The case for enterprise-grade custody solutions
Opinion by: Vikash Singh, Principal Investor at Stillmark
The Bybit hack resulted in the largest loss of funds to cyber hackers by a cryptocurrency exchange in history. It served as a wake-up call for those complacent about the state of security threats in the digital assets space. Everyone must learn the lesson from this heist — enterprise-grade custody solutions require tech to be accompanied by transparency.
Unlike many previous incidents, this loss of funds was not due to a faulty smart contract, lost/mismanaged keys or deliberate mismanagement or rehypothecation of user funds, but rather a sophisticated social engineering attack that exploited vulnerabilities in operational security.
This hack differs from earlier eras because it happened to a major global exchange that takes security and compliance seriously. It’s a reminder that, in crypto, there’s no such thing as “good enough” security.
The anatomy of a heist
A technical overview of the Bybit attack is key for understanding how companies can proactively strengthen their security against such attacks. Initially, a developer machine belonging to Safe, an asset management platform offering multisig Ethereum wallets used by Bybit, was compromised. This initial breach granted the attackers unauthorized access to Safe’s Amazon Web Services (AWS) environment, including its S3 storage bucket.
The attackers then pushed a malicious JavaScript file into this bucket, which was subsequently distributed to users via access to the Safe UI. The JS code manipulated the transaction content displayed to the user during the signing process, effectively tricking them into authorizing transfers to the attackers’ wallets while believing they were confirming legitimate transactions.
Recent: CertiK exec explains how to keep crypto safe after Bybit hack
This highlights how even highly robust security at the technical level, like multisig, can be vulnerable if not implemented correctly. They can lull users into a false sense of security that can be fatal.
Layered security
While multisignature security setups have long been considered the gold standard in digital asset security, the Bybit hack underscores the need for further analysis and transparency on the implementation of these systems, including the layers of security that exist to mitigate attacks that exploit operational security and the human layer in addition to verification of the smart contracts themselves.
A robust security framework for safeguarding digital assets should prioritize multi-layered verification and restrict the scope of potential interactions. Such a framework demonstrably enhances protection against attacks.
A well-designed system implements a thorough verification process for all transactions. For example, a triple-check verification system involves the mobile application verifying the server’s data, the server checking the mobile application’s data, and the hardware wallet verifying the server’s data. If any of these checks fail, the transaction will not be signed. This multi-layered approach contrasts with systems that directly interface with onchain contracts, potentially lacking critical server-side checks. These checks are essential for fault tolerance, especially if the user’s interface is compromised.
A secure framework should limit the scope of possible interactions with digital asset vaults. Restricting actions to a minimal set, like sending, receiving and managing signers, reduces potential attack vectors associated with complex smart contract modifications.
Using a dedicated mobile application for sensitive operations, like transaction creation and display, adds another security layer. Mobile platforms often offer better resistance to compromise and spoofing compared to browser-based wallets or multisig interfaces. This reliance on a dedicated application enhances the overall security posture.
Transparency upgrades
To bolster transparency, businesses can leverage the capabilities of proof-of-reserve software. These can defend multisignature custody setups from UI-targeted attacks by providing an independent, self-auditable view of chain state/ownership and verifying that the correct set of keys is available to spend funds in a given address/contract (akin to a health check).
As institutional adoption of Bitcoin (BTC) and digital assets continues, custody providers must transparently communicate such details on the security models of their systems in addition to the design decisions behind them: This is the true “gold standard” of crypto security.
Transparency should extend to how the nature of the underlying protocols alters the attack surface of custody setups, including multisignature wallets. Bitcoin has prioritized human-verifiable transfers where signers confirm destination addresses directly rather than confirm engagement in complex smart contracts, which require additional steps/dependencies to reveal the flow of funds.
In the case of the Bybit hack, this would enable the human signer to detect more easily that the address shown by the hardware wallet did not match the spoofed UI.
While expressive smart contracts expand the application design space, they increase the attack surface and make formal security audits more challenging. Bitcoin’s well-established multisignature standards, including a native multisig opcode, create additional security barriers against such attacks. The Bitcoin protocol has historically favored simplicity in its design, which reduces the attack surface not just at the smart contracting layer but also at the UX/human layer, including hardware wallet users.
Increasing regulatory acceptance shows how far Bitcoin has come since its early era of widespread hacks and frauds, but Bybit shows we must never let our guard slip. Bitcoin represents financial freedom — and the price of liberty is eternal vigilance.
Opinion by: Vikash Singh, Principal Investor at Stillmark.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Opinion by: Andre Omietanski, General Counsel, and Amal Ibraymi, Legal Counsel at Aztec Labs
What if you could prove you’re over 18, without revealing your birthday, name, or anything else at all? Zero-knowledge proofs (ZKPs) make this hypothetical a reality and solve one of the key challenges online: verifying age without sacrificing privacy.
The need for better age verification today
We’re witnessing an uptick in laws being proposed restricting minors’ access to social media and the internet, including in Australia, Florida, and China. To protect minors from inappropriate adult content, platform owners and governments often walk a tightrope between inaction and overreach.
For example, the state of Louisiana in the US recently enacted a law meant to block minors from viewing porn. Sites required users to upload an ID before viewing content. The Free Speech Coalition challenged the law as unconstitutional, making the case that it infringed on First Amendment rights.
The lawsuit was eventually dismissed on procedural grounds. The reaction, however, highlights the dilemma facing policymakers and platforms: how to block minors without violating adults’ rights or creating new privacy risks.
Traditional age verification fails
Current age verification tools are either ineffective or invasive. Self-declaration is meaningless, since users can simply lie about their age. ID-based verification is overly invasive. No one should be required to upload their most sensitive documents, putting themselves at risk of data breaches and identity theft.
Biometric solutions like fingerprints and face scans are convenient for users but raise important ethical, privacy, and security concerns. Biometric systems are not always accurate and may generate false positives and negatives. The irreversible nature of the data, which can’t be changed like a regular password can, is also less than ideal.
Other methods, like behavioral tracking and AI-driven verification of browser patterns, are also problematic, using machine learning to analyze user interactions and identify patterns and anomalies, raising concerns of a surveillance culture.
ZKPs as the privacy-preserving solution
Zero-knowledge proofs present a compelling solution. Like a government ID provider, a trusted entity verifies the user’s age and generates a cryptographic proof confirming they are over the required age.
Websites only need to check the proof, not the excess personal data, ensuring privacy while keeping minors at the gates. No centralized data storage is required, alleviating the burden on platforms such as Google, Meta, and WhatsApp and eliminating the risk of data breaches.
Recent: How zero-knowledge proofs can make AI fairer
Adopting and enforcing ZKPs at scale
ZKPs aren’t a silver bullet. They can be complex to implement. The notion of “don’t trust, verify,” proven by indisputable mathematics, may cause some regulatory skepticism. Policymakers may hesitate to trust cryptographic proofs over visible ID verification.
There are occasions when companies may need to disclose personal information to authorities, such as during an investigation into financial crimes or government inquiries. This would challenge ZKPs, whose very intention is for platforms not to hold this data in the first place.
ZKPs also struggle with scalability and performance, being somewhat computationally intensive and tricky to program. Efficient implementation techniques are being explored, and breakthroughs, such as the Noir programming language, are making ZKPs more accessible to developers, driving the adoption of secure, privacy-first solutions.
A safer, smarter future for age verification
Google’s move to adopt ZKPs for age verification is a promising signal that mainstream platforms are beginning to embrace privacy-preserving technologies. But to fully realize the potential of ZKPs, we need more than isolated solutions locked into proprietary ecosystems.
Crypto-native wallets can go further. Open-source and permissionless blockchain-based systems offer interoperability, composability, and programmable identity. With a single proof, users can access a range of services across the open web — no need to start from scratch every time, or trust a single provider (Google) with their credentials.
ZKPs flip the script on online identity — proving what matters, without exposing anything else. They protect user privacy, help platforms stay compliant, and block minors from restricted content, all without creating new honeypots of sensitive data.
Google’s adoption of ZKPs shows mainstream momentum is building. But to truly transform digital identity, we must embrace crypto-native, decentralized systems that give users control over what they share and who they are online.
In an era defined by surveillance, ZKPs offer a better path forward — one that’s secure, private, and built for the future.
Opinion by: Andre Omietanski, General Counsel, and Amal Ibraymi, Legal Counsel at Aztec Labs.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Politics
Gisele Pelicot’s daughter says chemical castration ‘could be part of the solution’ for sex offenders
The daughter of Gisele Pelicot has suggested chemical castration could be “one part of the solution” when there is “nothing else you can do” for sex offenders – like her father.
Caroline Darian’s father Dominique Pelicot admitted repeatedly drugging and raping his wife Gisele between 2011 and 2020, and inviting dozens of other men to their home in southern France to do the same.
Gisele decided to waive her right to anonymity to hold the trial of her husband and 50 other men in public, saying: “It is not for us to be ashamed, but for those men.”
Politics latest: Farage says ‘yes’ he can be PM
Speaking to Ali Fortescue on The Politics Hub, Ms Darian said the UK government’s plans to consider mandatory chemical castration could be “one part of the solution” for men like her father.
Gisele Pelicot. Pic: Reuters
She said: “It’s probably one part of the solution because you know when you’re at that level of crime, that level of criminal, there is nothing else you can do.”
Asked if she believed “men like your father” could be rehabilitated, Ms Darian said “no” and “never”.
For ten years, Pelicot repeatedly sedated his wife and invited strangers to abuse her after advertising sex with her on a French swinging website.
Some denied the rape charges, claiming they believed Gisele had agreed to be drugged and was a willing participant in a sex game between the couple.
But all the men charged were found guilty of at least one offence, with nearly all convicted of rape, after a trial that shocked France and made headlines around the world.
The defendants were sentenced to a total of more than 400 years, with Pelicot being sentenced to 20 years in prison.
Listen to The World with Richard Engel and Yalda Hakim every Wednesday
Pelicot also took photos of his daughter Caroline semi-naked while she was asleep.
Ms Darian is pressing charges against her father, having accused him of drugging and raping her. Pelicot has denied this.
Speaking to French media, Beatrice Zavarro, Pelicot’s lawyer, said Ms Darian’s decision to press charges was “unsurprising”.
She added that prosecutors had said there were insufficient “objective elements” to accuse Pelicot of raping and using chemical submission on Ms Darian.
Justice Secretary Shabana Mahmood said last week that she will pursue “a nationwide rollout” of a scheme being piloted in southwest England to use medication to suppress the sexual drive of sex offenders.
Please use Chrome browser for a more accessible video player
‘It’s a moment that will remain etched in my memory forever,’ David tells Sky News’ Siobhan Robbins.
Read more:
How Gisele Pelicot went from victim to feminist hero
Inside the depraved mind of ‘career criminal’ Dominique
It came after an independent review, led by the former justice secretary David Gauke, was commissioned by the government amid an overcrowding crisis in prisons in England and Wales.
The review recommended that chemical castration “may assist in management of suitable sex offenders both in prison and in the community”.
Ms Mahmood said she is “exploring whether mandating the approach is possible”. The trial is currently voluntary.
South Korean authorities have arrested one of three Russian nationals accused of an attempted robbery during a fake crypto deal in Seoul. The suspects allegedly lured Korean investors to a hotel, where they tried to steal 1 billion won (approximately $730,000) in cash.
The Gangseo Police Precinct in Seoul detained a man in his 20s in Busan on May 27, according to a report by local news outlet JoongAng Daily. The suspect faces charges of assault and attempted robbery. The other two suspects reportedly fled South Korea shortly after the incident.
According to investigators, the robbery attempt occurred on May 21 at a hotel in Seoul’s Gangseo District. The suspects posed as participants in a peer-to-peer crypto transaction and invited 10 Korean men to the hotel.
Two were called to the room while the others waited in the lobby. Inside the room, the suspects — wearing protective vests — ambushed the victims with a replica handgun and a telescopic baton, tying their hands with cable ties.
Related: Another suspect to surrender in NYC crypto torture case: Reports
Police seize weapons, launch global manhunt
Per the report, one of the victims managed to escape and raise the alarm, prompting the suspects to flee without the cash. Police responded to an emergency call and found one man bleeding in the lobby.
Officers discovered a cache of equipment in the suspects’ hotel room, including a replica firearm, batons, vests and a money counter. Police suspect the robbery had been carefully planned.
A request to prevent the suspects from leaving the country was filed the next morning, but two had already departed. “We have requested assistance from Interpol to track down the suspects who fled overseas,” a police official reportedly said.
Authorities are now questioning the detained suspect and preparing to seek a pretrial detention warrant.
Related: Crypto investor loses $2.6M in stablecoins in double phishing scam
Rise in crypto crime incidents
The incident comes amid a recent uptick in crypto-related violent crimes, including kidnapping and ransom cases.
A Manhattan crypto investor faces serious charges after allegedly kidnapping and torturing an Italian man in a bid to extract access to digital assets.
On May 13, the family of Pierre Noizat, the co-founder and CEO of French crypto exchange Paymium, was targeted in an attempted kidnapping.
In response, executives and investors in the crypto industry are increasingly seeking personal security services. On May 18, private firm Infinite Risks International reported a rise in requests for bodyguards and protection contracts from high-profile figures in the crypto space.
Magazine: TradFi is building Ethereum L2s to tokenize trillions in RWAs: Inside story
-
Sports3 years ago‘Storybook stuff’: Inside the night Bryce Harper sent the Phillies to the World Series
-
Sports1 year agoStory injured on diving stop, exits Red Sox game
-
Sports2 years agoGame 1 of WS least-watched in recorded history
-
Sports2 years agoMLB Rank 2023: Ranking baseball’s top 100 players
-
Sports4 years ago
Team Europe easily wins 4th straight Laver Cup
-
Environment2 years agoJapan and South Korea have a lot at stake in a free and open South China Sea
-
Environment2 years agoGame-changing Lectric XPedition launched as affordable electric cargo bike
-
Business3 years agoBank of England’s extraordinary response to government policy is almost unthinkable | Ed Conway