
The case for enterprise-grade custody solutions

Opinion by: Vikash Singh, Principal Investor at Stillmark

The Bybit hack resulted in the largest loss of funds to cyber hackers by a cryptocurrency exchange in history. It served as a wake-up call for those complacent about the state of security threats in the digital assets space. Everyone must learn the lesson from this heist — enterprise-grade custody solutions require tech to be accompanied by transparency.

Unlike many previous incidents, this loss of funds was not due to a faulty smart contract, lost/mismanaged keys or deliberate mismanagement or rehypothecation of user funds, but rather a sophisticated social engineering attack that exploited vulnerabilities in operational security. 

This hack differs from those of earlier eras because it happened to a major global exchange that takes security and compliance seriously. It’s a reminder that, in crypto, there’s no such thing as “good enough” security.

The anatomy of a heist 

A technical overview of the Bybit attack is key for understanding how companies can proactively strengthen their security against such attacks. Initially, a developer machine belonging to Safe, an asset management platform offering multisig Ethereum wallets used by Bybit, was compromised. This initial breach granted the attackers unauthorized access to Safe’s Amazon Web Services (AWS) environment, including its S3 storage bucket. 

The attackers then pushed a malicious JavaScript file into this bucket, which was subsequently distributed to users via access to the Safe UI. The JS code manipulated the transaction content displayed to the user during the signing process, effectively tricking them into authorizing transfers to the attackers’ wallets while believing they were confirming legitimate transactions. 


This highlights how even highly robust security at the technical level, like multisig, can be vulnerable if not implemented correctly. Such controls can lull users into a false sense of security, which can be fatal.

Layered security

Multisignature setups have long been considered the gold standard in digital asset security, but the Bybit hack underscores the need for further analysis of, and transparency about, how these systems are implemented: not only verification of the smart contracts themselves, but also the layers of security that exist to mitigate attacks on operational security and the human layer.

A robust security framework for safeguarding digital assets should prioritize multi-layered verification and restrict the scope of potential interactions. Such a framework demonstrably enhances protection against attacks.

A well-designed system implements a thorough verification process for all transactions. For example, a triple-check verification system involves the mobile application verifying the server’s data, the server checking the mobile application’s data, and the hardware wallet verifying the server’s data. If any of these checks fail, the transaction will not be signed. This multi-layered approach contrasts with systems that directly interface with onchain contracts, potentially lacking critical server-side checks. These checks are essential for fault tolerance, especially if the user’s interface is compromised.

A secure framework should limit the scope of possible interactions with digital asset vaults. Restricting actions to a minimal set, like sending, receiving and managing signers, reduces potential attack vectors associated with complex smart contract modifications.
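As an added illustration (not code from the article or from any custody vendor it mentions), the following Python sketch models the triple-check flow and the minimal action set described in the two preceding paragraphs. It runs a constructed scenario in which a compromised UI, as in the Bybit case, hands the hardware wallet a payload whose destination differs from what the signer saw; all addresses, field names and the action set are placeholders/assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed minimal action set, following "sending, receiving and managing signers".
ALLOWED_ACTIONS = {"send", "receive", "manage_signers"}

@dataclass(frozen=True)
class Tx:
    action: str
    to: str
    amount_wei: int

def digest(tx: Tx) -> str:
    """Canonical hash over the exact fields that will be signed, not over what a UI renders."""
    return hashlib.sha256(json.dumps(asdict(tx), sort_keys=True).encode()).hexdigest()

def app_checks_server(user_intent: Tx, server_tx: Tx) -> bool:
    """Mobile app: the transaction the server built must equal what the user entered."""
    return digest(user_intent) == digest(server_tx)

def server_checks_app(app_tx: Tx) -> bool:
    """Server: the requested action must lie inside the minimal allowed set."""
    return app_tx.action in ALLOWED_ACTIONS and app_tx.amount_wei > 0

def hw_checks_server(signing_payload: bytes, server_digest: str) -> bool:
    """Hardware wallet: decode the raw bytes it is asked to sign, recompute the digest itself
    and compare with the server's; the decoded fields are what the device screen shows."""
    try:
        decoded = Tx(**json.loads(signing_payload))
    except (ValueError, TypeError):
        return False  # unparsable or unexpected fields: refuse rather than blind-sign
    return digest(decoded) == server_digest

def sign_if_all_checks_pass(user_intent: Tx, server_tx: Tx, signing_payload: bytes):
    """Returns (ok, failures). Any single failed check blocks signing."""
    failures = []
    if not app_checks_server(user_intent, server_tx):
        failures.append("app: server data does not match user intent")
    if not server_checks_app(server_tx):
        failures.append("server: action outside the allowed set")
    if not hw_checks_server(signing_payload, digest(server_tx)):
        failures.append("hardware wallet: signing payload differs from server data")
    return (not failures, failures)

# Constructed scenario: honest payload vs. one in which a compromised UI swapped the destination.
INTENT = Tx("send", "0xINTENDED_RECIPIENT_placeholder", 10**18)
HONEST_PAYLOAD = json.dumps(asdict(INTENT)).encode()
SPOOFED_PAYLOAD = json.dumps(asdict(Tx("send", "0xATTACKER_placeholder", 10**18))).encode()
```

The hardware-wallet check is the one that survives a lying UI, because the device recomputes the digest from the bytes it will actually sign rather than trusting what was displayed.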

Using a dedicated mobile application for sensitive operations, like transaction creation and display, adds another security layer. Mobile platforms often offer better resistance to compromise and spoofing compared to browser-based wallets or multisig interfaces. This reliance on a dedicated application enhances the overall security posture.

Transparency upgrades

To bolster transparency, businesses can leverage the capabilities of proof-of-reserve software. These can defend multisignature custody setups from UI-targeted attacks by providing an independent, self-auditable view of chain state/ownership and verifying that the correct set of keys is available to spend funds in a given address/contract (akin to a health check). 

As institutional adoption of Bitcoin (BTC) and digital assets continues, custody providers must transparently communicate such details of their systems’ security models and the design decisions behind them: this is the true “gold standard” of crypto security.

Transparency should extend to how the nature of the underlying protocols alters the attack surface of custody setups, including multisignature wallets. Bitcoin has prioritized human-verifiable transfers, where signers confirm destination addresses directly rather than confirming engagement with complex smart contracts, which require additional steps and dependencies to reveal the flow of funds.

In the case of the Bybit hack, this would enable the human signer to detect more easily that the address shown by the hardware wallet did not match the spoofed UI.

While expressive smart contracts expand the application design space, they increase the attack surface and make formal security audits more challenging. Bitcoin’s well-established multisignature standards, including a native multisig opcode, create additional security barriers against such attacks. The Bitcoin protocol has historically favored simplicity in its design, which reduces the attack surface not just at the smart contracting layer but also at the UX/human layer, including hardware wallet users. 

Increasing regulatory acceptance shows how far Bitcoin has come since its early era of widespread hacks and frauds, but Bybit shows we must never let our guard slip. Bitcoin represents financial freedom — and the price of liberty is eternal vigilance.


This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.


Starmer suffers defeat in first by-election as PM as Reform take Runcorn and Helsby


Reform UK have won the Runcorn and Helsby by-election by just six votes in a blow to Sir Keir Starmer’s premiership.

The narrow victory for new MP Sarah Pochin saw Nigel Farage’s party taking a constituency which Labour won with a majority of almost 14,700 at the general election less than 12 months ago.


The by-election in the Cheshire seat was called after the previous MP Mike Amesbury resigned following his conviction for punching a constituent.

Ms Pochin won with 12,645 votes, compared to the 12,639 votes secured by Labour candidate Karen Shore, making it the closest by-election result since records began in 1945.

Speaking after the result was declared, Mr Farage told Sky News’ chief political correspondent Jon Craig that “no one knows” what Sir Keir Starmer stands for.

He also blamed Labour’s loss on higher taxes and migration, saying a “sense of fairness bordering on resentment” was noticeable on the doorstep.


He added that the result shows that “if you vote Conservative, you get Labour”, insisting his party is now the opposition to the government.

The vote in Runcorn is Sir Keir Starmer’s first by-election test as prime minister.

A Labour spokesperson said by-elections are “always difficult for the party in government and the events which led to this one being called made it even harder”.

They said: “While Labour has suffered an extremely narrow defeat, the shock is that the Conservative vote has collapsed.

Image: Nigel Farage with Reform’s Runcorn candidate Sarah Pochin

“Moderate voters are clearly appalled by the talk of a Tory-Reform pact.”

Conservative candidate Sean Houlston came in third with 2,341 votes.

The Tories called the result “a damning verdict on Keir Starmer’s leadership which has led to Labour losing a safe seat”.

A spokesperson said: “Just 10 months ago Labour won an enormous majority, including in this seat with 52% of the vote, but their policies have been a punch in the face for the people of Runcorn.

“Snatching Winter Fuel Payments from vulnerable pensioners, pushing farmers to the brink with their vindictive Family Farms Tax and hammering families with a £3500 jobs tax, families are being punished for their disastrous decisions in government. Now we know why Keir Starmer never bothered to visit the area.”

As well as the Runcorn by-election, voters on Thursday took part in contests to elect more than 1,600 councillors across 23 local authorities, along with four regional mayors and two local mayors.

In the first result of the night, Labour held on to the North Tyneside mayoralty by just 444 votes.

It then saw off Reform in the West of England and Doncaster to retain both mayoralties.

However Reform won the mayoralty in Greater Lincolnshire by a majority of 39,584.

Two other mayoralties up for grabs are Cambridgeshire and Peterborough, and Hull and East Yorkshire.

Lead politics presenter Sophy Ridge, political editor Beth Rigby, and data and economics editor Ed Conway will be live on Friday morning to report and explain the results.


US Treasury wants to cut off Huione over ties to crypto crime


The US Treasury Department wants to block the Cambodia-based Huione Group from accessing the US banking system, accusing it of helping North Korea’s state-backed Lazarus Group to launder its crypto.

The Treasury’s Financial Crimes Enforcement Network (FinCEN) proposed on May 1 to prohibit US financial institutions from opening or maintaining correspondent or payable-through accounts for or on behalf of the Huione Group.

Huione Group has established itself as the “marketplace of choice for malicious cyber actors” like the Lazarus Group, who have “stolen billions of dollars from everyday Americans,” US Treasury Secretary Scott Bessent said in a May 1 statement.

“Today’s proposed action will sever Huione Group’s access to correspondent banking, degrading these groups’ ability to launder their ill-gotten gains.”

Huione Group has set up a network of businesses, which includes payment service platform Huione Pay PLC, the crypto exchange Huione Crypto, and Haowang Guarantee, an online marketplace offering illicit goods and services.

Although the conglomerate doesn’t have correspondent accounts with US financial institutions, it has accounts with foreign firms with US correspondent accounts, FinCEN noted in its rulemaking submission.

The proposed rule is subject to a 30-day public comment period before it can take effect.

Image source: Chainalysis

Huione expanded into sophisticated cybercrime network

FinCEN claimed that Huione Group laundered at least $4 billion worth of illicit proceeds between August 2021 and January 2025, including more than $36 million from crypto pig butchering scams.

At least $37 million worth of the crypto laundered has been linked to North Korea’s “cyber heists,” the Treasury said.

Haowang Guarantee has made Huione Group a “one stop shop” for criminals to launder crypto obtained through illicit activities, and ultimately convert it to fiat currency, the Treasury said.


The conglomerate has also created a US dollar-pegged stablecoin, the US Dollar Huione (USDH), which FinCEN said cannot be frozen and helps to carry out money laundering activities.

The National Bank of Cambodia has stated that payment firms aren’t allowed to deal or trade digital assets in the country, and it revoked the company’s local banking license in March.


SEC files to drop crypto promo case against YouTuber Ian Balina


The US Securities and Exchange Commission has filed to drop another of its crypto lawsuits, this time its unregistered securities sales case against crypto influencer and YouTuber Ian Balina. 

The SEC said in a May 1 joint stipulation with Balina to an Austin federal court that it “believes the dismissal of this case is appropriate,” citing the work of the agency’s Crypto Task Force.

The agency didn’t give a reason for wanting to dismiss its case, but said its decision “does not necessarily reflect the Commission’s position on any other case.”

Balina told Cointelegraph in March that the SEC had informed him it would recommend the court dismiss the case and claimed the agency’s actions were based on a shift in the agency’s priorities.

“Obviously, the new administration is pro-crypto,” Balina said. The SEC has seen a change in leadership under US President Donald Trump, who appointed former crypto lobbyist Paul Atkins to chair the agency.

The joint stipulation argued a dismissal would also conserve the court’s resources “without costs or fees to either party.”

Balina is the CEO of Token Metrics, a crypto influencer with 140,000 followers on X, and a YouTuber whom the SEC accused of improperly promoting crypto projects, particularly during the initial coin offering (ICO) boom circa 2017.

The SEC sued Balina in 2022, alleging that he conducted an unregistered securities offering of Sparkster (SPRK) tokens when he formed an investing pool on Telegram in 2018.

The SEC claimed that US-based investors participated in Balina’s investing pool, using Ether (ETH), which was validated by a network of nodes “which are clustered more densely in the United States than in any other country.”


The court sided with the SEC and, in May 2024, ruled that SPRK was an investment contract under US securities laws, where investors pooled money into a common enterprise expecting profits due to the efforts of others.

Image: Excerpt of the joint stipulation. Source: PACER

Shift in crypto policy

The move is the latest in a long list of crypto-related court actions that the SEC has quashed under the Trump administration’s favorable stance toward the industry. 

Over the past month, it has dropped several cases and abandoned multiple investigations against crypto firms, including Coinbase, Ripple, Kraken, OpenSea and PayPal’s stablecoin.
