On Feb. 21, 2025, the Dubai-based cryptocurrency exchange Bybit suffered a $1.5 billion loss during a routine internal transfer of Ethereum between its wallets. The theft was by far the largest diversion of digital assets in history. It was traced to a state-sponsored North Korean hacking group.
The Bybit exchange is not legally available to U.S. residents under regulations promulgated by the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). Further, Bybit had sufficient capital to cover all customer positions. Nevertheless, this latest breach raises important risk management questions. Specifically, will a free-market regulatory environment benefit the digital-currency industry, or could it actually damage the industry, its reputation, and its customers?
Bitcoin price instability, which began in the COVID-19 era, brought a cascade of failed investment platforms that culminated in the FTX bankruptcy. The SEC was criticized for its failure to act sooner in prosecuting exchanges for the sale of unregistered securities. Now, deregulation advocates are applauding the voluntary dismissal of the SEC suit against Coinbase for exactly that practice.
With the digital-currency market now relatively stable and populated by large financial institutions, some argue that regulatory constraints are interfering with the growth of a vibrant industry. A reality often ignored by those favoring deregulation is the link between the meteoric rise of cryptocurrency prices and the ownership of those assets by well-regulated vehicles such as exchange-traded funds (ETFs). Thanks to the ETF price bump, customers of exchanges that later failed, such as FTX, stand to receive substantial distributions on their claims in bankruptcy court.
Cryptocurrency exchanges are new players in an electronic-payments system that traces its origin to Western Union in the 1870s. To satisfy safety and soundness standards, regulated financial institutions must adopt security policies to protect against wire fraud. The speed and convenience of electronic payments must be supported by robust customer authentication protocols.
Lessons from the Bybit Hack
The Bybit hack was an expensive lesson in the need to develop similar standards for exchanges entrusted with custodial digital assets. In this instance, the signing keys that were abused controlled a so-called "cold wallet." Normally, those keys are never exposed to an internet-connected system. In theory, that feature insulates cold wallets from online cyber theft.
Taking digital currency out of cold storage is essentially an electronic payment process. Tokens held by the exchange must be credited to a so-called "warm wallet," the more familiar online wallet from which customer transactions are completed. As in the case of wire transfers, Bybit had a signature-based authorization protocol for crediting a warm wallet with a defined amount of Ethereum. However, the authorization was neither multi-layered nor multi-factored. There was a single point of failure: every approval depended on the same signing interface used by one Bybit operator team, so a compromise of that interface defeated the whole protocol.
The hackers presented that team with a counterfeit interface. It was served from a trusted URL and displayed the correct destination address, so the transaction details looked legitimate. Relying on them, Bybit operators unknowingly signed an entirely different transaction: a takeover of the cold wallet and all of the Ethereum it protected. The security lesson is that a signature authorizes whatever payload is actually presented to the signing key, not what the screen shows, and the screen was the one component the attackers controlled.
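The failure mode above is a mismatch between what the signers were shown and what they actually signed. The following is an added example, not Bybit's code or that of any wallet vendor: it models an independent pre-signing check that reconstructs the meaning of the raw transaction payload (destination, value, call type, and decoded calldata) and compares it against the details the interface claims, so that a spoofed display cannot smuggle a different transaction past the signer. The `RawTx`/`DisplayedTx` layout, the `operation` field convention (0 for a plain call, 1 for a delegatecall) and all addresses and payloads are constructed for this example; the ERC-20 `transfer(address,uint256)` selector `a9059cbb` is a real constant.

```python
"""Independent pre-signing verification for a multisig / cold-wallet transfer.

Added example (not Bybit's or any wallet vendor's code). Idea: never sign
on the strength of the web UI alone; decode the bytes that will actually
be signed and diff them against what the UI claims.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Real constant: first 4 bytes of keccak256("transfer(address,uint256)").
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")

# Assumed convention for the multisig's operation field (common, but an
# assumption for this example): 0 = ordinary call, 1 = delegatecall, which
# lets the callee rewrite the wallet's own storage and logic.
OP_CALL = 0
OP_DELEGATECALL = 1


@dataclass(frozen=True)
class RawTx:
    """The fields that are actually hashed and signed."""
    to: str          # contract or account the wallet will call
    value: int       # native value in wei
    data: bytes      # calldata
    operation: int   # OP_CALL or OP_DELEGATECALL


@dataclass(frozen=True)
class DisplayedTx:
    """What the (possibly compromised) interface tells the signer."""
    to: str
    value: int
    kind: str                       # "native_transfer" or "erc20_transfer"
    recipient: Optional[str] = None  # for erc20_transfer
    amount: Optional[int] = None     # for erc20_transfer


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256): selector + 32-byte padded args."""
    addr = bytes.fromhex(recipient[2:])
    return ERC20_TRANSFER_SELECTOR + bytes(12) + addr + amount.to_bytes(32, "big")


def decode_erc20_transfer(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (recipient, amount) if data is exactly an ERC-20 transfer call."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


def verify_before_signing(shown: DisplayedTx, raw: RawTx) -> List[str]:
    """Return every discrepancy between the display and the raw payload.

    An empty list means the payload really is the transfer the UI describes.
    Anything else should block signing, regardless of how trusted the URL is.
    """
    problems: List[str] = []
    if raw.operation != OP_CALL:
        problems.append("payload is a delegatecall, not a plain call")
    if raw.to.lower() != shown.to.lower():
        problems.append(f"destination mismatch: shown {shown.to}, raw {raw.to}")
    if raw.value != shown.value:
        problems.append(f"value mismatch: shown {shown.value}, raw {raw.value}")
    if shown.kind == "native_transfer":
        if raw.data:
            problems.append("native transfer should carry no calldata")
    elif shown.kind == "erc20_transfer":
        decoded = decode_erc20_transfer(raw.data)
        if decoded is None:
            problems.append("calldata is not transfer(address,uint256)")
        else:
            recipient, amount = decoded
            if shown.recipient is None or recipient.lower() != shown.recipient.lower():
                problems.append(f"token recipient mismatch: shown {shown.recipient}, raw {recipient}")
            if amount != shown.amount:
                problems.append(f"token amount mismatch: shown {shown.amount}, raw {amount}")
    else:
        problems.append(f"unknown transaction kind {shown.kind!r}")
    return problems


# Constructed sample data (not real addresses or payloads).
TOKEN = "0x" + "aa" * 20        # hypothetical ERC-20 contract
WARM_WALLET = "0x" + "bb" * 20  # hypothetical exchange warm wallet
ATTACKER = "0x" + "cc" * 20     # hypothetical attacker-controlled contract

# What the operators expect to see: move 1,000 tokens to the warm wallet.
SHOWN = DisplayedTx(to=TOKEN, value=0, kind="erc20_transfer",
                    recipient=WARM_WALLET, amount=1_000 * 10**18)

# Honest payload: exactly that transfer.
LEGIT_RAW = RawTx(to=TOKEN, value=0,
                  data=encode_erc20_transfer(WARM_WALLET, 1_000 * 10**18),
                  operation=OP_CALL)

# Spoofed payload: same display, but the bytes hand control of the wallet
# to another contract via delegatecall with arbitrary calldata.
SPOOFED_RAW = RawTx(to=ATTACKER, value=0, data=bytes.fromhex("deadbeef"),
                    operation=OP_DELEGATECALL)

if __name__ == "__main__":
    print("legit  :", verify_before_signing(SHOWN, LEGIT_RAW))
    print("spoofed:", verify_before_signing(SHOWN, SPOOFED_RAW))
```

The check deliberately takes its inputs from two independent sources: `shown` from the interface and `raw` from the device or file that will actually be signed. If both come from the same web page, a compromised page controls both and the comparison proves nothing; that independence is the multi-layered property the protocol described above lacked.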
Because the signers approved control of the wallet itself rather than a capped transfer, the loss dwarfs prior thefts, which were bounded by transaction limits. The entire Bybit cold wallet was drained of $1.5 billion, which was quickly moved to digital wallets controlled by the hackers. Fortunately, Bybit had sufficient assets to cover the loss. However, the liquidity of such exchanges generally depends on favorable market conditions. Ethereum dropped in price on the news but did not collapse. Given the volatile history of digital assets held by exchanges, the need for uniform standards in protecting customer currency is both evident and urgent.
About the Author:
Edward F. Donohue is a partner at Hinshaw & Culbertson LLP. EDonohue@hinshawlaw.com