
Bybit’s $1.5 Billion Crypto Heist Sparks Debate on Centralized Exchange Security | HackerNoon

News Room
Last updated: 2025/02/26 at 1:55 AM
News Room Published 26 February 2025

Security is something I have been dealing with for the past 15–17 years. No matter how much you know, there will always be someone smarter, faster, or stronger. Yet, there is a set of rules and principles that should never be violated.

The Bybit experience was particularly illustrative for me because the exchange’s employees neglected all major security approaches—from fundamental and abstract principles to concrete, detailed measures.

Thus, I will analyze several key aspects based on this hack.

The Zero Principle of Security

Years ago, I formulated this principle for myself: “Any system can be hacked. The only question is time, money, and effort.” If hacking your system yields $1M while costing the attacker only $10K, the system will definitely be hacked. However, if hacking requires $1.1M, then the question becomes: why bother? Unless, of course, the motive is to harm a competitor or conduct a state-sponsored cyberattack.

This principle was precisely what Bybit’s employees violated. According to initial interviews, they believed their system was invulnerable. But the $1.4B price tag changed everything.

Wherever you work, you must understand that anything can be hacked, at any time and in any way. The only variables are money, time, and effort. Knowing this, let’s move forward…

Is a Hardware Wallet + Multisig Safe?

Yes and no. Hardware wallets have always been attacked—Ledger and Trezor are prime examples. Other brands fare even worse.

However, you can mitigate risks and reduce negative impacts when using hardware/multisig wallets.

Here are some recommendations compiled from researchers and personal experience:

  • Verify what you’re signing: Always ensure that what you see matches what you’re actually signing or transferring. If you notice discrepancies, stop, pause, and evaluate the situation carefully.
  • Browser-based wallet connections are safer than direct ones: Why? Browser wallets maintain extensive contract databases. They sometimes raise false positives, but they flag interactions with new and, especially, unverified contracts (which was relevant in this case).
  • Update your wallet firmware: Install only official firmware, unless you’re into ethical hacking. You can verify this on the manufacturer’s website or via hash sums.
  • Simulate transactions before signing: Always check for unexpected changes. The key concepts here are pre-check and interrupt.
  • Use alternative verification sources: Some useful tools include:
  • Safe has also introduced alternative interfaces:
  • Add.:

These precautions are just a start. Now, let’s compare them with lessons learned from the Radiant hack:

  • Multilayer signature verification: Any anomaly, even minor, should trigger a security review.
  • Independent transaction verification device: Generates verification codes that match hardware wallet data.
  • Enhanced Ledger/Trezor security: Avoid blind signing for critical transactions.
  • Audit repeated transaction failures: Recurrent issues should trigger a full transaction audit.
  • Manual transaction data verification: Extract and decode transaction data before signing, ensuring functions and addresses match expectations.
  • Dual message hash confirmation: Use Gnosis’ guide to verify transactions on hardware wallets.

Did Bybit implement any of these? According to available data—no.
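
The manual transaction data verification step from the list above, as an added example (not code from the original article or from Safe's tooling): it decodes the fields of a proposed Safe-style transaction and cancels on any mismatch with what the signer intended. The addresses, the `INTENT` record and the function names are constructed for illustration, and the only expected call it covers is an ERC-20 `transfer`.

```python
# Added example: check a proposed Safe-style transaction against the signer's intent.
# All addresses and amounts below are constructed sample values.
TRANSFER_SELECTOR = "a9059cbb"  # ERC-20 transfer(address,uint256)

def decode_transfer(data_hex):
    """Decode ERC-20 transfer calldata into (recipient, amount); raise ValueError otherwise."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if any(c not in "0123456789abcdef" for c in data):
        raise ValueError("calldata is not hex")
    if len(data) != 8 + 2 * 64:  # 4-byte selector + two 32-byte words
        raise ValueError("unexpected calldata length")
    if data[:8] != TRANSFER_SELECTOR:
        raise ValueError("unexpected function selector 0x" + data[:8])
    addr_word, amount_word = data[8:72], data[72:136]
    if addr_word[:24] != "0" * 24:
        raise ValueError("address word has non-zero padding")
    return "0x" + addr_word[24:], int(amount_word, 16)

def review(tx, intent):
    """Return every discrepancy between the proposed transaction and the intent."""
    problems = []
    if tx["operation"] != 0:  # Safe transactions: 0 = CALL, 1 = DELEGATECALL
        problems.append("operation is not a plain CALL")
    if tx["to"].lower() != intent["token"].lower():
        problems.append("target contract differs from expected token")
    if tx["value"] != 0:
        problems.append("unexpected native value attached")
    try:
        recipient, amount = decode_transfer(tx["data"])
        if recipient != intent["recipient"].lower():
            problems.append("recipient differs from intent")
        if amount != intent["amount"]:
            problems.append("amount differs from intent")
    except ValueError as exc:
        problems.append(str(exc))
    return problems

def decision(tx, intent):
    # Any discrepancy defaults to cancellation, never to approval.
    return "CANCEL" if review(tx, intent) else "SIGN"

def calldata(recipient, amount):  # builds the constructed samples below
    return "0x" + TRANSFER_SELECTOR + recipient[2:].rjust(64, "0") + format(amount, "064x")

TOKEN, RECIPIENT, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
INTENT = {"token": TOKEN, "recipient": RECIPIENT, "amount": 1000}
GOOD = {"to": TOKEN, "value": 0, "operation": 0, "data": calldata(RECIPIENT, 1000)}
BAD = {"to": OTHER, "value": 0, "operation": 1, "data": calldata(RECIPIENT, 1000)}
```

The `BAD` sample carries well-formed `transfer` calldata but a different target and a non-CALL operation, so a check that looked only at the decoded recipient and amount would pass it.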

The Human Factor: The Weakest Link

Phishing, social engineering, and spam account for 80% of cyberattacks. The Bybit and Radiant cases prove this clearly.

To mitigate risks, implement role separation:

  • If you have multiple signers, they must have independent verification channels.
  • Ownership changes should be more complex than transaction approvals.
  • Cold wallets should never store more than the acceptable loss threshold (e.g., $1.5B is excessive for any exchange).
  • Any transaction discrepancies should default to cancellation, not approval.
  • Staff must receive ongoing security training—at least monthly.
  • Appoint at least one security verifier with expertise in multisig wallets and advanced security tools.

Again, public data does not confirm that Bybit followed any of these steps.

Researcher Opinions

Many experts have weighed in on this hack. Here are some key perspectives:

The key takeaway? While the attack appeared highly technical, it ultimately succeeded due to human error rather than technological vulnerabilities.

Therefore, I highly recommend studying the Radiant and WazirX cases as well. It’s clear that script kiddies are adopting these techniques, meaning that not only exchanges but a wider range of crypto projects will be targeted next.

Stay safe!
