
Haotian | CryptoInsight | Feb 24, 2025 03:37
In the last AMA there was a brief discussion with @benbybit about whether this was an APT-style advanced penetration attack, but no clear conclusion on whether the penetration came from inside. Judging from the investigation findings in SlowMist's latest report, how did the North Korean hacker group Lazarus Group achieve such a precise APT penetration of an exchange? A brief explanation of the logic:
- Social engineering attack:
1) The hackers first pose as project teams, investors, third-party partners and so on to contact the company's developers (this kind of social-engineering approach is very common);
2) They induce employees to run malicious programs on the pretext of debugging code, or by recommending development and testing tools, market analysis programs and the like (the employee may have been deceived, or may have been complicit);
3) Once the malicious program is in place, the attackers gain remote code execution and can further manipulate employees to escalate privileges and move laterally;
- Internal network penetration process:
1) Using the single compromised internal-network node as a foothold, they scan the internal network, steal SSH keys from key servers, and abuse whitelist trust relationships to move laterally, gaining more control and spreading the malicious program further;
(The question is: if the exchange has a strict protection system, why were no anomalies detected during the entire penetration? SlowMist's conclusion is that the attackers used the enterprise's own internal infrastructure to bypass most security device detection. It seems internal-network systems still need to strengthen red-team/blue-team penetration drills.)
2) By continuing to penetrate the internal network, they eventually reach the server associated with the target wallet, and modify both the backend smart-contract program and the multi-signature UI frontend so that the two fit together seamlessly;
(Both the front end and the back end were tampered with, and the mystery is how all of the log data was bypassed. Beyond that, how did the hackers know precisely when a large transfer was about to be collected into the wallet? There are many doubts, which easily lead people to suspect that an "insider" was cooperating.)
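The step that the post singles out as suspicious is the stolen SSH key being reused across whitelisted servers without anyone noticing. The following is an added example, not code from the post or from SlowMist's report, of the kind of detection a blue team can run over sshd "Accepted publickey" lines: it learns which source IPs each key normally arrives from during a baseline window, then flags the same key showing up from a new source and fanning out across several hosts in a short span. The log lines, hostnames, IPs and key fingerprints are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not real data). Storyline: the "deploy" key normally
# arrives only from the build host 10.0.10.5; the next night the same key is used
# from 10.0.30.77 and walks across the whitelisted fleet, ending at the wallet host.
SAMPLE_AUTH_LOG = """\
Feb 20 09:01:11 app01 sshd[1201]: Accepted publickey for deploy from 10.0.10.5 port 50122 ssh2: ED25519 SHA256:deployKEY0001
Feb 20 09:02:40 app02 sshd[1188]: Accepted publickey for deploy from 10.0.10.5 port 50130 ssh2: ED25519 SHA256:deployKEY0001
Feb 20 11:15:02 app01 sshd[1340]: Accepted publickey for deploy from 10.0.10.5 port 50981 ssh2: ED25519 SHA256:deployKEY0001
Feb 21 02:13:55 app01 sshd[2207]: Accepted publickey for deploy from 10.0.30.77 port 41877 ssh2: ED25519 SHA256:deployKEY0001
Feb 21 02:14:20 app02 sshd[2099]: Accepted publickey for deploy from 10.0.30.77 port 41890 ssh2: ED25519 SHA256:deployKEY0001
Feb 21 02:15:03 wallet-svc sshd[3301]: Accepted publickey for deploy from 10.0.30.77 port 41902 ssh2: ED25519 SHA256:deployKEY0001
Feb 21 02:16:44 db01 sshd[4410]: Accepted publickey for deploy from 10.0.30.77 port 41915 ssh2: ED25519 SHA256:deployKEY0001
"""

# Matches the standard OpenSSH "Accepted publickey" line shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: Accepted publickey for "
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)$"
)


def parse(log_text):
    """Turn raw sshd lines into dicts; lines that are not key logins are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_key_misuse(events, baseline_days=("Feb 20",), fanout_threshold=3):
    """Return a list of alerts. Two rules:
    1. new-source: a (user, key fingerprint) pair that during the baseline window was
       only presented from a fixed set of source IPs now arrives from a new IP.
    2. fan-out: from that new IP, the same key reaches >= fanout_threshold distinct
       hosts, which is what lateral movement on a whitelisted key looks like.
    """
    baseline_src = defaultdict(set)
    for e in events:
        if e["ts"].startswith(baseline_days):
            baseline_src[(e["user"], e["fp"])].add(e["src"])

    alerts = []
    seen_new = set()            # (key, src) pairs already reported as new-source
    reach = defaultdict(set)    # (key, src) -> hosts reached from that source
    for e in events:
        if e["ts"].startswith(baseline_days):
            continue
        key = (e["user"], e["fp"])
        if key in baseline_src and e["src"] not in baseline_src[key]:
            if (key, e["src"]) not in seen_new:
                seen_new.add((key, e["src"]))
                alerts.append(("new-source", e["user"], e["fp"], e["src"], e["host"]))
            reach[(key, e["src"])].add(e["host"])
            if len(reach[(key, e["src"])]) == fanout_threshold:
                alerts.append(("fan-out", e["user"], e["fp"], e["src"],
                               sorted(reach[(key, e["src"])])))
    return alerts


if __name__ == "__main__":
    for alert in detect_key_misuse(parse(SAMPLE_AUTH_LOG)):
        print(alert)
```

The same idea scales to central log collection: the baseline of "which sources present which key" is cheap to keep, and a hit on the wallet host from a source that has never presented that key before is exactly the event that should page someone. Pinning keys with a `from=` restriction in `authorized_keys` turns the same observation into a hard block rather than an alert.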
How the Lazarus APT (advanced persistent) penetration attack works, plain-language version:
Imagine the exchange's cryptocurrency cold wallet as a special vault on the top floor of a high-end office building.
Under normal circumstances this vault has strict security measures: there is a display screen showing the details of each transfer, and several executives must be present at the same time for each operation and confirm the information on the screen together (for example "transfer XXX ETH to address XX"). The transfer only goes through once every executive has confirmed it is correct.
However, through a carefully planned infiltration, the hackers first used social engineering to obtain the building's "access card" (i.e. compromised the initial computer) and got inside, then managed to copy a core developer's "office key" (obtained important permissions). With this "key" they could quietly get into more "offices" (move laterally within the system and take control of more servers).
Finally, they found the core system that controls the vault. The hackers not only replaced the display screen program (tampered with the multi-signature UI) but also modified the vault's internal transfer program (changed the smart contract), so that what the executives saw on the screen was tampered, false information, while the real funds were transferred to a hacker-controlled address.
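The defensive lesson of the vault story is that the "display screen" cannot be the source of truth: an approver has to check the raw fields that the signing device is actually being asked to sign against what the front end claims, on a machine the front end does not control. The block below is an added example, not code from the post, from Bybit or from Safe, of such an independent review. It assumes the Safe transaction shape (`to`, `value`, `data`, `operation` where 0 is CALL and 1 is DELEGATECALL) and recognises plain ETH transfers and ERC-20 `transfer(address,uint256)` calldata (selector `a9059cbb`); it goes beyond the post's ETH example by also decoding token transfers. All addresses and amounts are constructed.

```python
from dataclasses import dataclass

ERC20_TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")


@dataclass
class SigningRequest:
    """Raw fields the signing device is asked to sign (Safe transaction shape)."""
    to: str
    value: int        # wei
    data: str         # hex calldata without the 0x prefix, "" for a plain transfer
    operation: int    # 0 = CALL, 1 = DELEGATECALL


@dataclass
class UiClaim:
    """What the (possibly tampered) multisig front end shows the approver."""
    recipient: str
    amount: int
    asset: str        # "ETH" or a token contract address


def encode_erc20_transfer(recipient, amount):
    """ABI-encode transfer(address,uint256); used here only to build sample data."""
    return ERC20_TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "x").rjust(64, "0")


def decode_erc20_transfer(data):
    """Return (recipient, amount) if calldata is transfer(address,uint256), else None."""
    if len(data) != 8 + 64 + 64 or data[:8].lower() != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[8 + 24:8 + 64].lower()
    amount = int(data[8 + 64:], 16)
    return recipient, amount


def effective_transfer(req):
    """Describe what the payload really does, derived from the raw fields only."""
    if req.operation != 0:
        # DELEGATECALL runs foreign code in the Safe's own context; it is never a transfer.
        return {"kind": "delegatecall", "recipient": req.to.lower()}
    if req.data == "":
        return {"kind": "ETH", "recipient": req.to.lower(), "amount": req.value}
    decoded = decode_erc20_transfer(req.data)
    if decoded:
        return {"kind": "token", "asset": req.to.lower(), "recipient": decoded[0], "amount": decoded[1]}
    return {"kind": "unknown-calldata", "recipient": req.to.lower()}


def review(req, claim):
    """Compare raw payload with the UI claim; an empty list means they agree."""
    findings = []
    eff = effective_transfer(req)
    if eff["kind"] == "delegatecall":
        return ["DELEGATECALL to %s: this is not a transfer at all" % eff["recipient"]]
    if eff["kind"] == "unknown-calldata":
        return ["calldata to %s is not a recognised transfer" % eff["recipient"]]
    actual_asset = "ETH" if eff["kind"] == "ETH" else eff["asset"]
    claimed_asset = "ETH" if claim.asset == "ETH" else claim.asset.lower()
    if actual_asset != claimed_asset:
        findings.append("asset mismatch: UI says %s, payload moves %s" % (claimed_asset, actual_asset))
    if eff["recipient"] != claim.recipient.lower():
        findings.append("recipient mismatch: UI says %s, payload pays %s" % (claim.recipient.lower(), eff["recipient"]))
    if eff["amount"] != claim.amount:
        findings.append("amount mismatch: UI says %d, payload moves %d" % (claim.amount, eff["amount"]))
    return findings


# Constructed sample addresses (not real accounts).
TREASURY_DEST = "0x" + "aa" * 20
ATTACKER_DEST = "0x" + "bb" * 20
TOKEN_CONTRACT = "0x" + "cc" * 20

HONEST_CLAIM = UiClaim(recipient=TREASURY_DEST, amount=5 * 10**18, asset="ETH")
HONEST_REQ = SigningRequest(to=TREASURY_DEST, value=5 * 10**18, data="", operation=0)
# The screen still shows the honest claim, but the payload handed to the signer is a delegatecall.
TAMPERED_REQ = SigningRequest(to=ATTACKER_DEST, value=0, data="deadbeef", operation=1)
# Token case: UI shows the treasury, calldata actually pays the attacker.
TOKEN_CLAIM = UiClaim(recipient=TREASURY_DEST, amount=10**6, asset=TOKEN_CONTRACT)
TOKEN_REQ = SigningRequest(to=TOKEN_CONTRACT, value=0,
                           data=encode_erc20_transfer(ATTACKER_DEST, 10**6), operation=0)

if __name__ == "__main__":
    for name, req, claim in (("honest", HONEST_REQ, HONEST_CLAIM),
                             ("tampered", TAMPERED_REQ, HONEST_CLAIM),
                             ("token", TOKEN_REQ, TOKEN_CLAIM)):
        print(name, review(req, claim) or "OK")
```

The point is where the inputs come from: `SigningRequest` must be filled from the payload the hardware wallet or signing service actually received, and the review must run on a device that did not load the front end, otherwise a tampered UI simply feeds both sides of the comparison.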
Note: the above is only the common APT penetration method used by the Lazarus hacker group. @Bybit_Official has not yet published a conclusive analysis report on the incident, so this is for reference only and should not be relied on!
However, in the end I would like to give a suggestion to the boss @benbybit: Safe, as an asset management method better suited to DAO organizations, only focuses on normal call execution and does not verify the legitimacy of calls. There are many better local internal-control management solutions on the market, such as FireBlocks and RigSec, which offer better support in asset security, permission control, operation auditing and other aspects.