BTC
$102,263.10
-
1.63%
ETH
$2,555.14
-
2.68%
USDT
$1.0002
+
0.03%
XRP
$2.4767
-
5.31%
BNB
$651.41
-
1.26%
SOL
$170.75
-
5.76%
USDC
$0.9999
+
0.01%
DOGE
$0.2264
-
4.68%
ADA
$0.7694
-
6.30%
TRX
$0.2695
-
1.96%
SUI
$3.7146
-
6.05%
LINK
$16.28
-
4.91%
AVAX
$23.92
-
7.69%
XLM
$0.2977
-
4.51%
SHIB
$0.0₄1502
-
6.70%
HBAR
$0.1995
-
5.58%
HYPE
$24.72
-
3.03%
LEO
$8.9027
+
1.20%
BCH
$392.06
-
3.97%
TON
$3.0799
-
8.17%
Logo
  • News
  • Prices
  • Data
  • Indices
  • Research
  • Consensus
  • Sponsored
  • Sign In
  • Sign Up
Advertisement

Consensus 2025

Consensus 2025

Prices Increase This Friday

15:08:18:39

15

DAY

08

HOUR

18

MIN

39

SEC

Register Now
Opinion
Share this article
X iconX (Twitter)LinkedInFacebookEmail

Crypto for Humans: Lessons from the Bybit Hack

The exploit showed that human failings, not technical glitches, are the most important factors in such incidents, says INSEAD's Ben Charoenwong.

By Ben Charoenwong|Edited by Benjamin Schiller
Updated Mar 18, 2025, 10:09 p.m. Published Mar 18, 2025, 10:04 p.m.
(Clint Patterson/Unsplash)

What to know:

  • The recent security breach at Bybit, the world's second-largest cryptocurrency exchange, involved a home-grown Web3 implementation using Gnosis Safe, triggering around 350,000 withdrawal requests.
  • Human error, not technical flaws in blockchain protocols, has consistently been the primary vulnerability in cryptocurrency breaches, with organizations often failing to secure systems due to a lack of responsibility acknowledgement or reliance on custom-built solutions.
  • A shift towards human-centric security design is essential, with modern solutions needing to anticipate human mistakes and remain secure despite these errors, integrating behavioral anomaly detection and multi-factor authentication principles.

The recent security breach for around $1.5 billion at Bybit, the world's second-largest cryptocurrency exchange by trading volume, sent ripples through the digital asset community. With $20 billion in customer assets under custody, Bybit faced a significant challenge when an attacker exploited security controls during a routine transfer from an offline "cold" wallet to a "warm" wallet used for daily trading.

Initial reports suggest the vulnerability involved a home-grown Web3 implementation using Gnosis Safe — a multi-signature wallet that uses off-chain scaling techniques, contains a centralized upgradable architecture, and a user interface for signing. Malicious code deployed using the upgradable architecture made what looked like a routine transfer actually an altered contract. The incident triggered around 350,000 withdrawal requests as users rushed to secure their funds.

STORY CONTINUES BELOW
Don't miss another story.Subscribe to the The Node Newsletter today. See all newsletters
By signing up, you will receive emails about CoinDesk products and you agree to our terms of use and privacy policy.

While considerable in absolute terms, this breach — estimated at less than 0.01% of the total cryptocurrency market capitalization — demonstrates how what once would have been an existential crisis has become a manageable operational incident. Bybit's prompt assurance that all unrecovered funds will be covered through its reserves or partner loans further exemplifies its maturation.

Since the inception of cryptocurrencies, human error — not technical flaws in blockchain protocols — has consistently been the primary vulnerability. Our research examining over a decade of major cryptocurrency breaches shows that human factors have always dominated. In 2024 alone, approximately $2.2 billion was stolen.

What's striking is that these breaches continue to occur for similar reasons: organizations fail to secure systems because they won't explicitly acknowledge responsibility for them, or rely on custom-built solutions that preserve the illusion that their requirements are uniquely different from established security frameworks. This pattern of reinventing security approaches rather than adapting proven methodologies perpetuates vulnerabilities.

While blockchain and cryptographic technologies have proven cryptographically robust, the weakest link in security is not the technology but the human element interfacing with it. This pattern has remained remarkably consistent from cryptocurrency's earliest days to today's sophisticated institutional environments, and echoes cybersecurity concerns in other — more traditional — domains.

These human errors include mismanagement of private keys, where losing, mishandling, or exposing private keys compromises security. Social engineering attacks remain a major threat as hackers manipulate victims into divulging sensitive data through phishing, impersonation, and deception.

Human-Centric Security Solutions

Purely technical solutions cannot solve what is fundamentally a human problem. While the industry has invested billions in technological security measures, comparatively little has been invested in addressing the human factors that consistently enable breaches.

A barrier to effective security is the reluctance to acknowledge ownership and responsibility for vulnerable systems. Organizations that fail to clearly delineate what they control — or insist their environment is too unique for established security principles to apply — create blind spots that attackers readily exploit.

This reflects what security expert Bruce Schneier has termed a law of security: systems designed in isolation by teams convinced of their uniqueness almost invariably contain critical vulnerabilities that established security practices would have addressed. The cryptocurrency sector has repeatedly fallen into this trap, often rebuilding security frameworks from scratch rather than adapting proven approaches from traditional finance and information security.

A paradigm shift toward human-centric security design is essential. Ironically, while traditional finance evolved from single-factor (password) to multi-factor authentication (MFA), early cryptocurrency simplified security back to single-factor authentication through private keys or seed phrases under the veil of security through encryption alone. This oversimplification was dangerous, leading to the industry's speedrunning of various vulnerabilities and exploits. Billions of dollars of losses later, we arrive at the more sophisticated security approaches that traditional finance has settled on.

Modern solutions and regulatory technology should acknowledge that human error is inevitable and design systems that remain secure despite these errors rather than assuming perfect human compliance with security protocols. Importantly, the technology does not change fundamental incentives. Implementing it comes with direct costs, and avoiding it risks reputational damage.

Security mechanisms must evolve beyond merely protecting technical systems to anticipating human mistakes and being resilient against common pitfalls. Static credentials, such as passwords and authentication tokens, are insufficient against attackers who exploit predictable human behavior. Security systems should integrate behavioral anomaly detection to flag suspicious activities.

Private keys stored in a single, easily accessible location pose a major security risk. Splitting key storage between offline and online environments mitigates full-key compromise. For instance, storing part of a key on a hardware security module while keeping another part offline enhances security by requiring multiple verifications for full access — reintroducing multi-factor authentication principles to cryptocurrency security.

Actionable Steps for a Human-Centric Security Approach

A comprehensive human-centric security framework must address cryptocurrency vulnerabilities at multiple levels, with coordinated approaches across the ecosystem rather than isolated solutions.

For individual users, hardware wallet solutions remain the best standard. However, many users prefer convenience over security responsibility, so the second-best is for exchanges to implement practices from traditional finance: default (but adjustable) waiting periods for large transfers, tiered account systems with different authorization levels, and context-sensitive security education that activates at critical decision points.

Exchanges and institutions must shift from assuming perfect user compliance to designing systems that anticipate human error. This begins with explicitly acknowledging which components and processes they control and are therefore responsible for securing.

Denial or ambiguity about responsibility boundaries directly undermines security efforts. Once this accountability is established, organizations should implement behavioral analytics to detect anomalous patterns, require multi-party authorization for high-value transfers, and deploy automatic "circuit breakers" that limit potential damage if compromised.

In addition, the complexity of Web3 tools creates large attack surfaces. Simplifying and adopting established security patterns would reduce vulnerabilities without sacrificing functionality.

At the industry level, regulators and leaders can establish standardized human factors requirements in security certifications, but there are tradeoffs between innovation and safety. The Bybit incident exemplifies how the cryptocurrency ecosystem has evolved from its fragile early days to a more resilient financial infrastructure. While security breaches continue — and likely always will — their nature has changed from existential threats that could destroy confidence in cryptocurrency as a concept to operational challenges that require ongoing engineering solutions.

The future of cryptosecurity lies not in pursuing the impossible goal of eliminating all human error but in designing systems that remain secure despite inevitable human mistakes. This requires first acknowledging what aspects of the system fall under an organization's responsibility rather than maintaining ambiguity that leads to security gaps.

By acknowledging human limitations and building systems that accommodate them, the cryptocurrency ecosystem can continue evolving from speculative curiosity to robust financial infrastructure rather than assuming perfect compliance with security protocols.

The key to effective cryptosecurity in this maturing market lies not in more complex technical solutions but in more thoughtful human-centric design. By prioritizing security architectures that account for behavioral realities and human limitations, we can build a more resilient digital financial ecosystem that continues to function securely when — not if — human errors occur.

Note: The views expressed in this column are those of the author and do not necessarily reflect those of CoinDesk, Inc. or its owners and affiliates.

Ben Charoenwong

Ben Charoenwong is an associate professor of finance at INSEAD where he teaches investments and asset management. His research focuses on financial regulation and financial technology. He benefited from discussion with Jon Reiter from ChainArgos and Emir Hrnjic at the Asian Institute of Digital Finance.

Ben Charoenwong

Only 1 article remaining this month.

Sign up for free

About

  • About Us
  • Masthead
  • Careers
  • CoinDesk News
  • Crypto API Documentation

Contact

  • Contact Us
  • Accessibility
  • Advertise
  • Sitemap
  • System Status
DISCLOSURE & POLICES
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.
EthicsPrivacyTerms of UseCookie SettingsDo Not Sell My Info

© 2025 CoinDesk, Inc.
X icon
Sign Up
  • News
    Back to menu
    News
    • Markets
    • Finance
    • Tech
    • Policy
    • Focus
  • Prices
    Back to menu
    Prices
    • Data
      Back to menu
      Data
      • Trade Data
      • Derivatives
      • Order Book Data
      • On-Chain Data
      • API
      • Research & Insights
      • Data Catalogue
      • AI & Machine Learning
    • Indices
      Back to menu
      Indices
      • Multi-Asset Indices
      • Reference Rates
      • Strategies and Services
      • API
      • Insights & Announcements
      • Documentation & Governance
    • Research
      Back to menu
      Research
      • Consensus
        Back to menu
        Consensus
        • Consensus Toronto
        • Toronto Coverage
      • Sponsored
        Back to menu
        Sponsored
        • Thought Leadership
        • Press Releases
        • CoinW
        • MEXC
        • Phemex
        • Advertise
      • Videos
        Back to menu
        Videos
        • CoinDesk Daily
        • Shorts
        • Editor's Picks
      • Podcasts
        Back to menu
        Podcasts
        • CoinDesk Podcast Network
        • Markets Daily
        • Gen C
        • Unchained with Laura Shin
        • The Mining Pod
      • Newsletters
        Back to menu
        Newsletters
        • The Node
        • Crypto Daybook Americas
        • State of Crypto
        • Crypto Long & Short
        • Crypto for Advisors
      • Webinars & Events
        Back to menu
        Webinars & Events
        • Consensus 2025
        • Policy & Regulation Conference
      Select Language
      English enEspañol esFilipino filFrançais frItaliano itPortuguês pt-brРусский ruУкраїнська uk