Bybit Crypto Exchange Loss: $1.5 Billion Stolen by North Korean Hackers


How the Crypto Exchange Bybit Lost $1.5 Billion to North Korean Hackers

On the night of February 21, Ben Zhou, the CEO of cryptocurrency exchange Bybit, logged into his computer to authorize what seemed to be a routine transaction involving a significant transfer of Ether, a widely-used digital currency. However, just half an hour later, Zhou received a distressing call from the company’s CFO, who informed him in a shaky voice that their system had been compromised. “All of the Ethereum is gone,” the CFO reported. This incident marked a dramatic turn of events as Zhou had unknowingly granted access to a group of hackers reportedly linked to North Korea, resulting in a staggering theft of $1.5 billion in cryptocurrencies—the largest heist in the history of the sector.

The audacious attack exploited a basic weakness in Bybit’s security setup: its reliance on a free software tool. The hackers gained entry through a publicly accessible system that Bybit used to protect hundreds of millions of dollars in customer assets. Although more advanced security tools were available from various firms, Bybit had continued to rely on this software, developed by a provider known as Safe.

This breach sent shockwaves through the crypto markets, causing a significant decline in investor confidence at a critical juncture. During the tenure of the crypto-friendly Trump administration, industry leaders had been advocating for new regulations in the U.S. to simplify the process for individuals looking to invest in digital currencies. Coincidentally, the White House was set to host a “crypto summit” with President Trump and key industry figures just days later.

Experts in crypto security expressed deep concern about what the heist revealed about Bybit’s safety measures. According to one security firm’s analysis, the losses were entirely avoidable; the incident “should not have happened.” While Safe’s storage tool is widely used in the crypto sector, it is better suited to individual users than to exchanges managing billions in customer funds, remarked Charles Guillemet, an executive at Ledger, a French crypto security company. “This really needs to change,” he asserted.

In the aftermath of the hack, Bybit faced a chaotic 48-hour period. Although the exchange managed up to $20 billion in customer deposits, it lacked sufficient Ether reserves to cover the massive loss incurred. In a bid to stabilize the situation, Zhou sought financial assistance by borrowing from other companies and tapping into corporate reserves to address an influx of withdrawal requests. Surprisingly, he appeared calm on social media, stating that his stress levels were “not too bad” shortly after the heist.

As the crisis unfolded, the price of Bitcoin, a key indicator for the industry, plummeted by 20 percent—the most significant drop since the collapse of FTX, the exchange operated by the disgraced Sam Bankman-Fried, in 2022. In a recent interview, Zhou admitted that Bybit had been alerted to potential compatibility issues with Safe several months before the incident. “We should have upgraded and moved away from Safe,” he acknowledged, emphasizing that the company is now actively seeking alternatives.

Rahul Rumalla, Safe’s chief product officer, responded to the situation by stating that his team had introduced new security features aimed at protecting users. He emphasized the importance of ensuring that the entire industry learns from this incident to prevent similar occurrences in the future.

Established in 2018, Bybit serves as a trading platform where both day traders and professional investors can convert their fiat currencies into Bitcoin and Ether. Many users regard exchanges like Bybit as informal banks, where they securely store their crypto assets. Estimates indicate that Bybit ranks as the second-largest crypto exchange globally, facilitating the processing of tens of billions of dollars daily. Headquartered in Dubai, the exchange does not provide services to customers in the United States.

On the evening of February 21, Zhou was at his home in Singapore, completing some work before two other executives joined him to authorize a cryptocurrency transfer between accounts. Such routine transfers are designed to be secure, requiring multiple sign-offs to prevent unauthorized access. However, unbeknownst to them, hackers had already infiltrated Safe’s system, as highlighted in Bybit’s investigation of the breach. They compromised a developer’s computer at Safe, allowing them to implant malicious code to manipulate transactions.

A deceptive link sent via Safe prompted Zhou to approve the transfer, which turned out to be a trap. Once he authorized it, the hackers took control of the account and executed the theft of $1.5 billion in digital assets. The rapid outflows were recorded on the blockchain, a public ledger that tracks crypto transactions. Analysts swiftly identified the perpetrators as the Lazarus Group, a hacking organization associated with the North Korean regime.

Following the incident, Zhou rushed to Bybit’s office in Singapore to manage the escalating crisis. He took to social media to announce the hack and activated a crisis protocol known as P-1, which involved alerting all leadership team members. Around 1 a.m., he appeared on a livestream on X, energetically consuming a Red Bull while reassuring customers of Bybit’s financial stability. “Even if this hack loss is not recovered, all of clients’ assets are 1 to 1 backed,” he stated, assuring users that the company could absorb the loss.

However, those assurances failed to quell the panic. Within hours, approximately half of the digital currencies deposited on the platform—amounting to nearly $10 billion—were withdrawn, leading to a further downturn in the crypto market. To mitigate the fallout, other crypto firms extended their support. Gracy Chen, the CEO of rival exchange Bitget, provided Bybit with a loan of 40,000 Ether, roughly valued at $100 million, without any interest or collateral. “We never questioned their ability to pay us back,” Chen remarked.

While managing the crisis, Zhou shared updates on social media, posting screenshots of a health app indicating that his stress levels remained surprisingly stable. “Too focused commanding all the meetings. Forgot to stress,” he wrote, adding a touch of humor to the dire situation. “I think it will come soon when I start to really grasp the concept of losing $1.5B.”

After the theft, the North Korean hackers dispersed the stolen assets across a vast network of online crypto wallets, employing a money-laundering strategy they had previously used following other cyber heists. “Lazarus Group is on another level,” observed Haseeb Qureshi, a venture investor, on social media following the incident.

Security experts attributed the breach to Bybit’s inadequate risk management. To authorize the routine transfer that led to the hack, Zhou used a hardware device made by Ledger, the crypto security firm. However, he noted that the device was not properly synchronized with Safe, so he could not verify the transaction details before approving it—signing without verifying is a practice that poses significant risks in the crypto landscape. “Safe just does not give you the kinds of controls that you would want if you’re going to be frequently making operational transfers,” explained Riad Wahby, a computer engineering professor at Carnegie Mellon University and co-founder of the digital security firm Cubist. Zhou expressed regret for not strengthening Bybit’s defenses sooner, stating, “There’s a lot of regrets now. I should have paid more attention in this area.”

Despite the setback, Bybit continued its operations post-hack, successfully processing all withdrawal requests within 12 hours, Zhou reported. Shortly after the breach, he announced on social media that the company was orchestrating another transfer of about $3 billion in crypto. “This is a planned maneuver, FYI,” he clarified. “We are not hacked this time.”