The recent security compromise of approximately $1.5 billion at Bybit, the second-largest cryptocurrency exchange globally by trading volume, has reverberated throughout the digital asset community. With $20 billion in customer holdings secured, Bybit faced a daunting challenge when an attacker exploited a weakness in its security measures during a routine transfer from an offline “cold” wallet to a “warm” wallet used for daily trading.
Early reports indicate that the vulnerability stemmed from a proprietary Web3 implementation built on Gnosis Safe — a multi-signature wallet featuring off-chain scaling methods, a centralized upgradable design, and a user interface for signing transactions. Malicious code introduced through this upgradable framework turned what appeared to the signers to be an ordinary transfer into a modified contract. The fallout led to around 350,000 withdrawal requests as users scrambled to safeguard their assets.
Although substantial in absolute terms, this breach — estimated at less than 0.01% of the total market cap of cryptocurrencies — illustrates how what was once perceived as an existential threat has morphed into a manageable operational issue. Bybit’s swift commitment to cover all unrecovered assets through its reserves or partner loans further highlights how far the industry has matured.
From the early days of cryptocurrencies, human errors — rather than technical vulnerabilities in blockchain protocols — have continually posed the greatest risk. Our analysis of over a decade of significant breaches in the cryptocurrency sector reveals that human factors have consistently been at play. In 2024 alone, around $2.2 billion was reported stolen.
What is noteworthy is that these breaches tend to occur for similar reasons: organizations often fail to adequately secure their systems because they do not explicitly accept responsibility for them, or they depend on custom solutions that create the illusion that their needs differ from established security practices. This pattern of reinventing security measures instead of adopting tried-and-true methodologies perpetuates vulnerabilities.
While blockchain and cryptographic technologies have proven cryptographically robust, the most vulnerable aspect of security remains the human element interacting with them. This trend has remained strikingly consistent from the earliest phases of cryptocurrency to today’s advanced institutional networks, mirroring cybersecurity issues in other — more traditional — realms.
These human errors range from the mishandling of private keys, whereby losing, mismanaging, or exposing them can lead to security breaches, to social engineering attacks where hackers deceive victims into revealing sensitive information through tactics like phishing and impersonation.
Human-Centric Security Solutions
Technical solutions alone cannot remedy what is essentially a human issue. Although the industry has poured billions into technological security enhancements, relatively little has been directed toward addressing the human factors that consistently lead to breaches.
A key barrier to effective security is the hesitance to acknowledge ownership and responsibility for vulnerable systems. Companies that do not clearly define what they control — or insist their environments are too unique for established security standards to apply — create blind spots that attackers are quick to exploit.
This illustrates what a security expert has termed a law of security: systems created in isolation by teams convinced of their uniqueness invariably harbor critical vulnerabilities that established security practices would have addressed. The cryptocurrency industry has repeatedly fallen into this trap, building security frameworks from scratch instead of adapting time-tested strategies from traditional finance and information security.
A paradigm shift toward designing security with human factors in mind is crucial. Ironically, while traditional finance advanced from single-factor (password) to multi-factor authentication (MFA), early cryptocurrency often reverted to simplified security models through private keys or seed phrases, hiding behind the notion of encrypted security. This oversimplification proved perilous, leading the industry to face numerous vulnerabilities and exploits. After billions in losses, we’re now witnessing more advanced security methodologies similar to those in traditional finance.
Modern solutions and regulatory frameworks should recognize the inevitability of human error and design systems that remain secure despite these errors rather than assuming ideal human compliance. Importantly, technology does not alter fundamental incentives. Implementing new solutions incurs direct costs, while neglecting them can lead to reputational harm.
Security measures need to progress beyond merely protecting technical infrastructures to anticipating human errors and being resilient against common pitfalls. Static credentials like passwords and authentication tokens are inadequate against attackers who exploit predictable human behavior. Security systems should employ behavioral anomaly detection to identify suspicious activities.
Private keys held in a single, easily accessible location represent a major security vulnerability. Dividing key storage between offline and online environments helps prevent comprehensive key compromise. For example, storing part of a key on a hardware security module and another part offline enhances security by necessitating multiple verifications for complete access — reintroducing multi-factor authentication principles into cryptocurrency security.
Actionable Steps for a Human-Centric Security Approach
A thorough human-centric security framework must tackle cryptocurrency vulnerabilities across multiple dimensions, with coordinated efforts across the ecosystem rather than fragmented solutions.
For individual users, hardware wallet solutions continue to set the gold standard. However, many users lean towards convenience over security accountability, making it vital for exchanges to adopt practices from traditional finance: default (but adjustable) waiting periods for substantial transactions, tiered account systems with varying authorization levels, and timely security education that activates at critical decision points.
Exchanges and organizations must transition from assuming flawless user adherence to designing systems that foresee human errors. This begins with unambiguously recognizing which components and processes they control, thus accepting responsibility for their protection.
Denying or being vague about responsibility boundaries directly undermines security efforts. Once accountability is established, organizations should implement behavioral analytics to identify abnormal patterns, mandate multi-party authentication for high-value transfers, and introduce automatic “circuit breakers” that mitigate potential damage if a compromise occurs.
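The exchange-side controls named in the two passages above (default waiting periods and tiered limits, multi-party authentication above a threshold, and a circuit breaker that halts outflow when a compromise is under way) combined into one withdrawal gate. This is an added example, not code from the article or from any exchange; the tiers, delays and limits are constructed, and the breaker uses a fixed outflow ceiling per window where a real deployment would substitute a learned behavioral baseline.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class WithdrawalPolicy:
    tier_limits: dict             # account tier -> amount releasable on a single approval
    approvers_above_limit: int    # distinct approvals required above the tier limit
    delay_seconds: int            # default waiting period for large transfers
    window_seconds: int           # lookback window for the circuit breaker
    max_outflow_in_window: float  # released outflow beyond which all withdrawals halt

@dataclass
class WithdrawalGate:
    policy: WithdrawalPolicy
    released: deque = field(default_factory=deque)  # (timestamp, amount) already released
    halted: bool = False

    def outflow(self, now: float) -> float:
        """Sum of releases inside the lookback window; older entries are dropped."""
        cutoff = now - self.policy.window_seconds
        while self.released and self.released[0][0] < cutoff:
            self.released.popleft()
        return sum(amount for _, amount in self.released)

    def evaluate(self, amount, tier, approvals, requested_at, now) -> str:
        """Decide one withdrawal: RELEASE, WAITING, NEED_MORE_APPROVALS or HALT."""
        if self.halted:                          # breaker tripped: nothing moves until a human resets it
            return "HALT"
        if amount > self.policy.tier_limits[tier]:
            if approvals < self.policy.approvers_above_limit:
                return "NEED_MORE_APPROVALS"     # multi-party sign-off for high-value transfers
            if now - requested_at < self.policy.delay_seconds:
                return "WAITING"                 # default waiting period still running
        if self.outflow(now) + amount > self.policy.max_outflow_in_window:
            self.halted = True                   # abnormal aggregate outflow: trip the breaker
            return "HALT"
        self.released.append((now, amount))
        return "RELEASE"

# Constructed policy: retail and institutional tiers, 3 approvers above the limit,
# a 1 hour delay, and a breaker at 250,000 released within any 10 minute window.
DEMO_POLICY = WithdrawalPolicy({"retail": 1_000, "institutional": 100_000},
                               approvers_above_limit=3, delay_seconds=3600,
                               window_seconds=600, max_outflow_in_window=250_000)
```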
Moreover, the intricacies of Web3 tools create extensive attack surfaces. Simplifying these and adopting established security paradigms would decrease vulnerabilities without sacrificing their functionality.
At the industry level, regulators and leaders can create standardized requirements for human factors in security certifications; however, some trade-offs exist between innovation and safety. The Bybit incident highlights how the cryptocurrency landscape has transitioned from its fragile origins to a more resilient financial infrastructure. While security breaches persist — and likely always will — their nature has shifted from existential threats capable of undermining confidence in cryptocurrency to operational challenges that warrant continual engineering solutions.
The future of cryptosecurity lies not in striving for the unattainable goal of completely eradicating human error, but in crafting systems that remain secure in the face of inevitable mistakes. This necessitates recognizing which aspects of the system fall under an organization’s accountability rather than holding onto ambiguity that breeds security weaknesses.
By recognizing human limitations and constructing systems to accommodate them, rather than relying on perfect compliance with security protocols, the cryptocurrency ecosystem can evolve from a speculative curiosity into a robust financial infrastructure.
The path to effective cryptosecurity in this growing market doesn’t reside in increasingly complex technical solutions but rather in thoughtful human-centric designs. By focusing on security frameworks that take into account human behaviors and limitations, we can create a more resilient digital financial ecosystem that can operate securely when — not if — human errors take place.