Author: Ben Charoenwong, Associate Professor of Finance, INSEAD Source: coindesk Translation: Shan Ouba, Golden Finance
Key Points Overview:
• The recent security breach suffered by Bybit (the world’s second largest cryptocurrency exchange) involved the self-built Web3 implementation of the Gnosis Safe solution, resulting in approximately 350,000 withdrawal requests.
• The main vulnerabilities in cryptocurrency security incidents often stem from human error rather than technical flaws in the blockchain protocol itself. Many institutions fail to properly protect their systems due to a lack of accountability or over-reliance on customized solutions.
• Future security designs should be human-centric, using mechanisms such as abnormal behavior detection and multi-factor authentication to remain secure despite possible user errors.
Bybit recently suffered a major security breach involving funds of up to $1.5 billion, which caused a stir in the digital asset industry. The exchange, which manages $20 billion in customer assets, was attacked by attackers using security control vulnerabilities during a regular transfer from an offline "cold wallet" to a "hot wallet" used for daily transactions.
Preliminary investigations indicate that the vulnerability involved a self-built Web3 implementation of the Gnosis Safe solution: a multi-signature wallet that uses off-chain scaling technology and has an upgradeable, centralized architecture and a user signing interface. The attacker used the upgradeable architecture to inject malicious code, turning a seemingly normal transfer into a tampered contract; this ultimately triggered about 350,000 withdrawal requests as users moved funds to protect themselves.
Although the amount of money affected by this incident is huge, compared with the total market value of the global cryptocurrency market (less than 0.01%), its impact is still within controllable range. Bybit quickly promised to fully compensate for the unrecovered funds through reserve funds or partner loans, demonstrating its mature operational capabilities.
However, since the birth of cryptocurrency, the biggest security risk has always come from human error, rather than vulnerabilities in the blockchain protocol itself. Research shows that in the past decade or so, almost all of the major cryptocurrency security incidents have been attributed to human factors. In 2024 alone, about $2.2 billion of funds were stolen due to such incidents.
What is more noteworthy is that the reasons for these repeated attacks are surprisingly similar: many institutions fail to effectively protect their systems, often because they are unwilling to clearly assume security responsibilities, or blindly rely on customized security solutions, mistakenly believing that their needs are "completely different" from existing security frameworks. This practice of reinventing security measures instead of adopting proven solutions continues to create new vulnerabilities.
Although blockchain and cryptography technologies have been proven to be highly secure, the biggest security risk is still humans themselves. This trend has remained unchanged from individual users in the early days of cryptocurrency to today's institutional-level applications, and is highly similar to the cybersecurity challenges of traditional industries.
Common human errors include:
• Poor private key management: Loss, misuse or disclosure of private keys leads to theft of assets.
• Social engineering attacks: Hackers use phishing, impersonation and other means to deceive victims into revealing sensitive information.
This incident once again reminds the industry that encryption security cannot rely solely on technology, but should build a security system with people at the core to deal with inevitable human errors.
People-centric security solutions
Purely technical solutions cannot solve problems that are fundamentally human. While the industry has invested billions of dollars in technical security measures, relatively little has been invested in addressing the human factors that continue to cause vulnerabilities.
One barrier to effective security is a reluctance to acknowledge ownership and responsibility for vulnerable systems. When organizations fail to clearly define what they control (or insist that their environment is too unique to apply established security principles), they create blind spots that attackers can easily exploit.
This exemplifies what security expert Bruce Schneier calls the Law of Security: Systems designed independently by teams that believe in their uniqueness almost always contain critical vulnerabilities that established security practices can address. The cryptocurrency industry has fallen into this trap repeatedly, often rebuilding security frameworks from scratch rather than adopting proven methods from traditional finance and information security.
The shift to a human-centric security design model is critical. Ironically, while traditional finance evolved from single-factor (password) to multi-factor authentication (MFA), early cryptocurrencies reduced security to single-factor authentication via private keys or seed phrases, with security achieved through cryptography alone. This oversimplification is dangerous and left the industry exposed to a wide range of vulnerabilities and exploits. Billions of dollars in losses later, we have come to see why traditional finance adopted more sophisticated security methods.
Rather than assuming that humans fully adhere to security protocols, modern solutions and regulatory technology should acknowledge that human errors are inevitable and design systems that remain secure even when these errors occur. Importantly, this technology does not change the underlying incentive structure. Implementing it incurs direct costs, while avoiding it risks reputational damage.
Security mechanisms must evolve to not only protect technical systems, but also anticipate human errors and protect against common pitfalls. Static credentials such as passwords and authentication tokens are not sufficient to protect against attackers who exploit predictable human behavior. Security systems should integrate behavioral anomaly detection to flag suspicious activity.
Storing a private key in a single, easily accessible location poses a significant security risk. Splitting a key across offline and online environments mitigates the risk of a full key compromise. For example, keeping part of a key on a hardware security module while holding the other part offline strengthens security by requiring multiple verifications to obtain full access, which reintroduces the principle of multi-factor authentication to cryptocurrency security.
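As an added illustration (not code from Bybit, Gnosis Safe or the article), the following Python splits a signing key with Shamir's secret sharing, generalizing the two-part HSM/offline split described above to any k-of-n: any k shares reconstruct the key, fewer reveal nothing. The field prime (the secp256k1 base-field prime) and the sample key bytes are assumptions of the example.

```python
import secrets

# Field prime: the secp256k1 base-field prime, chosen here as an assumption because it is
# larger than any 256-bit key; any prime larger than the secret works.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F

def split_key(secret: int, k: int, n: int) -> list:
    """Split `secret` into n shares, any k of which recover it (Shamir's scheme).
    k=2, n=2 is the HSM-part / offline-part split the text describes; k=2, n=3 adds a
    recovery share so that losing one custodian does not lose the key."""
    assert 0 <= secret < P and 1 <= k <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]  # f(0) = secret
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, n + 1)]

def recover_key(shares: list) -> int:
    """Lagrange-interpolate f(0) from at least k shares; fewer shares yield a random value."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % P          # product of (0 - x_m)
                den = den * (xj - xm) % P      # product of (x_j - x_m)
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def demo() -> bool:
    # Constructed 32-byte key for illustration only; in production this is the signing key.
    key = int.from_bytes(bytes(range(32)), "big")
    hsm_part, offline_part, recovery_part = split_key(key, 2, 3)
    ok_pair = recover_key([hsm_part, offline_part]) == key        # normal operation
    ok_recovery = recover_key([offline_part, recovery_part]) == key  # HSM share lost
    return ok_pair and ok_recovery
```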
Actionable Steps for a People-Centered Security Approach
A comprehensive, people-centered security framework must address vulnerabilities at multiple levels of cryptocurrency and adopt a coordinated approach across the entire ecosystem rather than isolated solutions.
For individual users, hardware wallet solutions remain the best standard. However, many users prefer convenience over security responsibility, so the next best option is for exchanges to implement the practices of traditional finance: default (but adjustable) waiting periods for large transfers, a tiered account system with different authorization levels, and contextual security education activated at key decision points.
Exchanges and institutions must move from assuming full user compliance to designing systems that anticipate human error. This starts with explicitly acknowledging which components and processes they control and are therefore responsible for ensuring security.
Denying or blurring the lines of responsibility directly undermines security efforts. Once accountability is established, organizations should implement behavioral analytics to detect anomalous patterns, require multi-party authorization for high-value transfers, and deploy automated “circuit breakers” to limit potential damage when a compromise occurs.
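The exchange-side controls named in the two paragraphs above (a default but adjustable waiting period for large transfers, tiered authorization, multi-party approval for high-value transfers, and an automated circuit breaker) can be combined into one policy check in front of hot-wallet withdrawals. This is an added example with constructed thresholds and a constructed scenario, not code from any exchange.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:
    large_threshold: float = 100_000.0               # above this a transfer is "large"
    required_approvers: int = 2                      # multi-party authorization for large transfers
    waiting_period: timedelta = timedelta(hours=24)  # default, adjustable delay for large transfers
    window_outflow_limit: float = 1_000_000.0        # circuit breaker: max outflow per window
    window: timedelta = timedelta(hours=24)

@dataclass
class Transfer:
    amount: float
    requested_at: datetime
    approvers: set = field(default_factory=set)      # distinct people who approved

class TransferGuard:
    """Policy engine that decides whether a withdrawal may be released."""
    def __init__(self, policy: Policy):
        self.policy = policy
        self.executed = []     # (released_at, amount) for released transfers
        self.tripped = False   # once tripped, only manual review resets it

    def evaluate(self, t: Transfer, now: datetime) -> str:
        p = self.policy
        if self.tripped:
            return "BLOCKED_CIRCUIT_BREAKER"
        recent = sum(a for ts, a in self.executed if now - ts <= p.window)
        if recent + t.amount > p.window_outflow_limit:
            self.tripped = True   # halt all outflow until humans look at it
            return "BLOCKED_CIRCUIT_BREAKER"
        if t.amount > p.large_threshold:
            if len(t.approvers) < p.required_approvers:
                return "PENDING_APPROVAL"
            if now - t.requested_at < p.waiting_period:
                return "PENDING_WAITING_PERIOD"
        self.executed.append((now, t.amount))
        return "APPROVED"

def demo() -> list:
    """Constructed scenario: the decision for each request in sequence."""
    guard, t0 = TransferGuard(Policy()), datetime(2025, 2, 21, 12, 0)
    small, large = Transfer(5_000.0, t0), Transfer(400_000.0, t0, {"alice"})
    out = [guard.evaluate(small, t0), guard.evaluate(large, t0)]
    large.approvers.add("bob")
    out.append(guard.evaluate(large, t0 + timedelta(hours=1)))   # still in waiting period
    out.append(guard.evaluate(large, t0 + timedelta(hours=25)))  # released
    huge = Transfer(700_000.0, t0 + timedelta(hours=15), {"alice", "bob"})
    out.append(guard.evaluate(huge, t0 + timedelta(hours=40)))   # 400k + 700k exceeds window limit
    out.append(guard.evaluate(Transfer(1.0, t0), t0 + timedelta(hours=41)))  # breaker stays tripped
    return out
```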
In addition, the complexity of Web3 tools also creates a large attack surface. Simplifying and adopting established security patterns can reduce vulnerabilities without sacrificing functionality.
At the industry level, regulators and leaders can establish standardized human factors requirements in security certifications, but there is a trade-off between innovation and security. The Bybit incident exemplifies how the cryptocurrency ecosystem has evolved from its fragile early days to a more resilient financial infrastructure. While security breaches continue—and likely always will—their nature has shifted from an existential threat that could destroy confidence in the concept of cryptocurrency to an operational challenge that requires ongoing engineering solutions.
The future of crypto security lies not in pursuing the impossible goal of eliminating all human error, but in designing systems that remain secure despite the inevitable presence of human error. This requires first recognizing which aspects of a system are an organization’s responsibility, rather than maintaining ambiguity that leads to security breaches.
By acknowledging human limitations and building systems that accommodate them, rather than assuming perfect compliance with security protocols, the cryptocurrency ecosystem can continue to evolve from a speculative curiosity to a robust financial infrastructure.
In this maturing market, the key to effective crypto security lies not in more complex technical solutions, but in more thoughtful human-centered design. By prioritizing security architectures that account for behavioral realities and human limitations, we can build a more resilient digital financial ecosystem that continues to operate securely when (rather than if) human error occurs.