Security Experts React to Bybit’s $1.4 Billion Cold Wallet Hack

February 24, 2025

By Joe Pan

Cryptocurrency exchange Bybit is grappling with the aftermath of a massive security breach that resulted in the loss of approximately $1.4 billion in Ethereum (ETH) and other tokens. CEO Ben Zhou described the incident as one of “the worst hacks” in cryptocurrency history.

The breach, which targeted Bybit’s Ethereum cold wallet, prompted a flurry of activity on the open market, with around $200 million worth of stETH being swapped for ETH following the attack.

Zhou assured users that withdrawals had resumed at full capacity within 12 hours in a series of tweets on “X”. Zhou also pledged that Bybit would release a comprehensive incident report and implement enhanced security measures in the coming days. The exchange had processed an unprecedented number of withdrawal requests—over 350,000—since the hack occurred. According to Zhou, 99.994% of those requests have been completed. “Since the hack 10 hours ago, Bybit has experienced the most withdrawals we have ever seen,” Zhou acknowledged. “So far, around 2,100 withdrawal requests remain to be processed. Overall, 99.994% of withdrawals have been completed.”

Security Experts React

The Bybit hack has sent ripples through the cryptocurrency community, prompting renewed scrutiny of exchange security practices.

Key Quotes:

“One of the key vulnerabilities in the APAC region is the reliance on centralized key management,”

“Cold storage is widely regarded as one of the most secure methods for protecting assets.”

“The best security is still a paper wallet, generated from a random, offline computer,”

Jessica Chuah of Crystal Intelligence, an Amsterdam-based consultancy specializing in investigating cryptocurrency crimes, notes that while cold wallets greatly reduce the risk of cyberattacks, they aren’t foolproof. Drawing on investigations in the Asia-Pacific (APAC) region, Chuah explains that security breaches often stem from “insider threats, physical security lapses, or weak key management protocols.” She added that “Even in regulated jurisdictions like Japan and Australia, past cases have demonstrated that unauthorized access can still occur due to poor private key storage practices, social engineering, or physical theft.”

Chuah emphasizes that “one of the key vulnerabilities in the APAC region is the reliance on centralized key management,” which can render cold storage ineffective if compromised. To counter this, leading financial institutions are implementing geographically distributed key shards, biometric authentication for access, and real-time auditing of key usage. She also underscores the importance of physical security, suggesting that “companies consider third-party custodians with insured vaults to restrict and monitor physical access.”

David Leung, founder of AITHOS Labs, notes that while “cold storage is widely regarded as one of the most secure methods for protecting assets,” it’s not without its challenges. Due to their offline nature, Leung explains, cold wallets are “inherently harder to update,” which can cause delays in applying security patches and software enhancements. This lag time can make them vulnerable to new threats.

Furthermore, Leung points out that the expense of “setting up and maintaining effective cold storage systems” is significant. The need for specialized equipment and highly skilled personnel can lead to “uneven security measures across different cold storage sites,” as some locations may lack the resources or expertise of others. He concludes that ensuring secure synchronization across all sites is also a complex and costly undertaking.

“The best security is still a paper wallet, generated from a random, offline computer,” said Eddie Chou, chief technical officer with Digital Plus Asia Limited. “The recovery seed phase is another failure point. Where do you store it? Who has access? All hardware needs a backup, and both can fail. The hardware hack involves opening the device, duplicating the RAM, and brute-forcing the pin. At the end of the day, it’s just a PIN.”  Chou has conducted blockchain and cryptocurrency 101 classes for law enforcement in various jurisdictions across Asia.

Bybit is expected to announce additional security enhancements as it works to recover from the incident and prevent future breaches.

About the Author

Joe Pan is an editor at Blockwind News and an early adopter of blockchain technology. He has covered major crypto conferences globally since 2019 and frequently moderates Web3 events across Asia. Joe is part of the founding team of Blockwind News and teaches Asia’s only accredited Master of Journalism class on “Covering Cryptocurrency and Blockchain” at Hong Kong Baptist University.