You can’t govern what you can’t see

By Srilekha Veena Sankaran, Senior Enterprise Security Evangelist at ManageEngine

In February 2025, Dubai-based cryptocurrency exchange Bybit learned a security lesson on a staggering scale. A cyberattack drained approximately $1.5 billion in Ethereum from Bybit’s cold wallet, making it the largest digital theft in cryptocurrency history. North Korea’s Lazarus Group was identified as the perpetrator. But for security experts, the amount stolen wasn’t the headline; the method of entry was.

The visibility gap that made it happen

The attackers did not break cryptography or exploit a smart contract vulnerability. They targeted a developer at Safe{Wallet}, the third-party multi-signature platform Bybit relied on to approve cold wallet transactions. Through social engineering, the attackers compromised the developer’s workstation and extracted AWS session tokens, bypassing MFA entirely. Then, they operated inside Safe{Wallet}’s cloud infrastructure for over two weeks, aligning their activity with the developer’s working hours to avoid detection.

The attackers injected malicious JavaScript code into the S3 bucket hosting Safe{Wallet}’s web interface. The code was surgically targeted: it altered transaction data only when Bybit’s specific wallet was accessed, while the rest of the application functioned normally. Two days later, when Bybit’s operators initiated a routine transfer from cold storage to a warm wallet, the interface displayed a legitimate-looking 30,000 ETH transfer. However, the underlying transaction data had been swapped for a malicious payload. The signers reviewed the details, connected their Ledger devices, and approved the transfer.

Incredibly, every step in the attack was authorized: the developer had infrastructure access to modify front-end code, and the front end governed what signers saw before approving any transaction. The multi-signature process required three independent approvals, and all three were given to a transaction none of the approvers could actually see.

What failed was visibility: Bybit could not see how its system’s trust dependencies were connected. From cold storage to multi-signature approval to hardware wallets, each link in the trust chain was technically sound, but all of them ran through a single third-party interface that wasn’t independently verified. The attack showed that UI manipulation through infrastructure compromise can bypass even the most secure wallets.

The identity landscape is changing at an unprecedented scale and pace

Consider a service account created for a now-defunct integration that still holds privileged access to production systems. Over time, entitlements accumulate, authentication requirements weaken, and behavioral monitoring is minimal.

Multi-cloud and SaaS adoption compounds the problem. One identity may exist in Microsoft Entra ID, federate into AWS, and authenticate to multiple SaaS platforms, each with different permissions. No single directory reflects the identity’s total effective access. Correlating that access into a single view remains a challenge for many organizations.

The emerging identity frontier of AI

Organizations are rapidly deploying autonomous AI agents across their systems. These agents access APIs, query databases, write code, and orchestrate workflows. Each one operates as a machine identity, often with meaningful privileges.

Unlike traditional service accounts, AI agents can act across systems in ways static policies never anticipated. The trust chains governing them are immature, and visibility into their access and behavior is minimal in most enterprises.

Non-human identities are already growing faster than security teams can manually track. AI accelerates this trajectory. As attacker dwell time compresses (some 2025 intrusions moved from initial access to exfiltration in under two hours), reactive governance is insufficient. Visibility must operate ahead of the breach.

AI is the next force multiplier. If visibility does not extend to autonomous agents, blind spots will scale with it.

Comprehensive visibility compounds to better governance

The pace of change has outstripped manual oversight. Non-human identities are multiplying rapidly, attacker timelines are shrinking, and breaches now unfold in hours, not weeks.

Visibility must be continuous, automated, and forward-looking, encompassing human and non-human identities, AI agents, OAuth grants, and the relationship paths that create unintended privilege. To stay ahead of modern intrusions, organizations must identify and eliminate risky access chains before they are exploited.

Here’s how:

  • Know what exists: Most enterprises manage a fraction of their actual identity footprint. A credible inventory must include service accounts, API keys, machine credentials, vendor access, CI/CD tokens, and AI agents.
  • Map relationships, not just accounts: Accounts are rarely dangerous in isolation. Risk emerges from nested groups, inherited roles, cross-platform federation, and trust chains. If you can’t trace the path from a dormant contractor account to a critical asset, you can’t defend it.
  • Treat non-human identities as paramount: They rarely expire and are frequently overprivileged at creation. Though they’re seldom reviewed, they deserve the same governance rigor that’s applied to human accounts.
  • Make visibility behavioral: Structural access data is foundational. Behavioral baselines turn that data into an early warning. When a service account begins querying unfamiliar systems, or a vendor credential deviates from established patterns, that signal must surface before damage occurs.
  • Extend visibility across vendors and environments: A third-party credential outside of your monitoring perimeter is still inside your risk profile.
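The "map relationships, not just accounts" step above is the one most teams stop short of, so here is an added example (my own, not code from the article or from ManageEngine) that treats an identity estate as a graph and traces every path from a dormant account to a critical asset through nested groups, inherited roles, cloud federation and vendor access. All node names, edges and the dormant-account list are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed identity graph (not from the article). Edge (a, b) means a holds or inherits b.
EDGES = [
    ("contractor.jdoe", "grp-contractors"),      # dormant contractor account
    ("grp-contractors", "grp-engineering"),      # nested group membership
    ("grp-engineering", "role-entra-deploy"),    # directory role granted to the group
    ("role-entra-deploy", "role-aws-deployer"),  # federation into a cloud role
    ("role-aws-deployer", "s3://web-frontend"),  # critical asset (web UI bucket)
    ("svc-legacy-sync", "role-aws-deployer"),    # service account for a defunct integration
    ("vendor-wallet-ui", "s3://web-frontend"),   # third-party vendor access
    ("alice", "grp-engineering"),                # active human account
]
CRITICAL = {"s3://web-frontend", "db-prod"}
DORMANT = {"contractor.jdoe", "svc-legacy-sync"}  # no sign-in for 90+ days (constructed)

def build_graph(edges):
    g = defaultdict(list)
    for src, dst in edges:
        g[src].append(dst)
    return g

def effective_access(graph, identity):
    """Transitive closure: everything reachable via nested groups, roles and federation."""
    seen, queue = set(), deque([identity])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def paths_to_critical(graph, identity, critical=CRITICAL):
    """Every hop-by-hop path from an identity to a critical asset."""
    results = []
    def walk(node, path):
        if node in critical:
            results.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # guard against cyclic group nesting
                walk(nxt, path + [nxt])
    walk(identity, [identity])
    return results

def risky_chains(graph, dormant=DORMANT, critical=CRITICAL):
    """Dormant identities that still reach a critical asset, with the paths that get them there."""
    return {i: paths_to_critical(graph, i, critical) for i in dormant
            if effective_access(graph, i) & critical}
```

Feeding it a real export (group memberships, role assignments, federation trust, vendor grants) turns "accounts that look fine in isolation" into concrete access chains you can review and cut.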

The bottom line: Visibility (or the lack thereof) decides the efficacy of your identity governance program

The definition of identity is expanding, shaped by multi-cloud adoption, software supply chains, and autonomous AI agents. Many enterprise security strategies were designed to repel attackers who charge the perimeter and trigger alerts. Against that pattern, they perform well.

However, attackers don’t need to bypass your security stack anymore. They just need to find the identity paths that will take them through it. When group memberships nest three or four layers deep, service accounts outlive the projects that created them, or vendor integrations carry inherited permissions, the result is an environment where every individual access grant looks legitimate even though it’s full of exploitable pathways. Governance, compliance, and enforcement can only function when grounded in a complete and continuously updated view of the estate. For most organizations, that view simply doesn’t exist.

The question is not whether blind spots exist in your identity estate. It is whether you find them before someone else does.
