When a protocol or exchange loses hundreds of millions of dollars, the most useful document is rarely the news headline. It is the post-mortem: the incident report the team itself publishes. A post-mortem is a primary source, and readers who know what to look for can extract more signal from one than from any secondary summary.
This guide offers a five-step checklist for reading a crypto hack post-mortem critically, then applies it to three case studies: Bybit's $1.5 billion hack (February 2025), Drift Protocol's $285 million exploit (April 2026), and Kelp DAO's $292 million LayerZero-bridge compromise shortly after. The cases rotate. The framework does not.
What a Post-Mortem Actually Is
Borrowed from site-reliability engineering, a post-mortem in the crypto context is a written incident report that explains what went wrong, what was lost, and what will change. A real one contains an incident summary, a detection timeline in UTC, a named root cause, contributing factors, a quantified impact, immediate mitigations, and longer-term remediation with action items and owners. A status update on X is not a post-mortem. Neither is a legal-team statement.
Secondary coverage tends to compress nuance. The phrase "oracle hack" in a headline can mean price-feed manipulation, admin-key compromise of an oracle multisig, or a fake asset being listed as collateral - different failure modes with different lessons. According to the NCC Group's technical analysis of the Bybit incident, calling it "a Bybit hack" at all is slightly misleading: the compromise was upstream, in the signing interface Bybit used, not inside Bybit's own systems.
Good-faith signals in a report include precise UTC timestamps, named third-party forensics firms, verifiable on-chain transaction hashes, and an admission of contributing factors the team itself controlled. A post-mortem that only blames an anonymous attacker has not finished writing itself.
The Five-Step Reading Checklist
Step 1 - Identify the Root-Cause Class
Force the incident into one of six buckets: private-key or admin-key compromise, smart-contract bug, oracle or price-feed manipulation, social engineering of humans, phishing or wallet-drainer attacks on end users, or multisig and governance compromise. Many real incidents are compounds. As Chainalysis documented in its Drift write-up, the Drift attack layered social engineering, admin-key compromise, and oracle manipulation. Single-label explanations are usually wrong.
Step 2 - Read the Timeline and Follow the Funds
Three sub-questions matter: when did detection begin and end, how fast was the drain, and where did the funds move next. A minutes-long drain suggests an automated or pre-staged attack; an hours-long drain suggests a human operator; a days-long drain suggests the protocol was asleep. Laundering speed - funds hitting Tornado Cash or a cross-chain bridge in under 48 hours - is a proxy for attacker sophistication.
Step 3 - Rate the Communication
Score the report on five axes: time-to-first-acknowledgement, UTC precision, disclosure of on-chain transaction hashes, naming of third parties, and willingness to admit what the team itself controlled. The last is the hardest. A team that admits it removed a timelock on a critical multisig three weeks before the hack is worth trusting with future remediation.
Step 4 - Examine Remediation
Read remediation through two lenses. Who eats the loss - insurance fund, team treasury, bridge loan, socialized haircut, or hard-fork clawback. And what structural change ships - audit, timelock, circuit breaker, multisig reshuffle. "We will improve security" is not remediation. "We will add a 48-hour timelock by a specific date, audited by a named firm" is.
Step 5 - Look for the Generalizable Lesson
The best post-mortems end with something that transfers to other protocols or users. If the only lesson is "don't be compromised," the report is incomplete. A strong lesson reframes the industry's defaults - for example, that blind-signing a complex transaction is equivalent to signing a blank check.
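The five steps above, turned into a small scoring script. This is an added example, not code from the article or from any firm it cites: the Report format, the six-hour acknowledgement threshold, the four-hour "unexplained gap" threshold and the sample report are all this example's own assumptions, and the sample's drain window merely borrows the Drift timestamps that the case studies quote. Everything else in the sample, including the transaction hash, is a constructed placeholder.

```python
"""Score a crypto-hack post-mortem against the five-step reading checklist.

Added example (not the article's code). Input is a hand-filled summary of a
report in this script's own Report format; the SAMPLE at the bottom is
constructed, borrowing only the Drift drain window quoted in the article.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Step 1: the six root-cause buckets from the checklist.
ROOT_CAUSE_CLASSES = {
    "key_compromise", "contract_bug", "oracle_manipulation",
    "social_engineering", "user_phishing", "governance_compromise",
}
UTC_STAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|\+00:00)$")
EVM_TX_HASH = re.compile(r"^0x[0-9a-fA-F]{64}$")
SOLANA_SIGNATURE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{87,88}$")  # base58: no 0, O, I, l
VAGUE_LESSONS = ("don't be compromised", "improve security")


@dataclass
class Report:
    root_causes: set        # subset of ROOT_CAUSE_CLASSES
    timeline: list          # [(UTC timestamp, label)] in chronological order
    tx_hashes: list         # on-chain hashes the report publishes
    third_parties: list     # forensics firms and others named in the report
    self_admissions: list   # contributing factors the team says it controlled
    mixer_hours: float      # hours until funds hit a mixer or bridge; None if never
    remediation: list       # [(action, owner or None, deadline or None)]
    lesson: str


def parse_utc(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def hash_is_verifiable(h):
    """A hash readers can look up themselves must at least be well-formed."""
    return bool(EVM_TX_HASH.match(h) or SOLANA_SIGNATURE.match(h))


def step1_root_cause(report):
    unknown = report.root_causes - ROOT_CAUSE_CLASSES
    if unknown:
        raise ValueError(f"not a checklist class: {sorted(unknown)}")
    if not report.root_causes:
        return "unclassified"
    return "compound" if len(report.root_causes) > 1 else next(iter(report.root_causes))


def step2_timeline(report, max_gap_hours=4.0):
    """Drain duration and speed class, time to first acknowledgement, unexplained gaps."""
    labels = [label for _, label in report.timeline]
    times = [parse_utc(stamp) for stamp, _ in report.timeline]
    if times != sorted(times):
        raise ValueError("timeline is not chronological")
    at = dict(zip(labels, times))
    for needed in ("drain_start", "drain_end", "public_acknowledgement"):
        if needed not in at:
            raise ValueError(f"timeline lacks a {needed!r} entry")
    drain_minutes = (at["drain_end"] - at["drain_start"]).total_seconds() / 60
    if drain_minutes < 60:
        speed = "minutes: automated or pre-staged"
    elif drain_minutes < 24 * 60:
        speed = "hours: human operator"
    else:
        speed = "days: protocol was asleep"
    ack_minutes = (at["public_acknowledgement"] - at["drain_start"]).total_seconds() / 60
    gaps = [(labels[i], labels[i + 1]) for i in range(len(times) - 1)
            if (times[i + 1] - times[i]).total_seconds() > max_gap_hours * 3600]
    fast_laundering = report.mixer_hours is not None and report.mixer_hours < 48
    return {"drain_minutes": drain_minutes, "drain_speed": speed,
            "ack_minutes": ack_minutes, "gaps": gaps, "fast_laundering": fast_laundering}


def step3_communication(report, timeline, max_ack_minutes=360):
    """Five axes, one point each; the six-hour acknowledgement cut-off is an assumption."""
    axes = {
        "acknowledged_quickly": timeline["ack_minutes"] <= max_ack_minutes,
        "utc_precise": all(UTC_STAMP.match(stamp) for stamp, _ in report.timeline),
        "verifiable_hashes": bool(report.tx_hashes) and all(map(hash_is_verifiable, report.tx_hashes)),
        "named_third_parties": bool(report.third_parties),
        "admits_own_factors": bool(report.self_admissions),
    }
    return sum(axes.values()), axes


def step4_remediation(report):
    """An action counts as concrete only when it has both an owner and a deadline."""
    concrete = [a for a, owner, deadline in report.remediation if owner and deadline]
    return {"concrete": len(concrete), "vague": len(report.remediation) - len(concrete)}


def step5_lesson(report):
    text = report.lesson.strip().lower()
    return bool(text) and not any(v in text for v in VAGUE_LESSONS)


def evaluate(report):
    timeline = step2_timeline(report)
    score, axes = step3_communication(report, timeline)
    return {"root_cause": step1_root_cause(report), **timeline,
            "communication_score": score, "communication_axes": axes,
            "remediation": step4_remediation(report), "transferable_lesson": step5_lesson(report)}


# Constructed sample; only the drain window borrows the Drift timestamps from the article.
SAMPLE = Report(
    root_causes={"social_engineering", "key_compromise", "oracle_manipulation"},
    timeline=[
        ("2026-04-01T16:05:18Z", "drain_start"),
        ("2026-04-01T18:31:00Z", "drain_end"),
        ("2026-04-01T19:40:00Z", "public_acknowledgement"),
        ("2026-04-02T09:00:00Z", "preliminary_report"),  # 13h20m of silence: a gap to explain
    ],
    tx_hashes=["0x" + "ab" * 32],  # placeholder: well-formed, not a real transaction
    third_parties=["Forensics Firm A (placeholder)"],
    self_admissions=["migrated to a 2-of-5 multisig with zero timelock"],
    mixer_hours=30.0,
    remediation=[("Restore 48-hour timelock on council multisig", "core team", "2026-05-01"),
                 ("Improve security", None, None)],
    lesson="A timelock is the window in which a community can spot a malicious transaction.",
)

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE).items():
        print(f"{key}: {value}")
```

Run as a script it prints the evaluation of the sample: a compound root cause, an hours-long drain (about 146 minutes, so a human operator by Step 2's rule), a flagged overnight gap before the preliminary report, fast laundering, a full 5/5 on communication, and one concrete plus one vague remediation item. The thresholds are deliberately exposed as parameters so a reader can tighten them for their own review.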
Case Study 1 - Bybit, February 21, 2025 ($1.5 Billion)
Bybit's loss on February 21, 2025 remains the largest exchange hack on record. According to the NCC Group's technical analysis, the root cause was a supply-chain compromise of Safe{Wallet}, the smart-contract wallet interface Bybit used for Ethereum cold storage. A Safe developer's workstation was compromised, and attackers injected JavaScript into app.safe.global that activated only for Bybit's signers. The script swapped transaction parameters before signing and swapped them back after, so signers saw a legitimate transfer on screen while approving a delegatecall to an attacker contract that rewrote storage slot 0 of Bybit's ETH cold-wallet proxy.
401,347 ETH - approximately $1.5 billion - was drained from Bybit's cold wallet. According to CSIS, roughly $160 million was laundered through decentralized exchanges within 48 hours. Security analysts including Chainalysis attributed the attack to the Lazarus Group, a North Korean state-sponsored threat actor.
Bybit's communication set a bar. CEO Ben Zhou went live on X Spaces within hours of the hack, and withdrawals continued processing. Bybit secured bridge-loan financing to restore 1:1 client-asset backing without imposing a haircut, a socialized loss, or requiring a hard fork.
The lesson: an exchange's attack surface extends to every SaaS tool its signers touch. A cold wallet is not cold if its signing interface is hot. Blind signing of complex transactions - where the signer cannot decode what a delegatecall actually does - is the underlying villain. One compromised developer machine, upstream of the exchange, was enough.
Case Study 2 - Drift Protocol, April 1, 2026 ($285 Million)
Drift's loss is instructive for a different reason: patience. According to Chainalysis and TRM Labs, the attackers began social-engineering Drift's Security Council in the fall of 2025, roughly six months before the drain. Staging funds came from Tornado Cash in mid-March 2026. On March 12, the attackers deployed a fake asset called CarbonVote Token (CVT) and seeded it with artificial price legitimacy. From March 23-30, they used social engineering to obtain pre-signed durable-nonce Solana transactions from Security Council multisig signers. In late March - days before the hack - the Security Council migrated to a 2-of-5 multisig with zero timelock, removing protective delays. TRM Labs and Chainalysis both attribute the attack to DPRK actors.
At 16:05:18 UTC on April 1, the first pre-signed transaction executed; drainage continued until 18:31 UTC. 31 rapid withdrawals over roughly 12 minutes removed $71.4 million USDC, $159.3 million JLP, $11.3 million cbBTC, and roughly 15 other tokens. According to TRM, the drain represented over 50% of Drift's TVL. Drift's oracles had accepted the fake CVT as collateral because of the manufactured price.
Drift's post-mortem, produced with Chainalysis, scored high on the checklist: precise UTC timestamps, named contributing factors, and willingness to admit that the zero-timelock migration was a self-inflicted wound. Remediation, however, was incomplete - at least 20 other protocols experienced disruptions, and reimbursement discussions were ongoing.
The generalizable lesson: timelocks are not bureaucratic theater. They are the window during which a community can spot a malicious transaction before it settles. Removing a timelock on a multisig that controls an oracle is the governance equivalent of disabling the smoke detectors.
Case Study 3 - Kelp DAO, April 19, 2026 ($292 Million)
Kelp DAO's loss illustrates the third failure mode: composability turning a local hack into systemic contagion. According to CoinDesk, at 17:35 UTC on April 19, 2026, an attacker exploited a vulnerability in LayerZero's bridge infrastructure, causing Kelp's bridge to release 116,500 rsETH - approximately $292 million, or roughly 18 percent of circulating rsETH supply. Kelp's emergency pauser multisig froze the core contracts 46 minutes later at 18:21 UTC. Two follow-up attempts at 18:26 and 18:28 UTC, each targeting another 40,000 rsETH, reverted because of the pause.
The contagion was immediate. Aave's TVL dropped by approximately $6 billion as it suspended rsETH market operations, and total DeFi TVL fell more than $13 billion over the following two days. Arbitrum's Security Council froze 30,766 ETH (approximately $71 million) linked to the exploit - about a quarter of the stolen funds.
The communication, however, failed Step 3. Kelp DAO publicly argued that LayerZero's default DVN and relayer settings were the proximate cause. LayerZero disputed the framing. When two parties publicly point at each other, neither post-mortem is yet complete - a credible report names what the team itself controlled, which here would include the decision to use default verifier settings without independently evaluating their trust assumptions.
The lesson is twofold. A bridge's security is the weakest configuration in its message-verification stack, and defaults matter more than marketing. And composability means a hack does not stay contained - it lands on every protocol that accepts the compromised token as collateral.
Red Flags in a Bad Post-Mortem
Treat the following as warning signs. Passive voice throughout ("funds were moved," "a vulnerability was exploited") without naming the class of vulnerability. Timeline gaps of hours with no explanation. Blame aimed only at third parties. No named remediation actions with owners and dates. Silence on who eats the loss - teams that plan to make users whole say so immediately, as Bybit did within hours. Excessive optimism about fund recovery, especially once funds have touched Tornado Cash or a cross-chain bridge. Refusal to publish on-chain transaction hashes, which are the one part of the report readers can independently verify.
What to Do as an Affected User
In the first hour, stop interacting with the protocol and revoke token approvals using a tool such as Revoke.cash. Many post-exploit follow-on drains target users whose allowances are still live.
If the compromised platform is a centralized exchange, read the CEO's statement directly rather than an aggregator summary, and look for explicit language on 1:1 client-asset backing and withdrawal processing. Bybit made that statement within hours; that is the bar. The distinction between an IOU balance and on-chain ownership is foundational here.
If the compromise is in a DeFi protocol, determine whether the hack was isolated to one vault or whether the token itself is impaired, as happened with rsETH. An impaired token means your loss may be at every protocol where you deposited it, not only at the originating one.
Track the post-mortem across versions. Teams typically publish a preliminary report within 72 hours and a fuller one weeks later. The second version is usually more honest and is the one to keep. Document your exposure - transaction hashes and balances at the time of the hack - immediately; reimbursement programs require proof.
Finally, treat any unsolicited "recovery service" outreach as hostile. After every major incident, phishing operations impersonate support teams to target already-shaken users.
What to Watch Next
Three threads will shape the next post-mortems. Signing-interface security - the upstream lesson from Bybit - is driving hardware-wallet firmware that refuses to blind-sign. Timelock defaults on governance multisigs are under renewed scrutiny after Drift. And the bridge-security debate Kelp and LayerZero exposed - whose responsibility it is to pick safe defaults and whose to evaluate them - will likely produce either a new standard or a new lawsuit.
Sources
- NCC Group, Bybit technical analysis - https://www.nccgroup.com/research/in-depth-technical-analysis-of-the-bybit-hack/
- CSIS, Bybit Heist analysis - https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation
- Chainalysis, Lessons from Drift - https://www.chainalysis.com/blog/lessons-from-the-drift-hack/
- TRM Labs, DPRK and Drift - https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist
- CoinDesk, Kelp DAO $292M exploit - https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains
- Crypto Briefing, Aave TVL after Kelp - https://cryptobriefing.com/aave-tvl-plummets-6b-after-kelp-dao-hack-exploits-layerzero-bridge-flaw/
- CoinDesk, Kelp vs LayerZero - https://www.coindesk.com/tech/2026/04/20/kelp-dao-claims-layerzero-s-default-settings-are-what-actually-caused-the-usd290-million-disaster
- CoinDesk, Arbitrum freeze - https://www.coindesk.com/markets/2026/04/21/arbitrum-freezes-usd71-million-in-ether-tied-to-kelp-dao-exploit
- CoinDesk, DeFi TVL drop - https://www.coindesk.com/markets/2026/04/20/defi-tvl-drops-more-than-usd13-billion-in-two-days-following-kelp-dao-hack