Bybit Announces $150 Million Bounty after its $1.4 Billion Hack

in LeoFinance, 2 days ago (edited)

For years, Bybit offered peanuts for identifying critical vulnerabilities. Now, the crypto exchange has changed its bounty approach after the $1.4 billion ETH hack it suffered, which was orchestrated by the North Korean Lazarus Group, as I wrote in my previous article. If you’ve been following crypto heist sagas, you’ve probably heard of Lazarus. The group has been behind some of the biggest DeFi and CeFi attacks. Bybit’s latest bounty program promises up to 10% of the stolen funds, amounting to a $150 million payday. It’s a life-changing bounty that could motivate top cybersecurity researchers to work on retrieving the funds.

From $4K to $150M
Bybit’s bug bounty table capped critical vulnerability rewards at a laughable $4,000. That’s right, four thousand! This is in an industry where competitors like Coinbase, Crypto.com, and Binance are offering payouts of hundreds of thousands to millions of dollars for the identification of critical vulnerabilities.

Bybit’s new $150 million bounty is the perfect opportunity for chain analysts like ZachXBT to step up. To his credit, ZachXBT has been tracking the stolen ETH as it has moved between different wallets and exchanges, identifying laundering patterns, and mapping out connected addresses. This new bounty will make him extra motivated to keep working on helping retrieve some of the stolen funds.

Security Isn’t a Side Hustle
This entire fiasco underscores a golden rule in crypto: security is not an afterthought. Exchanges that once buried security issues under small payouts and dubious NDAs are finally waking up to the danger. A $4,000 payout might’ve seemed reasonable more than a decade ago, when most hacks were smaller and the crypto space was still nascent. But with billions on the line and hacking collectives like Lazarus growing more sophisticated, you have to prioritize security. If Bybit manages to recover a portion of the stolen ETH, it sends a signal to security researchers that they’re crucial allies, albeit in a mercenary-for-hire fashion, against hackers and scammers.
