Cobo at Cyberport 2025: Breaking Down the Bybit Breach and Wallet Security Lessons
April 13, 2025
At this year’s Cyberport Blockchain Security Summit, one of the most anticipated conversations unfolded on the CyberArena stage: a candid, technically detailed fireside chat dissecting the recent $1.5 billion Bybit security breach.
Moderated by Cobo’s Head of Sales & Solutions, Lucas Yang, the panel brought together leading voices from Bybit and Sygnia—two of the firms at the heart of the response effort.
Representing Bybit were Jonathan Cheong, Head of Legal & Compliance, and Alan Xin, Head of Blockchain Risk Control. From Sygnia, Yoav Mazor, Head of Incident Response for APJ, offered a cybersecurity firm’s perspective on incident handling.
This was not just a postmortem. It was a clear-eyed look at systemic vulnerabilities, decision-making under pressure, and what needs to happen next—across the entire industry.
A Sophisticated, Multi-Stage Attack
Alan Xin opened the session by walking through the timeline of the breach—a carefully orchestrated, multi-phase operation.
According to Alan, the attackers began by compromising a developer’s workstation, likely via social engineering. This gave them access to a linked AWS S3 bucket, which was used to inject a malicious JavaScript file. That file ultimately enabled the attacker to tamper with a regular transaction flow, triggering a malicious smart contract upgrade embedded with a backdoor.
“This wasn’t a smash-and-grab,” Alan emphasized. “It was calculated, and it took advantage of both infrastructure weaknesses and operational trust.”
Once the backdoor was in place, the attacker gained the ability to siphon funds out of the wallet contract. The Bybit team responded quickly, tracing funds as they moved across ETH, BTC, and other chains—eventually freezing $52 million with help from partners and launching a dedicated response site: laurasbounty.com.
Security Controls Bypassed at Every Stage
Yoav Mazor of Sygnia provided a sobering look at how each phase of the attack bypassed existing controls.
“You have a Mac malware targeting a developer, advanced AWS exploitation, and precise contract upgrades,” he explained. “Each step had standard protections in place—and yet the attacker bypassed them.”
He emphasized that while controls existed, no single layer was sufficient. “The level of sophistication shows that we’re up against threat actors with deep resources and long-term planning capabilities.”

Lessons in Architecture and Accountability
From a legal and compliance perspective, Jonathan stressed the need for faster detection and industry-wide readiness to act. One of his key takeaways: security teams should actively crawl the chain for suspicious contract upgrades, particularly ones linked to known or whitelisted wallet addresses.
“If we had real-time visibility on contract deployment activity linked to our own addresses, that might’ve raised a red flag earlier,” he said.
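The monitoring described above, as an added example that is not Bybit's, Sygnia's or Cobo's code: it compares successive reads of each watched wallet's implementation pointer against an owner-approved set and alerts on any change. It assumes the pointer is polled from a storage slot (for instance with the `eth_getStorageAt` JSON-RPC call, where the slot depends on the wallet's proxy design); every name, address and block number is hypothetical or constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    block: int
    wallet: str     # watched wallet/proxy contract address
    slot_word: str  # 32-byte hex word read from its implementation slot

def word_to_address(slot_word: str) -> str:
    """An address occupies the low 20 bytes of a 32-byte storage word."""
    raw = slot_word.lower().removeprefix("0x").rjust(64, "0")
    if len(raw) != 64:
        raise ValueError(f"not a 32-byte word: {slot_word!r}")
    int(raw, 16)  # raises ValueError on non-hex input
    return "0x" + raw[-40:]

def detect_upgrades(observations, approved):
    """Alert on each implementation change; 'critical' when the new target
    is not in the owner's approved set for that wallet."""
    approved = {w.lower(): {i.lower() for i in s} for w, s in approved.items()}
    last_seen, alerts = {}, []
    for obs in sorted(observations, key=lambda o: o.block):
        wallet, impl = obs.wallet.lower(), word_to_address(obs.slot_word)
        previous, last_seen[wallet] = last_seen.get(wallet), impl
        if impl == previous:
            continue
        is_approved = impl in approved.get(wallet, set())
        if previous is None and is_approved:
            continue  # first sighting of an approved target: baseline only
        alerts.append({"block": obs.block, "wallet": wallet, "old": previous,
                       "new": impl, "severity": "info" if is_approved else "critical"})
    return alerts

# Constructed sample data: addresses and block numbers are placeholders.
WALLET_A, WALLET_B = "0x" + "aa" * 20, "0x" + "BB" * 20
IMPL_V1, IMPL_V2, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "de" * 20
APPROVED = {WALLET_A: {IMPL_V1, IMPL_V2}, WALLET_B: {IMPL_V1}}

def pad(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")

SAMPLE = [
    Observation(100, WALLET_A, pad(IMPL_V1)),
    Observation(100, WALLET_B, pad(IMPL_V1)),
    Observation(101, WALLET_A, pad(IMPL_V1)),
    Observation(102, WALLET_A, pad(IMPL_V2)),   # planned, approved upgrade
    Observation(103, WALLET_A, pad(UNKNOWN)),   # target nobody signed off
]

if __name__ == "__main__":
    for alert in detect_upgrades(SAMPLE, APPROVED):
        print(alert)
```

Approved upgrades still surface as `info` so that a change nobody scheduled is visible even when the target is on the list.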
Post-breach, Bybit's legal team focused heavily on rapid cooperation—with exchanges, partners, and law enforcement alike. Jonathan shared that in high-stakes situations, informal cooperation often outpaces legal frameworks.
“Law enforcement is important—but slow. As an industry, we often detect threats before regulators do. We need fast, consensus-driven responses to be the norm.”
Alan echoed this urgency, calling out the dangers of relying too heavily on any one third party.
“No single vendor—no matter how respected—can be your entire line of defense. The architecture has to be led by us, the asset owners. We need to own security design from top to bottom.”
Wallet Infrastructure: What's the Right Approach?
With wallet design in the spotlight, the panel tackled the ongoing debate: should organizations build in-house or rely on third-party wallet providers?
Alan argued that it’s not about choosing one over the other. “It’s not MPC vs. hardware wallets vs. Safe. It’s about end-to-end architecture. Every component should be part of a larger, auditable system with consistency checks and fallback mechanisms.”
Yoav added that in many cases, wallet providers do play a valuable role in limiting damage. He cited cases where transaction throttling or withdrawal rules—applied at the API or contract level—reduced losses significantly.
“This case was unique in that the wallet provider was part of the exploited infrastructure. But in many other breaches, strong wallet logic has stopped attackers cold.”
For the Industry—And the Builders
The final section of the panel turned to forward-looking advice, especially for smaller teams without large in-house security departments.
Jonathan called on infrastructure providers to integrate risk-aware features directly into wallet contracts—like segregated witness nodes, whitelisting mechanisms, and KYT screening on-chain.
“Eventually, it’s not just about building smarter tools—it’s about programming in good behavior. We need smart contracts that enforce compliance and collaboration, not just custody.”
Alan and Yoav closed with a call for stronger industry alliances and standards—especially when it comes to freezing illicit funds and sharing intelligence. “It’s often the smallest choice—whether to act or not—that defines how recoverable a breach is,” Alan said.
Final Thoughts
This session made one thing clear: the future of crypto security doesn’t lie in any one company, protocol, or tool. It lies in collective resilience. That means deeper collaboration, smarter architecture, and an industry that’s willing to move fast and learn continuously—not just from headline breaches, but from every single incident.
What unfolded on stage was more than a breach debrief—it was a moment of cross-industry transparency and alignment. It’s a reminder that collaboration shouldn’t just be reactive, but built into how we design and defend infrastructure.
