The Bybit Hack: Why Crypto Security Must Evolve and How Xapo Bank Stays Ahead

February 28, 2025

Written by Andrew Mannoukas

Mt Gox. Coincheck. Bitfinex. Binance. The history of cryptocurrency exchanges is littered with headline-grabbing hacks and thefts. Every day, we entrust our money and digital assets to online platforms on the assumption that they are safe. But are they? The $1.4 billion Bybit hack — perhaps the largest single theft of any kind, ever — highlights just how critical security is.

How did it happen?

We are all subject to the risk that, at some point, we blithely agree to terms and conditions we haven’t consciously read, or dismiss a computer warning without a second thought. The contents may be complex, time is short, and eventually we assume everything is fine. Usually, it is.

The Bybit hack was not typical. It wasn’t a brute-force attack but a deception that exploited trust, human error, and UI manipulation. It was meticulously planned and precisely executed by a state-backed actor, North Korea’s Lazarus Group, the shadowy outfit behind the WannaCry ransomware attack on the NHS, the Sony Pictures hack that shook Hollywood, and the audacious theft of $101 million from Bangladesh’s central bank. As in those incidents, Lazarus Group didn’t rely on brute force. They studied their target, mapped its weaknesses, and exploited routine operational processes.

Multisig

Bybit secured each of its signers’ private keys in cold storage wallets, meaning that withdrawals required multiple employees to manually approve them. Moreover, cold wallets are not constantly connected to the internet, shielding them from potential malware. This setup is designed to prevent a single point of failure — one person cannot unilaterally transfer assets. However, the system assumes that the approval process itself is trustworthy. The hackers’ strategy wasn’t to bypass multisig, but to hijack it.

UI manipulation

The hackers had infected a Safe{Wallet} staff computer long before the attack began. Using malware or a supply-chain compromise, they altered a very specific file that changed the approval interface the Bybit team relied on to review transactions. On the surface, everything appeared routine — staff saw a transaction with the correct destination and amount. But beneath the interface lurked a hidden smart contract upgrade that their approval would deploy. This would rewrite the wallet’s fundamental rules, granting the attackers control over future transactions.

Blind approval

Staff members believed everything was normal. The interface showed a familiar transaction format, and the approval process followed standard procedure. But a crucial security step was overlooked. They didn’t manually verify each digit of the transaction on the Ledger hardware wallet against the data on their computer screens—a tedious but essential safeguard. Unknowingly, they “approved” the contract that changed how the wallet operated.

Redirection

Once the signatures were collected, the malicious code took over. Instead of sending funds to Bybit’s internal warm wallet, the assets were rerouted to the hackers’ address. 401,000 ETH—USD 1.4 billion on the day of the attack—was gone in minutes. By the time the deception was discovered, it was too late.

What makes this hack so significant is that the attackers didn’t steal any of Bybit’s passwords or break cryptography. They simply deceived the funds’ guardians. Bybit’s security was defeated by clever social engineering and interface trickery—not through a flaw in blockchain technology. It’s a powerful reminder that you can open even the strongest vault if you target the people with the keys.

Could Xapo Bank suffer a similar hack?

The short answer is: no.

On paper, Bybit’s security was strong, but it left crucial steps vulnerable to human error. The problem wasn’t the technology—it was the trust placed in manual approvals and human oversight. Xapo Bank takes no such chances.

Xapo Bank’s security model is fundamentally different. While Bybit relied on multisig wallets and solely on human approvals, Xapo Bank does not rely on individual discretion alone for such processes. Instead, we rely on cryptographic certainty, automated policy enforcement, and a zero-trust security culture designed to prevent deception.

Security isn’t just about technology and culture. It’s also about accountability. While Bybit operates as an exchange under a Virtual Asset Service Provider (VASP) registration, Xapo Bank is a fully licensed and regulated bank. That means we don’t just follow security best practices. We follow legal and regulatory requirements designed to protect customer funds.

What does all this mean in practice?

At Xapo Bank, security isn't just a feature—it’s fundamental to our operational architecture. Every transaction, every approval, and every system interaction is designed to remove human error. Here’s how.

MPC-CMP

Unlike Bybit’s multisig implementation, which required human approvals, Xapo Bank uses Multi-Party Computation (MPC-CMP). This system is fundamentally different because:

  • No single person or system ever holds the entire private key. Instead, the key is split into cryptographic “shards”, each held by separate, independent organisations.

  • To sign a transaction, multiple organisations must act simultaneously. Even if one organisation were compromised, an attacker would not have access to the others.

  • The key shards refresh every minute. Even if an attacker somehow accessed one part of the key, it would become invalid before they could collect the rest.

TAP rules

Transaction Authorisation Policy (TAP) rules constitute our answer to the risks of blind signing. These policies automatically enforce transaction limits, restrict counterparties, and prevent unauthorised contract upgrades or changes to wallet permissions. They work at the transaction level—not the user interface—so no matter what a human sees, the underlying detail must comply for it to be enacted. If a transfer doesn’t match pre-approved limits or whitelisted addresses, it’s automatically blocked and this cannot be overridden. Meanwhile, changing the TAP itself requires many multi-layered, offline approvals from separate devices.
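
A minimal sketch of the transaction-level enforcement described above, added here as an example and not Xapo Bank's TAP implementation. The field names (modelled on a Safe-style multisig transaction), the addresses, the limit and the rule set are all constructed assumptions; the point is that the decision reads only the raw transaction, never the summary a person was shown.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1          # operation codes as used by Safe-style multisig wallets
ETH = 10**18                       # wei per ETH

@dataclass(frozen=True)
class RawTx:                       # hypothetical model of what is actually signed
    to: str
    value_wei: int
    data: bytes
    operation: int

@dataclass(frozen=True)
class Policy:                      # hypothetical rule set, not Xapo Bank's TAP schema
    allowed_destinations: frozenset
    max_value_wei: int
    allowed_selectors: frozenset   # 4-byte function selectors permitted in calldata

def evaluate(tx: RawTx, policy: Policy) -> list:
    """Return the policy violations for a raw transaction; empty list means allow."""
    violations = []
    if tx.to.lower() not in policy.allowed_destinations:
        violations.append("destination not whitelisted")
    if tx.value_wei > policy.max_value_wei:
        violations.append("value exceeds limit")
    if tx.operation != CALL:
        # A delegatecall runs foreign code against the wallet's own storage,
        # which is how wallet logic or permissions can be rewritten.
        violations.append("operation is not a plain call")
    if tx.data and tx.data[:4] not in policy.allowed_selectors:
        violations.append("calldata selector not pre-approved")
    return violations

# Constructed sample values (not real addresses or calldata).
WARM_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "ee" * 20
POLICY = Policy(frozenset({WARM_WALLET}), 1_000 * ETH, frozenset())

routine = RawTx(WARM_WALLET, 10 * ETH, b"", CALL)
# What a tampered UI might label as the routine transfer above:
disguised = RawTx(UNKNOWN_CONTRACT, 0, bytes.fromhex("deadbeef") + bytes(32), DELEGATECALL)
oversized = RawTx(WARM_WALLET, 401_000 * ETH, b"", CALL)

if __name__ == "__main__":
    for name, tx in [("routine", routine), ("disguised", disguised), ("oversized", oversized)]:
        result = evaluate(tx, POLICY)
        print(name, "ALLOW" if not result else f"BLOCK: {result}")
```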

Zero trust

At Xapo Bank, we assume that any and every step in the system could be compromised. Our security is built on constant verification—even for internal transfers. Typically, systems authenticate users when they log in. Our zero trust model re-validates every action, continuously checking if the request is coming from the right device, location, and context. Here, trust isn’t a factor—only real-time security verification matters.

Banking regulations

Security isn’t just about preventing hacks. It’s about ensuring customer assets remain protected—no matter what happens. Many crypto platforms operate under a Virtual Asset Service Provider (VASP) registration, which focuses on basic compliance rather than full financial oversight.

Xapo Bank is a registered bank operating under internationally recognised banking standards such as Basel II capital requirements, PSD2 SCA, SOC 2 Type 2, PCI DSS and more. These guardrails ensure our operations are subject to continuous oversight and enforcement. To support our compliance, we undergo regular external audits by one of the Big Four accounting firms.

Finally, we do not lend, leverage, or risk customer deposits. Funds are always available and protected.

Xapo Bank: ahead of the curve

We can all fall for it. Assume the systems we use will protect us. Just click “I agree”. The Bybit hack proved that even the strongest-looking security can fail if it relies on human trust. Xapo Bank has moved beyond trust. We verify through cryptography.

No blind approvals

We don’t create situations where people can potentially be deceived. Instead, we insist on automated, policy-enforced certainty through MPC-CMP and TAP rules.

No hidden risks

We back every deposit in full to deliver full-reserve banking with independent auditing.

No assumptions

Even internal transactions are probed as diligently as external ones. We verify at every step.

We are built for the future of crypto security, where trust-based systems and self-custody risks are replaced with cryptographic certainty.

Xapo Bank, the only way to bank your bitcoin.

Disclaimer

This article is for general information purposes only and is not intended to constitute legal or other professional advice or a recommendation of any kind whatsoever and should not be relied upon or treated as a substitute for specific advice relevant to particular circumstances. We make no warranties, representations or undertakings about any of the content of this article (including, without limitation, as to the quality, accuracy, completeness or fitness for any particular purpose of such content), or any content of any other material referred to or accessed by hyperlinks through this article. We make no representations, warranties or guarantees, whether express or implied, that the content on our site is accurate, complete or up-to-date.
