Security News This Week: The Biggest Crypto Heist Ever: $1.4 Billion Taken From ByBit
Apple disabled end-to-end encrypted iCloud backups in the UK following pressure to install a backdoor, and two spyware apps leaked victim data — and the identities of people who used the apps.
Now, amid the carnage that the so-called Department of Government Efficiency is wreaking on the United States government by slashing the federal workforce, it has become the subject of multiple lawsuits claiming that the group’s access to sensitive data is in violation of the Watergate-inspired Privacy Act of 1974 and that it must stop. At the same time, DOGE this week winnowed its team at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and even reached into CISA’s digital systems after the agency had already unplugged its eight-year-old efforts to help secure elections late last week.
The National Institute of Standards and Technology was also preparing this week for the firing of about 500 staff members, which could have a far-reaching impact on NIST’s cybersecurity standards and software vulnerability tracking work. Last week’s cuts at the US Digital Service also included the cybersecurity lead for the central portal at Veterans Affairs, VA.gov, potentially making VA systems and data more vulnerable without someone in his role.
No US departments have said TP-Link products are banned, although several, including the government departments, are now considering banning routers made in China due to recent aggressive campaigns of Chinese digital espionage. (The company denies that it has ties to cyberattacks.) A WIRED investigation showed that the users of Google’s ad tech are able to target categories that should not be allowed under the company’s policies, like people who have chronic diseases or those who are in debt. Advertisers could also target national security “decision makers” and those involved in the development of classified defense technology.
Google researchers said this week that hackers working for the Russian government have duped Ukrainian soldiers into joining hackers’ Signal groups, using fraudulent QR codes for invites that took advantage of a vulnerability allowing the attackers to read messages from targets. Signal has pushed updates to prevent the abuse. And a WIRED deep dive looks at just how hard it can be for even the most in-the-know web users to get intimate images and videos of themselves, posted without their consent, taken down from the web.
And there's more. Every week we collect a few of the security and privacy stories that we didn’t cover in depth ourselves. Tap the headlines to read the full stories. And stay safe out there.
Biggest Crypto Theft Ever: $1.4 Billion Stolen From ByBit
Operating a cryptocurrency exchange can be a risky business, as hacking victims like Mt. Gox, Bitfinex, FTX, and a whole slew of others can confirm. But there never has been a marketplace for crypto forking over a 10-figure dollar amount in a single heist. That new title goes to ByBit, which on Friday disclosed that hackers invaded the firm’s Ethereum-based holdings. According to an estimate by the cryptocurrency trading firm Elliptic, the hackers ended up making off with a sum that adds up to $1.4 billion — the largest crypto theft ever by some measures.
The hackers had manipulated the exchange with a “musked transaction”—almost certainly a typo for “masked transaction”—to coax it into cryptographically signing a code change in the smart contract that runs a wallet holding the exchange’s stockpile of Ethereum, ByBit CEO Ben Zhou wrote on X. “Rest assured that all other cold wallets are safe,” Zhou wrote while implying that the exchange was solvent. “All withdraws are NORMAL.” In a later note on X, Zhou added the exchange would be able to cover the loss, which if true means no users will lose their funds.
The haul dwarfs other historic hacks of crypto exchanges, such as Mt. Gox and FTX, both of which had losses in cryptocurrency that were worth hundreds of millions of dollars on the date of the thefts. Even the loot taken in a 2016 heist of the Bitfinex exchange was valued at around $4.5 billion when the thieves were identified and most of the funds recovered in 2022, though it had been worth only $72 million back in 2016. By that measure, $1.4 billion is a much bigger loss for ByBit and, given that all crypto thefts in 2024 came to $2.2 billion, a staggering new high mark for crypto crime, according to blockchain analysis firm Chainalysis.
Apple Temporarily Disables iCloud End-to-End Encryption in the U.K.
The British government set off privacy alarms around the world earlier this month when it ordered Apple to give it access to users’ end-to-end encrypted iCloud data. That data was safeguarded by a protective measure from Apple called Advanced Data Protection, which encrypts stored user data to the point where it can be decrypted only by the user, not even Apple. So now Apple has buckled to the UK’s ultimatum, disabling that end-to-end encryption option for iCloud across the country. Although it disabled that protection, Apple conveyed its disdain in a statement: “The need for enhanced security around the storage of data in the cloud, using end-to-end encryption, is more urgent than it has ever been before,” the company said. “Apple is committed to providing our users with the highest level of security for their personal data and hopes to continue to do so in the UK in the future.” Privacy advocates across the globe have argued that the move — and Britain’s push to make it happen — would have damaging consequences for the security and privacy of British citizens, exposing tech companies to similar demands for surveillance from governments around the world.
Millions of Victims’ Data Sloshes Online From Stalkerware Apps Cocospy and Spyic
The only thing worse than the scourge of stalkerware apps—malware that snooping spouses or other hands-on interlopers install on one of their targets’ phones to track basically every one of their movements and communications—is that those apps are so poorly secured that they also spill victims’ details and private data onto the public internet. Two stalkerware apps called Cocospy and Spyic — apparently developed by the same organization in China and using largely the same source code — exposed stolen data from millions of victims, due to a vulnerability in both apps, a security researcher who first discovered the flaw and contacted TechCrunch said. The exposed data included messages, phone logs, and images, TechCrunch reported. And in a karmic twist, it also contained millions of email addresses tied to the stalkerware’s registered users, who had themselves downloaded the apps and used them to spy on victims.