Learning from the Bybit Hack

Key Learnings & Secure Practices

Bybit recently faced a major security breach, with reported losses reaching $1.4 billion. Suspicions point to the Lazarus Group from North Korea.

Bybit’s CEO has also addressed the incident publicly: https://x.com/Cointelegraph/status/1892993640080851132

Lessons Learned

  1. Adopt MPC (Multi-Party Computation)
    MPC splits private keys among multiple parties in an interactive way, making it much tougher for attackers to gain full control. This can be more secure than older multisig or hardware-wallet (single point of failure) methods.

  2. Regular Device Checks
    Malware on laptops and phones is a serious threat; it can record or hijack passwords or steal private keys. Scan all devices on an ongoing basis, keep software updated, and be cautious with browser extensions and downloads. Use clean devices for sensitive operations such as crypto transaction signing.

  3. Limit and Approve Withdrawals
    Set daily or per-transaction limits. Require multiple approvals for bigger amounts. Use anomaly detection (and mainly prevention) systems to spot suspicious activity quickly - and block it.

  4. Secure Your API Keys
    Treat API keys with the same care you would a private key. Store them in encrypted vaults, rotate them often, tie them to specific IPs (API key IP whitelisting) and never leave them unprotected.

  5. Regular Audits and Pen Tests
    Scheduled security checks and simulated attacks help you catch flaws before actual hackers do.
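
A sketch of the withdrawal controls from item 3, added here as an example and not taken from Bybit or any production system: a policy gate that enforces a per-transaction cap, a rolling daily cap, and a quorum of independent approvers for larger amounts. All thresholds, wallet ids and approver names are assumed values.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# All thresholds below are assumed values for illustration.
PER_TX_LIMIT = Decimal("100")        # hard cap on a single withdrawal
DAILY_LIMIT = Decimal("250")         # cap per wallet over a rolling 24 hours
APPROVAL_THRESHOLD = Decimal("25")   # at or above this, extra sign-off is needed
REQUIRED_APPROVERS = 2               # distinct approvers for large withdrawals
WINDOW_SECONDS = 24 * 60 * 60


@dataclass
class WithdrawalPolicy:
    # wallet id -> list of (timestamp, amount) for withdrawals already allowed
    history: dict = field(default_factory=dict)

    def spent_in_window(self, wallet, now):
        recent = [(t, a) for t, a in self.history.get(wallet, [])
                  if now - t < WINDOW_SECONDS]
        self.history[wallet] = recent  # drop entries older than the window
        return sum((a for _, a in recent), Decimal("0"))

    def evaluate(self, wallet, amount, requester, approvers, now):
        """Return (decision, reason) for one withdrawal request."""
        amount = Decimal(str(amount))
        if amount <= 0:
            return "BLOCK", "invalid amount"
        if amount > PER_TX_LIMIT:
            return "BLOCK", "per-transaction limit exceeded"
        if self.spent_in_window(wallet, now) + amount > DAILY_LIMIT:
            return "BLOCK", "daily limit exceeded"
        if amount >= APPROVAL_THRESHOLD:
            # The requester cannot approve their own withdrawal, and
            # duplicate approver ids count once.
            independent = set(approvers) - {requester}
            if len(independent) < REQUIRED_APPROVERS:
                return "HOLD", "needs more independent approvals"
        # Only allowed withdrawals count against the daily cap.
        self.history.setdefault(wallet, []).append((now, amount))
        return "ALLOW", "within policy"
```

The gate only helps if it runs on the signing path itself, so that a request it blocks or holds cannot be signed through another route.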

Role of a Web3/Crypto CSO (Chief Security Officer)

Finally, there’s no substitute for dedicated security leadership with Web3/Crypto expertise. A CSO or CISO (Chief Information Security Officer) who specializes in Web3/Crypto brings a holistic approach that combines technical, compliance, and operational expertise, applied to the unique environments and business operations of Web3/Crypto. They coordinate security strategies across the organization, ensuring the right tools, processes, and people are in place to protect against evolving threats.

As this Bybit breach shows, strong security isn’t optional in Web3/Crypto—it’s essential.

By applying these measures and having an integral and seasoned Security Leader, we can drastically lower the risk of major losses.

Stay vigilant!

Kleid Security

CISO Services - Web3 and Web 2.0

https://kleid.xyz/