Interview with Bybit's Ben Zhou and Shunyet: An In-depth Analysis of the $1.5 Billion Theft Incident, Rescue Progr…
This Space discussion focuses on the largest hacking incident in the history of the cryptocurrency sector, which is also regarded as the largest theft in human history. Colin Wu talks with Bybit executives Shunyet Jan and founder Ben Zhou, presenting the details of the event and the subsequent rescue efforts. The incident involved the theft of about $1.5 billion worth of Ethereum, allegedly carried out by the North Korean hacking group Lazarus Group. Bybit managed to restore full withdrawal functionality within 12 hours. It prioritized retail withdrawals, imposed tiered restrictions on institutional clients, and drew on liquidity support from exchanges such as Bitget and from OTC service providers. Currently, the liquidity problems have been resolved. However, the possibility of retrieving the stolen funds is extremely low. The company is working with security teams to investigate the root causes of the vulnerabilities, which may be related to technical issues of the multi-signature cold wallet provider, Safe, or potential internal mistakes. Moreover, Bybit stresses that it will rebuild user trust by strengthening security measures, optimizing risk control processes, and communicating transparently. At the same time, it admits that this incident has revealed shortcomings in internal processes and crisis management, and that there will be a comprehensive review and improvement in the future.

Audio transcription completed by GPT, errors may exist. Please listen to the complete podcast: YouTube: Spotify: https://creators.spotify.com/pod/show/7qfkmlvhrl8/episodes/Bybit-CEO-BEN-15-e2v8i1g

70% of Ethereum Spot Inventory Stolen, Liquidity Crisis Resolved Through Lending and Other Means

Colin: Shunyet, the most pressing question for everyone is, how is Bybit doing right now? Is your liquidity completely restored, or are there still some gaps?
Shunyet: At the time, the only assets stolen were our Ethereum spot inventory, which accounted for about 70% of our total Ethereum spot inventory. Many clients had demands during this period, so we paused several operations and allowed withdrawals in batches based on client levels. Retail clients could generally make withdrawals as usual, but they couldn’t withdraw Ethereum. Our inventory was indeed insufficient at that time, and customers could not access their funds. We are grateful to Grace, as well as exchanges such as Bitget and MEXC, and some market makers. They helped us gradually replenish our inventory. Some of this was done through lending, while others were direct exchanges, but primarily we relied on bridging models. Eventually, we met all withdrawal requests, fully reopening services about 12 hours later, including for institutional clients. Now, our spot liquidity is no longer an issue.

Colin: So your initial strategy was to prioritize retail withdrawals while communicating with institutional clients, correct? But now everything is fully open, right?

Shunyet: Yes, everything is now completely open.

Colin: So the main liquidity gap was concentrated in Ethereum, right? Besides Bitget and MEXC, which other institutions helped you?

Shunyet: I’m not sure if it’s appropriate to disclose specific names, but well-known large OTC market makers almost all participated in supporting us.

Colin: Grace (CEO of Bitget) mentioned that the funds provided by Bitget required no collateral, interest, or even a specified return time. But not all institutions are like that, right? Did others impose any conditions?

Shunyet: Yes, we must thank Bitget again. Other OTC market makers might require some form of collateral. For instance, we could use our company’s treasury as security, which is entirely sufficient to cover the $1.5 billion gap. So we might borrow Ethereum through controllable methods, such as collateralizing USDT or Bitcoin.
However, Bitget’s assistance was substantial and required no collateral, which stands out significantly.

Colin: Looking at the situation now, do you feel that the incident has basically calmed down? Additionally, is your liquidity no longer tight because the overall atmosphere has eased, especially since the withdrawal willingness of institutions and large holders is not as strong?

Shunyet: Yes, we have many large clients. Some have high trading volumes, while others hold significant assets on Bybit. For those with high trading volumes, we observed that many are market makers who might reduce operations based on fund strategies, but still, about one-third to half of their funds remain on the exchange. As for those holding large amounts of assets, their attitudes are generally split: for example, some completely trust Bybit and have left their funds untouched, while others may transfer funds elsewhere in the short term. However, I believe the peak of panic has completely passed.

Restoring User Trust Post-Crisis: Transparency in Review, Publicizing Reasons, and Strengthening Security Measures

Colin: For Bybit, Grace previously mentioned that the funds stolen by the hackers were roughly equivalent to Bybit’s annual profits. Currently, from the perspective of security firms or other institutions, it seems likely that this money was taken by North Korean hackers, and the chances of recovery are minimal, correct? Is this judgment relatively certain?

Shunyet: We certainly hope to recover it, but looking at the history of the Lazarus Group, there are very few cases of successful recovery. I remember that their only successful recovery involved them withdrawing some coins like USDT or USDC, which can be frozen and subsequently destroyed. However, the Lazarus Group may previously have made minor errors, such as depositing funds into smaller exchanges. Back then, Ben and the leaders of the exchanges had good relationships, and everyone was willing to help freeze those assets.
But now, I believe the Lazarus Group has learned from these mistakes and is unlikely to commit such basic errors again, making recovery very unlikely. Furthermore, I’ve seen many discussions suggesting that the Lazarus Group is now the 14th largest holder of Bitcoin in the industry, and some have proposed whether a fork may be needed to address this issue. It seems unfavorable for a sanctioned entity to be one of the largest holders. However, this isn’t my primary concern; we are observing, but these matters aren’t within our control.

Colin: Understood. One more thing: are you concerned that the reputation of the entire company and the exchange industry may suffer after this incident, leading to decreased trust from users and institutions? While we know that security issues are challenges every exchange faces and are ongoing topics, many institutions and individuals have been complaining about Bybit’s security, which could lead them to distrust you in the future.

Shunyet: Let me approach this from a different angle. I only joined Bybit at the end of August last year; prior to that, my company was one of Bybit’s top three clients, and I had worked as a market maker. At that time, I witnessed the situations of other exchanges, such as KuCoin, Binance, and of course, the collapse of FTX. Looking back, Binance is doing well. We’ve observed many exchanges, and I must admit that while some users’ trust may be shaken, our response is primarily to maintain transparency. We will first investigate what went wrong, whether it was a vulnerability in the partnered system, an internal rule issue, or a financial department problem, like why assets weren’t spread across multiple systems. We will conduct a thorough internal review and then make decisions. Once we’ve clarified everything, we will certainly publicize our findings. This is essential for rebuilding trust.
I believe that to turn the situation around, our exchange’s functionalities, products, and ecosystem still have significant advantages, but right now, the most crucial aspect is trust. We haven’t been hacked before, so we haven’t faced this issue, but our top priority now is to regain trust. To achieve this, we need to be extremely transparent, explaining why this incident occurred and what preventive measures we will undertake in the future. I think the company has already invested substantial resources in this regard, but it might need to do even more going forward.

Colin: Understood. I have another question. You just mentioned that Bitget proactively offered support without conditions. I see that many other exchanges, such as Binance, OKX, etc., have also expressed their willingness to provide liquidity support. Did they reach out to you, or did you contact them?

Shunyet: Yes, indeed. I saw in some groups that many exchanges offered help proactively. However, some may request deposits or interest. Many OTC service providers have partnered with us for a long time and understand our profitability. They feel that while the amount involved in this hack sounds large, it’s at most equivalent to our annual profits. So everyone believes we are still trustworthy, and the situation isn’t as dire as it seems. Of course, Bitget’s assistance was relatively substantial, with more lenient conditions, which is notable. However, many other institutions also provided support. I’ve experienced similar situations in the past, like during the 9/11 events when I was working on Wall Street, and many companies offered their offices to competitors when Lehman Brothers lost theirs. Therefore, seeing many of our competitors step up recently and ask, “What support do you need? How can we help?” genuinely makes me happy. This attitude extends beyond just clients; it reflects a sense of camaraderie among competitors.
I think this sense of solidarity in the cryptocurrency industry is truly special.

Colin: Right, understood. Users might feel it’s too early to discuss this, but I see users asking what Bybit plans to do in the future to regain user confidence. It feels a bit premature to discuss this now; what are your immediate goals regarding this issue, and what steps will you take moving forward? Is there a plan, or can you share any insights?

Shunyet: We are still researching, but the first thing I mentioned is to prioritize trust. To rebuild trust, our security must be significantly enhanced; that is the first step. Beyond that, we will return to Bybit’s original organic growth model. We understand retail clients’ needs very well and excel at serving both retail and VIP clients. I believe that time is the best tool; as long as we handle this matter properly, trust will naturally return.

Colin: Got it. How is the overall morale within the company right now? In the face of the largest theft in human history, what is the state and morale of the internal staff?

Shunyet: Ben is a remarkable person; he always focuses on how to solve problems. He asks everyone: What is our current issue? Is it a lack of inventory, trust, or something else? Each department will form specialized teams to address every issue. The current focus is to deeply understand where things went wrong, whether it was our SOP (Standard Operating Procedures) or issues with our partners. We need to resolve these issues first. The second step is, after enhancing security, we must ensure better liquidity. When clients come to our platform, they need good liquidity. So we will communicate with various market makers to see what support they need and what specific assistance can be provided in the short term to restore the user experience to its original level. This is our most direct path forward. Additionally, we are also considering some potential partners we may not have thought of before.
Due to this incident, we might need to revisit some matters and disclose more information. For instance, our reserve proofs were originally updated once a month; now, we are considering releasing another one after resolving this incident to enhance transparency.

Discussion on Improving Security Issues: Multi-Signature Management, Approval Processes, and Employee Management

Mirror: Since this security incident involves multi-signature issues, I’d like to ask if you have a specific upgrade plan for multi-signature? How will you handle it moving forward?

Shunyet: We have always believed that multi-signature security issues aren’t too significant because we use tools like Safe, which should be quite reliable, right? However, after this incident, we have indeed proposed several solutions. First, regardless of the technology we use, we think it’s safe and will continue using various methods. Additionally, in multi-signature management, the signing authority is currently concentrated in four or five individuals; in the future, it may be distributed, for example, assigning different currency permissions to different people. Furthermore, future cold wallets must be decentralized; we can’t keep such large assets in one wallet anymore. These seem simple in discussions, but looking back, how did we not think of this before? But these are certainly things we will implement moving forward.

Mirror: Understood. Have you considered directly adding the addresses of cold wallets and hot wallets to the whitelist and fixing them?

Shunyet: That is something we can consider, although sometimes it may reduce flexibility. However, it indeed serves as a solution.

Mirror: Many have suggested that you can conduct a rehearsal first to see if the execution results are transparent. I also think you could take it a step further, for instance, performing a check before executing signatures, analyzing the bytecode in detail, and then conducting some rehearsals.
This could possibly mitigate the risk of such attacks.

Shunyet: That’s a suggestion I will definitely bring to our security department for discussion. My background leans towards trading, so I will leave this to the professional team for assessment.

Mirror: There was also the previous incident in 2022, where an employee modified data in an Excel sheet, though it wasn’t technically theft. After that incident, did you upgrade the entire CRS (Customer Relationship System) process?

Shunyet: Yes, we did. I believe that often, once a problem is identified, it needs to be improved. That incident was quite some time ago, and we had more or less fixed it by then. Now our approval process has more control measures in place. Initially, I encountered similar situations where many exchanges had advanced technology, but the backend systems or processes were relatively simple. Our company has grown rapidly, and some areas were not well managed, but now all departments have adjusted. Even some very simple internal matters need to go through an approval process. Sometimes it feels a bit cumbersome, but this way, we won’t encounter similar issues again.

Mirror: Yes, this is actually quite critical. Since the exchange business involves funds, the checks required can be more complex. I have another question. Many people have mentioned Bybit this year, and indeed, it has captured a significant advantage, becoming one of the top three exchanges. Will this lead to a large expansion in personnel? Could it impact the existing risk control structure?

Shunyet: Actually, Bybit’s employee count is somewhat less than that of some of our competitors because we place a high emphasis on selecting individuals who fit Bybit’s culture. Not just anyone can easily join, so our hiring process tends to be relatively lengthy. Our business is growing rapidly, but the pace of talent acquisition sometimes lags behind business growth.
Nonetheless, we maintain this approach in risk control, business, and product areas.

Collaborating with External Teams to Track Funds, Low Probability of Ethereum Rollback

Mirror: Okay, I’ll continue asking. Earlier, Colin mentioned that the money might not be recoverable, but I’ve observed community discussions and the hacker’s operations, and it seems that even if it can’t be recovered, the hacker’s chance of completely taking this money is also low. However, I’ve seen some in the community suggesting that the hacker is performing self-destructive operations on these Ethereum. I’d like to confirm this with Ben.

Ben: I can share what we are currently doing. Our security team has reached out to several external partners, with the well-known domestic firm Slow Fog cooperating with us for global tracking. We are also working with on-chain analytics companies to backtrack what happened during this hacking incident, trying to clarify how this event occurred. So far, there is no conclusion, because several suspicious points in this incident are quite different from previous cases. First, it wasn’t an issue with our hot wallet system; rather, it was the provider Safe, which we use to store multi-signature cold Ethereum, that encountered issues. We are still uncertain whether their servers have problems or if something went wrong in the user interface for each signature. This is one direction we are investigating. Regarding the funds tracking you mentioned, from our perspective, it won’t be easy for these Ethereum to be laundered. I believe this will be a long process, and the hacker will gradually attempt various laundering methods. Although this incident is significant, I feel fortunate that the entire industry is very united, and everyone is helping us, for which we are grateful. In fact, as long as the hacker transfers funds to a cross-chain bridge, we can almost immediately locate them and request the bridge’s assistance in freezing the funds.
Therefore, for this $1.5 billion to be completely laundered, I think it will require a long period. Secondly, regarding self-destruction, we have not seen any signs of that. Why would they go through all that effort to steal it, only to destroy it?

Colin: Not self-destruction, but Mantle managed to rescue this money.

Ben: Exactly. If the hacker tries any re-staking protocols now, we should have some means to respond. So they are currently in a standoff with us; we have a lot of people keeping an eye on them, and their situation is a bit awkward. Finally, indeed, some people, including some top projects and several prominent figures online, have suggested whether Ethereum could consider an overall rollback. However, most viewpoints believe that the last rollback was due to 30% of Ethereum being stolen, while this time, although the amount is large, it only accounts for about 0.3% to 0.4% of the total, so they probably won’t consider a rollback. Nonetheless, we are trying to contact Vitalik (the founder of Ethereum) to see what advice he can offer us.

Colin: Will you request or plead with him to initiate a rollback?

Ben: We will plead with them to extend their assistance, haha. But whether they cooperate will depend on their considerations.

Specific Responses to the Crisis: How to Restore Liquidity, Optimize Security Strategies, and Future Plans

Colin: Ben, I actually asked Shunyet earlier. Do you think liquidity has been fully restored now? Grace mentioned that you may not need external support anymore.

Ben: Yes, I must particularly thank those partners who quickly extended a helping hand. Bitget was the first to assist us without mentioning any conditions; they truly came to our aid without even signing a contract, and I am very grateful for that. MEXC and Huobi also continuously lent us Ethereum, which has been a tremendous help. Now, our overall situation is completely stable. Within about 12 hours, our deposit and withdrawal levels returned to normal.
I posted on Twitter that our withdrawal system has no backlog, and all withdrawal requests have been processed. Currently, compared to the second hour after the incident, the peak period, the system is now facing not pressure from withdrawals but rather issues with its overall capacity. The withdrawal system has never seen so many people withdrawing simultaneously. At that time, we performed system maintenance, adjusted on-chain transaction fees, optimized the risk control system, and handled many related affairs. Meanwhile, we contacted others in the background to borrow Ethereum to fill the gaps. Now, the entire liquidity situation is no longer a problem.

Colin: Had you conducted any rehearsals for similar scenarios before? For instance, if such an event occurs, what should be done in the first step, second step, and so on?

Ben: Yes, I think many people, including most online comments, say that while this incident is unfortunate, our crisis management has been quite effective. Some have said that I remained calm during the command, and I believe this isn’t due to my personality but because we have many tools that help keep me composed. Our risk control levels and the financial status of our system are accurate to the minute, so we always know what step the system is on and the status of clients’ withdrawals. This allows us to handle matters in an orderly fashion. These data-driven, visual dashboards enable us to plan subsequent actions step by step. For example, during withdrawals, we first process smaller clients to ensure they can withdraw completely, then gradually work our way up. Also, we adjust according to the situation of different chains: which chains have funds and which do not, and how to allocate them. To me, this data-driven approach enables orderly progress in subsequent work. In contrast, FTX was chaotic at that time, likely because they lacked any tools to assist their decision-making, which was unfortunate.
Of course, at the company level, we have rehearsed for all crises, whether theft or system crashes; we conduct internal so-called P-1 level drills every month.

Colin: Understood. What are the next steps you plan to take at this stage? For instance, what important steps will you carry out over the next day, three days, week, month?

Ben: Currently, we are dividing into several different phases. The first is related to security; the first step is to clarify exactly what happened. The second step is to track the funds; we will cooperate with external teams and even collaborate with Safe to determine the sequence of events and attempt to control the damage. Secondly, regarding finances, we will quickly repay the temporarily borrowed funds (not from the cross-chain bridge, referred to as a “bridge loan”) through OTC trades and other means. At the same time, we are now focusing more on changes in withdrawal levels, and currently, it seems that customer panic has passed. From a business perspective, we are most concerned about the impact of this incident on our operations, such as how many users we have lost, how many VIP clients, and how many institutions. We hope to promptly create the next steps based on the impact reports. For instance, which countries have lost the most users? How can we help users in those countries understand the current situation and know that our platform is actually fine, with our hot wallets and data systems functioning normally? This area will also be advanced based on data to formulate our next plans.

Colin: Okay, understood. Initially, many discussions centered around CZ (Binance founder Changpeng Zhao), who suggested you pause withdrawals. My guess is he may have wanted you to conduct a security check in case there were other vulnerabilities. I wonder why you didn’t heed his advice at the time; what considerations did you have? Were you not worried about other potential issues?
Ben: Yes, actually at that time, CZ and some other friendly firms, like Binance, expressed their willingness to help. However, it was about half an hour later that I noticed their messages because Twitter was overwhelmed, and I was busy with the live broadcast. I believe that from their perspective, that suggestion is quite normal. If the specifics of the hacking incident are unclear, one might think our hot wallets were compromised. If it were truly a hot wallet issue, then all withdrawals would need to be frozen. However, our situation was different; our withdrawal system had no problems, and the internal systems were functioning normally. It was just the tool used for multi-signatures that was compromised; you could think of it as an external tool malfunctioning. Therefore, the rest of our operations were running normally, and we didn’t need to expend extra effort to halt operations. Once we identified the issue, Slow Fog quickly confirmed, “The rest of your operations are completely fine.” That’s why we could feel confident in that decision. In contrast, when other exchanges were hacked, it was mostly due to issues with their internal code or processes, or even employee operations. However, we quickly ruled out these possibilities because signatures were handled by founders like me. This allowed us to confidently maintain the normal operations of the deposit and withdrawal systems. Therefore, I feel that CZ’s suggestion was not incorrect; it just did not apply to our unique situation.

Analysis of Security Vulnerabilities: Internal Threats, Trojans, Bybit’s Internal Issues or Safe

Colin: There’s another point; while the final security report is yet to be released, there is a notion that several of your team members’ user interfaces were attacked. Is there a possibility of internal threats?

Ben: Yes, I think we need to rule out any possibilities one by one; we haven’t completely ruled them out.
Our immediate action was to document evidence, backing up each operator’s computer and recording all actions taken by the individuals involved. This data will later be shared with law enforcement, external security partners, and our internal investigation team. So far, all operations appear similar to past practices. However, it is strange that several mandatory checks are in our security protocols, such as URL checks, which we did perform. As of today, I am uncertain whether Safe’s multi-signature system is still frozen; they might also be investigating. They are hesitant to make immediate conclusions, whether their servers were hijacked and impacted us or if the issues arose from individual computers. Moreover, we found everyone operating in different locations and networks, making it difficult to control remotely. There are various possibilities, but we cannot definitively rule any of them out at this time, so we are still investigating.

Mirror: So, Ben, does this mean no traces of Trojans were found on the devices?

Ben: Correct. We have checked all the computers of those involved in the signatures, and no Trojans were found. Of course, this is just our security team’s initial findings; we can’t be certain there aren’t particularly sophisticated Trojans that we haven’t detected yet. So we first gathered evidence, securing the computers and retaining data images.

Haotian: I saw that Safe issued a statement claiming their codebase has no vulnerabilities. I wondered, if it were a common APT (Advanced Persistent Threat) attack, like a penetration attack, and assuming that one of your employees or executives’ terminals was compromised (say, through social engineering), that would only be an internal entry point. I’m curious how the hacker was able to penetrate your advanced systems from such a small internal point. Did your security alert mechanisms fail during this process? Did you not receive any alerts over such a long time?
Will you investigate this specifically moving forward?

Ben: First, I want everyone to understand our situation. We have a complete withdrawal system, including hot and warm wallets. The hot wallet handles withdrawals automatically, while the warm wallet requires manual signatures, which is a system we’ve developed ourselves. When we have additional reserves, we place them in cold wallets. You can think of the cold wallet as being like HSBC. This incident occurred when the “HSBC” side had an issue: I was trying to retrieve the funds but was intercepted, leading to the entire theft. So, when I mention the hacker penetrating our systems, that didn’t happen. This is why we’ve been able to maintain uninterrupted withdrawals; our internal withdrawal system was functioning normally. We do frequently face penetration attempts. We have comprehensive protective measures in place, such as many honeypots in the system, along with white-hat teams and red-blue team engagements. Our red team even occasionally sends phishing emails to employees to test whether they follow security protocols. This is a routine operation for exchanges. However, this incident was different; the hacker did not breach our internal systems. You could say we had placed the funds in a service provided by Safe; the biggest challenge was the external issue. To address your question, it wasn’t an internal attack; it was through the external multi-signature process. We have four people responsible for signatures, including myself; I cannot disclose the others, but they are all at the same level. What’s perplexing is that we all operated in different network environments, and our computers are regularly checked, yet we found no evidence of Trojans. We did not sign in the same location or even the same country; one person would sign, and then the next would follow, each time verifying URLs and similar aspects. So now we are still trying to figure out which link failed.
I’m collaborating with Safe, but I’m not blaming them; we are uncertain about where the problem lies. They haven’t identified the cause, and we don’t know. The final conclusion remains unclear regarding how this issue occurred.

Discussion on Asset Security and Team Response

Colin: I have another question that I’m not sure if Bybit can address: What is the scale of your own assets used for liquidity or reserves? As previously mentioned, Bybit’s annual profit might be around $1.5 billion, but you must allocate some for dividends or other expenses yearly. Does the company’s overall assets cover this $1.5 billion gap?

Ben: The company’s assets are definitely greater than that amount. I posted on Twitter, and you can check; our auditing firm has already spoken up. This firm has reviewed our finances and company accounts. There’s a message on my Twitter from Hacken, who helped audit us. They have seen our funds accounts, which is our treasury account. They immediately expressed their willingness to speak on our behalf but needed our consent. At that moment, I was busy, and after two or three hours, I agreed, and they issued a statement confirming they audited our treasury and verified that our cash and token reserves can fully cover the $1.5 billion loss.

Colin: So, overall, how is the morale within the company right now? What is the state of the employees following this incident?

Ben: I feel fortunate that our team’s execution and culture have impressed me. After the incident, nearly everyone rushed to the office almost immediately. Bybit operates in a centralized manner; I was live streaming in Singapore, and our entire floor there was nearly filled with people. The security team, streaming team, media, public relations, and even legal were all online. The Singapore police arrived within a few hours after we reported the incident, and even Interpol came this morning.
The overall response speed was very quick; at least the dozens of people who report directly to me were up all night contacting various parties. I think the hardest hit was the customer service team, which was entirely online to address client inquiries. The risk control personnel also worked tirelessly handling withdrawal requests, and almost all department heads were on duty. The product and tech teams were also maintaining system stability; we were concerned that this incident could lead to other systems collapsing. I sent an internal email to the entire company, stating that the next 24 to 48 hours would be very challenging, but I hoped everyone would remain calm and handle this matter professionally, while also being available for clients to reach out to us. I believe online presence and accessibility are the most important elements at such times, including for our institutional team, as many institutional clients were also worried. I just managed to get two hours of sleep, and some others have managed to rest a bit. Overall, the state is quite energized, as there are still many issues to resolve. I think the most difficult moment has passed; liquidity has been completely restored. Now, client deposits and withdrawals are operating normally, just like before.

Colin: Understood. This suggests that the next steps might be more critical in two aspects: first, a comprehensive security review, and second, restoring institutional and user trust, focusing primarily on these two areas, correct?

Ben: Yes, I think you’re right. The first immediate issue is what to do about our Ethereum multi-signature. We are still using Safe, but we have moved funds to our hot wallet, which clearly isn’t a long-term solution, so we need to solve this. The next step will certainly involve business aspects; we will evaluate the overall impact of this incident through influence reports from our internal BI team and then formulate our next operational plans.
Mirror: I just checked the statement Ben posted from Hacken, which mentioned a market value of $7.9 billion. What does this refer to? Is it the previously mentioned Bybit’s own assets or client assets?

Ben: Hacken helped us with the audit, separating user assets and our internal assets. They publicly disclosed the client asset portion but also reviewed our internal funds. However, specific numbers were not published because that is internal data. What they committed to was that they have verified our assets, ensuring that we can fully cover the loss from this incident. That was the content of their post.

Ben Thanks Industry Support and Commits to Continuous Security and Crisis Management Optimization

Colin: Ben, I’ve seen many people online, particularly founders of projects in the Chinese-speaking community and in Western communities, are quite supportive of Bybit. For instance, Du Jun and Yuan Jie are also returning Ethereum to Bybit accounts. Do you want to express your gratitude to them?

Ben: Yes, I am genuinely grateful. During this incident, many partners stood up, some even being on standby at any time. From wallet-related services like Fireblocks, Chainalysis, to other teams — I can’t remember all of them right now because some contacted me directly, and others reached out to our team. Overall, we felt the support from the entire industry at various levels, all helping us in diverse ways. As you mentioned, several well-known domestic platforms, such as Bitget, MEXC, and Huobi, proactively contacted us, directly providing lending support. Binance also reached out to us, and we are still in communication, but ultimately, we have borrowed enough funds, so we did not trouble them further. Other exchanges, our partners, and various networks and market makers have also been providing assistance. So I am truly grateful for that.

Colin: Yes, we hope that Bybit can recover from this incident. After all, the loss is quite significant.
Do you think this incident will have any impact on Bybit’s future development? Will it lead to changes in your thought process, or will there be specific adjustments in the future?

Ben: To be honest, I haven’t had the chance to think deeply about this yet. However, it will undoubtedly have a significant impact on us. From a security perspective, for instance, concerning wallet deployment, we may become more cautious. During this crisis response, we also identified several optimization issues. For example, the performance of our deposit and withdrawal systems under high traffic conditions, and the risk control system became somewhat chaotic under a large number of tags, leading to overall efficiency not being ideal. Also, while our P-1 level response was rapid — we have rehearsals, and with a button press, almost everyone in the company receives phone calls and text notifications to quickly go online — there were some areas, such as during such a significant event, whether the security leader had clear division of responsibilities. We will perform a complete review of these aspects and optimize internal management. Overall, the silver lining in this unfortunate event is that we could handle it. I can’t imagine what would have happened if the loss had reached $10 billion; we might have had to consider selling the company. But this time we managed to withstand it, so I haven’t thought that far ahead. However, from this perspective, we will adjust all processes to ensure that if such an event occurs again, we can endure it and make some changes accordingly.

Colin: Yes, many people say that Bybit has historically not experienced such incidents, unlike other exchanges, at least not publicly disclosed thefts. However, this incident has become the largest in history. Could it be that because you hadn’t encountered such an issue before, there was some complacency internally?

Ben: I believe there are definitely areas where I could have done better.
For instance, our cold signatures could have been distributed across several wallets rather than placing all of our Ethereum in one wallet. This time, we were fortunate that our USDT was also in one of Safe’s wallets, totaling around $3 billion, which is twice the amount of Ethereum. But that wallet, due to the ample USDT reserves, basically remained untouched. I guess the hacker might have lost patience after waiting for a while or was afraid to touch the USDT because it can be easily frozen. Therefore, in retrospect, there were several straightforward methods to avoid this. First, why place $1.5 billion in one wallet? Couldn’t it be divided into five? At least the losses wouldn’t be so concentrated. Perhaps because we had never been hacked before, we were overly confident in our deposit and withdrawal system and didn’t think much about this aspect, focusing more on the signing environment and computer security. I think this requires a mindset shift; it’s no longer about how to avoid being hacked forever but rather how to ensure that if we are hacked, the losses are manageable and do not leave us with nothing.

Colin: Yes, although the amount is significant, as you mentioned, the silver lining is that the company can still hold on. We hope that you can recover soon.

Ben: Thank you all for your support.

Supplementary Information

In the official live broadcast room of Bybit after the incident, Ben and Shunyet also introduced other details related to this incident:

Bybit uses Safe as the multi-signature solution for its Ethereum-related cold wallets. Ben Zhou was the last signer and used a Ledger hardware device for signing. It was found that the cold wallet was emptied 30 minutes after the signing.

The withdrawal service remains open continuously. Withdrawals of Bitcoin, stablecoins, SOL, etc. are normal. Ethereum withdrawals are delayed due to insufficient liquidity. Approximately 70% of the withdrawal requests were processed within the first two hours.
Efforts are being made to obtain bridge loans to solve the problem, and bridge loans have already been obtained for about 80% of the stolen Ethereum.

Except for the Ethereum-related businesses, other products and services are basically normal. Market makers and partners have provided support, and products such as the Bybit Card and P2P are operating normally.

Bybit has a 1:1 reserve mechanism. With total assets of approximately $20 billion, it can cover the losses. Customers’ funds are safe, and the losses will be borne by the company’s treasury.

The Bybit treasury is mainly composed of the assets of its partners and Bybit’s retained earnings. It is an insurance fund owned by the company’s partners, who keep their assets within the company. Currently, all the assets of the exchange are disclosed through the monthly Merkle proof of reserves. Usually, some of the counterparties and the size of the treasury are disclosed.

Most of the assets in the treasury exist in the form of tokens, mainly Bitcoin and stablecoins, not all of which are Ethereum. This has also led to a liquidity shortage of Ethereum tokens. However, other collateral such as Bitcoin and stablecoins can be used to obtain bridge loans to meet the withdrawal demands.