
Imagine you’re on the finance team at a major crypto exchange. You open up your wallet interface, carefully review a transaction to move $1 million to another company wallet, get your colleague to double-check and approve it, hit send, and... $1.5 billion disappears to North Korean hackers.
This is not a hypothetical scenario. This actually happened to Bybit in what became one of the largest crypto hacks in history. The finance team saw one thing on their screens, approved what looked like a routine transaction, and watched as their actual transaction sent 1,500 times more money to completely different addresses controlled by North Korean hackers.
It's the kind of breach that makes you question everything you thought you knew about crypto security. Multi-signature wallets were supposed to prevent this from happening. Multiple people approved the transaction. They followed best practices. And yet, somehow, North Korean hackers walked away with $1.5 billion while Bybit's team stared at their screens, stunned, as the funds disappeared.
What many people don’t realize is that this hack was preventable, and the lessons from it are straightforward to implement. The problem isn't that crypto is inherently unsafe; it's that most companies are still using 2017 security practices for 2025-era problems.
Wait, How Did This Actually Happen?
Let's start with what didn't happen. This wasn't some Hollywood movie where hackers broke into Bybit's servers by typing really fast on multiple keyboards. This was something much more sophisticated and, frankly, much scarier: a supply chain attack.
Think of it like this: imagine if someone secretly replaced the calculator on your accountant's desk with one that looked identical, but occasionally showed "2+2=5" when calculating your largest transactions. Except instead of a physical calculator, the hackers replaced part of the software that Bybit's team used every day.
The hackers didn’t target Bybit directly. They targeted Gnosis Safe (now Safe{Wallet}), the multisig wallet software that Bybit used to manage its funds. North Korean hackers (specifically the Lazarus Group, North Korea’s state-sponsored hacking unit) spent months researching Bybit's setup. Because all blockchain activity is public, they could identify that Bybit held significant assets in specific Gnosis Safe wallets.
Instead of attacking the exchange, they went after a Gnosis Safe developer's machine. They likely sent him what looked like a routine message, probably something with an embedded link. The developer opened it, unknowingly compromising his computer.
From there, the plan was diabolically clever. The Lazarus Group injected malicious JavaScript into the Gnosis Safe web front end, the interface every user loads in their browser; the on-chain Safe contracts themselves were untouched. The code sat dormant and went unnoticed. During this time, thousands of people used Gnosis Safe daily with no harm caused by it, because it was written to activate only when it saw Bybit's specific wallet address in a transaction.
When that moment finally came, the code performed digital sleight of hand. The Bybit team saw a screen showing a routine transfer of $1 million to wallet ABC. Their colleague saw the same thing when they approved it. But the payload handed to their hardware wallets was a different transaction, and the devices could only display an opaque hash that nobody could match against what the screen said. What they actually signed handed control of the wallet to the Lazarus Group, who then emptied it: $1.5 billion to wallet XYZ.
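The core failure above is that what the signers saw and what they signed were two different things, and nothing in the flow compared them. The following is an added example, not code from the original post, from Gnosis Safe or from Bybit. It models a compromised front end that stays dormant for every wallet except a targeted one, and the check a signing team can run on a separate machine: rebuild the transaction from the fields shown on screen and compare it, field by field, with the raw payload that will actually be signed. The addresses, calldata and nonce are constructed placeholders, and SHA-256 over canonical JSON stands in for the EIP-712 keccak-256 digest a real signing device displays.

```python
"""
Independent 'what you see is what you sign' check.

Added example, not code from the original post, Gnosis Safe/Safe{Wallet} or Bybit.
A compromised UI renders one transaction while handing the signing device another;
the defense is to reconstruct the intended transaction from the fields the signer
read and compare it, on a clean second machine, with the payload to be signed.

Assumptions (constructed for the demonstration): addresses and calldata are
placeholders, and SHA-256 over canonical JSON stands in for the EIP-712
keccak-256 digest (safeTxHash) a real hardware wallet would display.
"""
import hashlib
import json
from dataclasses import asdict, dataclass

CALL, DELEGATECALL = 0, 1

TARGET_SAFE = "0x" + "01" * 20        # the one wallet the injected code waits for
ATTACKER_CONTRACT = "0x" + "ab" * 20  # where the swapped payload points


@dataclass(frozen=True)
class Transaction:
    to: str
    value_wei: int
    data: str        # hex-encoded calldata
    operation: int   # CALL or DELEGATECALL
    nonce: int


def payload_digest(tx: Transaction) -> str:
    """Canonical digest of a transaction (stand-in for the hash a device shows)."""
    canonical = json.dumps(asdict(tx), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def compromised_frontend(intended: Transaction, this_safe: str) -> Transaction:
    """Models the injected UI code: a no-op for every wallet except TARGET_SAFE, where
    it swaps in a DELEGATECALL to the attacker's contract while the screen keeps
    showing `intended`. Returns the payload that actually reaches the signing device."""
    if this_safe.lower() != TARGET_SAFE.lower():
        return intended
    return Transaction(to=ATTACKER_CONTRACT, value_wei=0, data="0xdeadbeef",
                       operation=DELEGATECALL, nonce=intended.nonce)


def independent_review(shown: Transaction, to_sign: Transaction) -> list:
    """Run on a clean second machine before anyone confirms on the hardware wallet.
    Compares what the signer saw with the payload to be signed, field by field,
    flags DELEGATECALL (a routine transfer never needs it; it lets the called
    contract rewrite the wallet's own storage) and checks whether the digest the
    device will display can match the expected one. Empty list means consistent."""
    findings = []
    for name, shown_value in asdict(shown).items():
        actual = getattr(to_sign, name)
        if shown_value != actual:
            findings.append(f"{name}: UI showed {shown_value!r}, payload has {actual!r}")
    if to_sign.operation == DELEGATECALL:
        findings.append("payload is a DELEGATECALL: it can replace the wallet's own logic")
    if payload_digest(shown) != payload_digest(to_sign):
        findings.append("digest on the signing device will not match the expected digest")
    return findings


def demo() -> dict:
    """The same routine transfer approved from an untargeted wallet and the targeted one."""
    routine = Transaction(to="0x" + "22" * 20, value_wei=10**18, data="0x",
                          operation=CALL, nonce=7)
    other_safe = "0x" + "33" * 20
    return {
        "expected_digest": payload_digest(routine),
        "untargeted": independent_review(routine, compromised_frontend(routine, other_safe)),
        "targeted": independent_review(routine, compromised_frontend(routine, TARGET_SAFE)),
    }


if __name__ == "__main__":
    for wallet, findings in demo().items():
        if wallet != "expected_digest":
            print(wallet, "->", findings or ["no discrepancies"])
```

The point of the design is that the review never trusts the interface that produced the payload: the expected digest is computed from what the signer read, on a machine the front end cannot reach, and a DELEGATECALL is rejected outright because a treasury transfer has no business changing the wallet's own code.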
What Made The Bybit Attack So Sneaky
This breach exploited the one variable that even the best security systems can’t fully control: the human element.
We've all heard stories about crypto hacks where someone's password got stolen or they left their private keys on an exchange that got hacked. Those feel preventable, right?
Use better passwords, don't trust exchanges with your keys, enable two-factor authentication. Problem solved.
But this attack bypassed all of that. The Gnosis Safe developer likely used strong passwords and followed excellent security practices. The Bybit team likely followed their procedures perfectly. Multiple people verified the transaction. Everything looked normal because the hackers made sure it looked normal.
This is what security experts call an "insider threat," except the insider didn't know they were the threat. The Gnosis Safe developer wasn't malicious; his compromised machine gave the attackers a trusted path into software Bybit relied on, a path that Bybit's own defenses never saw.
And here's the unsettling truth: there are about a million ways this could happen again. You could pay a developer to insert malicious code. You could blackmail them. You could hack their personal devices. You could compromise their coffee shop's WiFi. The attack vectors are endless.
Pat White, CEO of Bitwave, put it perfectly when I talked to him about this: "The era of 'this could never happen to us' is over. Every business needs to assume their software supply chain has been compromised and plan accordingly."
The Uncomfortable Truth About Crypto Security
Let's talk about something that might hurt to hear: many digital asset security practices are still stuck in 2017.
Back then, the biggest concern was "don't lose your private keys." Multi-signature wallets felt revolutionary: “You need multiple approvals to move funds? Game changer!” For a while, that really did feel like enough.
As digital assets have grown up and now move enterprise-scale money, in particular in areas like B2B cross-border payments, the attack vectors have evolved faster than many security and control practices.
Traditional finance solved many of these problems decades ago. There's a reason banks don't keep billions of dollars in a single account that can be accessed by logging into a website. There's a reason financial institutions have extensive approval processes, segregated duties, and multiple layers of controls.
Bybit had $1.5 billion sitting in a wallet whose transactions were built and approved through a web interface. That's like keeping your entire company's cash reserves in a checking account and doing all your banking through your browser. It sounds absurd when you say it out loud, but that's essentially what happened.
So What Should You Actually Do?
Let’s move from risk to response. If your company holds a meaningful amount of digital assets, it’s time to treat treasury operations with the same discipline as traditional finance. That starts with a tiered wallet strategy—designed to minimize exposure, enforce controls, and mirror enterprise treasury workflows.
Cold Wallets
Cold wallets (aka wallets stored offline) should hold the vast majority of your crypto assets. These are your treasury reserves: long-term holdings, not needed for day-to-day transactions.
Best practices:
- Store keys offline or with a reputable third-party custodian
- Use multisig access controls and dual-approval workflows
- Limit transfers to predefined addresses or smart contracts (e.g. whitelist)
- Audit access regularly and monitor for dormant wallet movements
Hot Wallets
Hot wallets (aka those connected to the internet) are essential for daily operations, but they should be treated like petty cash boxes, not vaults. You should only keep as much as you're willing to lose. That might be $10,000, $50,000, or one week’s worth of payroll and vendor expenses, but it should never be billions of dollars. For larger or more complex operations, introducing a warm wallet tier can also improve both security and flexibility.
Best practices:
- Limit balances using predefined thresholds
- Restrict access to a small group with clear operational roles
- Enforce transaction limits and daily velocity caps
- Sweep excess funds back to cold storage after usage cycles
These crypto-native practices have clear TradFi parallels. You can apply familiar financial discipline to your digital asset operations:
- Just-in-time funding: Move assets to hot wallets only as needed
- Zero-balance accounts (ZBAs): Keep hot wallet balances near zero outside of payment windows
- Sweeping mechanisms: Automatically return unused funds to cold storage
- Segregation of duties: Enforce role-based access and dual approvals for transfers
You don’t have to reinvent the wheel, you can apply enterprise-grade treasury logic to a new asset class.
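The controls in the two lists above are easy to state and easy to skip. Written as code they become something you can test against your own payment history. The following is an added example, not code from the original post or from any custodian or vendor: a hot wallet modeled as a petty-cash tier with a balance ceiling, a destination allowlist, a per-transfer limit, a rolling 24-hour velocity cap, segregation of duties between initiator and approver, and a zero-balance-style sweep back to cold storage. Amounts, addresses, user names and timestamps are constructed for the demonstration.

```python
"""
Tiered treasury controls expressed as code.

Added example, not code from the original post or from any custodian or vendor.
Models the hot-wallet tier as a petty-cash box: balance ceiling, destination
allowlist, per-transfer limit, rolling 24h velocity cap, segregation of duties
between initiator and approver, and a sweep of any excess back to cold storage.
Amounts, addresses, users and timestamps are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HotWalletPolicy:
    ceiling: int              # most that may sit in the hot wallet between payment windows
    per_transfer_limit: int   # largest single outbound transfer
    daily_velocity_cap: int   # total outbound allowed in any rolling 24-hour window
    allowlist: frozenset      # the only destinations this wallet may ever pay


@dataclass(frozen=True)
class Approval:
    user: str
    role: str                 # "initiator" or "approver"


@dataclass
class HotWallet:
    balance: int
    policy: HotWalletPolicy
    cold_address: str
    ledger: list = field(default_factory=list)   # (timestamp, destination, amount) paid out
    sweeps: list = field(default_factory=list)   # (timestamp, amount) returned to cold storage

    def outflow_last_24h(self, now: datetime) -> int:
        window_start = now - timedelta(hours=24)
        return sum(amount for ts, _, amount in self.ledger if ts > window_start)

    def evaluate(self, destination: str, amount: int, approvals: list, now: datetime) -> list:
        """Return every control the transfer would violate; empty means it may proceed.
        All checks run so the reviewer sees the whole picture, not just the first failure."""
        p = self.policy
        violations = []
        if destination not in p.allowlist:
            violations.append("destination not on allowlist")
        if amount > p.per_transfer_limit:
            violations.append("exceeds per-transfer limit")
        if self.outflow_last_24h(now) + amount > p.daily_velocity_cap:
            violations.append("exceeds 24h velocity cap")
        if amount > self.balance:
            violations.append("insufficient balance")
        roles = {a.role for a in approvals}
        users = {a.user for a in approvals}
        if not {"initiator", "approver"} <= roles or len(users) < 2:
            violations.append("needs an initiator and a distinct approver")
        return violations

    def transfer(self, destination: str, amount: int, approvals: list, now: datetime) -> list:
        """Apply the transfer only if it passes every control; return the violations either way."""
        violations = self.evaluate(destination, amount, approvals, now)
        if not violations:
            self.balance -= amount
            self.ledger.append((now, destination, amount))
        return violations

    def sweep_to_cold(self, now: datetime) -> int:
        """Zero-balance-account discipline: anything above the ceiling goes back to cold.
        Sweeps are not operational spend, so they do not count against the velocity cap."""
        excess = max(0, self.balance - self.policy.ceiling)
        if excess:
            self.balance -= excess
            self.sweeps.append((now, excess))
        return excess


def demo() -> list:
    """A day in the life of a hot wallet that was funded with more than its ceiling allows."""
    vendor, unknown, cold = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
    policy = HotWalletPolicy(ceiling=50_000, per_transfer_limit=20_000,
                             daily_velocity_cap=40_000, allowlist=frozenset({vendor}))
    wallet = HotWallet(balance=60_000, policy=policy, cold_address=cold)
    dual = [Approval("alice", "initiator"), Approval("bob", "approver")]
    solo = [Approval("alice", "initiator"), Approval("alice", "approver")]
    t0 = datetime(2025, 3, 1, 9, 0)
    return [
        ("sweep excess", wallet.sweep_to_cold(t0)),
        ("routine payment", wallet.transfer(vendor, 15_000, dual, t0)),
        ("unknown destination", wallet.transfer(unknown, 15_000, dual, t0)),
        ("oversized payment", wallet.transfer(vendor, 25_000, dual, t0)),
        ("one person approving twice", wallet.transfer(vendor, 15_000, solo, t0)),
        ("second routine payment", wallet.transfer(vendor, 15_000, dual, t0)),
        ("third payment same day", wallet.transfer(vendor, 15_000, dual, t0)),
        ("next day", wallet.transfer(vendor, 15_000, dual, t0 + timedelta(hours=25))),
        ("closing balance", wallet.balance),
    ]


if __name__ == "__main__":
    for label, outcome in demo():
        print(f"{label}: {outcome}")
```

Two design choices matter here. The velocity cap is a rolling window over the wallet's own ledger rather than a calendar-day counter, so a burst straddling midnight is still caught; and segregation of duties is enforced on distinct users, not just distinct role labels, so one compromised account cannot satisfy both sides of a dual approval.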
When to Trust Someone Else vs. DIY
If your company manages more than a few million dollars in digital assets, here’s the uncomfortable truth: you probably shouldn’t be doing it all yourself unless you have a dedicated security, infrastructure, and treasury ops team.
Institutional custodians like Coinbase and Anchorage exist for a reason. They employ full-time security teams, operate audited key management systems (often built on HSMs), and provide robust operational frameworks, including insurance coverage.
When used properly, custodians can offer:
- Segregated accounts (not pooled omnibus wallets)
- Role-based access controls and dual authorization
- Transaction limits, whitelists, and audit trails
- SOC 2 compliance and financial liability coverage
However, a third-party custodian is not a silver bullet. It introduces platform risk, counterparty exposure, and potential operational constraints. You are now placing trust in a third party, which means you still need your own policies, oversight, approval workflows, and reconciliation.
Red Flags That Should Keep You Up at Night
Let's get practical. Here are some warning signs that your crypto security setup might be at risk:
- You have large amounts in wallets accessed through web interfaces. If you're regularly logging into a website to move significant money, you're one supply chain attack away from being the next Bybit.
- Your approval process is just "multiple people click approve." Multi-sig is better than no controls, but if every signer reads the transaction from the same interface and then confirms an unreadable hash on their device, a compromise of that interface defeats all of them at once. Each approver needs a way to verify the payload independently of the screen that produced it.
- You are custodying your own funds and don't have dedicated crypto security expertise. Crypto security is different from traditional IT security; plan and hire accordingly.
- You're mixing operational and reserve funds. If your day-to-day spending wallet could bankrupt your company if it disappeared, you’re unnecessarily exposing your entire treasury to day-to-day risks.
- You haven't audited your software supply chain. Every piece of software you use to manage digital assets is a potential attack vector. Have you audited your dependencies lately?
The Big Picture: Crypto Is Growing Up
Here's the thing that makes all of this both exciting and worrisome: crypto payments are finally having their moment.
For years, the industry was focused on everything but payments, but now we're finally getting back to the original vision: using crypto as a better way to move money.
And it turns out, stablecoin payments are finding product market fit thanks to lower fees, instant settlement, global reach, and programmability.
Major enterprises have taken notice and are now accepting payments in stablecoin. Google, EY, and Coinbase are experimenting with stablecoin payments because the benefits are too obvious to ignore. Much of the $170 trillion B2B payments market is inefficient, expensive, and ripe for transformation.
As Pat White, CEO of Bitwave, put it: "the era of bps-based payments is over." But that efficiency can't come at the cost of security.
As stablecoin payments go mainstream, the security stakes get higher. When you're moving hundreds of millions or billions of dollars, you can't afford to learn security lessons retroactively.
The Bybit hack wasn't just a wake-up call for Bybit, it was a wake-up call for businesses that are leading the disruption.
Don't Be the Next Cautionary Tale
The good news? We know how to solve these problems. The bad news? Many companies aren't solving them.
Many of the answers come from traditional finance: controls, segregation of duties, approval workflows, and cash management discipline. These aren’t new ideas. They’ve been refined over decades to protect high-value financial operations, but crypto introduces entirely new risks that didn’t exist before (like smart contract exploits and transparent wallet activity). These require new best practices built for an onchain world.
The companies that move early to implement these practices will have real advantages with faster payments, lower costs, greater transparency.
Ready to Do This Right?
The Bybit hack taught us that crypto security isn't just about technology; it's about implementing enterprise-grade processes that account for all the ways things can go wrong.
At Bitwave, we've built our platform specifically to help companies navigate these challenges. We provide the workflow and controls, custody integrations, and best practices that enterprises need to safely adopt stablecoin payments without becoming the next cautionary tale.
The future of business payments is digital assets, but only if you implement them securely.
Want to see how to do crypto payments the right way? Request a demo of Bitwave's platform today.


Disclaimer: The information provided in this blog post is for general informational purposes only and should not be construed as tax, accounting, or financial advice. The content is not intended to address the specific needs of any individual or organization, and readers are encouraged to consult with a qualified tax, accounting, or financial professional before making any decisions based on the information provided. The author and the publisher of this blog post disclaim any liability, loss, or risk incurred as a consequence, directly or indirectly, of the use or application of any of the contents herein.