How not to become the next victim of a crypto hack
Cold storage is not a security guarantee for cryptocurrencies
If a company stores assets in cold* wallets, that does not necessarily mean nothing can happen to them. This was demonstrated in the $1.4 billion hack of one of the largest exchanges, ByBit.
On February 21, attackers breached the cold wallet of the exchange and withdrew Ethereum (ETH) and LST tokens. The incident became one of the largest hacks in the crypto industry.
Before the ByBit breach, attackers primarily targeted hot** wallets of trading platforms. A well-known example is the $534 million theft in NEM tokens from the Japanese exchange Coincheck in 2018. The Coincheck breach was possible because the exchange stored a significant portion of its funds in hot wallets.
Similarly, the 2020 hack of another major exchange, KuCoin, which resulted in losses exceeding $280 million, was caused by compromised hot wallets. However, thanks to the quick response of the team, $204 million of the stolen assets were recovered.
Still, storing digital assets in cold wallets does not guarantee complete security due to the human factor. In many security incidents, users themselves turn out to be the weakest link.
In the ByBit case, employees themselves approved a transfer of funds to an unidentified, fraudulent wallet that raised no suspicion at the time. The attackers executed a combined attack using phishing, malware, and social engineering (SE) techniques to deceive ByBit staff.
* Cold wallets refer to hardware or offline wallets not connected to the internet, making them secure against online threats such as phishing, hacking, and malware. Cold wallets are typically hardware devices that store private keys in an isolated environment and sign transactions offline. Organizations use offline computers, disconnected from the internet, for secure wallet storage. Another option is storing encrypted keys on removable media like USB drives.
** Hot wallets refer to all software-based wallets that remain connected to the internet and are vulnerable to online attacks such as phishing and malware.
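The ByBit transfer went through because the destination looked legitimate to the people approving it. The check below is an added example (not ByBit's own code or process) of what a destination allowlist on treasury withdrawals looks like: any destination that was not verified out-of-band is held, a destination that merely resembles a verified one is called out explicitly, and an approved destination still needs two distinct approvers. The addresses, the allowlist format, the two-approver rule and the "resembles" heuristic are all assumptions chosen for illustration.

```python
"""Destination allowlist check for withdrawals from a treasury wallet.

Added example, not code from ByBit or any exchange. The addresses below are
constructed placeholders; the allowlist format, the approver rule and the
look-alike heuristic are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed allowlist: destinations verified out-of-band before being added.
# A production system would keep this in a signed, versioned, reviewed file.
ALLOWLIST = {
    "0xAAAA1111222233334444555566667777888899AA": "exchange-hot-wallet-1",
    "0xBBBB1111222233334444555566667777888899BB": "custodian-settlement",
}

MIN_APPROVERS = 2  # assumed policy: two independent approvals per cold-wallet withdrawal


@dataclass
class Withdrawal:
    destination: str
    amount_eth: float
    approvers: tuple  # names of staff who approved in the signing UI


def looks_like(addr: str, known: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if addr shares its first and last characters with a known address.

    People tend to compare only the ends of a long hex address, so an address
    that matches a trusted one at both ends raises no suspicion on a glance.
    """
    a, k = addr.lower(), known.lower()
    # "0x" plus `prefix` hex characters at the front, `suffix` characters at the end
    return a != k and a[:2 + prefix] == k[:2 + prefix] and a[-suffix:] == k[-suffix:]


def check_withdrawal(w: Withdrawal) -> tuple:
    """Return (decision, reasons); decision is 'allow', 'hold' or 'reject'."""
    dest = w.destination
    if not (dest.startswith("0x") and len(dest) == 42):
        return "reject", ["malformed destination address"]

    lower_allow = {k.lower(): v for k, v in ALLOWLIST.items()}
    if dest.lower() not in lower_allow:
        reasons = ["destination not on allowlist: verify out-of-band before adding"]
        near = [label for k, label in lower_allow.items() if looks_like(dest, k)]
        if near:
            reasons.append(f"address resembles allowlisted '{near[0]}' (possible spoof)")
        return "hold", reasons

    distinct = len(set(w.approvers))
    if distinct < MIN_APPROVERS:
        return "hold", [f"needs {MIN_APPROVERS} distinct approvers, got {distinct}"]

    return "allow", [f"destination '{lower_allow[dest.lower()]}' verified, approvals complete"]


if __name__ == "__main__":
    # Constructed sample: a spoofed address sharing both ends with a trusted one.
    sample = Withdrawal("0xAAAAdeadbeefdeadbeefdeadbeefdeadbeef99AA", 10.0, ("alice", "bob"))
    print(check_withdrawal(sample))
```

The important design choice is that the decision is "hold", not "allow with a warning": a destination that is not on the list never reaches the signer until someone has verified it through a channel the attacker does not control.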
Cryptocurrency security is a personal responsibility
According to analysts, over $3 billion was stolen due to hacks and scams in 2024, with approximately 29% of that — around $834 million — stolen through fraudulent activities.
This means users must primarily rely on protecting their digital assets themselves rather than trusting centralized platforms.
Experts recommend storing most of one's crypto in non-custodial (personal) wallets — either cold or hot. Crypto exchanges should be used only when necessary. An additional protection measure is diversifying assets across multiple platforms.
For long-term storage, when digital assets are not used for several months or even years, cold wallets protected from online attacks are the best option. Hot wallets are needed for quick access to assets — for example, from a laptop or smartphone.
These measures help prevent seed phrase leaks and reduce the risks of online attacks by malicious actors.
Internal threats are not an exception
Threats do not come only from external actors. Risks also arise from former exchange employees who once had access to systems, as well as from current insiders.
For example, in November 2022, amid the bankruptcy announcement of what was then one of the largest crypto exchanges, FTX, an unknown hacker stole $477 million in cryptocurrency. Security experts believe an employee of the exchange was behind the theft, but the individual has not yet been identified.
In similar incidents, such as the 2021 hack of BitMart, the leak of private keys was linked to internal violations of access protocols.
Another notable case: in 2018, employees of the Indian crypto exchange Coinsecure were suspected of stealing 438 bitcoins (then worth ~$3.5 million). The CEO claimed that only one technical director had access to the private keys; that person later disappeared.
To minimize such risks, companies implement privileged access management (PAM) systems, action logging, and regular internal audits. They also apply the "Zero Trust" principle, where every access request must be verified, regardless of the employee's role.
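As an added example of the controls just listed (not any exchange's code), the policy engine below evaluates each request to a sensitive resource on its own merits and writes every decision to an audit log. It shows why "regardless of role" matters: a deactivated admin account is denied on identity status, an active admin without a current, time-bound grant is denied on the grant check, and only a user with a live identity, a compliant device, a fresh MFA challenge and an unexpired grant gets through. The identities, grants, device list and the specific rules (15-minute MFA freshness, two-hour grants) are constructed assumptions.

```python
"""Per-request access decisions with an audit trail, in the Zero Trust spirit
described above. Added example; identities, grants, device records and the
policy thresholds are constructed assumptions, not any exchange's system."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed clock so the sample decisions are reproducible.
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed directory: employment status is checked, the role name is only logged.
IDENTITIES = {
    "alice": {"role": "admin", "active": True},
    "bob":   {"role": "key-custodian", "active": True},
    "carol": {"role": "admin", "active": False},  # former employee, account not yet purged
}

# Explicit, time-bound grants (PAM style): no standing access from a role alone.
GRANTS = [
    {"user": "bob",   "resource": "cold-wallet-signer", "expires": NOW + timedelta(hours=2)},
    {"user": "alice", "resource": "cold-wallet-signer", "expires": NOW - timedelta(days=1)},
]

COMPLIANT_DEVICES = {"ws-bob-01", "ws-alice-01"}
MFA_MAX_AGE = timedelta(minutes=15)  # assumed: re-authenticate for every privileged session

AUDIT_LOG: list = []  # every decision, allowed or not, lands here


@dataclass
class Request:
    user: str
    resource: str
    device: str
    mfa_age: timedelta  # time since the user's last MFA challenge


def has_valid_grant(user: str, resource: str, now: datetime) -> bool:
    """An explicit grant for this resource that has not expired yet."""
    return any(g["user"] == user and g["resource"] == resource and g["expires"] > now
               for g in GRANTS)


def decide(req: Request, now: datetime = NOW) -> str:
    """Evaluate one request. Returns 'allow' or a 'deny: ...' reason and logs it."""
    ident = IDENTITIES.get(req.user)
    if ident is None or not ident["active"]:
        decision = "deny: identity unknown or deactivated"
    elif req.device not in COMPLIANT_DEVICES:
        decision = "deny: device not compliant"
    elif req.mfa_age > MFA_MAX_AGE:
        decision = "deny: MFA too old, re-authenticate"
    elif not has_valid_grant(req.user, req.resource, now):
        decision = "deny: no valid grant for resource"
    else:
        decision = "allow"

    AUDIT_LOG.append({
        "time": now.isoformat(),
        "user": req.user,
        "role": ident["role"] if ident else None,
        "resource": req.resource,
        "device": req.device,
        "decision": decision,
    })
    return decision


if __name__ == "__main__":
    # Constructed sample requests against the cold-wallet signer.
    for r in (
        Request("carol", "cold-wallet-signer", "ws-alice-01", timedelta(minutes=1)),
        Request("alice", "cold-wallet-signer", "ws-alice-01", timedelta(minutes=1)),
        Request("bob",   "cold-wallet-signer", "ws-bob-01",   timedelta(minutes=1)),
    ):
        print(r.user, "->", decide(r))
```

Because the log records denials as well as allows, an auditor can see a former employee's account still being used to attempt access, which is exactly the kind of signal the internal audits mentioned above are meant to surface.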
