Especially not if a single API call can spend from it.
ByBit has all their keys online and calls it cold just because it's multisig?
That's not how it works
Discussion
Is that really what happened? I saw multisig and immediately wondered how the funds were stolen
The only person who really knows is the person who hit send on the TX. What facts have come out are pretty bad.
Glacier protocol is the best I know of, definitely work to hit that level though.