Importance of Continuous Security: Lessons from the Bybit Case
On February 21, 2025, the North Korean threat group TraderTraitor carried out the largest crypto theft on record, stealing roughly $1.46 billion from Bybit, one of the world's largest crypto exchanges.
Numerous articles have since been published about the Bybit incident, but most only restate the known facts and recommend fairly obvious countermeasures. This is likely because they focus narrowly on the wallet exploit itself, and because details such as security audit reports remain scarce.
We need to step back from that narrow view and look at the incident from a broader perspective: an incident of this shape could happen to any exchange or project.
In this article, we briefly look at the circumstances of the Bybit incident and discuss what countermeasures could have been implemented. Then, we discuss the limitations of current solutions and how Xint resolves them.
Bybit Incident Overview
On February 21, 2025, TraderTraitor completed a targeted attack on Safe{Wallet}, a widely used multisig solution that Bybit used to manage its cold wallet. The intrusion began with a social engineering campaign that compromised a Safe{Wallet} developer's device. From there, the attackers:
Gained access to AWS infrastructure: Using the developer's access, they reached the Amazon S3 bucket from which the Safe{Wallet} web UI was served.
Manipulated the UI: By injecting malicious JavaScript into the Safe{Wallet} interface, they tricked Bybit's legitimate signers into approving a transaction that did not match what the interface displayed.
Executed the heist: Approximately 400,000 ETH, valued at about $1.46 billion, was transferred to attacker-controlled addresses in a single, irreversible transaction.
The incident was not a failure of blockchain technology or smart contract design but an exploitation of the Web2 side. Safe{Wallet} had multisig signing, access controls, and monitoring in place, yet these measures could not stop a targeted attack that sidestepped the Web3-specific defenses: the signers' keys were never stolen, they were simply used to sign the wrong transaction. This case highlights a broader issue: Web3 projects often overlook the foundational Web2 systems that underpin their operations.
How Can We Prevent, Rather Than Just Being "Careful"?
Safe{Wallet}, whose infrastructure was compromised in the Bybit incident, stated that the following security measures were in place:
Limiting privileged access to the infrastructure, including S3, only to the strictly necessary amount of developers, maintaining a clear separation of access between development source code and infrastructure management
Requiring multiple peer reviews before introducing changes to production
Having monitoring systems in place to detect external threats
Conducting continuous security audits with independent third parties
Using third-party service providers to detect malicious transactions
However, the real problem is that despite these multi-layered security measures, a developer's device was compromised through social engineering, the UI code stored in an AWS S3 bucket was modified, and the result was the theft of $1.46 billion from Bybit. This demonstrates the need for active prevention strategies beyond simply being "careful."
In cases like Bybit, where the attacker operates with a legitimate developer's access rather than breaking in from outside, access controls alone cannot distinguish the attacker from the developer; detecting the intrusion requires a mature security team and monitoring systems. Part of the responsibility for the Bybit loss therefore lies in the failure of the monitoring on Safe{Wallet}'s compromised infrastructure to flag what happened.
Extending this to typical Web3 applications raises a further issue. The Web2 components of a Web3 project sometimes operate independently, but the components that interact with the Web3 environment also introduce vulnerabilities not commonly found in traditional Web2 applications. Auditing the Web2 components of a Web3 project therefore demands a deep understanding of both environments.
To address these issues, there are two approaches:
Forming security teams or hiring security audit companies with an understanding of both Web2 and Web3
Using monitoring systems or automated security audit tools created by such experts
Realistically, the first approach is very costly and difficult to implement for anything but large-scale projects such as exchanges. A practical alternative is to make active use of monitoring systems or automated security audit tools built by experts with the necessary background. Looking at the Bybit incident alone, if Safe{Wallet} had detected the unauthorized access to its AWS S3 bucket, or the change to the deployed UI code, in real time, the damage could have been reduced. The decisive failure appears to have been that internal monitoring did not detect the intrusion; the actionable signal was production UI code changing outside the normal release process.
In this context, solutions that provide real-time monitoring and proactive vulnerability assessment can be highly effective. For example, tools designed for Application Security Posture Management (ASPM) offer unified management of IT assets across cloud and on-premise environments, giving continuous visibility and enabling rapid response to risks such as unauthorized access or misconfigurations. Such tools could have helped Safe{Wallet} identify and mitigate the risks associated with the S3 bucket manipulation and UI code changes that were central to the Bybit incident. By integrating with cloud providers like AWS and raising real-time alerts, these solutions help ensure that a breach is detected early, reducing the likelihood of large-scale financial loss.
Additionally, automated penetration testing tools, especially those leveraging AI and expert knowledge, can simulate attack vectors and identify vulnerabilities that traditional methods might miss. These tools conduct intelligent reconnaissance, mapping web assets and generating threat scenarios focused on critical targets, such as the hosted UI into which malicious JavaScript was injected in the Bybit case. By offering context-aware analysis and self-improving tests, they provide actionable insights into both Web2 and Web3 security risks, helping projects strengthen their security before an exploit occurs.
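The two detections the preceding paragraphs call for, written out as an added example (this is illustration code, not Safe{Wallet}, Bybit, or Xint code). The first check compares the files a bucket or CDN actually serves against a manifest of SHA-256 digests produced by the CI build, so a modified `main.js` is flagged even when the writer held valid credentials. The second check filters CloudTrail-style S3 data events down to writes on the UI bucket by any identity other than the deploy role, on the principle that a production UI bucket should only ever be written by the pipeline. The bucket name, the role ARNs, the file contents and the log records are all constructed for the example.

```python
"""Detect (1) served UI files that differ from the CI build and (2) writes to
the UI bucket that bypassed the deployment pipeline. Added illustration;
bucket, roles, files and events below are hypothetical."""
import hashlib
import json


# ---------- (1) integrity of the served UI against the release manifest ----------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(build_output: dict[str, bytes]) -> dict[str, str]:
    """Map each build artifact path to its SHA-256. CI would publish this
    out-of-band (signed, and stored somewhere other than the bucket it describes)."""
    return {path: sha256_hex(content) for path, content in build_output.items()}


def diff_against_manifest(manifest: dict[str, str], served: dict[str, bytes]) -> list[str]:
    """Compare what is actually served with what was built.
    Returns sorted findings 'MODIFIED <path>', 'UNEXPECTED <path>' or
    'MISSING <path>'; an empty list means the deployment is intact."""
    findings = []
    for path, content in served.items():
        expected = manifest.get(path)
        if expected is None:
            findings.append(f"UNEXPECTED {path}")   # a file CI never produced
        elif sha256_hex(content) != expected:
            findings.append(f"MODIFIED {path}")     # content differs from the build
    findings.extend(f"MISSING {path}" for path in manifest if path not in served)
    return sorted(findings)


# ---------- (2) writes to the UI bucket that did not come from the pipeline ----------

UI_BUCKET = "example-ui-bucket"  # hypothetical bucket name
# Only the CI deploy role may write production UI assets. A developer (or an
# attacker using a developer's compromised session) is deliberately not listed.
ALLOWED_WRITERS = {"arn:aws:sts::123456789012:assumed-role/ci-deploy/pipeline"}  # hypothetical
WRITE_EVENTS = {"PutObject", "DeleteObject", "CopyObject", "PutBucketPolicy", "PutBucketWebsite"}


def unauthorized_writes(records: list[dict]) -> list[dict]:
    """Filter CloudTrail-style S3 data events (eventName, userIdentity.arn,
    requestParameters.bucketName/key) to writes on UI_BUCKET by non-pipeline identities."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in WRITE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != UI_BUCKET:
            continue
        actor = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        if actor in ALLOWED_WRITERS:
            continue
        hits.append({"time": rec.get("eventTime"), "actor": actor,
                     "event": rec["eventName"], "key": params.get("key"),
                     "source_ip": rec.get("sourceIPAddress")})
    return hits


# ---------- constructed sample data (not real files, buckets or logs) ----------

BUILD_OUTPUT = {
    "index.html": b"<html><script src=main.js></script></html>",
    "main.js": b"export function sign(tx){return wallet.sign(tx)}",
}
# What the bucket serves: index.html untouched, main.js silently rewritten.
SERVED_FILES = {
    "index.html": BUILD_OUTPUT["index.html"],
    "main.js": b"export function sign(tx){tx.to=ATTACKER;return wallet.sign(tx)}",
}
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-01T10:00:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/pipeline"},
     "requestParameters": {"bucketName": UI_BUCKET, "key": "main.js"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-01-01T11:30:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/developer/alice"},
     "requestParameters": {"bucketName": UI_BUCKET, "key": "main.js"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-01-01T11:31:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/developer/alice"},
     "requestParameters": {"bucketName": UI_BUCKET, "key": "main.js"},
     "sourceIPAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    manifest = build_manifest(BUILD_OUTPUT)
    print(json.dumps({"integrity": diff_against_manifest(manifest, SERVED_FILES),
                      "unauthorized_writes": unauthorized_writes(SAMPLE_EVENTS)}, indent=2))
```

The two checks are complementary: the identity filter catches the pipeline being bypassed, while the manifest comparison catches a malicious change regardless of which credentials were used to make it, which matters when the attacker holds a legitimate developer's access. In practice the manifest comparison would run on a schedule against the public URL (what signers actually download), not against the bucket's API.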
Xint's Role in Preventing Security Breaches
Following the Bybit incident, it is clear that Web3 projects need a proactive and comprehensive security strategy that addresses both Web2 and Web3 vulnerabilities. Theori's Xint is built to meet this requirement by offering a cost-effective, automated solution that improves security without the need for a large in-house team. Developed from years of work by top-tier security professionals, Xint incorporates extensive knowledge of Web2 and Web3 attack vectors, making it well suited to safeguarding projects in this hybrid ecosystem.
Continuous Security with Dynamic, Automated Testing
In the Bybit case, the attackers injected malicious JavaScript into the Safe{Wallet} UI served to signers. If Safe{Wallet} had employed a scanning solution that continuously tracked every update to its deployed application, this modification might have been detected before it was used.
Achieving that level of coverage is difficult with traditional approaches, however. Manual penetration testing is effective but not continuous. Ideally it would follow every code update, but the cost of repeatedly engaging expert teams makes this impractical for most projects. As a result, many rely on monitoring solutions, which often require extensive tuning to match a product's business logic, involve complex initial setup, and are weaker than manual testing at detecting sophisticated, real-world vulnerabilities.
To resolve these issues, we developed Xint.
Xint is an AI-driven Dynamic Application Security Testing (DAST) tool, powered by a Large Language Model (LLM), that simulates real-world attack scenarios in a fully black-box setting. Drawing on decades of hacker experience, we trained our LLM to perform contextual analysis, build realistic threat scenarios, and execute targeted attack simulations the way a real adversary would. Xint autonomously crawls applications, navigates their workflows, and builds contextual threat scenarios from what it finds. This removes the cumbersome setup typical of existing monitoring tools and allows seamless integration into the development cycle.
In the Bybit incident, the failure to detect unauthorized access to the AWS S3 bucket and the subsequent manipulation of the UI code was a critical oversight. Xint addresses this gap by providing continuous, real-time threat detection for applications, surfacing suspicious changes such as unexpected code modifications or misconfigurations. By integrating directly with the application development process, Xint helps ensure that a potential breach is identified early, so that teams can respond before attackers can exploit the vulnerability.
Conclusion
The Bybit incident highlights that Web3 projects are not immune to the vulnerabilities of the Web2 infrastructure they rely on. As the Web3 ecosystem grows and integrates with traditional web systems, the attack surface expands, so projects must adopt a comprehensive security approach that addresses both Web2 and Web3 risks. Being merely "careful" is insufficient; proactive, automated, and continuous security measures are essential to prevent large-scale breaches like the one that cost Bybit $1.46 billion.
The lessons from Bybit emphasize the importance of real-time monitoring, automated vulnerability detection, and a deep understanding of how the Web2 and Web3 environments interact. AI-driven pentesting solutions like Xint offer a practical and cost-effective way for projects to strengthen their defenses: Xint provides continuous oversight of infrastructure, identifies client-side vulnerabilities, and simulates real-world attack scenarios, allowing even small teams to manage security risk comprehensively.
As the Web3 landscape evolves, the need for robust security will only grow. Projects that neglect either their Web2 or their Web3 vulnerabilities risk not just financial loss but the trust of their users and the broader community. By leveraging tools like Xint, Web3 projects can stay ahead of emerging threats and build on a foundation of security and resilience.
About Xint
Introducing Xint by Theori: an AI-driven Dynamic Application Security Testing (DAST) solution designed to proactively mitigate security threats with context-aware testing and instant validation.
Built on decades of experience from world-class security professionals, Xint uses an AI model trained to simulate real-world attack scenarios, offering a proactive and cost-effective alternative to traditional security measures. Xint operates in a fully black-box environment, autonomously crawling applications, analyzing workflows, and identifying vulnerabilities with contextual precision.
Supporting a "shift left" approach, Xint addresses security issues early in development, minimizing production risk. Integrated with the development process, Xint offers continuous visibility into today's threats and tomorrow's challenges.
From startups to Fortune 500 enterprises, Xint gives organizations a security strategy that combines the attacker's perspective with robust defense from every angle.
To learn more about Xint,