
On February 21, 2025, Web3 suffered a devastating hack. Bybit, a leading exchange, lost USD1.4 billion in Ethereum and staked Ethereum, sending shockwaves through the digital asset community. This unprecedented breach exposed a persistent truth: centralised exchanges (CEXs) are the Achilles’ heel of Web3 security.
The attack reportedly relied on sophisticated phishing, deceiving multisig wallet signers into approving fraudulent transactions through a spoofed user interface. While Bybit’s core infrastructure survived, trust in centralised security suffered yet another heavy blow.
Bybit’s loss highlights an alarming trend. In 2024 alone, Web3 suffered USD2.36 billion in losses across 760 security incidents, most of them targeting centralised platforms. Why? Centralised systems hinge on human trust, which makes them predictable, lucrative targets for cybercriminals. While Web3 preaches decentralisation, many of its most valuable assets still rely on Web2-era security models.
CEXs, with their centralised control over funds, are high-value targets. Unlike decentralised finance (DeFi) protocols, where users retain self-custody, CEXs depend on human trust, an inherently exploitable weakness. Bybit joins Binance and OKX on the list of victims, proving that centralised, Web2-era security models are inadequate for decentralised ambitions.
Web3 security urgently requires a shift from centralised vulnerability to decentralised resilience. Decentralised Physical Infrastructure Networks (DePIN) distribute trust and validation, eliminating the single points of failure exploited by attackers.
A post-quantum-powered decentralised proof of security (dPoSec) blockchain can replace traditional centralised control with a decentralised network of validator nodes. Each node continuously validates every other, forming a robust, real-time ‘security hive mind’ that swiftly detects and neutralises threats.
While no security system is infallible, a DePIN cybersecurity framework could have significantly reduced such risks. Here’s how it could have mitigated the Bybit incident:
A DePIN cybersecurity framework assigns quantum-resistant cryptographic identities to devices, making stolen credentials unusable from compromised machines. Its decentralised validator nodes automatically detect abnormal user behaviour or compromised devices and isolate threats immediately. Lazarus operatives would have faced instant detection and containment, blocking persistent system access.
Attackers tricked Bybit’s signers with fake transaction interfaces. The DePIN cybersecurity framework addresses this vulnerability through quantum-secure UI hashing, continuously verifying transaction interfaces against cryptographically secured, on-chain versions. Any alteration triggers an instant consensus failure, halting the malicious transaction. Moreover, its distributed code attestation ensures that only verified smart contracts execute, thwarting unauthorised transactions.
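The two checks described above, interface hashing and per-signer agreement on the transaction digest, reduced to a small signer-side demonstration. This is an added example and not Naoris Protocol's, Bybit's or any multisig wallet's code: a pinned constant stands in for the on-chain reference digest, a JSON dictionary stands in for the wallet's real transaction encoding, and the bundles, addresses and signer names are constructed for the demo. The point it shows is the detection logic: a front-end whose hash no longer matches the reference is rejected, and any signer whose displayed transaction differs from the raw payload breaks consensus so no approval goes through.

```python
"""
Added example (not code from Naoris Protocol, Bybit or the page): a
signer-side integrity check with two parts,
  (1) verify the signing interface against a pinned reference digest, and
  (2) have every signer independently decode the raw payload and agree
      on its canonical digest before an approval counts.
All bundles, addresses, payloads and signer names are constructed.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# (1) Interface integrity. The paragraph above describes the reference copy
# living on-chain; here a constant stands in for that reference (assumption).
def verify_interface(bundle: bytes, reference_digest: str) -> bool:
    return sha256_hex(bundle) == reference_digest


# (2) "What you see is what you sign". Only the fields that decide where
# funds go are hashed, in a canonical (sorted, compact) encoding, so every
# signer computes the same digest for the same transaction.
CANONICAL_FIELDS = ("to", "value", "data", "operation")


def canonical_digest(tx: dict) -> str:
    canon = {k: tx[k] for k in CANONICAL_FIELDS}
    encoded = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(encoded)


def signer_check(displayed: dict, raw_payload: bytes) -> bool:
    """True only if the transaction the UI showed equals the raw payload."""
    raw_tx = json.loads(raw_payload)
    return canonical_digest(displayed) == canonical_digest(raw_tx)


def approvals_reach_consensus(signer_views: dict, raw_payload: bytes) -> tuple:
    """Return (ok, dissenting_signers). A single signer whose displayed
    transaction disagrees with the raw payload is enough to fail consensus."""
    dissent = [name for name, view in signer_views.items()
               if not signer_check(view, raw_payload)]
    return (len(dissent) == 0, dissent)


# --- Constructed sample data --------------------------------------------
GENUINE_BUNDLE = b"<html><script>/* genuine signing UI, constructed */</script></html>"
REFERENCE_DIGEST = sha256_hex(GENUINE_BUNDLE)  # stands in for the on-chain copy
TAMPERED_BUNDLE = b"<html><script>/* injected script, constructed */</script></html>"

DISPLAYED_TX = {  # what a signer believes they are approving (constructed)
    "to": "0xCOLD_WALLET_PLACEHOLDER",
    "value": "1000000000000000000",
    "data": "0x",
    "operation": 0,
}
RAW_GENUINE = json.dumps(DISPLAYED_TX).encode()
# Same recipient and value on screen, but the payload carries different
# calldata and operation type; the displayed fields hide the change.
RAW_SPOOFED = json.dumps({**DISPLAYED_TX, "data": "0xdeadbeef", "operation": 1}).encode()


def demo() -> dict:
    """Run both checks over the constructed data and return the verdicts."""
    genuine_views = {"signer_a": DISPLAYED_TX, "signer_b": DISPLAYED_TX}
    # signer_b decodes the raw payload on an independent device and sees
    # the real fields; signer_a trusts the (spoofed) web interface.
    mixed_views = {"signer_a": DISPLAYED_TX, "signer_b": json.loads(RAW_SPOOFED)}
    return {
        "interface_genuine": verify_interface(GENUINE_BUNDLE, REFERENCE_DIGEST),
        "interface_tampered": verify_interface(TAMPERED_BUNDLE, REFERENCE_DIGEST),
        "consensus_genuine": approvals_reach_consensus(genuine_views, RAW_GENUINE),
        "consensus_spoofed": approvals_reach_consensus(mixed_views, RAW_SPOOFED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The design choice worth noting is that the signer's own decoding of the raw payload, not the web page, is the source of truth: the mismatch is caught even when the spoofed interface shows a recipient and value that look correct, because the canonical digest covers the calldata and operation type as well.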
Had Bybit adopted this type of security, the fraudulent transactions would have been detected and blocked in real time, protecting USD1.4 billion in user assets.
The Bybit breach underscores why centralised models are no longer viable for Web3’s decentralised vision.
“The ByBit hack highlights systemic flaws in centralized security,” said Naoris Protocol CEO David Carvalho. “Web3 must break free from Web2 vulnerabilities. Decentralised ecosystems demand decentralised security.”
Bybit’s transparent response and swift reassurance to users, pledging 1:1 asset backing and full solvency, are praiseworthy. Yet the reality remains stark: centralised security has failed repeatedly, and it must evolve now.
Web3 stands at a crossroads. To fulfil its decentralised promise, it must embrace trustless, resilient security models. The Bybit attack is more than a breach; it is an urgent call for Web3 to transition fully to DePIN-based cybersecurity solutions.