
Cryptocurrency Exchanges & Web3 · Cybersecurity Training

$2.39B in Crypto Heists. None of Them Started With a Bug.

Bybit. DMM Bitcoin. Ronin Bridge. Every major crypto loss traced back to the same pattern: a signer who approved what they didn't understand, an engineer who opened a file they shouldn't have, a key ceremony that skipped its own rules. Live training that closes the human gap — and satisfies NYDFS Part 500, FATF Travel Rule, and your SOC 2 auditor.


  • $2.39B: combined anchor breach total
  • 3: training drills per session
  • 5: compliance frameworks covered

The Incidents That Define the Crypto Threat Landscape

Each breach below exposes a distinct human-layer failure — and a training gap your team likely has.

⚠ LARGEST CRYPTO THEFT IN HISTORY

Bybit — February 2025, $1.46B

North Korea · Lazarus Group · Supply-Chain Social Engineering

Attackers compromised Safe{Wallet} multisig infrastructure and presented a Bybit signer with a transaction that looked like a routine cold-to-hot wallet transfer. The signer approved what the UI showed — not what the contract actually did. In seconds, $1.46B in ETH was moved to Lazarus-controlled wallets. The blind-signing gap was the entire attack surface. Attribution confirmed by FBI, March 2025.

Key lesson: UI-displayed transaction details ≠ actual contract payload. Signers must verify destination addresses and amounts out-of-band — not from the signing interface itself.

DMM Bitcoin — May 2024, $305M

North Korea · Full Exchange Shutdown

North Korean threat actors — confirmed by Japan's National Police Agency — compromised exchange-level key management infrastructure and drained $305M in Bitcoin. DMM Bitcoin subsequently shut down all operations, making it one of the few major exchange collapses due to a cyber incident rather than insolvency. The failure was structural: key management at the exchange level had no adequate compartmentalization or monitoring.

Key lesson: Exchange-level key management requires independent monitoring, hardware security modules, and geographic distribution of signing authority — not just password protection on a server.

Ronin Bridge (Axie Infinity) — March 2022, $625M

LinkedIn Social Engineering · 5 of 9 Validator Keys

A senior engineer received a LinkedIn connection request from what appeared to be a legitimate recruiter at a major tech company. Over several weeks, rapport was built through what seemed like a standard technical interview process. The attacker then sent a PDF "job description" that contained malware. Once the engineer's workstation was compromised, 5 of 9 Ronin validator keys were extracted. FBI and DHS jointly attributed the attack to Lazarus Group (North Korea).

Key lesson: Social engineering of technical staff via professional networking platforms is a primary attack vector. Fake-recruiter scenarios, LinkedIn vetting, and out-of-band verification before opening any file are non-negotiable operational habits.

FTX Key-Management Arc — 2022 (No External Breach)

Cautionary Tale · No Intruder Required

The SBF trial revealed near-total absence of segregation of duties on hot-wallet signing at FTX. A small number of individuals held unilateral signing authority over customer funds with no multi-sig, no air-gap, and no independent key ceremony. There was no external intruder — the structural failure was operational. Used as a cautionary tale for what the absence of M-of-N controls looks like in practice.

Key lesson: Multi-sig and key ceremony hygiene aren't just for external attackers — they protect against operational negligence and single-person capture. M-of-N is a structural control, not just a security feature.

Six vulnerabilities unique to crypto exchanges and Web3 organizations


Hot-Wallet Operational Exposure

Funds in operational hot wallets are permanently internet-connected — and permanently exposed to credential theft, API key compromise, and signing-interface manipulation. The Bybit attack exploited the gap between cold and hot, not a software vulnerability.


Social Engineering of Key Holders

The people with signing authority are the primary attack surface. Ronin/Axie Infinity ($625M) was breached via a LinkedIn recruiter attack on a single engineer. DMM Bitcoin key management fell to a targeted operation on exchange infrastructure staff.


Supply-Chain Signing Infrastructure

Multisig and wallet-as-a-service providers (Safe{Wallet}, BitGo, Fireblocks) sit between your signers and your funds. Compromising that infrastructure — as Bybit's attackers did — allows manipulation of the signing interface without ever touching the exchange's own systems.


Missing Multi-Sig and Key Ceremony Discipline

FTX's operational failure — no M-of-N, no air-gap, unilateral signing authority — is a cautionary example of what the absence of key ceremony discipline looks like. Many smaller exchanges and Web3 projects operate with similar structural gaps.


Regulatory Complexity Across Jurisdictions

NYDFS Part 500 (US), FATF Travel Rule, EU MiCA, Singapore MAS licensing, and OFAC sanctions screening — each with different requirements and conflicting timelines. Compliance failure is as dangerous as a breach for regulated entities.


On-Chain Attribution and OFAC Exposure

Every transaction on a blockchain is permanently traceable. If a wallet you interact with is later flagged by OFAC, your transaction history becomes evidence. Training on sanctions screening and wallet risk assessment is a legal obligation, not a best practice.

Three drills your crypto team needs — built for actual Web3 workflows

Generic phishing simulation doesn't address the specific attack patterns targeting crypto organizations. These three drills cover the exact vectors used in Bybit, DMM Bitcoin, and Ronin.


Drill 1 · Signing Authority & Ops Teams

Blind-Signing Detection — Hot/Cold Transfer Verification

Walk your signers through the exact Bybit attack sequence. The attacker showed a familiar UI — a routine cold-to-hot transfer — while substituting a malicious contract at the signing layer. The signer verified what he saw, not what the contract actually did. This drill teaches the out-of-band verification protocol that closes this gap permanently.

  • Verifying destination addresses and amounts via independent channel, not the signing interface
  • Payload verification vs UI display — what smart contract calls actually contain
  • M-of-N quorum procedures for transfers above threshold values
  • Air-gapped signing station setup for large cold-to-hot operations
  • Incident response if an unauthorized transaction was approved
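The "payload verification vs UI display" step above, as an added example that is not code from this page or from SecurEveryone: it decodes the raw calldata of a transaction presented for signature and compares the target contract, recipient and amount against values obtained out-of-band. It assumes a plain ERC-20 `transfer(address,uint256)` call and uses constructed placeholder addresses; the function selector `a9059cbb` is the standard one for that signature.

```python
from typing import Optional

# Known ERC-20 function selector: first 4 bytes of keccak256("transfer(address,uint256)").
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")

def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256): selector + 32-byte address word + 32-byte amount."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return TRANSFER_SELECTOR + addr + amount.to_bytes(32, "big")

def decode_erc20_transfer(calldata: bytes) -> Optional[dict]:
    """Decode calldata if, and only if, it is a well-formed transfer(address,uint256) call."""
    if len(calldata) != 68 or calldata[:4] != TRANSFER_SELECTOR:
        return None
    if calldata[4:16] != b"\x00" * 12:          # address word must be zero-padded
        return None
    return {"recipient": "0x" + calldata[16:36].hex(),
            "amount": int.from_bytes(calldata[36:68], "big")}

def verify_payload(tx: dict, expected: dict) -> list:
    """Compare the raw transaction against the out-of-band expectation.
    Returns a list of discrepancies; an empty list means the payload matches."""
    problems = []
    if tx["to"].lower() != expected["token"].lower():
        problems.append(f"target contract {tx['to']} != expected {expected['token']}")
    if tx.get("value", 0) != 0:
        problems.append("native value attached to what should be a token transfer")
    decoded = decode_erc20_transfer(tx["data"])
    if decoded is None:
        problems.append("calldata is not a plain transfer(address,uint256) call")
        return problems
    if decoded["recipient"].lower() != expected["recipient"].lower():
        problems.append(f"recipient {decoded['recipient']} != expected {expected['recipient']}")
    if decoded["amount"] != expected["amount"]:
        problems.append(f"amount {decoded['amount']} != expected {expected['amount']}")
    return problems

# Constructed sample data: placeholder addresses, not real contracts or wallets.
EXPECTED = {"token": "0x" + "aa" * 20, "recipient": "0x" + "bb" * 20, "amount": 1_000 * 10**18}
# Payload that matches what the signer confirmed over an independent channel.
LEGIT_TX = {"to": EXPECTED["token"], "value": 0,
            "data": encode_erc20_transfer(EXPECTED["recipient"], EXPECTED["amount"])}
# Same UI text, but the actual payload sends the tokens to a different address.
SUBSTITUTED_TX = {"to": EXPECTED["token"], "value": 0,
                  "data": encode_erc20_transfer("0x" + "cc" * 20, EXPECTED["amount"])}

if __name__ == "__main__":
    for name, tx in (("legit", LEGIT_TX), ("substituted", SUBSTITUTED_TX)):
        print(name, verify_payload(tx, EXPECTED) or "payload matches out-of-band values")
```

The check is only as good as the source of `EXPECTED`: it must come from a channel the signing interface cannot influence, such as a phone call to the counterparty or a pre-agreed address allowlist.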

Drill 2 · Engineering & Protocol Teams

Ronin-Style Social Engineering — Fake Recruiter Attack

Walk your engineers through the Ronin/Axie Infinity breach — the fake LinkedIn recruiter who spent weeks building rapport, then sent a PDF with malware that ultimately drained $625M. This is the highest success-rate attack vector against technical staff in the crypto industry. Live role-play and scenario walkthrough.

  • LinkedIn vetting procedures — how to verify a recruiter's identity independently
  • Fake-interview red flags: unsolicited PDF attachments, unusual communication channels, time pressure
  • Out-of-band verification protocol before opening any file from an unverified contact
  • Key ceremony integrity checklist when personnel changes occur
  • How to respond in real time if you believe you've been targeted

Drill 3 · Security Engineering & Ops Leads

Key-Ceremony Hygiene — M-of-N Quorum Drills

Tabletop exercise covering the full lifecycle of key ceremony integrity: setup, execution, recovery, and post-incident review. Includes analysis of the DMM Bitcoin key management failure and the FTX structural absence of M-of-N controls. Walk away with a written key ceremony protocol specific to your wallet architecture.

  • Air-gapped signing station setup and maintenance
  • HSM vs software key storage: what each actually protects against
  • M-of-N quorum procedures and key rotation schedules
  • Key ceremony review triggered by personnel changes
  • Recovery procedures if a signing ceremony is suspected compromised

The crypto compliance stack — what regulators and auditors actually require

NYDFS Part 500, FATF Travel Rule, SOC 2, and OFAC sanctions screening. Here's what applies and what's at stake.

NYDFS Part 500

72-hour notification, MFA on all internal access, CISO designation, cybersecurity program. Applies to any entity with a NY license or operations in New York.

Incident response drill covers the exact Part 500 notification timeline and required content.

FATF Travel Rule (Rule 16)

Originator/beneficiary information for all VASP transfers above de minimis. VASP registration, OFAC SDN screening, and Travel Rule data transmission obligations.

Training drill covers VASP obligations, Travel Rule data fields, and sanctions nexus for crypto transactions.

SOC 2 CC6 / CC7

Logical access controls (CC6.1) and incident response (CC7.2) require documented security awareness training. Training completion certificates satisfy auditor evidence requirements.

Completion records included in every session package for SOC 2 Type II evidence.

OFAC Sanctions Screening

Every wallet interaction creates sanctions risk. If you transact with a flagged address, your entire transaction history can become evidence. OFAC violations are criminal, not civil.

Drill covers wallet risk assessment, SDN screening, and OFAC reporting obligations.

One price. Unlimited signers. No per-seat billing.

No annual contracts. No per-seat licensing. Book a session, train your team, satisfy your regulator.

Individual Contributor — IC

$150

Per session · per person

60-minute personalized session for engineers, protocol developers, and ops staff with signing authority.

  • Blind-signing detection drill
  • Key-ceremony hygiene fundamentals
  • NYDFS Part 500 awareness briefing
  • Training completion certificate

Team Session

$390

Per session · up to 8 people

90-minute team session covering all three drills, compliance mapping, and post-session evidence package.

  • All 3 crypto-specific training drills
  • NYDFS Part 500 + FATF Travel Rule mapping
  • Tabletop for blind-signing + fake-recruiter attack
  • Post-session compliance documentation package

Business · Unlimited Users

$900

Flat rate · unlimited participants

120-minute org-wide session covering all three drills plus executive briefing, board materials, and 30-day coaching access.

  • All drills + executive threat briefing
  • SOC 2 CC6/CC7 + NYDFS Part 500 evidence kit
  • Travel Rule compliance documentation
  • 30-day follow-up coaching access
  • OFAC sanctions risk assessment included

Common questions from crypto and Web3 security teams.

What are the key custody risks for crypto exchanges and Web3 platforms?

The primary custody risks are: (1) hot-wallet exposure — funds in operational wallets connected to the internet are vulnerable to theft via credential compromise or UI manipulation; (2) key-ceremony failures — single points of failure in signing workflows, like the Bybit $1.46B loss where a signer approved a supply-chain-manipulated transaction; (3) social engineering of signing authorities — attackers targeting the humans with key access via fake recruiter approaches (Ronin/Axie Infinity, $625M) or fake IT support calls; (4) validator key compromise — 5 of 9 Ronin validators fell to a LinkedIn phishing attack. The defense is operational: M-of-N multi-sig, air-gapped signing for large transfers, blind-signing detection training, and key ceremony hygiene protocols.

What does NYDFS Part 500 require for crypto and Web3 companies?

NYDFS Part 500 requires covered entities to maintain a cybersecurity program, implement MFA for all internal access, designate a qualified CISO, notify NYDFS within 72 hours of a cybersecurity event, and maintain audit trails. For crypto exchanges and Web3 platforms, Part 500 applies to any entity licensed or operating in New York. The regulation also requires asset classification, access controls for wallets and key management systems, and incident response planning that includes the specific notification timelines required by the superintendent. SecurEveryone's crypto-web3 training includes a Part 500 incident response drill that walks through the exact 72-hour notification timeline and required content.

What is the FATF Travel Rule and how does it affect crypto businesses?

The FATF Travel Rule (Rule 16) requires VASPs (Virtual Asset Service Providers) to collect, transmit, and receive originator and beneficiary information for any virtual asset transfer above a de minimis threshold — equivalent to the wire-transfer information requirement in traditional finance. This applies to cryptocurrency exchanges, custodians, and any entity that transfers virtual assets on behalf of another person. The rule creates AML/KYC obligations at the transaction level, requires screening against OFAC SDN lists, and creates data-sharing requirements between sending and receiving VASPs. Non-compliance in jurisdictions with strict Travel Rule enforcement (Singapore, UK, EU under MiCA) can result in licensing revocation or criminal liability.

How do hot wallet and cold wallet operations differ in terms of security risk?

Cold wallets store private keys on air-gapped systems or hardware security modules disconnected from the internet. They are the primary defense against remote compromise but require secure physical access controls, careful key ceremony procedures, and well-tested recovery plans. Hot wallets are connected to the internet for operational liquidity — faster and more convenient but exposed to credential theft, API key compromise, and remote exploit. The Bybit attack exploited the gap between cold and hot: a routine cold-to-hot transfer was manipulated at the signing interface, draining $1.46B. The defense requires: dedicated cold wallet infrastructure with no internet exposure, M-of-N multi-sig for transfers exceeding a threshold, and blind-signing detection training so signers verify the transaction payload — not just the UI.

What does incident response look like for a crypto exchange breach?

Crypto incident response differs from traditional corporate IR in three key ways: (1) Time pressure is extreme — blockchain transactions are irreversible and funds can be moved and mixed within minutes of a breach. The incident response plan must include automated wallet freeze procedures, pre-arranged first-contact channels with exchanges that may receive stolen funds (Binance, Coinbase, Kraken), and OFAC sanctions nexus review for any incoming transaction. (2) Regulatory notification timelines are tight — NYDFS Part 500 requires 72-hour notification; FinCEN requires SAR filing if a ransomware payment or transaction-linked money laundering is identified. (3) Attribution matters more than in traditional incidents — Chainalysis, Elliptic, and FBI/OFAC can trace fund movement on-chain, so incident documentation must be prepared for potential law enforcement engagement. SecurEveryone's incident response drill covers all three dimensions, including the specific decision tree for engaging blockchain forensics firms.

Your signers are your last defense. Are they trained?

Book a live session today. Each session is 60–120 minutes, held over Zoom, built around your team's actual wallet architecture, signing workflows, and compliance requirements. Walk away with a written key ceremony protocol, a completed NYDFS Part 500 evidence record, and a team that knows what a Bybit-style blind-signing attack looks like in the wild.


Sessions from $150 · Unlimited users on Business tier · 24/7 emergency access available

SecurEveryone · NYDFS Part 500 / FATF Travel Rule / SOC 2 CC6/CC7 / OFAC · $150–$900 · Live expert coaching