
A detailed look at the Bybit hack from a Web3 wallet product manager's perspective
TechFlow Selected TechFlow Selected

A detailed look at the Bybit hack from a Web3 wallet product manager's perspective
The only thing to trust is technology, not "people" or "platforms."
Author: Yue Xiaoyu
1. First, let's explain in plain terms how Bybit was hacked:
Bybit uses a Safe multisig wallet with a 3/3 signing configuration, meaning three signers are required to complete any transaction, and each signer uses a hardware cold wallet.
The Safe multisig smart contract is a well-established solution that has been battle-tested for years and is secure by design. Combined with the fact that signers use hardware cold wallets—keeping private keys physically isolated and offline—
Multisig wallets + cold wallets represent the most secure wallet setup currently available.
So why was it still compromised?
The hackers used social engineering.
Since direct technical intrusion was not feasible, they targeted the "people" instead.
The attackers first infiltrated the computers of the three signers and then swapped out the actual signing content during their routine operations (e.g., signing transfers).
The signers believed they were approving legitimate transactions on their browsers, but the hackers had replaced the content with "malicious signatures," such as upgrading the Safe contract to a malicious one pre-prepared by the attackers.
The three signers unknowingly signed, allowing the hackers to use this malicious contract to drain all funds.
2. What exactly is social engineering attack?
Social engineering attacks are highly costly and complex to execute, yet extremely effective.
In this incident, the exchange had already implemented the highest level of security measures: multisig smart contracts, hardware wallets, and strict internal organizational protocols—yet still fell victim to a social engineering attack.
The hackers directly identified the multisig signers and found compromising their computers an easier entry point.
How did they compromise the staff's computers?
Tactics include phishing emails, installing malware, or exploiting personal security weaknesses (e.g., weak passwords, lack of two-factor authentication).
Once a computer is compromised, hackers gain full control over the device and can alter any data.
Social engineering attacks are highly stealthy. The signers may believe they completed normal tasks, and system logs might only show legitimate actions like "contract upgrade" rather than obvious "fund transfer."
By the time funds were drained, Bybit realized what happened—but it was too late.
That said, social engineering attacks are not impossible to prevent. They require rigorous, long-term defensive strategies.
The best defense includes strict control over employees' devices and behavior monitoring—such as using dedicated isolated devices, device whitelisting and surveillance, regular audits, and updates.
3. What happens next after Bybit's hack?
First, whether Bybit can withstand a potential user withdrawal rush—if it cannot, it could become another FTX, potentially dragging our entire industry into a new bear market;
Second, whether Bybit can reimburse the stolen funds—if it fails to do so, it may go bankrupt, which could similarly drag the industry into a bear market.
So what is Bybit's current financial standing?
Bybit is the world's second-largest cryptocurrency exchange, with a daily trading volume reaching $36 billion and over 60 million users. Given its scale, its profitability is undoubtedly strong.
Industry estimates suggest that top-tier exchanges like Bybit earn primarily from trading fees, leveraged trading interest, and revenue sharing from financial products, with annual net profits fluctuating between $1.5 billion and $5 billion.
Now consider Bybit's asset size: prior to the hack, its total reserve assets reportedly exceeded $16 billion.
In comparison, the $1.5 billion shortfall represents less than 10% of total assets—not a fatal blow.
Moreover, Bybit CEO Ben Zhou has publicly stated that customer assets are fully backed 1:1, meaning user funds are protected, and the funding gap caused by the hack mainly comes from the company’s own profits and reserves.
In summary, there are three possible scenarios:
Best case: Withdrawals stabilize, Bybit covers the deficit via loans and internal assets, recovers within six months. Market confidence rebounds, and the bull market continues.
Middle case: Withdrawals persist but remain manageable; Bybit tightens spending, allocates profits to repay the debt over several years. The industry sees minor impact—ETH and altcoins correct—but no full bear market.
Worst case: Withdrawals spiral out of control, Bybit collapses into bankruptcy. The $1.5 billion gap triggers a crisis of confidence, chilling the entire industry and bringing forward a bear market.
4. What does this mean for ordinary users?
Many say: "Beginners shouldn't manage their own private keys—it's unsafe. It's safer to keep funds on exchanges."
Yet continuous exchange hacks strongly refute this argument.
Don't blindly trust exchange technology or security—the hidden risks of exchanges are actually enormous.
Why are exchanges riskier?
The biggest risk of centralized platforms is that all user assets are pooled together, making them a prime, concentrated target for attacks.
No system is absolutely secure. Any system can be breached, but attacks come at a cost—so it depends on how big the payoff is.
When the potential reward is large enough, attackers will invest more resources and escalate their methods.
Exchanges are clear high-value targets. Their wallet addresses are mostly public, and fund flows are transparent. With sufficient investment, they will eventually be breached.
The only thing we can truly rely on is technology—not "people" or "platforms."
Therefore, we must emphasize: ordinary users should use decentralized wallets, hold their own private keys, or even better, adopt keyless wallets.
The Web3 world is a dark forest—we are both hunters and prey. Every step must be cautious, only then can we survive longer and go further.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














