Following the Bybit exchange hack on February 21, 2025, the cryptocurrency industry is once again reminded of the concrete consequences when threat actors identify and exploit vulnerabilities in crypto platforms or their supply chains. The attack, which resulted in the theft of nearly $1.5 billion worth of ether (ETH), highlights the ongoing threat posed by sophisticated cybercriminals, including state-sponsored actors like those affiliated with the Democratic People’s Republic of Korea (DPRK).
Recent findings from our 2025 Crypto Crime Report reveal a concerning trend: North Korea-affiliated hackers were responsible for stealing approximately $660.5 million across 20 incidents in 2023. In 2024, that figure surged to $1.34 billion across 47 incidents — a 102.88% rise in value stolen. The Bybit hack alone accounted for more than what DPRK hackers stole throughout the entire previous year, underscoring the urgent need for enhanced security measures across the industry.
The good news is that a broad array of steps can be taken to prevent such attacks. Crypto users can leverage free resources to verify transactions and increase their security on- and off-chain. For example, openly available GitHub scripts can compute the EIP-712 domain hash, message hash, and Safe transaction hash of a proposed transaction locally, so that a signer can compare those values against what a Ledger hardware wallet displays before approving, instead of trusting the web interface that prepared the transaction.
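What such a script does can be shown in a single file. The following is an added example, not code from the original post or from any of the GitHub scripts it refers to: it implements Keccak-256 in pure Python so that it runs with no dependencies (hashlib.sha3_256 is not Keccak-256 and yields different digests), computes the EIP-712 domain separator, the SafeTx struct hash and the final Safe transaction hash the way the Safe contracts do, and compares them with the values a signer reads off the wallet screen. The Safe address, chain ID, transaction fields and the "displayed" values are constructed for the example; the type strings are those of Safe v1.3.0 and later (earlier versions use a domain without chainId), so check them against the version your Safe actually runs.

```python
"""Recompute the EIP-712 hashes of a Safe transaction and compare them with
what a hardware wallet shows. Added example: every address, the chain ID and
the transaction below are constructed, not real."""

_MASK64 = (1 << 64) - 1
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK64


def _keccak_f(a):
    """Keccak-f[1600] on a 5x5 array of 64-bit lanes a[x][y]."""
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]        # theta
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])   # rho + pi
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]                      # chi
        a[0][0] ^= rc                                                    # iota
    return a


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 as used by Ethereum. This is not hashlib.sha3_256:
    SHA-3 pads with 0x06 instead of 0x01, so its digests differ."""
    rate = 136
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            a[i % 5][i // 5] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


# Type strings of the Safe contracts v1.3.0 and later (assumption: the Safe
# being signed for runs such a version; older ones omit chainId from the domain).
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
ZERO_ADDRESS = "0x" + "00" * 20


def _u256(n: int) -> bytes:
    return int(n).to_bytes(32, "big")


def _addr(a: str) -> bytes:
    raw = bytes.fromhex(a.lower().removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError(f"not a 20-byte address: {a}")
    return raw.rjust(32, b"\x00")      # abi.encode left-pads an address to 32 bytes


def safe_hashes(chain_id, safe, to, value, data, operation, nonce,
                safe_tx_gas=0, base_gas=0, gas_price=0,
                gas_token=ZERO_ADDRESS, refund_receiver=ZERO_ADDRESS):
    """The three values a signer can compare with the wallet screen."""
    domain = keccak256(DOMAIN_TYPEHASH + _u256(chain_id) + _addr(safe))
    message = keccak256(SAFE_TX_TYPEHASH + _addr(to) + _u256(value) + keccak256(data)
                        + _u256(operation) + _u256(safe_tx_gas) + _u256(base_gas)
                        + _u256(gas_price) + _addr(gas_token) + _addr(refund_receiver)
                        + _u256(nonce))
    safe_tx = keccak256(b"\x19\x01" + domain + message)     # EIP-712 final hash
    return {"domain_hash": "0x" + domain.hex(),
            "message_hash": "0x" + message.hex(),
            "safe_tx_hash": "0x" + safe_tx.hex()}


def matches_device(computed: dict, displayed: dict) -> bool:
    """True only if every hash read off the device equals the local value.
    An empty reading proves nothing, so it counts as a mismatch."""
    if not displayed:
        return False
    norm = lambda h: h.lower().removeprefix("0x")
    return all(norm(computed[k]) == norm(v) for k, v in displayed.items())


if __name__ == "__main__":
    # Constructed: a 1 ETH transfer from a Safe on chain ID 1 at nonce 7 ...
    SAFE, COLD = "0x" + "11" * 20, "0x" + "22" * 20
    expected = safe_hashes(1, SAFE, COLD, 10**18, b"", 0, 7)
    # ... and what a tampered interface might hand the wallet instead:
    # same value, different target, operation 1 (delegatecall) instead of 0.
    shown = safe_hashes(1, SAFE, "0x" + "33" * 20, 10**18, b"", 1, 7)
    for k in expected:
        print(f"{k:13} local={expected[k]} device={shown[k]} "
              f"{'OK' if expected[k] == shown[k] else 'MISMATCH'}")
    print("safe to sign:", matches_device(expected, {"message_hash": shown["message_hash"]}))
```

The domain hash depends only on the chain and the Safe address, so it stays constant across transactions and a changed domain hash means the wallet is signing for a different contract or chain; the message hash changes whenever any SafeTx field changes, which is why the device's message hash is the value to check most carefully.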
In this blog, we’ll discuss key security measures exchanges can take to prevent large-scale hacks, best practices for securing digital assets, and how rapid response strategies can minimize damage in the event of an attack.
How the industry can strengthen its defenses
Based on our conversations with Chief Information Security Officers (CISOs) in the industry, the following are some of the top security measures we are seeing exchanges implement:
Web2 security
- Endpoint Detection and Response (EDR): Tools like SentinelOne and CrowdStrike help identify and contain threats on employee endpoints such as laptops and workstations, which are a common initial foothold for attackers.
- Segregating signing computers from the internet: Air-gapped machines should be dedicated solely to signing transactions, with transaction data moved to and from them over a controlled channel, to minimize exposure to external threats.
- Locking down hardware that connects to cold storage: Any device used to access cold wallets should be heavily secured and aggressively access-controlled to prevent unauthorized access.
- Securing API key storage with Hardware Security Modules (HSMs): Keeping private keys and API secrets inside an HSM means they are used for signing without ever being exported to a general-purpose host, which prevents unauthorized access and preserves cryptographic integrity.
Web3 security
- Strict signer communication protocols: A dedicated, out-of-band process for communication between signers ensures that every approval is contextualized (who initiated the transaction, why, and what it does) and verified before execution.
- Multi-party computation (MPC) wallets with a strong quorum: MPC wallets, such as those developed by Fireblocks and Fordefi, split key material across several parties and require a threshold of them to sign, reducing reliance on single points of failure in key management.
- Wallet-level policy controls: Some solutions enforce policy directly at the wallet, for example by capping individual transfers at a set limit such as $1 million.
- Cosigner/transaction validation: Chainalysis Hexagate, which uses machine learning to provide real-time web3 security solutions that detect and mitigate cyber threats, acts as an independent cosigner and transaction validator to analyze transactions before they are signed. This layer helps detect malicious transactions, flags anomalies, and automatically denies high-risk operations before they are executed.
- Real-time on-chain monitoring and response: Chainalysis Hexagate continuously tracks fund movements to ensure transactions comply with security policies. This includes verifying that funds are sent only to authorized addresses, detecting abnormal transaction sizes or patterns, and identifying potential compromises. In case of a security event, automated mitigation playbooks can be triggered, such as moving assets to cold storage, swapping tokens to reduce exposure, or unwinding risky positions. For instance, Chainalysis Hexagate used real-time monitoring to detect attackers stealing cmETH from Mantle and alerted Mantle so that the funds could be paused.
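A concrete form of the wallet-level policy controls and cosigner validation described above, as an added example that is not Hexagate's, Fireblocks' or Fordefi's code: a pre-signing evaluator that first works out where a transaction really sends funds (for an ERC-20 transfer the recipient is inside the calldata, while `to` is merely the token contract), then applies a recipient allowlist, per-asset per-transfer and daily limits, a ban on delegatecall, and deny-by-default for calldata it cannot decode. Addresses, limits, the `Tx` and `Policy` types and the sample transactions are constructed for illustration; the rules are generic and do not describe any vendor's policy engine.

```python
"""Pre-signing policy check of the kind a cosigner or wallet policy engine
runs. Added example, not vendor code; all addresses, limits and sample
transactions are constructed."""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1                    # Safe operation codes
ERC20_TRANSFER = bytes.fromhex("a9059cbb")   # selector of transfer(address,uint256)
NATIVE = "native"


@dataclass(frozen=True)
class Tx:
    to: str              # account or contract the wallet calls
    value: int           # native value in wei
    data: bytes          # calldata, empty for a plain transfer
    operation: int = CALL


@dataclass(frozen=True)
class Policy:
    allowed_recipients: frozenset   # lowercase addresses funds may be sent to
    per_transfer_limit: dict        # asset -> max base units per transfer; absent = not approved
    daily_limit: dict               # asset -> max base units per day
    allow_delegatecall: bool = False


def erc20_transfer_calldata(recipient: str, amount: int) -> bytes:
    raw = bytes.fromhex(recipient.lower().removeprefix("0x"))
    return ERC20_TRANSFER + raw.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_transfer(tx: Tx):
    """(recipient, amount, asset) for what the call really moves, or None.
    For an ERC-20 transfer the recipient is in the calldata; tx.to is only the token."""
    if not tx.data:
        return tx.to.lower(), tx.value, NATIVE
    if tx.data[:4] == ERC20_TRANSFER and len(tx.data) == 68:
        recipient = "0x" + tx.data[16:36].hex()      # low 20 bytes of the first word
        amount = int.from_bytes(tx.data[36:68], "big")
        return recipient, amount, tx.to.lower()
    return None


def evaluate(tx: Tx, policy: Policy, spent_today: dict):
    """Return (approved, reasons). Anything not positively recognised is denied."""
    reasons = []
    if tx.operation == DELEGATECALL and not policy.allow_delegatecall:
        reasons.append("delegatecall would run foreign code over the wallet's storage and funds")
    decoded = decode_transfer(tx)
    if decoded is None:
        reasons.append("calldata not recognised; cannot tell where funds would go")
        return False, reasons
    recipient, amount, asset = decoded
    if recipient not in policy.allowed_recipients:
        reasons.append(f"recipient {recipient} is not on the allowlist")
    limit = policy.per_transfer_limit.get(asset)
    if limit is None:
        reasons.append(f"asset {asset} is not approved for transfer")
    else:
        if amount > limit:
            reasons.append(f"amount {amount} exceeds per-transfer limit {limit}")
        if spent_today.get(asset, 0) + amount > policy.daily_limit.get(asset, 0):
            reasons.append(f"amount {amount} would exceed the daily limit for {asset}")
    return not reasons, reasons


# Constructed addresses: cold storage, a market maker, a token contract, a stranger.
COLD, MARKET_MAKER, TOKEN, UNKNOWN = ("0x" + d * 20 for d in ("11", "22", "33", "44"))
POLICY = Policy(
    allowed_recipients=frozenset({COLD, MARKET_MAKER}),
    per_transfer_limit={NATIVE: 500 * 10**18, TOKEN: 1_000_000 * 10**6},
    daily_limit={NATIVE: 2_000 * 10**18, TOKEN: 3_000_000 * 10**6},
)

if __name__ == "__main__":
    samples = {
        "eth to cold":      Tx(COLD, 10 * 10**18, b""),
        "eth to unknown":   Tx(UNKNOWN, 10 * 10**18, b""),
        "token to mm":      Tx(TOKEN, 0, erc20_transfer_calldata(MARKET_MAKER, 250_000 * 10**6)),
        "token to unknown": Tx(TOKEN, 0, erc20_transfer_calldata(UNKNOWN, 250_000 * 10**6)),
        "delegatecall":     Tx(COLD, 0, b"", DELEGATECALL),
        "opaque calldata":  Tx(TOKEN, 0, bytes.fromhex("deadbeef") + b"\x00" * 64),
    }
    for name, tx in samples.items():
        ok, why = evaluate(tx, POLICY, spent_today={TOKEN: 2_700_000 * 10**6})
        print(f"{name:17} {'APPROVE' if ok else 'DENY'}  {'; '.join(why)}")
```

The "token to unknown" case is the one a naive allowlist on `to` gets wrong: the call targets an approved token contract, but the funds leave to an address that is not on the list. A real deployment would also add decoders for the other calls the treasury legitimately makes (approvals, bridge deposits, DEX swaps) rather than relaxing the deny-by-default branch.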
Why real-world security matters just as much
Off-chain vulnerabilities can be just as costly as on-chain threats. For instance, some security breaches have been linked to North Korean IT workers infiltrating crypto and web3 companies by using false identities and third-party hiring intermediaries. A recent U.S. Department of Justice (DOJ) case indicted 14 DPRK nationals who exploited remote work opportunities to steal proprietary information and extort employers, generating more than $88 million. To combat such threats, organizations should follow guidance from the FBI, CISA, and other authorities, including conducting thorough background checks, monitoring network activity for anomalies, and training employees on social engineering tactics.
If you’re interested in how to best prevent and respond to hacks, schedule a time to speak with Chainalysis Hexagate here.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.