Opinion by: Vikash Singh, Principal Investor at Stillmark

The Bybit hack resulted in the largest loss of funds to cyber hackers by a cryptocurrency exchange in history. It served as a wake-up call for those complacent about the state of security threats in the digital assets space. Everyone must learn the lesson from this heist — enterprise-grade custody solutions require tech to be accompanied by transparency.

Unlike many previous incidents, this loss of funds was not due to a faulty smart contract, lost/mismanaged keys or deliberate mismanagement or rehypothecation of user funds, but rather a sophisticated social engineering attack that exploited vulnerabilities in operational security. 

This hack differs from earlier eras because it happened to a major global exchange that takes security and compliance seriously. It’s a reminder that, in crypto, there’s no such thing as “good enough” security.

The anatomy of a heist 

A technical overview of the Bybit attack is key for understanding how companies can proactively strengthen their security against such attacks. Initially, a developer machine belonging to Safe, an asset management platform offering multisig Ethereum wallets used by Bybit, was compromised. This initial breach granted the attackers unauthorized access to Safe’s Amazon Web Services (AWS) environment, including its S3 storage bucket. 

The attackers then pushed a malicious JavaScript file into this bucket, which was subsequently distributed to users via access to the Safe UI. The JS code manipulated the transaction content displayed to the user during the signing process, effectively tricking them into authorizing transfers to the attackers’ wallets while believing they were confirming legitimate transactions. 

Recent: CertiK exec explains how to keep crypto safe after Bybit hack

This highlights how even highly robust security at the technical level, like multisig, can be vulnerable if not implemented correctly. They can lull users into a false sense of security that can be fatal.

Layered security

While multisignature security setups have long been considered the gold standard in digital asset security, the Bybit hack underscores the need for further analysis and transparency on the implementation of these systems, including the layers of security that exist to mitigate attacks that exploit operational security and the human layer in addition to verification of the smart contracts themselves. 

A robust security framework for safeguarding digital assets should prioritize multi-layered verification and restrict the scope of potential interactions. Such a framework demonstrably enhances protection against attacks.

A well-designed system implements a thorough verification process for all transactions. For example, a triple-check verification system involves the mobile application verifying the server’s data, the server checking the mobile application’s data, and the hardware wallet verifying the server’s data. If any of these checks fail, the transaction will not be signed. This multi-layered approach contrasts with systems that directly interface with onchain contracts, potentially lacking critical server-side checks. These checks are essential for fault tolerance, especially if the user’s interface is compromised.

A secure framework should limit the scope of possible interactions with digital asset vaults. Restricting actions to a minimal set, like sending, receiving and managing signers, reduces potential attack vectors associated with complex smart contract modifications.

Using a dedicated mobile application for sensitive operations, like transaction creation and display, adds another security layer. Mobile platforms often offer better resistance to compromise and spoofing compared to browser-based wallets or multisig interfaces. This reliance on a dedicated application enhances the overall security posture.

Transparency upgrades

To bolster transparency, businesses can leverage the capabilities of proof-of-reserve software. These can defend multisignature custody setups from UI-targeted attacks by providing an independent, self-auditable view of chain state/ownership and verifying that the correct set of keys is available to spend funds in a given address/contract (akin to a health check). 

As institutional adoption of Bitcoin (BTC) and digital assets continues, custody providers must transparently communicate such details on the security models of their systems in addition to the design decisions behind them: This is the true “gold standard” of crypto security. 

Transparency should extend to how the nature of the underlying protocols alters the attack surface of custody setups, including multisignature wallets. Bitcoin has prioritized human-verifiable transfers where signers confirm destination addresses directly rather than confirm engagement in complex smart contracts, which require additional steps/dependencies to reveal the flow of funds. 

In the case of the Bybit hack, this would enable the human signer to detect more easily that the address shown by the hardware wallet did not match the spoofed UI.

While expressive smart contracts expand the application design space, they increase the attack surface and make formal security audits more challenging. Bitcoin’s well-established multisignature standards, including a native multisig opcode, create additional security barriers against such attacks. The Bitcoin protocol has historically favored simplicity in its design, which reduces the attack surface not just at the smart contracting layer but also at the UX/human layer, including hardware wallet users. 

Increasing regulatory acceptance shows how far Bitcoin has come since its early era of widespread hacks and frauds, but Bybit shows we must never let our guard slip. Bitcoin represents financial freedom — and the price of liberty is eternal vigilance.

Opinion by: Vikash Singh, Principal Investor at Stillmark.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Love it or leave it, New York State has been a force in crypto regulation.

Ten years ago, the state created the United States’ first comprehensive regulatory framework for firms dealing in cryptocurrencies, including key consumer protection, anti-money laundering compliance and cybersecurity guidelines.

In September 2015, the New York Department of Financial Services (NYDFS) issued its first BitLicense to Circle Internet Financial, enabling the company to conduct digital currency business activity in the state. Ripple Markets received the second BitLicense in 2016. Circle and Ripple went on to become giant players in the global cryptocurrency and stablecoin industry.

Today, the NYDFS regulates one of the largest pools of crypto firms in the world, and it is often cited as the gold standard for crypto regulation in the US.

It’s against that background that Ken Coghill, NYDFS’s deputy superintendent for virtual currencies, appeared at Cornell Tech’s blockchain conference on April 25 to discuss “A New Era of U.S. Innovation in Crypto.” 

“We set the guardrails”

Most of the firms that have come to the NYDFS for a BitLicense are crypto-native firms, and often, they are new to the financial world and not used to dealing with regulators. Many times they don’t fully understand that they are in control of someone else’s asset, noted Coghill at the New York City conference, adding:

If you want to start a business and the only person you’re putting at risk is your own business, that’s not really our concern. We only exist because you’re selling something to somebody else, and you’re maintaining control over that product for someone else.

“We set the guardrails,” Coghill said, and it’s the industry’s job to figure out how to stay within those guardrails. The NYDFS can’t possibly contemplate every element that’s going to go wrong in a business.

These days, more conventional financial institutions are becoming interested in crypto as well, added Coghill. Large banks are beginning to offer crypto custody services, and others are starting to provide settlement services. “The conventional [bank] model is being brought into the crypto [sphere] primarily because it makes people feel comfortable,” said Coghill.

Related: Trump’s first 100 days ‘worst in history’ despite crypto promises

And while the NYDFS has only issued 22 BitLicenses to date, it appears to be ready to handle a tide of applications from TradFi firms if and when they materialize. “On a per capita basis, we have more supervisory resources focused on crypto businesses than we do for all of those other [non-crypto] businesses,” said Coghill. This includes 3,000 banks, insurance companies and other financial institutions. 

Dubai’s crypto regulator

It wasn’t a direct route that brought Coghill to the NYDFS in July 2024. He spent the previous 12 years in the Middle East working for the Dubai Financial Services Authority, eventually becoming the agency’s head of innovation and technology risk supervision.

It was a “whim” that took him to the Middle East in the first place, he recalled. “I went for three years and stayed for 12 years,” spending that time primarily as an official regulating global systemically important banks, or G-SIBs. There, he was called upon to develop a cryptocurrency supervision model, and so he “spent the last six years regulating cryptocurrency in the Middle East.”

Eventually, an opportunity arose to return to the US, where he had worked earlier as a manager in the department of market regulation at the Chicago Board Options Exchange. Before that he was an options trader. He took the new assignment with the NYDFS, among other reasons, because “the world looks to New York, and the world looks to the DFS” when it comes to regulation, he told the Cornell Tech audience.

Panel moderator Neil DeSilva asked Coghill what good regulation looks like. “Good regulation is regulation that doesn’t prohibit activity but that applies appropriate guardrails that reduces risk to clients,” he answered. One can’t eliminate risk entirely; to do so would quash all business activity.

Related: Institutions break up with Ethereum but keep ETH on the hook

He compares regulation to a pendulum constantly swinging between two extremes: too lenient and too restrictive. “The pendulum swung too far to one end of the regulation in the last few years [i.e., too restrictive]. Now it’s swinging back.”

What does the state regulator make of the fevered regulatory activity in Washington, DC at the federal level these days? There seem to be some “positive tailwinds” behind cryptocurrencies and stablecoins, noted DeSilva, himself a former chief financial officer for PayPal’s Digital Currencies and Remittances business. 

A pipeline to Washington

“For DFS, it’s largely business as usual,” Coghill commented. That’s because New York State has long had crypto rules in place. In fact, “much of what’s happening now in Washington” — at the federal level — “is influenced by what we’ve done over the last 10 years” at the state level.

The state agency has regularly communicated with the powers-that-be in the US capital regarding digital currencies. “We have a team that practically sits in Washington and has discussions with Congressional members, talking about what we think will work and what won’t work.”

The NYDFS’ crypto initiatives have influenced other US states. California’s crypto reform legislation (AB 1934), signed into law in late September 2024, for instance, builds on New York State’s BitLicense and its limited-purpose trust charter regulations for digital currency businesses — even though BitLicense’s licensing requirements are relatively strict.

Not all in the crypto industry have been enamored with the state’s crypto licensing regime, either, declaring BitLicenses too expensive. Its application fee is $5,000 — too strict with its detailed anti-money laundering protocols and required audits and generally too much of an obstacle for innovative crypto-native firms. Crypto exchange Kraken exited the state when New York implemented its BitLicense requirement, for instance. 

Coghill was asked by DeSilva how the NYDFS actually looks at decentralized protocols compared with how it views the centralized financial institutions that it has historically regulated. 

It’s important to look at the actual purpose of the product, Coghill answered. What’s its underlying intent? Who does it serve, and what are its good and bad impacts? “There are lots of innovations that are created for no purpose other than making a lot of money off of its customers,” said Coghill. “And so it’s incumbent on us to filter those out.” 

“We’re paid to look at everything in a dark, dark way. It’s not our job to look at and say, ‘Yes, this is fantastic.’” Rather, they examine a potential product and ask, “How is this bad for efficiency?” or “How is this bad for inclusion?” 

How does he think things will play out at the federal level this year regarding crypto and stablecoin legislation?

What’s going to ultimately happen [in Washington, DC]? Who knows? We could know six months from now. We could know things next week. Things have been changing very rapidly recently.

In the meantime, “we’re still accepting applications. We’re still processing those applications. We’re still focusing on our underlying objectives: protecting the market, protecting the consumers, supporting innovation.”

Magazine: Crypto wanted to overthrow banks, now it’s becoming them in stablecoin fight

Bitcoin’s expanding institutional adoption may provide the “structural” inflows necessary to surpass gold’s market capitalization and push its price beyond $1 million by 2029, according to Bitwise’s head of European research, André Dragosch.

“Our in-house prediction is $1 million by 2029. So that Bitcoin will match gold’s market cap and total addressable market by 2029,” he told Cointelegraph during the Chain Reaction daily X spaces show on April 30.

Corporations are coming for your bitcoin (feat. André Dragosch, Head of Research at Bitwise) #CHAINREACTION https://t.co/5F3cRWBHzq

— Cointelegraph (@Cointelegraph) April 30, 2025

Gold is currently the world’s largest asset, valued at over $21.7 trillion. In comparison, Bitcoin’s market capitalization sits at $1.9 trillion, making it the seventh-largest asset globally, according to CompaniesMarketCap data.

Related: Bitcoin treasury firms driving $200T hyperbitcoinization — Adam Back

For the 2025 market cycle, Bitcoin may surpass $200,000 in the “base case” and $500,000 with more governmental adoption, Dragosch said.

“But once you see sovereign bias like the US government stepping in, all this will change to $500,000.”

“So the base case is $200,000, conditional on the US government not stepping in. If they step in, it will move closer toward $500,000,” said Dragosch, referring to the US government’s plan to potentially make direct Bitcoin acquisitions through “budget-neutral” strategies.

The US is looking at “many creative ways” to fund its Bitcoin investments, including from tariff revenue and by reevaluating the US Treasury’s gold certificates, creating a paper surplus to fund the BTC reserve without selling gold, Bo Hines of the Presidential Council of Advisers for Digital Assets said in an interview on April 14.

Related: Crypto sentiment recovers, but weekend liquidity risks remain

“Structural” ETF inflows, institutional adoption prolong Bitcoin cycle

The US-based spot Bitcoin exchange-traded funds (ETFs) have surpassed all expectations during their first year of trading, exceeding record trading volumes as BlackRock’s iShares Bitcoin Trust ETF became the fastest-growing ETF in history.

The first year is usually the “slowest” for ETFs, Dragosch said, highlighting the launch of the gold ETF:

“That alone implies that in the second and third year, we will see growing inflows. In terms of the four four-year cycle, implies that, this cycle will be prolonged by these structural inflows.”

The Bitcoin cycle may also be prolonged when US wirehouses start gaining exposure to Bitcoin and ETFs.

“In the US, the major distribution channels go via Wirehouses, which are essentially the big banks like Merrill Lynch or Morgan Stanley. […] Not even half of these wirehouses have opened up their distribution channels to US Bitcoin ETFs,” the analyst said.

Adoption from US wirehouses may bring a “huge amount of capital,” since these control over $10 trillion worth of customer assets, Dragosch added.

Magazine: Altcoin season to hit in Q2? Mantra’s plan to win trust: Hodler’s Digest, April 13 – 19