
The case for enterprise-grade custody solutions

Opinion by: Vikash Singh, Principal Investor at Stillmark

The Bybit hack was the largest theft ever suffered by a cryptocurrency exchange. It served as a wake-up call for anyone complacent about the state of security threats in the digital assets space. Everyone must learn the lesson from this heist: enterprise-grade custody solutions require technology to be accompanied by transparency.

Unlike many previous incidents, this loss of funds was not due to a faulty smart contract, lost or mismanaged keys, or the deliberate misuse or rehypothecation of user funds. It was a sophisticated social engineering attack that exploited weaknesses in operational security.

This hack differs from those of earlier eras because it happened to a major global exchange that takes security and compliance seriously. It’s a reminder that, in crypto, there’s no such thing as “good enough” security.

The anatomy of a heist 

A technical overview of the Bybit attack is key to understanding how companies can proactively strengthen their security against such attacks. Initially, a developer machine belonging to Safe, the platform behind the multisig Ethereum wallets and web interface used by Bybit, was compromised. This initial breach gave the attackers unauthorized access to Safe’s Amazon Web Services (AWS) environment, including the S3 storage bucket that served the wallet’s front end.

The attackers then pushed a malicious JavaScript file into this bucket, from where it was served to users of the Safe UI. The injected code altered the transaction content shown to the signers during the signing process, tricking them into authorizing transfers to the attackers’ wallets while believing they were approving legitimate transactions. The multisig contract itself was never broken; the attack sat between the signers and the data they were asked to sign.


This shows how even robust technical controls such as multisig can be undermined when the signing path around them is not secured. Worse, they can lull users into a false sense of security that can be fatal.

Layered security

Multisignature setups have long been considered the gold standard of digital asset security. The Bybit hack underscores the need for further analysis of, and transparency about, how these systems are implemented: not only verification of the smart contracts themselves, but also the layers of security that exist to mitigate attacks on operational security and on the human layer.

A robust security framework for safeguarding digital assets should prioritize multi-layered verification and restrict the scope of possible interactions. A framework built this way raises the cost of an attack that compromises any single component, such as the user interface.

A well-designed system verifies every transaction from several independent vantage points. For example, a triple-check verification system has the mobile application verify the server’s data, the server verify the mobile application’s data, and the hardware wallet verify the server’s data. If any of these checks fails, the transaction is not signed. This multi-layered approach contrasts with systems that interface directly with onchain contracts and may lack server-side checks. These checks provide fault tolerance, especially if the user’s interface is compromised. For the hardware-wallet check to mean anything, the device must decode and display the actual fields being signed (destination, amount, call type) rather than an opaque hash; otherwise the human step degrades to blind signing.

A secure framework should also limit the scope of possible interactions with digital asset vaults. Restricting actions to a minimal set, such as sending, receiving and managing signers, removes the attack surface that comes with arbitrary smart contract interactions.

Using a dedicated mobile application for sensitive operations, like transaction creation and display, adds another security layer. Mobile platforms often offer better resistance to compromise and spoofing than browser-based wallets or multisig interfaces, because a signed, sandboxed app binary cannot be swapped out as quietly as a web bundle served from a storage bucket. Relying on a dedicated application for these steps strengthens the overall security posture.
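The triple check and the restricted action set described above, modelled as an added example (not code from Safe, Bybit or any custody vendor): three parties each hold a copy of the transaction and derive the same canonical digest, a server policy limits what a vault can do, and the destination decoded by the hardware wallet is compared with what the human approved. The addresses, field names and policy rules are assumptions, and the three attack scenarios are constructed to show which layer catches which manipulation.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Added example, not code from Safe, Bybit or any custody vendor. All names,
# addresses and policy rules below are assumptions made for illustration.

# Constructed placeholder addresses (not real accounts).
LEGIT_TO = "0x" + "11" * 20
ATTACKER_TO = "0x" + "ee" * 20

# Minimal action set the vault exposes (the "restrict the scope" principle).
ALLOWED_ACTIONS = {"send", "receive", "add_signer", "remove_signer"}


@dataclass(frozen=True)
class VaultTx:
    action: str
    to: str
    value_wei: int
    data_hex: str   # call data; empty for a plain transfer
    operation: int  # 0 = call, 1 = delegatecall


def canonical_digest(tx: VaultTx) -> str:
    """Domain-separated SHA-256 over the exact fields that will be signed.

    Every party recomputes this from its own copy, so a UI that renders one
    transaction but submits another cannot make the digests agree."""
    payload = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(b"vault-tx-v1|" + payload.encode()).hexdigest()


def policy_check(tx: VaultTx) -> list[str]:
    """Server-side scope restriction (assumed policy): minimal action set,
    no delegatecall, and no call data riding on a plain transfer."""
    problems = []
    if tx.action not in ALLOWED_ACTIONS:
        problems.append(f"action {tx.action!r} is not in the allowed set")
    if tx.operation != 0:
        problems.append("delegatecall (operation=1) is never permitted")
    if tx.action == "send" and tx.data_hex not in ("", "0x"):
        problems.append("a plain send must carry empty call data")
    return problems


def triple_check(mobile_view: VaultTx, server_view: VaultTx, hw_view: VaultTx,
                 human_confirmed_to: str) -> tuple[bool, str]:
    """Sign only if all three independently derived digests match, the server
    policy passes, and the destination the hardware wallet decoded is the one
    the human actually approved."""
    digests = {canonical_digest(v) for v in (mobile_view, server_view, hw_view)}
    if len(digests) != 1:
        return False, "digest mismatch between mobile, server and hardware views"
    problems = policy_check(server_view)
    if problems:
        return False, "; ".join(problems)
    if hw_view.to.lower() != human_confirmed_to.lower():
        return False, (f"hardware wallet decoded destination {hw_view.to}, "
                       f"but the human confirmed {human_confirmed_to}")
    return True, "ok"


def scenario_honest() -> tuple[bool, str]:
    tx = VaultTx("send", LEGIT_TO, 10**18, "", 0)
    return triple_check(tx, tx, tx, human_confirmed_to=LEGIT_TO)


def scenario_spoofed_ui() -> tuple[bool, str]:
    """Constructed attack: the web UI renders a transfer to LEGIT_TO but submits
    a payload whose destination was swapped. Server, mobile app and hardware
    wallet all receive the swapped payload; the hardware wallet's decoded
    destination exposes the swap to the human."""
    submitted = VaultTx("send", ATTACKER_TO, 10**18, "", 0)
    return triple_check(submitted, submitted, submitted, human_confirmed_to=LEGIT_TO)


def scenario_delegatecall() -> tuple[bool, str]:
    """Constructed attack: destination untouched, but the payload is turned into
    a delegatecall carrying call data; the scope policy rejects it even though
    the human-visible destination matches."""
    submitted = VaultTx("send", LEGIT_TO, 0, "0xdeadbeef", 1)
    return triple_check(submitted, submitted, submitted, human_confirmed_to=LEGIT_TO)


def scenario_tampered_in_transit() -> tuple[bool, str]:
    """The copy forwarded to the hardware wallet differs from what the server
    stored; the digests disagree before any human is asked anything."""
    stored = VaultTx("send", LEGIT_TO, 10**18, "", 0)
    forwarded = VaultTx("send", ATTACKER_TO, 10**18, "", 0)
    return triple_check(stored, stored, forwarded, human_confirmed_to=LEGIT_TO)


if __name__ == "__main__":
    for name, fn in [("honest", scenario_honest), ("spoofed UI", scenario_spoofed_ui),
                     ("delegatecall", scenario_delegatecall),
                     ("tampered in transit", scenario_tampered_in_transit)]:
        print(f"{name:>20}: {fn()}")
```

The digest comparison catches anything altered between components, the policy catches payloads that are consistent everywhere but outside the vault's allowed scope, and the human comparison is what remains once every machine-side copy agrees; that last step only works because the hardware wallet shows a decoded destination rather than a hash.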

Transparency upgrades

To bolster transparency, businesses can leverage proof-of-reserve software. Such tools defend multisignature custody setups against UI-targeted attacks by providing an independent, self-auditable view of chain state and ownership, and by verifying that the correct set of keys is still the one able to spend the funds at a given address or contract (akin to a health check).

As institutional adoption of Bitcoin (BTC) and digital assets continues, custody providers must transparently communicate these details of their systems’ security models, together with the design decisions behind them. This is the true “gold standard” of crypto security.

Transparency should extend to how the nature of the underlying protocol alters the attack surface of custody setups, including multisignature wallets. Bitcoin has prioritized human-verifiable transfers: signers confirm destination addresses directly rather than confirming engagement with complex smart contracts, which require additional steps and dependencies to reveal where the funds actually flow.

In the case of the Bybit hack, this would have made it easier for the human signer to detect that the address shown by the hardware wallet did not match the spoofed UI.

While expressive smart contracts expand the application design space, they increase the attack surface and make formal security audits harder. Bitcoin’s well-established multisignature standards, including a native multisig opcode (OP_CHECKMULTISIG), create additional barriers against such attacks. The Bitcoin protocol has historically favored simplicity in its design, which reduces the attack surface not just at the smart contracting layer but also at the UX and human layer, including for hardware wallet users.
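One way to implement the ownership “health check” mentioned under transparency upgrades, using the native Bitcoin multisig opcode discussed above, as an added example (not code from any custody provider or from Bitcoin Core): rebuild the m-of-n witness script from the signer public keys the provider claims, hash it into a P2WSH scriptPubKey, and compare it with the scriptPubKey a node reports for the vault’s outputs. The public keys are constructed placeholders and the “on-chain” scriptPubKey is simulated; a real check would fetch it from a node or indexer you run yourself.

```python
import hashlib

# Added example, not code from any custody provider or from Bitcoin Core. The
# script layout (OP_m <keys> OP_n OP_CHECKMULTISIG inside a native segwit v0
# P2WSH output) is the standard one; the keys below are constructed
# 33-byte placeholders with a valid prefix, not real curve points.

OP_CHECKMULTISIG = 0xAE


def op_n(n: int) -> int:
    """Opcode that pushes the small integer n (OP_1..OP_16 are 0x51..0x60)."""
    if not 1 <= n <= 16:
        raise ValueError("n must be in 1..16")
    return 0x50 + n


def push(data: bytes) -> bytes:
    """Direct push (1..75 bytes); sufficient for compressed public keys."""
    if not 1 <= len(data) <= 75:
        raise ValueError("direct push supports 1..75 bytes")
    return bytes([len(data)]) + data


def multisig_script(m: int, pubkeys: list[bytes]) -> bytes:
    """Witness script: OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG, in the
    order given. Key order is part of the script, so it changes the address."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("bad m-of-n")
    for pk in pubkeys:
        if len(pk) != 33 or pk[0] not in (0x02, 0x03):
            raise ValueError("expected compressed public keys")
    body = b"".join(push(pk) for pk in pubkeys)
    return bytes([op_n(m)]) + body + bytes([op_n(n), OP_CHECKMULTISIG])


def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """Native segwit v0 script-hash output: OP_0 PUSH32 sha256(witness_script)."""
    return b"\x00\x20" + hashlib.sha256(witness_script).digest()


def keys_control_output(m: int, pubkeys: list[bytes], onchain_spk: bytes) -> bool:
    """Ownership health check: does this signer set, with this threshold and in
    this order, reconstruct the scriptPubKey observed on chain?"""
    return p2wsh_script_pubkey(multisig_script(m, pubkeys)) == onchain_spk


# Constructed placeholder keys (valid length/prefix only; not real curve points).
KEYS = [bytes.fromhex("02" + "11" * 32),
        bytes.fromhex("03" + "22" * 32),
        bytes.fromhex("02" + "33" * 32)]
ROGUE_KEY = bytes.fromhex("03" + "ee" * 32)

# Stand-in for the scriptPubKey a node or indexer reports for the vault's UTXO.
# Here it is derived from the genuine 2-of-3 set, sorted per BIP 67 so that
# every party derives the same key order; in practice this value comes from
# chain data you fetch independently of the custody provider.
ONCHAIN_SPK = p2wsh_script_pubkey(multisig_script(2, sorted(KEYS)))


def health_check() -> dict[str, bool]:
    """Compare what the provider claims about its signer set against the chain."""
    return {
        "claimed set, BIP67 order": keys_control_output(2, sorted(KEYS), ONCHAIN_SPK),
        "same keys, unsorted order": keys_control_output(2, KEYS, ONCHAIN_SPK),
        "one key swapped for rogue": keys_control_output(
            2, sorted(KEYS[:2] + [ROGUE_KEY]), ONCHAIN_SPK),
        "threshold 3-of-3 claimed": keys_control_output(3, sorted(KEYS), ONCHAIN_SPK),
    }


if __name__ == "__main__":
    for label, result in health_check().items():
        print(f"{label:>28}: {'matches chain' if result else 'MISMATCH'}")
```

Key order is part of the script, so providers and auditors must agree on a deterministic ordering (BIP 67 lexicographic sorting is the common convention). A “same keys, different order” mismatch is usually a reporting bug rather than evidence of loss, but it still has to be explained before the check can be trusted, and a swapped key or a different threshold means the claimed signer set does not control the funds.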

Increasing regulatory acceptance shows how far Bitcoin has come since its early era of widespread hacks and frauds, but Bybit shows we must never let our guard slip. Bitcoin represents financial freedom — and the price of liberty is eternal vigilance.


This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.


UK joins US in strike on Houthi target in Yemen for first time since Donald Trump re-elected


The UK has joined US forces in attacking a Houthi target in Yemen for the first time since Donald Trump was re-elected.

The Ministry of Defence (MoD) confirmed the strikes took place on Tuesday as part of the government’s response to Houthi attacks on international shipping in the Red Sea and Gulf of Aden.

The ministry said careful intelligence analysis identified a cluster of buildings used by the Houthis to manufacture the sort of drones used to attack ships, located 15 miles south of the capital Sanaa.

RAF Typhoon FGR4s conducted strikes on several buildings using Paveway IV precision-guided bombs.

The planes had air refuelling support from Voyager tankers.

The ministry said the strike was conducted after dark to reduce the likelihood of civilians being in the area.

All the aircraft returned safely.

Image: John Healey during the press conference. Pic: Reuters

Defence Secretary John Healey said: “This government will always act in the interests of our national and economic security.

“Royal Air Force Typhoons have successfully conducted strikes against a Houthi military target in Yemen and all UK aircraft and personnel have returned safely to base.

“We conducted these strikes, supported by the US, to degrade Houthi capabilities and prevent further attacks against UK and international shipping.”


Houthis a ‘persistent threat’ to ‘freedom of navigation’

Mr Healey said Houthi activities in the Red Sea are a “persistent threat” to “freedom of navigation”.

“A 55% drop in shipping through the Red Sea has already cost billions, fuelling regional instability and risking economic security for families in the UK,” he said.

“The government is steadfast in our commitment to reinforcing global stability and protecting British working people. I am proud of the dedication and professionalism shown by the service men and women involved in this operation.”


US intensifies strikes on Houthis

It was the first time UK forces have struck a target in Yemen since May last year, the ministry confirmed.

The US has intensified its strikes on the Iran-backed Houthis under Mr Trump’s presidency, after his re-election in November 2024.

The group began launching attacks on shipping routes in November 2023 saying they were in solidarity with Palestinians over Israel’s war with Hamas in Gaza.


The strike came after a Houthi-controlled TV channel claimed a US strike killed 68 people at a detention centre for African migrants in Yemen on Monday.


The mayoral election results in full


Six mayors are being elected in England, with most of the mayoralties last contested in 2021.

These include four combined authority mayors, otherwise known as metro mayors, as well as two city mayors.

Two of the mayors will take up new positions in the Hull and East Yorkshire, and Greater Lincolnshire combined authorities. The other mayoralties were all last contested in 2021.

Metro mayors

• Cambridgeshire and Peterborough
• Greater Lincolnshire
• Hull and East Yorkshire
• West of England

City mayors

• Doncaster
• North Tyneside

Polls closed on Thursday night. Greater Lincolnshire, West of England, and Doncaster are counting results overnight while the other areas will report results on Friday.

The map below shows which mayoral candidates have won in their area by political party.

All of these mayoralties will be elected under a first-past-the-post electoral system, which is also used for Westminster parliamentary elections.

See below for more detailed breakdowns of results for each race.

Metro mayors

There are four metro mayors being elected in combined authorities. These mayors are elected by voters from several different areas and counting will take place at local council level. Tables will be updated as each local area reports its result.

Cambridgeshire and Peterborough

First established in 2017, the combined authority covers six areas. These are Peterborough, Fenland, Huntingdonshire, East Cambridgeshire, South Cambridgeshire, and Cambridge local council areas.

Labour won the mayoralty from the Conservatives when it was last contested in 2021.

Greater Lincolnshire

This is a new mayoralty, being elected for the first time in 2025.

The combined authority covers nine areas. These are North Lincolnshire, North East Lincolnshire, Boston, Lincoln, East Lindsey, West Lindsey, North Kesteven, South Kesteven, and South Holland local council areas.

Hull and East Yorkshire

This is a new mayoralty, being elected for the first time in 2025.

The combined authority area covers both Hull City and East Riding of Yorkshire local council areas.

West of England

The combined authority covers three areas: Bristol City, South Gloucestershire, and Bath and North East Somerset local council areas. The authority was established in 2017.

Labour won the mayoralty from the Conservatives when it was last contested in 2021.

City mayors

There are two city mayors being elected, one for Doncaster and one for North Tyneside.

Labour’s Ros Jones has been the Mayor of Doncaster since 2013, and is running for re-election this year.

The mayor of North Tyneside has been held by Labour since 2013, though incumbent Nora Redfearn is not standing for re-election this year.


Tether CEO defends decision to skip MiCA registration for USDT


Paolo Ardoino, CEO of stablecoin issuer Tether, addressed criticism over the company’s decision not to seek registration under the European Union’s Markets in Crypto-Assets (MiCA) framework, arguing that the regulations were risky for stablecoins.

Speaking to Cointelegraph at the Token2049 conference in Dubai, Ardoino reiterated that Tether had no plans to apply for its US dollar-pegged stablecoin USDt — the largest by market capitalization — to be compliant under MiCA in European countries, potentially forcing exchanges to delist the stablecoin. He added that though crypto firms had to follow regulations, there was a “fear of compliance” among companies in the EU.

“[…] MiCA license is very dangerous when it comes to stablecoins, and I believe that is even more dangerous for the small, medium banking system in Europe,” said the Tether CEO, adding that banks in the region could “go belly up” in the next few years thanks to MiCA’s requirements, such as keeping 60% of stablecoins reserves in insured cash deposits in European banks. Ardoino added:

“I decided to not apply to the MiCA license because I need to protect the 400 million+ users that we have around the world. They are not as lucky as Europeans. I love Europe, but I think that unfortunately European Central Bank is more interested [in pushing] the digital euro as a way to control people and control how they spend their money.”


After years of planning and research, EU officials began to implement requirements under MiCA in December 2024. Tether, which is regulated and headquartered in El Salvador, is required to comply with MiCA regulatory requirements if offering products or services in EU member states.

Since the regulations went into effect, many crypto exchanges acted to ensure their platforms listed MiCA-compliant tokens. Kraken delisted 5 stablecoins, including USDt, and Crypto.com announced plans to delist 10 stablecoins as of January.

On nations establishing crypto reserves

Speaking on its intentions for operating in the United States, Ardoino said the country “would require a different type of product,” given the competition with local stablecoin issuers. He added that the US’s and other countries’ efforts to establish a Bitcoin (BTC) stockpile were “just inevitable.”

“In the medium to long term, the more Bitcoin education, the more companies will set the example […] then everyone else will follow,” said the Tether CEO. “It’s never too late to buy Bitcoin.”

Ardoino’s statements came the same day that Tether announced roughly $120 billion in exposure to US Treasurys as of the first quarter of 2025. As of May 1, USDt had a market capitalization of roughly $149 billion.
