Bybit's $1.5 Billion Crypto Heist Sparks Debate on Centralized Exchange Security

Security is something I have been dealing with for the past 15–17 years. No matter how much you know, there will always be someone smarter, faster, or stronger. Yet, there is a set of rules and principles that should never be violated.

\ The Bybit experience was particularly illustrative for me because the exchange's employees neglected all major security approaches—from fundamental and abstract principles to concrete, detailed measures.

\ Thus, I will analyze several key aspects based on this hack.

Years ago, I formulated this principle for myself: "Any system can be hacked. The only question is time, money, and effort." If hacking your system yields $1M while costing the attacker only $10K, the system will definitely be hacked. However, if hacking requires $1.1M, then the question becomes: why bother? Unless, of course, the motive is to harm a competitor or conduct a state-sponsored cyberattack.

\

This principle was precisely what Bybit's employees violated. According to initial interviews, they believed their system was invulnerable. But the $1.4B price tag changed everything.

\ Wherever you work, you must understand that anything can be hacked, anytime, and anyway. The only variables are money, time, and effort. Knowing this, let's move forward…

Yes and no. Hardware wallets have always been attacked—Ledger and Trezor are prime examples. Other brands fare even worse.

However, you can mitigate risks and reduce negative impacts when using hardware/multisig wallets.

\ Here are some recommendations compiled from researchers and personal experience:

• Verify what you're signing: Always ensure that what you see matches what you're actually signing or transferring. If you notice discrepancies, stop, pause, and evaluate the situation carefully.
• Browser-based wallet connections are safer than direct ones: Why? Browser wallets have extensive contract databases and can sometimes provide false positives, but they highlight interactions with new and, especially, unverified contracts (which was relevant in this case).
• Update your wallet firmware: Install only official firmware, unless you're into ethical hacking. You can verify this on the manufacturer's website or via hash sums.
• Simulate transactions before signing: Always check for unexpected changes. The key concepts here are pre-check and interrupt.
• Use alternative verification sources: Some useful tools include:
• Etherscan Input Data Decoder
• PalmeraDAO Safe Interface (used after the Bybit hack)
• CirclesTools SafeViewer (explained in the linked page)
• Safe has also introduced alternative interfaces:
• PalmeraDAO App
• EternalSafe
• Onchainden App
• Add.:
• Safe API
• Safe Documentation
• Trezor features

\ These precautions are just a start. Now, let’s compare them with lessons learned from the Radiant hack:

• Multilayer signature verification: Any anomaly, even minor, should trigger a security review.
• Independent transaction verification device: Generates verification codes that match hardware wallet data.
• Enhanced Ledger/Trezor security: Avoid blind signing for critical transactions.
• Audit repeated transaction failures: Recurrent issues should trigger a full transaction audit.
• Manual transaction data verification: Extract and decode transaction data before signing, ensuring functions and addresses match expectations.
• Dual message hash confirmation: Use Gnosis’ guide to verify transactions on hardware wallets.

\

Did Bybit implement any of these? According to available data—no.

Phishing, social engineering, and spam account for 80% of cyberattacks. The Bybit and Radiant cases prove this clearly.

\ To mitigate risks, implement role separation:

• If you have multiple signers, they must have independent verification channels.
• Ownership changes should be more complex than transaction approvals.
• Cold wallets should never store more than acceptable loss thresholds (e.g., $1.5B is excessive for any exchange).
• Any transaction discrepancies should default to cancellation, not approval.
• Staff must receive ongoing security training—at least monthly.
• Appoint at least one security verifier with expertise in multisig wallets and advanced security tools.

\

Again, public data does not confirm that Bybit followed any of these steps.

Many experts have weighed in on this hack. Here are some key perspectives:

• @dhkleung
• @blainemalone
• @pcaversaccio
• SlowMist Report
• @koeppelmann
• Chainabuse Report
• Radiant Post-Mortem

\ The key takeaway? While the attack appeared highly technical, it ultimately succeeded due to human error rather than technological vulnerabilities.

\ Therefore, I highly recommend studying the Radiant and WazirX cases as well. It’s clear that script kiddies are adopting these techniques, meaning that not only exchanges but a wider range of crypto projects will be targeted next.

\ Stay safe!