Bug Bounty Flaws: $1.5B Crypto Losses

Cryptocurrency losses to hacks topped $1.5 billion in a single month, and security researchers say exchanges need to substantially improve their bug bounty programs if they want to attract top-tier ethical hackers and harden their platforms.
On March 3, blockchain security firm CertiK reported that losses to crypto hacks in February reached $1.53 billion. Most of that came from the Bybit hack, which accounted for more than $1.4 billion. Even setting that incident aside, CertiK noted, other exploits still cost $126 million, including a $49 million loss from the Infini hack.
Adding his voice to the conversation, ethical hacker Marwan Hachem told Cointelegraph that this dramatic increase in crypto hack losses really emphasizes the growing necessity for better bug bounty programs.
Hachem explained that if exchanges want to effectively prevent these kinds of damaging exploits, they absolutely must offer higher, more attractive bug bounty rewards to white hat hackers.
An “out of scope” bug led to a $1.4 billion hack
Hachem, who also serves as chief operating officer at cybersecurity firm FearsOff, reiterated that crypto exchanges need to offer more substantial rewards to ethical hackers to head off similar exploits in the future.
According to Hachem, the bug bounty program run by Safe, the provider of Bybit’s multisignature wallet, classed front-end and back-end bugs as “out of scope,” meaning ethical hackers who found flaws there would not be rewarded for reporting them.
Hachem pointed out that the massive Bybit hack actually occurred precisely because of a bug that fell into this unrewarded “out of scope” category. “What they deemed out of scope ended up causing the biggest crypto hack we’ve ever seen,” Hachem stated to Cointelegraph. He further elaborated:
“We frequently gain access to platforms by exploiting bugs in areas considered out-of-scope. Ethical hackers aren’t incentivized to report these types of vulnerabilities, but malicious actors are happy to take advantage, as we saw with the $1.5 billion stolen from Bybit.”
Bybit’s own bug bounty program is not much better: the maximum reward listed on its website is $4,000, and its HackerOne program tops out at $10,000, a tiny fraction of what an attacker stands to gain from a successful exploit.
Hachem argues it is far more sensible to offer larger rewards to white hat hackers up front than to wait for a devastating hack and then offer a percentage (for example, 10%) of the recovered funds as a reward, a reactive approach he says “encourages bad actors.”
“If exchanges are serious about security, they need to motivate top ethical hackers to dedicate their time and expertise to testing their platforms by offering truly enticing rewards. This proactive approach would be significantly more cost-effective in the long run and would be a smart move for safeguarding their reputation,” Hachem emphasized in his conversation with Cointelegraph.
Adopting stricter security measures
Beyond just improving bug bounty programs, a spokesperson from CertiK also told Cointelegraph that preventing future large-scale exploits like the Bybit hack requires a broader commitment to adopting much stricter security measures across the board.
The CertiK spokesperson suggested that certain practices should become standard across the industry: air-gapped signing devices; non-persistent operating system environments for transaction approvals, so that a compromised workstation does not carry malware from one signing session to the next; and additional authentication layers, particularly for high-value transactions.
“Regularly conducting red-team exercises and phishing simulations can also be incredibly helpful in reducing risks associated with social engineering attacks,” the spokesperson added.
CertiK’s report attributes the Bybit exploit to a sophisticated phishing attack that tricked the multisignature signers into approving a malicious contract upgrade. The Infini hack, by contrast, was traced to a leaked admin private key that allowed unauthorized withdrawals.
CertiK says both incidents underscore the dangers of blind signing, that is, approving a transaction without independently verifying what it actually does, and of insufficient transaction verification. “These cases really highlight the critical need for stronger authentication protocols, real-time transaction monitoring, and more robust UI security measures to prevent malicious manipulation,” CertiK concluded.