Bybit’s Hack: A Call for Enhanced Security

This is a segment from the Empire newsletter. To read full editions, subscribe.

Bybit’s hack on Friday morning has ignited discussions among security experts regarding the exchange’s response. Bybit CEO Ben Zhou noted that they have successfully closed the ETH gap and promised an audit report soon.

I spoke this weekend with Ledger’s CTO, Charles Guillemet, who remarked that this year is “the worst year for cybercrime in history.” Ledger experienced a hack two years ago due to a former employee’s phishing, resulting in the theft of roughly $600,000—significantly less than the $1.4 billion lost in the Bybit hack. Following that incident, Ledger removed the blind signing feature last June. Ledger’s CEO, Pascal Gauthier, offered support to Bybit in light of the attack.

Guillemet emphasized that this incident underscores the necessity for the industry to move beyond trust-based security models as attackers adapt. He stated, “We can’t keep signing blind cheques and expecting it to be ok. The key evolution we’re seeing is the shift toward enterprise-grade security solutions that combine Clear Signing with robust governance frameworks.”

He pointed to increasing sophistication among attackers, particularly the Lazarus Group, linked to the Bybit attack. Guillemet expressed concerns that this may not be the end of their targeting of Bybit, suggesting that “Lazarus compromised several of Bybit’s endpoints,” indicating that their systems may have been infiltrated.

He added that pausing certain central functions of the exchange could have been prudent while forensic investigations were conducted.

When discussing lessons from the attack, he remarked, “When the stakes are high, attackers raise the bar for their attacks. They won’t stop here.” He reiterated the call for improved security measures: “Stop signing blank cheques — instead, use enterprise-grade security and custody solutions built for managing significant amounts of value.” He concluded, “Institutional-grade security isn’t optional – it’s fundamental.”