hack.

Quote: We are talking about ETH and all the shitcoins that bring with it. Ledger advertises itself as the most secure wallet for any coin (lol), especially for cold storage usage. I won't argue his incompetence or Ledger's vulnerability and "safety measures" but where he will have to store them? Which ETH wallet you or anyone else will choose for such an amount/ business? I'm not supporting his choice but I can't blame him for it either.

This was not ledger fault. Anyone can continue using ledger, which hackers didn't exploit vulnerabilities
He was victim of kind of phishing.. He thought it was a routine transaction, and approved a wrong tx in his ledger. But it wasn't.
https://www.certik.com/resources/blog/3wI26AFKF1UtSDjJEXNEDM-bybit-incident-technical-analysis

JollyGood
Legendary
Offline
Activity: 3038
Merit: 1960
March 14, 2025, 11:15:57 AM Merited by JayJuanGee (1)

It has already been clarified that this was not a ledger fault therefore nobody should be trying to put the blame there. Keeping that aside, it seems EU regulators are investigating OKX as they have been implicated in possibly laundering $100 million of the stolen funds. Malta is contemplating whether the OKX licence should be revoked. The excellent work carried out by Verichains should be acknowledged too, not only with regards to the assistance given to ByBit but also for their much wider contributions in other hacks. In the ByBit hack they exposed the problem was with the Safe Wallet multi-signature process.

bias
March 19, 2025, 02:11:19 PM Merited by JayJuanGee (1)

Quote: This was not ledger fault. Anyone can continue using ledger, which hackers didn't exploit vulnerabilities
He was victim of kind of phishing..

So for giving some fault credits to Ledger, hackers must show vulnerabilities? Isn't vulnerability when you get phishing transactions in a so-called "safest wallet"? When do scammers send fake tokens and coins? When they wash their hands by simply saying it's our fault for not identifying the sender? Their wallet is a phishing sea full of scams and they don't do a thing for this. That's a big vulnerability and until they fix this (and other things as well), nobody should use it.

bitmover
Legendary
Offline
Activity: 2800
Merit: 6919
bitcoindata.science
March 19, 2025, 04:54:06 PM

Quote: This was not ledger fault. Anyone can continue using ledger, which hackers didn't exploit vulnerabilities
He was victim of kind of phishing..

Quote: So for giving some fault credits to Ledger, hackers must show vulnerabilities? Isn't vulnerability when you get phishing transactions in a so-called "safest wallet"? When do scammers send fake tokens and coins? When they wash their hands by simply saying it's our fault for not identifying the sender? Their wallet is a phishing sea full of scams and they don't do a thing for this. That's a big vulnerability and until they fix this (and other things as well), nobody should use it.

I think you lack basic understanding of wallet security.
A good wallet cannot baby sit the customer. Only a custodial wallet can do that.
People like to say "your keys your coins", but you are responsible for every transaction.
Your keys, your coins, your responsibility
If you decide to approve a transaction, that is on you. The wallet won't babysit you "you shouldn't approve that transaction. Send me your docs, kyc, etc". This is a custodial wallet procedure.

bias
March 19, 2025, 08:21:16 PM

Quote: I think you lack basic understanding of wallet security.
A good wallet cannot baby sit the customer. Only a custodial wallet can do that.
People like to say "your keys your coins", but you are responsible for every transaction.
Your keys, your coins, your responsibility
If you decide to approve a transaction, that is on you. The wallet won't babysit you "you shouldn't approve that transaction. Send me your docs, kyc, etc". This is a custodial wallet procedure.

Who's talking about keys? A phishing transaction isn't baby-shitting, is a vulnerability of their system. How a fake transaction, coin, or token, can appear in my wallet without their system can do anything? They advertise that is the safest of all wallets. So, where is it? Why not store my coins in Metamask, Trust, Kraken etc, etc? They are all the same and these, at least, are not advertised as the safest. Oh yes, Ledger is a hard wallet provider, but without any real usage for safety. Just more money for... nothing.

Cossyblack
Sr. Member
  
Offline
Activity: 476
Merit: 372
Time Traveler
March 20, 2025, 08:22:25 AM Merited by JayJuanGee (1)

Quote: I think you lack basic understanding of wallet security.
A good wallet cannot baby sit the customer. Only a custodial wallet can do that.
People like to say "your keys your coins", but you are responsible for every transaction.
Your keys, your coins, your responsibility
If you decide to approve a transaction, that is on you. The wallet won't babysit you "you shouldn't approve that transaction. Send me your docs, kyc, etc". This is a custodial wallet procedure.

Quote: Who's talking about keys? A phishing transaction isn't baby-shitting, is a vulnerability of their system. How a fake transaction, coin, or token, can appear in my wallet without their system can do anything? They advertise that is the safest of all wallets. for safety.

In my own opinion I think the safest wallet cannot be 100% secured and sometimes can still be vulnerable to phishing scams. This is why consistent upgrades are important to keep the system updated and more effective to detect scam and block any infiltrated attempts into the system. Few days ago, the same Lazarus group made an attempt to hack OKX DEX Aggregator, an attempt that was unsuccessful and this prohibited act led OKX to suspend their DEX Aggregator services to implement security upgrades on their system. Read here
My point is that no wallet is 100% safe but continuous system upgrades can help the system detect scam and repel any infiltrated attempts from hackers.

bitmover
Legendary
Offline
Activity: 2800
Merit: 6919
bitcoindata.science
March 20, 2025, 10:04:02 AM Last edit: March 20, 2025, 10:31:14 AM by bitmover Merited by NeuroticFish (4), JayJuanGee (1), bias (1)

Quote: Who's talking about keys? A phishing transaction isn't baby-shitting, is a vulnerability of their system.

If there is someone who decides which transaction you can or cannot do with your own wallet, that is baby sitting, that is what custodial wallets do.

Quote: How a fake transaction, coin, or token, can appear in my wallet without their system can do anything? They advertise that is the safest of all wallets. So, where is it?

A phishing isn't a vulnerability in the wallet, but in other systems. This is a social engineering attack. The phishing attack affected safe wallet UI (https://app.safe.global/), which showed the correct address in Safe wallet. The only software which showed that address was altered was Ledger, but the signers didn't verify ledger screen, and approved the transaction anyway. You can read about the attack here.

Quote: According to Bybit CEO Ben Zhou, who explained in his livestream on X two hours after the exploit, the Bybit team was performing a routine cold-to-warm wallet asset transfer, and he was the last signer for the Safe multi-sig transaction. He stated that this specific transaction was masked; all the signers saw the masked UI, which displayed the correct address and transaction data in Safe{Wallet}'s UI, and the URL was indeed verified from Safe{Wallet}. The data on the Safe UI appeared correct, but when sent to the Ledger for signing, it was altered. He mentioned that he didn't verify the transaction data on the Ledger hardware wallet UI before signing. How the attacker modified Safe{Wallet}'s UI remains unknown. Based on information shared by Arkham, @zachxbt submitted definitive proof that the attack on Bybit was carried out by the DPRK's LAZARUS GROUP.
https://www.certik.com/resources/blog/3wI26AFKF1UtSDjJEXNEDM-bybit-incident-technical-analysis

He was using as the UI.

Quote: Why not store my coins in Metamask, Trust, Kraken etc, etc? They are all the same and these, at least, are not advertised as the safest.

Because those wallets aren't safe without some serious hardware wallet secure behind them, like trezor or ledger.
https://x.com/_TomHoward/status/1894778995977093544

In the end, you are blaming ledger for something that happened in safe wallet UI.
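
What "verify the hardware wallet screen" can look like for the Safe multi-sig flow described in the post above, as an added example that is not part of the original thread: recompute the hashes from the fields the signer intends, on a machine independent of the web UI, and sign only if the device shows the same values. It assumes the EIP-712 SafeTx layout of Safe contracts v1.3.0 and later and a device that displays the domain hash, message hash or Safe transaction hash; the addresses, amount, nonce and chain id are constructed.

```python
# Added example, not code from the thread. Addresses and amounts are constructed.
# Assumption: EIP-712 SafeTx layout of Safe contracts v1.3.0 and later.

def _rol(a, n):
    return ((a << n % 64) | (a >> (64 - n % 64))) & ((1 << 64) - 1)

def _keccak_f(lanes):  # Keccak-f[1600] over a 5x5 matrix of 64-bit lanes
    r = 1
    for _ in range(24):
        c = [l[0] ^ l[1] ^ l[2] ^ l[3] ^ l[4] for l in lanes]
        d = [c[(x + 4) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]  # theta
        x, y, cur = 1, 0, lanes[1][0]
        for t in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):  # chi
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):  # iota
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes

def keccak256(data: bytes) -> bytes:
    """Keccak-256 as used by Ethereum (pad byte 0x01, not SHA3's 0x06)."""
    rate, state = 136, bytearray(200)
    padded = bytearray(data) + b"\x01" + bytes(-(len(data) + 1) % rate)
    padded[-1] ^= 0x80
    for off in range(0, len(padded), rate):
        for i in range(rate):
            state[i] ^= padded[off + i]
        lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
                  for y in range(5)] for x in range(5)]
        lanes = _keccak_f(lanes)
        for x in range(5):
            for y in range(5):
                state[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return bytes(state[:32])

DOMAIN_TYPE = b"EIP712Domain(uint256 chainId,address verifyingContract)"
SAFE_TX_TYPE = (b"SafeTx(address to,uint256 value,bytes data,uint8 operation,"
                b"uint256 safeTxGas,uint256 baseGas,uint256 gasPrice,"
                b"address gasToken,address refundReceiver,uint256 nonce)")
ZERO = "0x" + "00" * 20

def _word(v) -> bytes:
    """ABI-encode an int or a 0x-prefixed address as one 32-byte word."""
    return (int(v, 16) if isinstance(v, str) else v).to_bytes(32, "big")

def safe_tx_hashes(safe, chain_id, tx):
    """Recompute the EIP-712 hashes of a Safe transaction from its plain fields."""
    domain = keccak256(keccak256(DOMAIN_TYPE) + _word(chain_id) + _word(safe))
    message = keccak256(
        keccak256(SAFE_TX_TYPE) + _word(tx["to"]) + _word(tx["value"])
        + keccak256(bytes.fromhex(tx["data"][2:])) + _word(tx["operation"])
        + _word(tx.get("safeTxGas", 0)) + _word(tx.get("baseGas", 0))
        + _word(tx.get("gasPrice", 0)) + _word(tx.get("gasToken", ZERO))
        + _word(tx.get("refundReceiver", ZERO)) + _word(tx["nonce"]))
    final = keccak256(b"\x19\x01" + domain + message)
    return {"domain": "0x" + domain.hex(), "message": "0x" + message.hex(),
            "safe_tx": "0x" + final.hex()}

def matches_intent(safe, chain_id, intended, shown_on_device):
    """True only if every hash read off the device matches the intended tx."""
    expected = safe_tx_hashes(safe, chain_id, intended)
    return bool(shown_on_device) and all(
        expected.get(k) == v.lower() for k, v in shown_on_device.items())

# Constructed sample: the intended transfer, and the same request with only `to` changed.
SAFE = "0x" + "11" * 20
INTENDED = {"to": "0x" + "22" * 20, "value": 10**18, "data": "0x", "operation": 0, "nonce": 7}
ALTERED = dict(INTENDED, to="0x" + "33" * 20)

if __name__ == "__main__":
    print("safe to sign:", matches_intent(SAFE, 1, INTENDED, safe_tx_hashes(SAFE, 1, ALTERED)))
```

The domain hash is identical for both requests because it depends only on the chain and the Safe address, so the message hash and the final Safe transaction hash are the values that expose a changed destination.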
bias
March 21, 2025, 03:25:40 PM

~snip~

Firstly and without any hint of irony, thank you for helping me understand what was the issue.

Secondly (and I'm not talking for this specific case), until Ledger is indeed the safest wallet as it advertises itself, I will blame them for their incompetence in truly protecting their clients. Because for my point of view, selling a product with your brand on it, brings responsibilities for the people that pay you for it. I don't say and of course, I'm not near in favor of custodial "wallets" and 3rd party control but something must be done from and for them.

NeuroticFish
Legendary
Offline
Activity: 4158
Merit: 6900
Looking for campaign manager? Contact icopress!

Quote: Secondly (and I'm not talking for this specific case), until Ledger is indeed the safest wallet as it advertises itself, I will blame them for their incompetence in truly protecting their clients. Because for my point of view, selling a product with your brand on it, brings responsibilities for the people that pay you for it. I don't say and of course, I'm not near in favor of custodial "wallets" and 3rd party control but something must be done from and for them.

While I do not like Ledger, who betrayed my trust and made me lose the money I've paid for their HW (i.e. it stays unused now and I bought something else), I don't agree fully with your statement. You seem to imply that if one has an Asus laptop with Windows on, gets malware and loses some money, then both Microsoft and Asus are responsible. However, I've noticed back then that my ledger nano needed quite some scrolling for the data to be read and, even more, iirc the change address, although it was from the wallet, it was not displayed (and I think that it may be exploitable).

But here the problem was different. The problem was that the people didn't check properly that what is on HW screen is the same as what's on their computer screen. Plus I think that the ETH tx also had a malicious script. And you know, you can have best HW in the world, if you don't read what you sign, then you'll get burned sooner or later.

bias
March 23, 2025, 03:12:28 PM

Quote: While I do not like Ledger, who betrayed my trust and made me lose the money I've paid for their HW (i.e. it stays unused now and I bought something else), I don't agree fully with your statement. You seem to imply that if one has an Asus laptop with Windows on, gets malware and loses some money, then both Microsoft and Asus are responsible. However, I've noticed back then that my ledger nano needed quite some scrolling for the data to be read and, even more, iirc the change address, although it was from the wallet, it was not displayed (and I think that it may be exploitable).

Sorry, but your example is wrong. Neither Asus nor Microsoft state that are the safest in their field. Neither do they make specific products to safely store your money. Plus they are trying to make something against this, like antivirus apps/ systems, warnings, etc. Something that you would at least expect from a company that specializes (LOL) in the security of our money. Ledger doesn't do a thing.

Quote: But here the problem was different. The problem was that the people didn't check properly that what is on HW screen is the same as what's on their computer screen. Plus I think that the ETH tx also had a malicious script. And you know, you can have best HW in the world, if you don't read what you sign, then you'll get burned sooner or later.

What defines the best product that is made to safely secure your coins? Safety and security. Ledger misses them both, simple as that. And you are right, if you sign something, it's "your fault". However, if this guy got a big red flashing warning in his wallet that the address was different, then 1000% sure he wouldn't have made this mistake. Just because is your responsibility to move/ sign your funds, it doesn't mean you can't or shouldn't be protected. That was Ledger's job and they failed.

NeuroticFish
Legendary
Offline
Activity: 4158
Merit: 6900
Looking for campaign manager? Contact icopress!
March 24, 2025, 06:49:44 PM

Quote: Sorry, but your example is wrong. Neither Asus nor Microsoft state that are the safest in their field. Neither do they make specific products to safely store your money.

Heh, I've seen banking services doing pretty much as bad as Ledger. However, I do get your point now; probably if you would have expressed it this good from start I wouldn't have complained. Even more, this post of yours now deserves some more merit.

Quote: Ledger doesn't do a thing.

They do. But not in the right direction. Remember the list of customers going to whoever wanted it?

Quote: However, if this guy got a big red flashing warning in his wallet that the address was different, then 1000% sure he wouldn't have made this mistake.

I think that this is not technically achievable. Keep in mind that the wallet has reported the bad tx to Ledger for signing. What should Ledger do? Make a capture of the screen and parse it with AI?! A lazy operator will press skip... Imho your expectations are too high. Imho a HW can probably give (much) more details in a much more friendly manner. But the human operator MUST do his part. There's no other way, I think.

bias
March 24, 2025, 08:18:55 PM Last edit: March 24, 2025, 09:20:27 PM by bias

Quote: Heh, I've seen banking services doing pretty much as bad as Ledger. However, I do get your point now; probably if you would have expressed it this good from start I wouldn't have complained. Even more, this post of yours now deserves some more merit.

I didn't even mention banking services because of that, lol. I'm sorry for not explaining it better but in the end, I always like to see the bright side of the moon. So, your "complaint" was the reason for writing it better, explaining it as I should from the start. IMO, that's the point of a discussion, open our minds and become better.

Quote: They do. But not in the right direction. Remember the list of customers going to whoever wanted it?

Oh yes, I do...

Quote: I think that this is not technically achievable. Keep in mind that the wallet has reported the bad tx to Ledger for signing. What should Ledger do? Make a capture of the screen and parse it with AI?! A lazy operator will press skip... Imho your expectations are too high. Imho a HW can probably give (much) more details in a much more friendly manner. But the human operator MUST do his part. There's no other way, I think.

My tech skills are limited, so I don't know how it can be done. Maybe not a capture but a kind of match-up? I probably say bs but I'm throwing "ideas" on the lake... I agree with you, human operator is a must. But can they find a way of informing him better? Earlier? Putting more warning signs? Invest in prevention and precaution? Ok, it will probably take more time (minutes I guess) to do a transaction with a lot of security measures but you won't lose 1.4 billion because you missed verifying the address with your human eyes.

P.S: We need to have higher expectations if we want to achieve great things.

Cossyblack
Sr. Member
  
Offline
Activity: 476
Merit: 372
Time Traveler
March 28, 2025, 12:08:46 PM Last edit: March 28, 2025, 12:19:27 PM by Cossyblack

Quote: The video is damning evidence of a childish schoolboy error made by a competent CEO of a company trading in USD$ billions every month. How can he hold on to his job after this debacle that took place on his watch? Even though it has been ascertained Ledger were not to blame, many online have cited it should not be used for a massive company. If there are other CEOs using it they will be rushing to retire them. As for Lazarus, they probably are planning the next big hack.

Quote: We are talking about ETH and all the shitcoins that bring with it. Ledger advertises itself as the most secure wallet for any coin (lol), especially for cold storage usage. I won't argue his incompetence or Ledger's vulnerability and "safety measures" but where he will have to store them? Which ETH wallet you or anyone else will choose for such an amount/ business? I'm not supporting his choice but I can't blame him for it either.

Quote: This was not ledger fault. Anyone can continue using ledger, which hackers didn't exploit vulnerabilities
He was victim of kind of phishing.. He thought it was a routine transaction, and approved a wrong tx in his ledger. But it wasn't.
https://www.certik.com/resources/blog/3wI26AFKF1UtSDjJEXNEDM-bybit-incident-technical-analysis

If you say it wasn't ledger fault then whose fault is it. As long I know, this is the fault of ledger and nobody is gonna take the blame but ledger, I know he was a victim but the truth of it is that, it was an error on his sides as it is the responsibility of ledger to always keep the Wallet on a security proof at all times but since it was an error on his side, it's understandable but a lesson should be learned to avert similar breaches on the system from ever reoccurring again. Ledger wallet is still safe for usage for any user who's still interested in using it, we shouldn't totally condemn ledger because of the previous attacks but we should continue to support them to see them improve on their system for the overall benefits of all users.

bitmover
Legendary
Offline
Activity: 2800
Merit: 6919
bitcoindata.science
March 28, 2025, 03:24:26 PM

Quote: If you say it wasn't ledger fault then whose fault is it. As long I know, this is the fault of ledger and nobody is gonna take the blame but ledger, I know he was a victim but the truth of it is that, it was an error on his sides as it is the responsibility of ledger to always keep the Wallet on a security proof at all times but since it was an error on his side, it's understandable but a lesson should be learned to avert similar breaches on the system from ever reoccurring again. Ledger wallet is still safe for usage for any user who's still interested in using it, we shouldn't totally condemn ledger because of the previous attacks but we should continue to support them to see them improve on their system for the overall benefits of all users.

If after I post the link to the document which explained how the hack occurred, you just ignored it wrote all that it is ledger fault... omg

Ledger shouldn't babysit users. If ledger could control your transactions in order to avoid phishing, it would be a custodial wallet.

bias
March 29, 2025, 03:13:50 PM

Quote: Ledger shouldn't babysit users. If ledger could control your transactions in order to avoid phishing, it would be a custodial wallet.

Not necessarily. Being protective of your clients doesn't mean that you have to control their transactions, but you should at least warn them how dangerous it can be to transfer their funds to any malicious, shady, or "different" address. So, instead of Ledger (and any Ledger) always using the term "non-custodial" for anything that happens in its application that may negatively affect its users' funds and disclaiming any responsibility that it has (and IT HAS), they should focus on finding ways to protect their clients' funds.

Quote: If after I post the link to the document which explained how the hack occurred, you just ignored it wrote all that it is ledger fault... omg

I can't disagree with you about that...

JollyGood
Legendary
Offline
Activity: 3038
Merit: 1960
March 29, 2025, 06:41:16 PM

You have clearly not been reading the thread otherwise you would have known the answer to the question (or not even have asked in the first place). If there was a list of nonsensical posts being made for the sake of post count, yours would be included. You should consider paying attention to the posts before adding your comments/views.

Quote: If you say it wasn't ledger fault then whose fault is it. As long I know, this is the fault of ledger and nobody is gonna take the blame but ledger, I know he was a victim but the truth of it is that, it was an error on his sides as it is the responsibility of ledger to always keep the Wallet on a security proof at all times but since it was an error on his side, it's understandable but a lesson should be learned to avert similar breaches on the system from ever reoccurring again. Ledger wallet is still safe for usage for any user who's still interested in using it, we shouldn't totally condemn ledger because of the previous attacks but we should continue to support them to see them improve on their system for the overall benefits of all users.

bitmover
Legendary
Offline
Activity: 2800
Merit: 6919
bitcoindata.science
March 29, 2025, 10:10:05 PM

Quote: Ledger shouldn't babysit users. If ledger could control your transactions in order to avoid phishing, it would be a custodial wallet.

Quote: Not necessarily. Being protective of your clients doesn't mean that you have to control their transactions, but you should at least warn them how dangerous it can be to transfer their funds to any malicious, shady, or "different" address. So, instead of Ledger (and any Ledger) always using the term "non-custodial" for anything that happens in its application that may negatively affect its users' funds and disclaiming any responsibility that it has (and IT HAS), they should focus on finding ways to protect their clients' funds.

But if the user paste the address in the software to make the transaction. Then he looks at the address in the screen, confirms it again. Then he clicks sign transaction.
Then he broadcast (seeing the address again)
What can ledger do after so many confirmations? If the user can't send funds to whoever he wants, it is a custodial wallet.
Adding more confirm screens will just make people ignore them

bias
March 30, 2025, 05:28:00 PM

Quote: But if the user paste the address in the software to make the transaction. Then he looks at the address in the screen, confirms it again. Then he clicks sign transaction.
Then he broadcast (seeing the address again)
What can ledger do after so many confirmations? If the user can't send funds to whoever he wants, it is a custodial wallet.
Adding more confirm screens will just make people ignore them

It seems that seeing the addresses when you copy and paste them isn't enough or/ and safe. Proved more than 1mil times. Maybe when the user looks at his screen (PC or the tiny Ledger screen that you can't see shit?) and sees a warning, an alert, it will continue to do so? 99.9% the answer is no. I think that you still don't understand the meaning here. I don't want a wallet to decide where and from where I will have my coins, but for sure, I want from "it" to warn me and protect me and my funds. That's their business, and they get paid for it. Other wallets, like Trust, at least make some effort. They call it "Proactive alerts for risky transactions" and yes, they do it without getting paid for it and without babysitting anyone.