# Essential Security Tactics to Implement After the Bybit Hack *Below, we outline key strategies, drawing from expert recommendations shared in the wake of the event.* By [Officer's Blog](https://paragraph.com/@officercia) · 2025-12-22 security, hacking, multisig, bybit --- In February 2025, cryptocurrency exchange Bybit [experienced](https://www.bbc.com/news/articles/c2kgndwwd7lo) a devastating hack involving the compromise of their Gnosis Safe multisig wallet, leading to the theft of approximately $1.4 billion in assets. This incident, detailed in a transaction trace breakdown by security researcher Elliot0x (available [here](https://t.co/3tphPYZPjK)), underscores the vulnerabilities in even sophisticated setups like multisig wallets. The hack likely stemmed from signer compromises, highlighting the need for layered defenses, better transaction verification, and stricter operational security (OpSec) practices. For users managing crypto assets, especially on platforms like Bybit or similar exchanges, implementing proactive tactics is crucial to prevent similar losses. Below, we outline key strategies, drawing from expert recommendations shared in the wake of the event. **Strengthen Transaction Verification and Decoding** ==================================================== One of the primary lessons from the Bybit incident is the importance of independently verifying transactions before signing. Malicious calldata can be disguised, so tools that decode and hash transactions offline are essential. * Use transaction identicons for visual verification of tx data: [github.com/Wardens-OSS-Club/tx-identicons](http://github.com/Wardens-OSS-Club/tx-identicons) Employ safe transaction hash utilities to compute and compare hashes locally: * [github.com/pcaversaccio/safe-tx-hashes-util](http://github.com/pcaversaccio/safe-tx-hashes-util) * [github.com/Cyfrin/safe-tx-hashes](http://github.com/Cyfrin/safe-tx-hashes) (includes a comparison section with the above tool) * For a user-friendly interface to preview safe hashes: [www.safehashpreview.com](http://www.safehashpreview.com) * Decode calldata directly from Gnosis Safe by pasting it into this [tool](https://t.co/EvKJDNl6cv) (which redirects to the ETH Calldata Decoder on [Swiss-Knife.xyz](http://Swiss-Knife.xyz)) * Additional utilities for safe transaction handling: [github.com/OpenZeppelin/safe-utils](http://github.com/OpenZeppelin/safe-utils) These tools help ensure you're not approving drained or malicious transactions, a tactic that could have mitigated the Bybit compromise. **Implement Whitelisting and Domain Restrictions** ================================================== To limit exposure to phishing or malicious sites, restrict interactions to trusted domains. * Set up a DeFi DNS whitelist to block unauthorized domains in your browser or wallet: [github.com/0xKoda/defi-dns-whitelist/tree/main](http://github.com/0xKoda/defi-dns-whitelist/tree/main) This prevents accidental approvals on fake sites mimicking legitimate platforms like Bybit. **Adopt Advanced Wallet Solutions** =================================== Shift away from single-signer hot wallets to more secure alternatives that distribute risk. * Implement MPC (Multi-Party Computation) wallets for keyless security * Use delegation tools to manage permissions without exposing keys: [delegate.xyz](http://delegate.xyz) * Opt for air-gapped wallets for offline signing: [airgap.it](http://airgap.it) * Acquire hardware security modules for cold storage: [gridplus](https://x.com/@gridplus) or [KeystoneWallet](https://x.com/@KeystoneWallet) These options reduce the attack surface by avoiding online key exposure, a potential vector in the Bybit hack. **Enhance Multisig Defenses with Modules and Timelocks** ======================================================== First things first, let's break down what Gnosis Safe is... Safe operates as a smart contract deployed on the blockchain, rather than a traditional externally owned account (EOA). Users set up the wallet with an "M-of-N" (or X-of-Y) configuration, where "M" is the minimum number of approvals needed out of "N" total signers. For example, a 2-of-3 setup means at least two out of three signers must approve a transaction for it to proceed. **The process typically involves:** 1. _Deployment: The Safe contract is created on-chain, with owners (signers) and a threshold defined._ 2. _Transaction Proposal: One signer proposes a transaction (e.g., transferring funds or interacting with a dApp)._ 3. _Approvals: Other signers review and sign off on the proposal using their private keys._ 4. _Execution: Once the threshold is met, the transaction is executed by the smart contract itself._ 5. _Extensibility: Through modules and integrations, users can add custom logic, such as automated actions or connections to other protocols._ For users relying on multisig setups like Gnosis Safe, add layers of protection to delay or veto suspicious actions. * Apply defense-in-depth strategies to multisig schemes: [bentobox19.github.io/posts/defense-in-depth-applied-to-multisig-schemes.html](http://bentobox19.github.io/posts/defense-in-depth-applied-to-multisig-schemes.html) * Integrate a delay modifier module that allows time-locked executions with veto options: [github.com/gnosisguild/zodiac-modifier-delay](http://github.com/gnosisguild/zodiac-modifier-delay) * For Solana-based multisigs, follow security best practices: [osec.io/blog/2025-02-22-multisig-security/](http://osec.io/blog/2025-02-22-multisig-security/) * Explore secure key management in Web3: [olympixai.medium.com/secure-wallet-key-management-in-web3-268c143820ca](http://olympixai.medium.com/secure-wallet-key-management-in-web3-268c143820ca) Additionally, consider diagrams like the FailSafe Attestation Service for native ETH protection (illustrated [here](https://t.co/vcRBw32141)), which outlines quorum-based signing and asset guards using services like AWS Nitro Enclaves. **Bolster General OpSec Practices** =================================== Operational security extends beyond wallets to your entire digital environment. Follow comprehensive OpSec guides: * Trail of Bits' MVP guide: [docs.google.com/document/d/1-\_0Wlwch\_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit](http://docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit) * Officer's Crypto OpSec Self-Guard Roadmap: [github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap](http://github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap) * Install bandwidth monitors to detect unusual network activity: Options include Endian, LuLu, or Little Snitch. * Sanitize PDFs and potentially malicious files before opening: [dangerzone.rocks](http://dangerzone.rocks) These habits help identify and block threats like malware or phishing, which may have played a role in compromising Bybit's signers. **Run Local Instances for Critical Interfaces** =============================================== Avoid relying on hosted UIs that could be hijacked or serve malicious code. * Use a local Safe interface to interact with your multisig wallet securely: [justfuckinguselocalsafe.eth.limo](http://justfuckinguselocalsafe.eth.limo) \- made by [PatrickAlphaC](https://x.com/@PatrickAlphaC) This tactic ensures you're not vulnerable to frontend attacks on platforms like [app.safe.global](http://app.safe.global). **Conclusion** ============== The Bybit hack serves as a stark reminder that no system is infallible, but layering these tactics can significantly reduce risks. Start by auditing your current setup, migrating to MPC or air-gapped solutions, and always verify transactions independently. By implementing these tools and practices, users can better safeguard their assets in an increasingly hostile crypto landscape. Stay vigilant, and consider consulting security experts for personalized advice. **If you want to support my work, please, consider donating me:** * _0x1191b7d163bde5f51d4d2c1ac969d514fb4f4c62_ or _officercia.eth_ — all supported EVM chains; * _17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU_ or _bc1q75zgp5jurtm96nltt9c9kzjnrt33uylr8uvdds_ — Bitcoin; * _BLyXANAw7ciS2Abd8SsN1Rc8J4QZZiJdBzkoyqEuvPAB_ — Solana; * _0zk1qydq9pg9m5x9qpa7ecp3gjauczjcg52t9z0zk7hsegq8yzq5f35q3rv7j6fe3z53l7za0lc7yx9nr08pj83q0gjv4kkpkfzsdwx4gunl0pmr3q8dj82eudk5d5v_ — Railgun; * _TYWJoRenGB9JFD2QsdPSdrJtaT6CDoFQBN_ — TRX; * _4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds_ — XMR; * _DQhux6WzyWb9MWWNTXKbHKAxBnAwDWa3iD_ — Doge; * _UQBIqIVSYt8jBS86ONHwTfXCLpeaAjgseT8t\_hgOFg7u4umx_ — TON. If you enjoy my content and want to help keep it ad-free, please consider supporting my work through donations. Your contributions will allow me to dedicate more time to crafting in-depth articles and sharing even more valuable insights. **Thank you!** -------------- --- *Originally published on [Officer's Blog](https://paragraph.com/@officercia/essential-security-tactics-to-implement-after-the-bybit-hack)*