The Bybit Hack: A Digital Asset Insurance Perspective and Lessons Learned

Helen Ye

CEO at Qubit

The recent Bybit hack, as detailed in the latest forensic reports, has sent shockwaves through the cryptocurrency community. The attack, which originated from the compromise of a Safe developer’s credentials, highlights the critical vulnerabilities that exist in even the most secure digital asset infrastructures.

From a digital asset insurance perspective, this incident underscores the importance of robust security practices, proactive risk management, and the need for comprehensive incident response mechanisms.

Let’s break down what happened, what could have been done differently, and how the industry can learn from this event.

What Happened?

According to forensic investigations, the attacker gained unauthorized access to Bybit’s Safe (formerly Gnosis Safe) infrastructure by conducting a social engineering attack on a Safe developer, thereby allowing the attacker to gain access to the Bybit environment.

Based on unofficial reports, the attacker located production access keys to a Bybit AWS S3 bucket and replaced a JS file used by Safe clients with a malicious copy that targeted a Bybit wallet. Once the attack was completed and the wallet funds drained, the attacker replaced the malicious JS file with the original JS file, attempting to cover their tracks. 

This breach allowed the attacker to manipulate transactions during the signing process, ultimately leading to the theft of funds. The incident serves as a stark reminder that even the most sophisticated systems are only as secure as their weakest link—in this case, human error and credential management.

Key Lessons and Best Practices

While the hack is undoubtedly a setback, it also provides an opportunity for the industry to reflect on and improve security practices. Here are some key takeaways and best practices that could have mitigated the risks of such an incident:

1. Secure Secrets Management

The compromise of developer credentials was the root cause of this attack. Secure storage of sensitive information such as API keys, passwords, and private keys is non-negotiable. Best practices include:

• Using Product Vaults or Secret Managers: Tools like AWS Secrets Manager can securely store and manage access credentials, reducing the risk of accidental exposure.
• ⁠Implementing Role-Based Access Controls (RBAC): Limit access to sensitive systems and data to only those who absolutely need it, and enforce the principle of least privilege.

2. Staff Awareness and Training

Human error remains one of the biggest security risks. Developers and staff must be trained on secure coding practices, phishing awareness, and the importance of safeguarding credentials. Regular training sessions and simulated phishing exercises can help build a security-first culture within organizations.

3. Incident Response Mechanisms

No system is 100% secure, and organizations must operate under the assumption that a breach is inevitable. A well-defined incident response plan can make all the difference in minimizing damage. Key components include:

• ⁠Real-Time Monitoring and Alerts: Implement systems to detect unusual activity, such as unauthorized transaction signing or access attempts.
• Rapid Containment and Recovery: Have a clear plan to isolate affected systems, investigate the breach, and recover lost assets as quickly as possible.

4. Risk Distribution

One of the most puzzling aspects of this incident is the concentration of US$1.5bn in a single wallet. Distributing assets across multiple wallets or using multi-signature setups can significantly reduce exposure in the event of a breach. This approach aligns with the age-old adage: Don’t put all your eggs in one basket.

5. Third-party audits

External third-party audits and certifications of an entity’s information security controls are crucial. The entity must be certified with internationally respected information security standards such as ISO/IEC 27001 or CCSS. SOC2 Type 2 could be accepted but we recommend a thorough review of the SOC2 Type 2 report to ensure the auditor’s scope and testing procedures cover important information security controls.

Further, a counterpart risk assessment should be conducted before insurance is provided to an entity.  Information security certifications are critical however, they may not cover the entire scope of the systems being insured or lack key testing procedures that do not identify risks not covered by the audit conducted for the certification.

6. Insurance Coverage for Digital Assets

While preventive measures are crucial, having comprehensive digital asset insurance can provide a financial safety net in the event of a breach. Policies that cover theft, hacking, and operational errors can help organizations recover losses and maintain stakeholder confidence.

Final Thoughts

The Bybit hack is a sobering reminder of the ever-present risks in the digital asset ecosystem. While no system is impervious to attack, implementing best practices in security, risk management, and incident response can significantly reduce the likelihood and impact of such incidents.

For insurers, this event underscores the importance of developing innovative products that address the unique challenges of the crypto space.

As the industry continues to mature, collaboration between security experts, developers, and insurers will be key to building a safer and more resilient digital asset ecosystem. Let’s learn from this incident and work together to prevent future breaches.