For readers who prefer to read in Chinese, here are the links:
Simplified Chinese: [简] $1.5 billion stolen from Bybit: how should large financial institutions build an effective security defense system?
Traditional Chinese: [繁] $1.5 billion stolen from Bybit: how should large financial institutions build an effective security defense system?
On February 21, 2025, what seemed like a routine cold-to-hot wallet transfer resulted in the largest theft in crypto history—nearly $1.5 billion (401,347 ETH) stolen from Bybit’s wallet. This unprecedented attack has sent shockwaves across the industry, highlighting the growing sophistication of cyber threats targeting institutional digital assets.
Unlike traditional attacks involving private key theft, key service exploitation, or vulnerabilities in multi-signature contract code, this breach was carried out using social engineering and front-end interface spoofing. Hackers tricked Bybit employees into signing a malicious contract upgrade request, ultimately gaining full control over the wallet.
Compromised Signer Devices: Hackers gained control over the terminals of multi-sig wallet signers through undisclosed methods.
Front-End Spoofing: The Safe multi-signature wallet UI was manipulated to display forged transaction details, disguising a critical contract upgrade request as a routine transfer.
Blind Signing Exploitation: With a compromised front-end and limited transaction visibility, signers unknowingly approved a fraudulent contract upgrade. The hardware wallets used were unable to display enough Safe multi-signature request details, leading to blind approvals.
The Bybit hack underscores a harsh reality: Single-layer security measures are obsolete. Despite managing billions in assets, crypto institutions remain vulnerable to sophisticated, organized attacks. The industry must rethink security architectures by integrating technical rigor, process controls, and operational governance into a layered security ecosystem.
To defend against increasingly sophisticated cyberattacks, digital asset institutions must adopt defense-in-depth architectures that integrate multiple layers of protection. RigSec, with 15+ years of experience in digital security, highlights the following key areas:
Private keys are the ultimate control mechanism for blockchain wallets. If compromised, the wallet—and its assets—are lost. Institutions can utilize:
✅ NIST-certified financial-grade HSMs (Hardware Security Modules)—ensuring private keys are stored in tamper-proof, isolated environments, preventing unauthorized access.
✅ MPC (Multi-Party Computation) & Multi-Signature Storage—sharding keys to eliminate single points of risk, so no single breach can expose the full key.
The Bybit hack underscores the importance of endpoint security, where attackers infiltrate transaction approval processes at their source. To mitigate this risk:
✅ Adopt Trusted Execution Environments (TEE) & Secure Hardware—ensuring that all transaction approvals occur in isolated, verifiable environments, resistant to manipulation.
✅ Implement Threat Intelligence & Behavior-Based Security Monitoring—AI-driven anomaly detection to identify unusual activity in real time and block unauthorized access attempts.
A major flaw in Bybit’s process was blind signing, where signers lacked the ability to verify transaction details. To address this:
✅ Implement WYSIWYS (What You See Is What You Sign) Technology—ensuring that signers can fully review and confirm transaction details before approval.
✅ Introduce Multi-Source Cross-Verification—Mandate multi-channel confirmation of critical actions like contract upgrades.
Blockchain transactions are inherently complex, and manual transaction reviews alone are insufficient. Institutions should:
✅ Implement Automated Policy Enforcement Engines (PEE)—enforcing whitelists, risk thresholds, and automatic transaction flagging before execution.
✅ Adopt Multi-Tiered Approval Flows—critical transactions should trigger additional verification steps and role-based approvals.
✅ Transaction Analysis and Simulation—real-time risk monitoring using on-chain analysis and simulation, preventing malicious transactions from being signed.
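The items above describe a policy enforcement engine in outline. As an added example (not RigSec's PEE or any other product's code), the sketch below evaluates each transaction before signing against a destination whitelist, a per-transaction threshold with role-tiered approval, a rolling 24-hour limit and a simulation hook, and records every decision for later audit. The roles, limits, addresses and sample transactions are constructed for the demonstration.

```python
"""Minimal policy enforcement engine (PEE): whitelist, per-transaction and rolling-window
limits, role-tiered approvals, a simulation hook, and an audit log of every decision.
Added example, not RigSec's engine; roles, limits, addresses and transactions are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CALL, DELEGATECALL = 0, 1


@dataclass
class Policy:
    whitelist: set                     # destinations that may receive funds at all
    per_tx_limit: int                  # ETH; larger transfers need the "elevated" tier
    window_limit: int                  # ETH permitted in any rolling 24-hour window
    allow_delegatecall: bool = False   # contract upgrades are off unless explicitly enabled
    elevated_roles: set = field(default_factory=lambda: {"treasury-head"})
    upgrade_roles: set = field(default_factory=lambda: {"security-officer"})


@dataclass
class Tx:
    to: str
    value: int          # ETH
    operation: int      # CALL or DELEGATECALL
    when: datetime
    approvers: set      # roles that have already signed off


@dataclass
class Decision:
    allowed: bool
    tier: str
    reasons: list


class PolicyEngine:
    def __init__(self, policy: Policy, simulate=None):
        self.policy = policy
        # Hook for a dry run of the transaction; the default accepts everything.
        self.simulate = simulate or (lambda tx: True)
        self.history = []    # (when, value) of approved transfers, for the rolling window
        self.audit_log = []  # every evaluation, approved or not, for forensics

    def evaluate(self, tx: Tx) -> Decision:
        p, reasons, tier = self.policy, [], "standard"
        if tx.to.lower() not in {a.lower() for a in p.whitelist}:
            reasons.append(f"destination {tx.to} is not whitelisted")
        if tx.operation == DELEGATECALL:
            tier = "upgrade"
            if not p.allow_delegatecall:
                reasons.append("delegatecall (contract upgrade) is blocked by policy")
            elif not (tx.approvers & p.upgrade_roles):
                reasons.append("contract upgrade needs approval from: "
                               + ", ".join(sorted(p.upgrade_roles)))
        elif tx.value > p.per_tx_limit:
            tier = "elevated"
            if not (tx.approvers & p.elevated_roles):
                reasons.append(f"{tx.value} ETH exceeds the {p.per_tx_limit} ETH limit "
                               "and needs a treasury-head approval")
        spent = sum(v for t, v in self.history if t > tx.when - timedelta(hours=24))
        if spent + tx.value > p.window_limit:
            reasons.append(f"rolling 24h limit exceeded: {spent + tx.value} > {p.window_limit} ETH")
        if not reasons and not self.simulate(tx):
            reasons.append("simulation of the transaction failed")
        decision = Decision(not reasons, tier, reasons)
        self.audit_log.append((tx.when.isoformat(), tx.to, tx.value, tx.operation,
                               sorted(tx.approvers), decision))
        if decision.allowed:
            self.history.append((tx.when, tx.value))
        return decision


HOT = "0x" + "bb" * 20      # constructed hot-wallet address
UNKNOWN = "0x" + "dd" * 20  # constructed address that is never whitelisted


def demo():
    """Run five constructed transactions through one engine; returns the decisions in order."""
    engine = PolicyEngine(Policy(whitelist={HOT}, per_tx_limit=100, window_limit=500))
    t0 = datetime(2025, 2, 21, 9, 0)
    txs = [
        Tx(HOT, 50, CALL, t0, {"ops"}),                                         # routine
        Tx(HOT, 200, CALL, t0 + timedelta(hours=1), {"ops"}),                   # too large for ops alone
        Tx(HOT, 200, CALL, t0 + timedelta(hours=1), {"ops", "treasury-head"}),  # elevated, approved
        Tx(UNKNOWN, 0, DELEGATECALL, t0 + timedelta(hours=2), {"ops"}),         # upgrade to unknown code
        Tx(HOT, 300, CALL, t0 + timedelta(hours=3), {"ops", "treasury-head"}),  # breaks the 24h window
    ]
    return [engine.evaluate(tx) for tx in txs]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.tier, d.reasons)
```

The engine denies the delegatecall to an unknown contract on two independent grounds, which is the layered effect the text argues for: even if one rule were misconfigured, another still blocks the request, and the audit log preserves who approved what for later review.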
Institutional security extends beyond technology—it requires continuous training, real-time monitoring, and regulatory oversight:
✅ Continuous Staff Training—train staff on emerging Web3 threats (e.g., phishing, front-end spoofing), ensuring that custody operation personnel remain up to date with evolving cyber threats and compliance standards.
✅ Transaction & Policy Monitoring and Auditing—live monitoring and alerts on critical requests such as large transactions, whitelist changes and abnormal approvals. Log all approvals, signatures, and policy changes for forensic analysis and for improving risk control policies.
The Bybit incident reinforces that institutions must move beyond traditional multi-signature setups to a more comprehensive security framework—integrating technology, governance, and process controls. RigSec delivers institutional-grade wallet solutions that directly address these challenges:
✅ Air-Gapped Cold Storage – Supports air-gapped HSM-based key storage, eliminating network attack vectors and ensuring private keys remain secure at all times.
✅ What You See is What You Sign – A dedicated financial-grade Personal Security Device (PSD) displays the crucial transaction details on its own screen; together with the PEE, it validates that the request approved on the PSD matches the request actually submitted, ensuring ‘What You See is What You Sign’.
✅ Robust Policy Enforcement Engine (PEE) – As the final defense layer before signing, the PEE automatically validates transaction legitimacy, checking each transaction against rules such as whitelists, approval workflows and risk thresholds that are configured from compliance and security requirements.
Bybit’s $1.5 billion loss underscores a critical reality—for hackers, any single-layer defense is a potential vulnerability. Key sharding, multi-signature wallets, and cold storage alone are not enough. True institutional security demands a holistic approach that combines advanced security technologies, governance frameworks, and operational best practices.
At RigSec, we help institutions build security ecosystems that evolve with emerging threats. Our solutions are trusted by licensed financial institutions across Hong Kong, Japan, Singapore, and Taiwan, ensuring regulatory compliance and institutional-grade security.
Want to strengthen your custody security? Contact us to learn more: [email protected]