Cryptosphere Update
Lessons from Bybit Hack

By Leslie Stewart, December 14, 2014

The recent security breach of roughly $1.5 billion at Bybit, the world’s second-largest cryptocurrency exchange by trading volume, sent ripples through the digital asset community. With $20 billion in customer assets in custody, Bybit faced a major challenge when its security controls were circumvented during a routine transfer from an offline “cold” wallet to a “warm” wallet used for daily transactions.

Initial reports suggest that the vulnerability involved a home-grown Web3 implementation using Gnosis Safe, a multi-signature wallet that uses off-chain scaling technology, contains a centrally upgradeable architecture, and provides a user interface for signing. Malicious code deployed through the upgradeable architecture made what looked like a routine transfer actually change the contract. The incident triggered around 350,000 withdrawal requests as users rushed to secure their funds.

The breach is considerable in absolute terms, but at an estimated less than 0.01% of the total market capitalization of cryptocurrencies, it shows that what was once an existential crisis has become a manageable operational incident. Bybit’s rapid assurance that all unrecovered funds will be covered through its reserves or partner loans further exemplifies this maturation.

Since the launch of cryptocurrency, human error, rather than technical flaws, has been a consistent major vulnerability. Our research, which examined major cryptocurrency breaches over a decade, shows that human factors always dominate. In 2024 alone, roughly $2.2 billion was stolen.

What is striking is that these breaches continue to occur for similar reasons. Organizations fail to protect their systems because they do not explicitly accept responsibility for them, or because they rely on custom-built solutions that maintain the illusion that their requirements are different from those covered by established security frameworks. This pattern of reinventing security approaches rather than adapting proven methodologies perpetuates vulnerabilities.

Blockchain and encryption technologies have proven cryptographically robust, but the weakest link in security is not the technology but the human element that interfaces with it. This pattern has been remarkably consistent from the early days of cryptocurrency to today’s sophisticated institutional environment, and it mirrors cybersecurity concerns in other, more traditional domains.

These human errors include mismanagement of private keys, where losing or accidentally revealing a private key compromises security. Social engineering attacks remain a major threat, as attackers manipulate victims into revealing sensitive data through phishing, spoofing, and deception.

Human-centered security solutions

A purely technical solution cannot fundamentally solve human problems. The industry has invested billions in technical security measures but comparatively little in addressing the human factors that consistently enable breaches.

One barrier to effective security is the reluctance to acknowledge ownership of, and liability for, vulnerable systems. Organizations that fail to clearly delineate what they control, or that insist their environment is too unique for established security principles to apply, create blind spots that attackers can easily exploit.

This reflects what security expert Bruce Schneier calls the law of security: a system designed in isolation by a team convinced of its own uniqueness almost certainly contains important vulnerabilities that established security practices already address. The cryptocurrency sector has repeatedly fallen into this trap, often rebuilding its security framework from scratch rather than adapting proven approaches from traditional finance and information security.

A paradigm shift towards human-centered security design is essential. Ironically, while traditional finance evolved from single-factor (password) to multifactor authentication (MFA), early cryptocurrency reverted to single-factor authentication via a private key or seed phrase, under a veil of security. This oversimplification was dangerous and led the industry to speedrun through a variety of vulnerabilities and exploits. After billions of dollars of losses, we are arriving at the more refined security approaches on which traditional finance has settled.

Modern solutions and regulatory technologies need to recognize that human error is inevitable and be designed to remain safe despite these errors, rather than assuming full human compliance with security protocols. Importantly, this technology does not change the basic incentives: implementing it involves direct costs, and avoiding it risks reputational damage.

Security mechanisms need to do more than protect technological systems; they must also anticipate human error and be resilient to common pitfalls. Static credentials such as passwords and authentication tokens are insufficient against attackers who take advantage of predictable human behavior. Security systems must integrate behavioral anomaly detection to flag suspicious activity.

Private keys stored in easily accessible locations pose a great security risk. Splitting key storage between offline and online environments reduces the risk of full key compromise. For example, storing one part of the key in a hardware security module while keeping another part offline enhances security by requiring multiple validations for full access.

Practical steps for a human-centered security approach

A comprehensive human-centered security framework must address cryptocurrency vulnerabilities at multiple levels with an ecosystem-wide coordinated approach rather than isolated solutions.

For individual users, hardware wallet solutions continue to be the best standard. However, since many users prefer convenience over security responsibility, the second-best option is for exchanges to implement practices from traditional finance: default (but adjustable) waiting periods and context-sensitive security education that is activated at key decision points.

Exchanges and institutions should move from assuming full user compliance to designing systems that anticipate human error. This starts with explicitly recognizing which components and processes they control and are therefore responsible for protecting.

Denial or ambiguity regarding the perimeter of responsibility directly undermines security efforts. Once this accountability is established, organizations will need to implement behavioral analysis to detect abnormal patterns, require multi-party approval for high-value transfers, and deploy automatic “circuit breakers” that limit potential damage if compromised.
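The three controls named above (an anomaly flag, multi-party approval and a circuit breaker) can be combined in one pre-signing policy check. The sketch below is an added example, not code from the article or from any exchange; the class name, thresholds, destination labels and approver names are all assumed values.

```python
from dataclasses import dataclass, field

@dataclass
class TransferPolicy:
    """Pre-signing checks for outbound transfers (all thresholds are assumed values)."""
    known_destinations: set
    high_value: int = 100_000        # at or above this, a quorum must approve
    quorum: int = 3                  # distinct approvers required for high value
    window_seconds: int = 3600       # rolling window watched by the breaker
    window_cap: int = 1_000_000      # max total outflow allowed per window
    tripped: bool = False            # once True, everything is blocked until reset
    history: list = field(default_factory=list)   # (timestamp, amount) of allowed transfers

    def evaluate(self, amount, destination, approvers, now):
        """Return (decision, reason); decision is 'allow', 'hold' or 'block'."""
        if self.tripped:
            return "block", "circuit breaker open, manual reset required"
        # Forget transfers that have aged out of the rolling window.
        self.history = [(t, a) for t, a in self.history if now - t < self.window_seconds]
        if sum(a for _, a in self.history) + amount > self.window_cap:
            self.tripped = True      # limit the damage: stop all further outflow
            return "block", "outflow cap for the window exceeded"
        if destination not in self.known_destinations:
            return "hold", "destination never used before"   # simple anomaly flag
        if amount >= self.high_value and len(set(approvers)) < self.quorum:
            return "hold", "not enough distinct approvers"
        self.history.append((now, amount))
        return "allow", "ok"

def run_demo():
    """Replay constructed transfer requests and return the decision for each."""
    policy = TransferPolicy(known_destinations={"warm-1"})
    team = ["alice", "bob", "carol"]
    requests = [                                  # constructed sample input
        (50_000, "warm-1", ["alice"], 0),         # small, known destination
        (400_000, "warm-1", ["alice", "alice", "bob"], 60),  # duplicate approver
        (400_000, "warm-1", team, 120),           # full quorum
        (10_000, "unknown-9", ["alice"], 180),    # new destination
        (600_000, "warm-1", team, 240),           # would push window past the cap
        (1_000, "warm-1", ["alice"], 300),        # breaker already open
    ]
    return [policy.evaluate(*r)[0] for r in requests]

if __name__ == "__main__":
    print(run_demo())
```

The outflow cap is checked before the quorum, so a transfer that every approver signed is still bounded by the breaker.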

Furthermore, the complexity of Web3 tools creates a large attack surface. Simplifying these tools and adopting established security patterns reduces vulnerabilities without sacrificing functionality.

At the industry level, regulators and leaders can establish standardized human factors requirements for security certifications, but there is a trade-off between innovation and safety. The Bybit incident illustrates how the cryptocurrency ecosystem has evolved from its vulnerable early days into a more resilient financial infrastructure. Security breaches continue, and perhaps always will, but their nature has shifted from existential threats that could destroy trust in cryptocurrency as a concept to operational challenges requiring ongoing engineering solutions.

The future of cryptocurrency security is not about pursuing the impossible goal of eliminating all human error, but about designing systems that remain secure despite inevitable human error. This requires first acknowledging which aspects of the system fall under the responsibility of the organization rather than maintaining the ambiguity that leads to security gaps.

By acknowledging human limitations and building systems that accommodate them, rather than assuming full compliance with security protocols, the cryptocurrency ecosystem can continue to evolve from speculative curiosity to a robust financial infrastructure.

The key to effective cryptocurrency security in this maturing market lies in more thoughtful, human-centric design, rather than more complex technical solutions. By prioritizing security architectures that account for the realities of behavior and human limitations, we can create a more resilient digital financial ecosystem that continues to function securely even when human error occurs.
