Crypto Losses From Security Breaches Exceed $1.5 Billion, Exposing Weaknesses in Bug Bounty Programs and Security Measures
Crypto losses due to security breaches have surpassed $1.5 billion, highlighting vulnerabilities in bug bounty programs and the need for stricter security measures, cybersecurity experts say. Blockchain security firm CertiK reported that February alone saw $1.53 billion in crypto stolen, with over $1.4 billion lost in a single hack on Bybit. Other incidents, including a $49 million exploit targeting Infini, contributed to an additional $126 million in losses.
Ethical hacker Marwan Hachem, chief operating officer at cybersecurity firm FearsOff, pointed to flaws in the bug bounty system as a key factor in these losses. He explained that Safe, the multisignature wallet provider for Bybit, did not consider certain types of bugs eligible for bounty rewards. Specifically, vulnerabilities in the front-end and back-end systems were marked as “out of scope,” meaning ethical hackers had no incentive to report them. However, these very weaknesses were exploited, leading to what has now become the biggest crypto hack in history.
Hachem emphasized that hackers often breach platforms by targeting assets deemed out of scope. While ethical hackers would not be rewarded for reporting these vulnerabilities, malicious actors exploited them to steal $1.5 billion from Bybit. He argued that exchanges must revise their bug bounty programs by offering larger rewards to attract top-tier white hat hackers. Currently, Bybit’s official bug bounty program offers a maximum of $4,000 on its website and up to $10,000 on HackerOne—amounts that pale in comparison to the potential rewards cybercriminals gain from exploiting security flaws.
Instead of reacting to breaches by offering 10% of stolen funds as a recovery incentive, Hachem said it would be far more effective to reward ethical hackers proactively with competitive payouts. “Motivating top ethical hackers to dedicate their time and attention to testing an exchange by offering higher rewards will greatly improve its security, will be a lot cheaper, and will safeguard its reputation,” he said.
In addition to improving bug bounty programs, CertiK stressed the importance of adopting stricter security measures to prevent similar incidents. A spokesperson for the firm recommended implementing air-gapped signing devices, non-persistent OS environments for transaction approvals, and enhanced authentication layers for high-value transactions. Red-team exercises and phishing simulations were also suggested as strategies to reduce social engineering risks.
CertiK’s investigation revealed that Bybit’s exploit was executed through a phishing attack that tricked multisignature signers into approving a malicious contract upgrade. The Infini hack, on the other hand, stemmed from an admin private key leak, which enabled unauthorized withdrawals. Both cases, according to CertiK, highlight the urgent need for stronger authentication, real-time transaction monitoring, and more resilient UI security to prevent manipulation and fraud in the crypto space.
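As an added illustration of the signer-side controls these recommendations imply (example code written for this page, not code from the article, CertiK, Safe or Bybit): a pre-signing policy review that compares the raw multisig proposal against what the UI displayed, refuses delegatecall-based contract upgrades without out-of-band verification, and steps up authentication for high-value transfers. The Safe operation codes are taken from the Safe contracts rather than the article, and the addresses, allowlist and threshold are constructed.

```python
from dataclasses import dataclass

# Safe's execTransaction operation codes (assumption: from the Safe contracts, not from the article).
CALL, DELEGATECALL = 0, 1

@dataclass
class Proposal:  # raw fields exactly as the wallet contract will execute them
    to: str
    value_wei: int
    data: bytes
    operation: int

@dataclass
class UiSummary:  # what the signing front end displayed to the signer
    to: str
    value_wei: int

def review_proposal(p, ui, allowed_targets, high_value_wei):
    """Return policy findings; an empty list means the proposal may be signed as displayed."""
    findings = []
    # 1. Raw fields are the only truth: any mismatch with the UI points to a tampered front end.
    if p.to.lower() != ui.to.lower() or p.value_wei != ui.value_wei:
        findings.append("BLOCK: raw transaction differs from what the UI displayed")
    # 2. A delegatecall runs foreign code in the wallet's own storage, which is how an
    #    'upgrade' can replace the wallet's logic; never sign one on the UI's word alone.
    if p.operation == DELEGATECALL:
        findings.append("BLOCK: delegatecall (contract upgrade path) needs out-of-band verification")
    # 3. Calls to contracts outside the allowlist are held for manual review.
    if p.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append("HOLD: target address not on the signer allowlist")
    # 4. High-value transfers get a step-up authentication layer.
    if p.value_wei >= high_value_wei:
        findings.append("STEP-UP: high-value transfer, confirm over an independent channel")
    return findings

# Constructed sample data: the cold wallet signers expect to pay and an unrelated contract.
COLD_WALLET = "0x2222222222222222222222222222222222222222"
OTHER_CONTRACT = "0x1111111111111111111111111111111111111111"
ALLOWLIST = {COLD_WALLET}
HIGH_VALUE = 1_000 * 10**18  # step-up threshold: 1,000 ETH in wei

def routine_transfer():
    p = Proposal(COLD_WALLET, 5 * 10**18, b"", CALL)
    return review_proposal(p, UiSummary(COLD_WALLET, 5 * 10**18), ALLOWLIST, HIGH_VALUE)

def disguised_upgrade():
    # The UI shows the same routine transfer, but the raw payload is a delegatecall to another contract.
    p = Proposal(OTHER_CONTRACT, 0, bytes.fromhex("deadbeef"), DELEGATECALL)
    return review_proposal(p, UiSummary(COLD_WALLET, 5 * 10**18), ALLOWLIST, HIGH_VALUE)
```

The check is only as good as the channel it reads the raw fields from: they should come from a hardware device or an independent node, not from the same front end that produced the summary.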