The recent $1.4 billion Bybit hack by Lazarus Group has crypto industry figures weighing in on lessons that should be learned moving forward. SMARDEX co-founder Jean Rausis said the industry should review its hiring practices and closely consider crypto’s “remote nature.”
“Most of us work from home and hire remotely, and this leaves the door open to malicious actors to penetrate a project from the inside more easily,” Rausis said. “It’s a well-known fact that North Korean actors have previously managed to infiltrate tech companies from the inside, like cybersecurity firm KnowBe4.”
“I’m not saying we should all be returning to the office to improve cybersecurity – this would severely limit the talent companies are able to hire, and simply goes against the entire ethos of Web3. But in a decentralized environment, hiring managers need to be more vigilant than ever when hiring new recruits. The hackers won’t stop trying – indeed, there’s probably another hacker attempting to steal assets somewhere right now. So we need to make it impossible for them to succeed.”
SPACE ID director of business development Harrison Seletsky said the Bybit experience offers an opportunity for crypto to fix a sub-optimal transaction experience. That begins with blind signing. Seletsky noted that even if someone signs transactions in a multisig wallet every day and is used to the interface, it can be hard to verify all the details of the contract they’re interacting with. That was made evident by the Bybit hackers’ ability to spoof the front-end output of the transaction.
“Even at the very base level, a large proportion of the crypto ecosystem still relies on 42-character jumbles of letters and numbers that make up crypto wallet addresses,” Seletsky said. “While we have seen growing adoption of human-readable domain names, like ‘jane.bnb’, to replace these randomized 0x addresses, these strings of characters are still perfectly acceptable within the crypto payments system. Seeing all these numbers and letters on screen can divert attention and make it hard to verify, obfuscating malicious transactions and leading to simple mistakes.”
Seletsky suggested that if every wallet and treasury in the ecosystem had a human-readable unique identifier, such as “bybitcoldwallet2.bnb” transferring to “bybithotwallet3.bnb”, transactions would be much easier to verify and signers could be alerted when something looks off. It wouldn’t fix the entire issue of blind signing, but he said it’s a step toward safer, more easily trackable transactions.
“At this moment, the crypto industry needs any advantage available to protect against future fraud attempts, be it by the Lazarus Group or any other malicious organization,” Seletsky concluded.
YouHodler chief of markets Ruslan Lienkha wondered if Bybit’s travails will affect institutional confidence in centralized exchanges. He doubts there will be much change.
“Institutions typically adhere to strict treasury management rules and allocate only the necessary liquidity to CEXs for routine transactions,” Lienkha said. “Large-scale institutional trades are often conducted through OTC markets, while long-term holdings are kept in secure, self-custodied solutions. Security breaches significantly impact retail traders, who rely more heavily on centralized exchanges for trading and asset storage.”
Impossible Cloud Network managing director Sebastian Pfeiffer pinned the Bybit blame on an over-reliance on centralized systems. He said Bybit’s report revealed that compromised credentials for Amazon Web Services – the centralized cloud provider that currently dominates the running of the global internet – provided the attacker with access to Safe.Global’s infrastructure.
“Unfortunately, much of the Web3 ecosystem still relies on centralized cloud providers despite touting the benefits of decentralization,” Pfeiffer said. “But we can no longer do this in a world where hackers are becoming increasingly more sophisticated – it’s simply too risky.”
“Change is hard. People get attached to recognizable brand names and tried-and-tested solutions and are typically extremely reluctant to change, even when the alternative is objectively safer and better.”
Pfeiffer said it’s no longer enough to turn on two-factor authentication and hope for the best – it’s time for real change.
“A new paradigm is needed where the entire Internet doesn’t run on three centralized companies that are vulnerable to constant attacks and hacks,” Pfeiffer warned. “In the age of AI and blockchain, a centralized cloud simply no longer makes sense. It’s such a shame that major Web3 infrastructure providers are still so dependent on centralized cloud infrastructure. Now there are real alternatives, the move must be made.”