Life after Bybit

The industry took the Bybit breach in its stride, but it left a trail of questions. In an interview with FLMonthly, Irakli Dizenko, an expert in deploying crypto-security tools at HAPI, discusses whether DeFi should expect tighter rules, the state of hacks in general, and this case in particular.

ForkLog: The Bybit breach ranks among the largest incidents to date: a technically sophisticated attack and a critical sum siphoned. Many argue the industry has entered a new reality. How do you assess the fallout?

Irakli: The industry reacted calmly and moved on quickly. Of course there was a reaction—the amount is truly unprecedented. Perhaps only the Bitfinex hack was larger, and that was after bitcoin and ether had already rallied. Here, in the moment, this is one of the biggest breaches.

Even so, the market digested it almost instantly. There was a reaction for a few hours and then a general crypto sell-off. Frankly, it is not clear the two were directly connected. We actually expected a sharper, especially immediate, reaction.

The first question everyone asks is: who covers the losses? A hit around the billion-dollar mark is hard for any single company. Bybit says it has everything under control, which sounds odd at best. It raises the question: how much do they earn? That is not idle curiosity—it is simply hard to imagine a private firm swallowing such a loss at once because of its own mistake.

Yet, oddly enough, we have not seen user withdrawal issues—no real complaints, everything appears stable.

As for the breach itself, it was indeed complex. The service responsible for signing transactions was attacked. From open sources it appears social engineering was involved: either an employee or their laptop was compromised. The exact details are unknown, but the attackers clearly waited for the right moment to implant malware.

Attacks today are ever more intricate. It is no longer just about poking holes in smart contracts. From the 2000s to 2025, the industry has come a long way. The focus has shifted from audits to deploying crypto-security tooling and, more broadly, secure-development standards.

Paradoxically, the breach happened at the junction of those very safeguards. Precisely where you know you need extra protection is often where the break occurs.

It is a reminder that we remain vulnerable. The moment you delegate any part of a process, a loophole appears. Perhaps Bybit’s internal procedures were not tight enough: yes, they sign transactions and use keys, but maybe they do not always validate what they are signing. That is a problem.

And then there is the broader angle. According to available information, a North Korean hacking group was behind the attack. That raises a serious concern: if there are jurisdictions where hacking is not just tolerated but encouraged, then genuine safety is out of reach.

There are said to be entire floors of people hunting for system vulnerabilities around the clock. This is no longer hobbyists stumbling on a bug in a smart contract. It is a job. People form groups, act systematically and may be state-backed.

That, arguably, is the most worrying part—not technical bugs, but hacking as an organised industry.

ForkLog: The hacker who broke into Curve publicly said he would return the stolen funds, keeping 10% as a “reward”. At the time, many argued the era of big on-chain heists was ending: everything is traceable, funds cannot be hidden, laundering is more trouble than it is worth. The Bybit case appears to contradict that. How do you read it? How feasible are effective attacks today despite blockchain transparency?

Irakli: Yes, back then it looked as though on-chain heists were becoming too risky. Everything is transparent and tracked, and the odds of keeping the loot trend to zero. Bybit shows that is not quite true.

One sign of high attacker sophistication is how quickly they used DeFi tooling. Bridges were employed almost immediately; THORChain and, as far as I know, several other avenues were used.

The stolen funds were rapidly redistributed into other assets and, effectively, sifted. They were not left sitting on-chain in a form convenient for monitoring.

Tether is trying to block some of it, but most funds continue to circulate. The problem is that once those tokens start flowing through markets, swaps and wallets, tracing provenance and applying restrictions becomes near impossible. Centralised counterparties like CEXs can no longer just stop them.

Some, like Hyperliquid, even say they “can’t do anything”. That looks like shirking responsibility.

ForkLog: In your view, how could such cases be addressed at the blockchain and platform architecture level?

Irakli: Here is the key distinction. Centralised exchanges have an advantage: regardless of which account or chain funds arrive from, if there are signs they are compromised, the account is simply frozen. You cannot withdraw until the matter is resolved.

Say you receive ether and want to bridge it to Solana to “clean” it—CEXs can stop that.

In DeFi it is different. If assets are stolen or have a high-risk profile (say they are tied to fraud or gambling—in some jurisdictions that alone is grounds for a block), running them through a bridge is often enough to “wash” them.

Although providers have all the technical means to track cross-chain transactions, in practice they rarely do. Architecturally, blockchains are designed so that one chain does not trust another.

If a transaction is executed on Ethereum and sent to Solana via a bridge, it is invalid by default for Solana. You need external oracles or services to relay data across chains. Most chains are not keen on this—they focus on their own ecosystems, and not always effectively.

It is reminiscent of mobile operators in the 1990s in the ex-USSR. They would not block SIMs: if a phone was stolen, they just wanted a new subscriber. Blockchains behave similarly: if a user arrives with an asset—even laundered—so be it, that is one more user.

The idea of tracing and accountability is pushed onto end-protocols, which lack the tools. And they are not keen on filtering users—it caps growth.

Finally, if you look at the effectiveness of KYC/AML globally, the stats are bleak. All these procedures together flag roughly 0.05% of suspicious funds. Yet 100% of users bear the burden. Billions are spent for a meagre result.

ForkLog: You mean AML systems in traditional finance?

Irakli: Yes. The absence of AML in crypto certainly simplifies life for users. In our project, for instance, we built a protocol that lets a DEX check whether an address is flagged. The snag is gas cost—you must run an additional check on every transaction. In our sample, roughly one in ten thousand turns out suspicious.

It is like policing: mere presence lowers crime, even if it looks like nothing is happening. Likewise, the availability of a tool that can filter suspect transactions already has an effect. Many people assume security is a given. That is the subtle point.

ForkLog: In DeFi, platforms probably need their own safeguards—before regulators step in in earnest.

Irakli: Yes, that is sensible. Everyone is waiting for top-down regulation; perhaps we should think bottom-up instead.

This may sound utopian, but imagine DEXs on a given chain forming an ecosystem and agreeing on common rules. DeFi is decentralised and fragmented, yet nothing prevents a minimal set of principles—for fair competition. We would still vie for users, but within shared guardrails.

What is more, a year or two ago few believed DEXs would survive the crypto winter. Not only did they survive, they transformed and started pulling in traffic.

Right now, amid rapid growth, scaling trumps security. That is normal for this stage. But the fact remains: neither users nor protocols want to pay for security—until something serious happens.

ForkLog: The old dictum “not your keys—not your money” still holds. Yet as crypto goes mainstream, we seem to be entering a new phase where stock reminders are not enough. Platforms themselves may need to shoulder some responsibility. Is there an engineering answer? Are you working on one?

Irakli: Plenty of teams are building solutions. Our flagship is the HAPI protocol. It operates on-chain and maintains a database of addresses linked to the custody of stolen or fraud-associated assets.

Any developer can plug HAPI in and restrict such addresses from accessing their protocol or product. Ours is open and fully on-chain. Many others do it off-chain—simple lists of disallowed addresses.

But it is not just about tech; it is a mindset. More users want transparent, predictable rules.

Veteran crypto users still favour full responsibility: you hold your assets, you are accountable for them. The upside is that no one can freeze them.

Yet we run into a contradiction: we want complete freedom and complete safety. That is harder to reconcile, especially as adoption grows.

The irony is that most of us use Tether and implicitly accept that our tokens can be frozen at any time. Typically, these are sizeable wallets—the smallest I saw was $100,000. It was tied to a pool, so it likely formed part of a larger split.

We have not seen freezes on $100–200 deposits; likely we will not in the near term. Still, the fact remains: the technical capability exists and is used.

On regulation: Europe’s MiCA introduces payment thresholds. Above a set limit, you face a cumbersome verification process—documents, bureaucracy, the lot.

We are now watching centralised platforms re-enter the payments niche. They see MiCA as an opportunity: building software layers atop blockchains, clustering addresses and erecting trust zones. The logic is: within these addresses, assets can circulate under oversight.

Technically, it is debatable. But if rules demand it, it will likely be built. It is a step backwards, certainly. But it looks set to happen.

An alternative, and in our view more sound technically, is MPC wallets. These multi-party computation wallets add new layers of interaction: you can link, rotate, protect and transfer them. In effect, a simple wallet becomes a full-fledged exchange instrument.

This is promising because it is about concrete technology, not mandates.

For now, such wallets see limited use. Making them mainstream will take substantial work. Their advantages are clear, but most users simply do not need them.

In reality, users want something else: send $500 to Solana, buy a token and spin memes.

ForkLog: MPC wallets do not get much airtime. What are they and why do they matter?

Irakli: This was more hotly discussed about a year ago; it has since slipped into the background. The gist remains. An MPC wallet lets you, using the same seed phrase, create an internal structure of accounts.

You get extra authentication—email or phone, for instance. That enables recovery or more flexible custody.

You gain an internal space across your wallets with added capabilities. If you create an address on Solana, you are a new user there. Link that address to an existing Ethereum wallet, and to the ecosystem you become a user with history.

In effect, a crypto-account emerges—a nascent digital passport on-chain.

Services are already building on this idea, including us. The point is to cluster data—that is what we at HAPI do: identify users and group them into clusters—without breaching anonymity.

Everything remains private—crucially. We do not determine who owns an address; we analyse how wallets relate to each other. Not our exclusive know-how—this is fairly widespread practice.

ForkLog: You said you are “waiting for regulation”. Do you mean it is inevitable—or that it is actually needed?

Irakli: Both, really. As an industry, we left the realm of marginal experimentation long ago—it is a full-fledged sector that means something. And yes, rules are needed—but bottom-up, not top-down.

We would rather not be shoehorned into securities rules, as the SEC tried to do by corralling everything under the same framework as equities. That is not quite right. Cryptoassets are not derivatives; they are closer to money.

As for MiCA, it is good the discussion has started, but parts of the law seem excessive. You cannot cap blockchain transfers—it is technically impossible.

Remember, cryptocurrency is only one use of blockchain. At heart it is a public database; cryptoassets are a popular but derivative use of that base.

So, yes, regulation is needed. But not as edicts from officials. It should start with industry-agreed principles—then be codified.

ForkLog: Waiting for DEXs to start checking passports.

Irakli: Yes—but DEXs are unlikely to do it themselves. Providers will wrap such functions. Think digital platforms: there are big players like Revolut, and small teams building their own solutions.

Those smaller teams will offer add-ons: wrapping wallets into accounts, adding identification forms. In essence, that is what an MPC wallet does, but you do not need a whole company to deliver it. It can be an app or a protocol.

Then again, a crypto start-up is a digital solution—just lighter and more flexible.

There is another point—not strictly about DeFi but about a broader trend we think is growing. The world is drifting from globalisation towards fragmentation, into distinct clusters.

Take North Korea. It steals centrally, and its view of assets seems to be that any asset is good if you can pocket it.

On the other side are Europe and America, whose approaches are clearly diverging. A year from now, I fear they will rate payments by their own risk systems. A payment from the US might, say, be deemed higher risk—and vice versa.

The result could be the end of a single framework for asset assessment. That is a challenge for all teams: technically we still operate in one global space, but in practice users and platforms will assess the risk of assets, wallets and transactions differently.

We are not there yet, but we are heading that way. There is plenty to explore in this theme.

ForkLog: It is not obvious how this could be implemented on-chain at all.

Irakli: On-chain—unlikely. Anyone working in security uses large off-chain databases one way or another.

Consider Bybit. A wallet was blocked, supposedly for using Trust Wallet. The real reason was different.

There was a big debate: can you identify which wallet app a person uses? In fact, yes. The method is complex, but it relies on fees and other metadata wallet apps leave on-chain.

There is no 100% tag, but with sufficient data you can infer the source of a payment with high probability.

This is the beginning of filtering users by their wallets. It is not yet used directly as grounds for blocks, but the data are already being collected.

ForkLog: Finally, a few practical security questions. First—businesses. Where do they most often slip up today? Is there a standard set of vulnerabilities?

Irakli: Business issues are broadly stable. We are past the era of leaky smart contracts and front-end compromises. Teams and the wider community have done good work—sharing experience and solutions. Major incidents are rarer, though smaller ones still happen.

Serious trouble arises during surges in user activity—like the recent meme phase. That wave has ebbed, but there was a genuine influx. Teams expanded quickly, hired fast, and trust questions surfaced.

Sometimes production keys sit with a developer nobody has met. You have just entrusted half your platform to them. They may not have wallet access, but they may hold business-logic or admin access. That is a risk.

The second weak link is social media. We still see account takeovers, fake giveaways and posts masquerading as projects. Media infrastructure remains vulnerable.

Centralised platforms once faced another big problem: with dozens of blockchains, keeping everything current and secure was hard. The landscape has shifted: few new chains are emerging; what grows is the number of protocols within existing networks. So that issue is less acute.

ForkLog: What about users? Since 2024, many unprepared newcomers have entered DeFi—especially with the meme rally and the Solana influx.

Irakli: In scams, most users lose money not to classic fraud but on their own trading.

Interestingly, the Pump.fun saga showed some positives. Scams like “cannot sell the token”, rug pulls and outright broken contracts have become less common.

Why? Because centralised launch platforms such as Pump.fun provide a single contract and basic checks. Users launch tokens through a platform that at least guarantees technical viability.

Before that, it was more chaotic—people posted anything on Raydium and other aggregators, and you could not tell what you were buying. Now there is at least basic technical filtering.

Still, user behaviour has drifted closer to a casino. Many treat it as a game—guess whether a token will pump. If luck runs out and it goes to zero, so be it.

That is increasingly accepted as the rule of the game. The audience seems resigned to it.

The biggest threat for users is the leap from Web 2.0 to Web3 without grasping how data custody works in crypto.

Amazingly, both basic internet users and very technical users fall for vulnerabilities. It again comes down to social engineering.

ForkLog: You mean classic tricks like clipboard address swaps?

Irakli: Yes, that too—rare but recurring. There are more advanced schemes. A long-standing one, common on TRON: high-activity wallets are monitored and targeted.

One tactic is duplicating a transaction while spoofing the address: the first and last characters match, the middle differs. Or sending a reverse transaction with the same amount in a non-existent token.

The user opens a block explorer, sees the “latest” address, copies it and sends funds to the scammer.

ForkLog: So that, too, is social engineering?

Irakli: Essentially, yes—just a higher-grade version. You are not messaging the user via chats or socials—you are “talking” through the explorer, a tool meant to boost transparency and safety.

Explorers have begun flagging suspicious addresses via external providers. Unfortunately, they do it slowly.

ForkLog: What are you preparing for in 2025–2026? Which areas look promising?

Irakli: First, we are still preparing for a world that may fracture into clusters. We would hate that, but the trend seems to point there.

Second, we are pushing ahead with MPC wallets. We think that is a point where we can contribute most and deliver real user value.

We also see growing interest from crypto projects in more granular interaction data. Users are not there yet, but platforms are already seeking multiple data providers rather than just one. That matters—relying on a single risk-profile source is not enough, because jurisdictions can read the same activity differently.

Interest in security has spiked after Bybit. Platforms increasingly care not only about custodial protection, but also about assessing the assets they interact with.
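Irakli's description above of address poisoning on TRON (a lookalike address whose first and last characters match a real counterparty, and a mirrored transfer of the same amount in a non-existent token) translates into a check a wallet or explorer could run over a transaction history before the user copies an address out of it. The following is an added example written for this page, not code from HAPI, Bybit or ForkLog. The addresses, token contract identifiers and transfer history are constructed for the demo, and the 6-character prefix and 4-character suffix are an assumption mirroring the abbreviated form most explorers and wallets display.

```python
"""Address-poisoning check for a wallet's transaction history.

Added example: not code from HAPI, Bybit or ForkLog. The addresses,
token contract identifiers and transfers below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Transfer:
    counterparty: str   # the other side of the transfer, as an explorer shows it
    incoming: bool      # True if the transfer arrived at our wallet
    amount: float
    token: str          # token contract identifier, not just the displayed symbol


def normalize(addr: str) -> str:
    """Hex (0x) addresses are case-insensitive, so fold them; base58 addresses
    (TRON, Solana) are case-sensitive and must be compared as-is."""
    addr = addr.strip()
    return addr.lower() if addr.startswith("0x") else addr


def looks_alike(candidate: str, known: str, prefix_len: int = 6, suffix_len: int = 4) -> bool:
    """True if candidate has the same abbreviated form as known (same first
    prefix_len and last suffix_len characters) but is a different address."""
    c, k = normalize(candidate), normalize(known)
    if c == k or len(c) != len(k) or len(c) <= prefix_len + suffix_len:
        return False
    return c[:prefix_len] == k[:prefix_len] and c[-suffix_len:] == k[-suffix_len:]


def classify_destination(candidate: str, trusted: Iterable[str]):
    """Return ("known", None), ("lookalike", twin) or ("new", None)."""
    trusted = list(trusted)
    c = normalize(candidate)
    if any(normalize(t) == c for t in trusted):
        return ("known", None)
    for t in trusted:
        if looks_alike(c, t):
            return ("lookalike", t)
    return ("new", None)


def poisoning_candidates(history, trusted, trusted_tokens):
    """Incoming transfers whose sender is a lookalike of a trusted counterparty.
    Zero-value transfers and transfers in an unrecognised token contract are the
    classic poisoning shapes; any other amount from a lookalike is flagged too,
    since its only purpose is to land near the top of the history."""
    flagged = []
    for t in history:
        if not t.incoming:
            continue
        kind, twin = classify_destination(t.counterparty, trusted)
        if kind != "lookalike":
            continue
        if t.amount == 0:
            reason = "zero-value transfer from lookalike"
        elif t.token not in trusted_tokens:
            reason = "unknown token contract from lookalike"
        else:
            reason = "transfer from lookalike"
        flagged.append((t, twin, reason))
    return flagged


# Constructed sample data (TRON-style 34-character addresses; not real accounts).
TRUSTED = "TJCnKsPa7y5okkXvQAidZBzqx3QyQ6sxMW"     # counterparty we really paid
LOOKALIKE = "TJCnKsQ9mLp2vW4xY7zB1cD5eF8gH3sxMW"   # same "TJCnKs...sxMW", different middle
STRANGER = "TAbcDefGhiJkLmnOpqRstUvwXyz1234567"    # unrelated address

USDT = "contract:usdt-real"         # constructed identifier of the genuine token
FAKE_USDT = "contract:usdt-fake"    # constructed identifier of the attacker's token

SAMPLE_HISTORY = [
    Transfer(TRUSTED, incoming=False, amount=500.0, token=USDT),        # our real payment
    Transfer(LOOKALIKE, incoming=True, amount=0.0, token=USDT),         # dust poisoning
    Transfer(LOOKALIKE, incoming=True, amount=500.0, token=FAKE_USDT),  # mirrored fake-token transfer
    Transfer(STRANGER, incoming=True, amount=12.0, token=USDT),         # benign, merely new
]

if __name__ == "__main__":
    for t, twin, reason in poisoning_candidates(SAMPLE_HISTORY, [TRUSTED], {USDT}):
        print(f"{reason}: {t.counterparty} (mimics {twin})")
    print("destination check:", classify_destination(LOOKALIKE, [TRUSTED]))
```

The design point is that the check runs against the full address, which is exactly what a user copying from an explorer does not do. Comparing only the abbreviated prefix and suffix, the way a glance does, would classify the lookalike as the trusted counterparty; normalising only hex addresses avoids silently merging two distinct base58 addresses that differ in case.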
