Wu Shuo talks with Bybit: Detailed explanation of the reasons for the theft of $1.5 billion, rescue progress and future arrangements

吴说

Original editor: Wu Shuo Blockchain

This Space revolves around the hacker attack Bybit recently suffered, the largest in the history of cryptocurrency, which the hosts also describe as the largest theft in human history. Colin of Wu Shuo talked with Bybit executive Shunyet Jan and CEO Ben Zhou about the details of the incident and the subsequent rescue. The incident involved the theft of Ethereum worth about US$1.5 billion, suspected to be the work of the North Korean hacker group Lazarus Group. Bybit restored full withdrawal functionality within 12 hours by giving priority to retail investors, restricting institutional customers in tiers, and relying on liquidity support from exchanges and OTC service providers such as Bitget. The liquidity problem has been solved, but the possibility of recovering the stolen funds is extremely low. The company is working with security teams to investigate the root cause of the vulnerability, which involves either technical problems or a potential internal error at Safe, the multi-signature cold wallet supplier. Bybit emphasized that it will rebuild user trust by improving security measures, optimizing risk control processes and communicating transparently. At the same time, it admitted that the incident exposed shortcomings in its internal processes and crisis management, and said it will conduct a comprehensive review and make improvements.

The audio transcription was produced by GPT and may contain errors. Please listen to the full podcast:

Xiaoyuzhou | YouTube

70% of Ethereum spot inventory was stolen, and the liquidity crisis has been resolved through lending and other means

Colin: Mr. Zhan, one of the things that everyone is most concerned about is the current situation of Bybit. For you, is the current liquidity completely perfect? Or is there still some liquidity gap?

Shunyet: Okay, what was stolen was only our Ethereum spot inventory, which accounted for about 70%. Because many customers had needs during that period, we suspended a lot of operations and allowed withdrawals in batches according to customer levels. So at that time, retail investors could basically withdraw their coins normally, but Ethereum could not be withdrawn. During that period, our inventory was indeed insufficient and customers could not withdraw it. For this, we would like to thank Grace, as well as exchanges such as Bitget and Matcha, and some market makers, who helped us gradually replenish our inventory. Some were through lending, some were direct exchanges, but mainly relied on the bridge model. Later, we met the withdrawal needs of all customers, and it was fully opened about 12 hours later, and even institutional customers could withdraw their coins. Now, our spot liquidity is no longer a problem.

Colin: Right, so your initial strategy was to prioritize retail withdrawals while communicating with institutional clients, right? But now it’s fully open, right?

Shunyet: Yes, it is completely open now.

Colin: So the main liquidity gap is concentrated on Ethereum, right? In addition to Bitget and Matcha, which other institutions have provided you with help?

Shunyet: I am not sure whether it is convenient to disclose the specific names, but the large OTC market makers that everyone knows are basically involved in supporting us.

Colin: Grace (Bitget CEO) mentioned earlier that the funds provided by Bitget do not require any collateral, no interest, and even no clear requirements for the repayment time. But not every company is like this, right? Have other institutions put forward some relevant conditions?

Shunyet: Yes, we have to thank Bitget again. Other OTC market makers may require some collateral. For example, we can use the company's treasury as collateral, which is enough to cover the $1.5 billion gap. So we will borrow Ethereum in a controllable way, such as pledging USDT or Bitcoin. But in comparison, Bitget's assistance amount is large and does not require any collateral, which is very prominent.

Colin: So at present, you think the whole incident has basically subsided, right? In addition, your liquidity is no longer so tight. Is it because the overall atmosphere has eased, especially the willingness of institutions and large investors to withdraw coins is not so strong?

Shunyet: Yes, we have many big clients here. Some of the so-called big clients have large trading volumes, while others have stored a lot of assets on Bybit. For those clients with large trading volumes, we have observed that because most of them are market makers, they may reduce some operations according to fund strategies, but still one-third to one-half of the funds remain on the exchange. As for those clients who hold a large amount of assets, their attitudes are basically divided into two types: one part completely trusts Bybit and does not move the funds; the other part may transfer the funds to other places in the short term. However, I think our peak period is completely over now.

How to restore user trust after a crisis: transparent review, publicizing the causes and strengthening safety measures

Colin: For Bybit, Grace seemed to have mentioned before that the funds stolen by the hackers this time are roughly equivalent to your annual profit. So at present, from the perspective of security companies or other institutions, this money is likely to be stolen by North Korean hackers, and it is unlikely to be recovered, right? Is this judgment relatively certain?

Shunyet: We certainly hope to recover it, but from the history of Lazarus Group, there are very few successful cases of recovery. I remember that the only part of them that was recovered before was that they withdrew some coins, such as USDT or USDC, which can be frozen and then destroyed again. But Lazarus Group may make some small mistakes in the early days, such as depositing funds in small exchanges. At that time, Ben had a good relationship with the leaders of various exchanges, and everyone was willing to help freeze these assets. But now, I think Lazarus Group will no longer make such low-level mistakes, so the possibility of recovery is indeed very low.

In addition, I have seen many people discussing that Lazarus Group now seems to be the 14th largest Ethereum holder in the industry. Some people have raised the question of whether a fork is needed to solve this problem. Because it does not look good for a sanctioned entity to become the 14th largest holder. However, this is not my focus. We are also observing, but this is not something we can decide.

Colin: I see. Another point, are you worried that after this incident, the reputation of the entire company and even the exchange will be damaged, and the trust of users and institutions will decline? Although we know that security issues may be a challenge that every exchange will face and it is an ongoing issue, many institutions and individuals have complained that Bybit’s security may not be good enough. Will this cause them to no longer trust you in the future?

Shunyet: Well, okay, I look at this from another angle. I only joined Bybit at the end of August last year. Before that, my company was one of the top three customers of Bybit, and I myself worked as a market maker. At that time, I also witnessed the situation of other exchanges, such as KuCoin, Binance, and of course the collapse of FTX. Now it seems that Binance is in a good situation. We have observed the situation of many exchanges, and we have to admit that although the trust of some users may be shaken, our response is to be transparent first. We will first investigate what went wrong - is there a loophole in the cooperative system, or is there something wrong with our internal rules, or is it a problem in the finance department, such as why the assets are not dispersed across multiple systems? We will conduct a thorough review internally and then make a decision.

Once we have sorted it out, we will definitely make it public so that we can rebuild trust. I think that to save the situation, the functions, products and ecology of our exchange are still very advantageous, but the most important thing now is trust. We have not been hacked before, so we have not encountered this problem, but now the first priority is to regain trust. To do this, we need to be very transparent and explain to everyone why the incident happened and what preventive measures we will take in the future. I think the company has already invested a lot of resources in this regard, but it may need to do more in the future.

Colin: Got it. Another question, you just mentioned that Bitget offered free support. I see many other exchanges, such as Binance, OKX, etc., have also offered to provide liquidity support. Have they contacted you, or have you contacted them?

Shunyet: Yes. In fact, I saw in some groups that many exchanges have offered to help. However, some may ask for a deposit or interest. Many OTC service providers have been working with us for a long time and know our profitability. They think that although the amount of money in this hacker attack sounds large, it is at most our profit for a year. So everyone thinks that we are still trustworthy and the situation is not that bad.

Of course, Bitget's assistance is relatively large and the conditions are more relaxed, which is very prominent. But there are many other institutions that have also provided support. I have been through similar situations before, such as when I worked on Wall Street during the 9/11 incident. At that time, Lehman Brothers even lost its office, and other companies took the initiative to lend offices to competitors. So this time, I was really happy to see that many of our competitors stood up in recent days and said, "Do you need any support? Is there anything we can help with?" This is not just for customers, but this attitude is also shown among competitors. I think this kind of cohesion is really special in the cryptocurrency industry.

Colin: Yes, I understand. Users may think it is too early to discuss this, but I see some users asking, what are the ways Bybit will regain user confidence in the future? I think it is a bit early to talk about this now. What is your current goal for this matter? What do you need to do next? Do you have a plan, or can you reveal something?

Shunyet: We are still working on it, but the first thing I just mentioned is to put trust first. To rebuild trust, our security must be greatly improved, which is the first step. In addition, we will return to Bybit's original organic growth model. We understand the needs of retail investors very well and are good at serving retail and VIP customers. I think time is the best tool. As long as we handle this matter well, trust will naturally come back.

Colin: I see. So how is the morale of the entire company now? Facing this largest theft in human history, how is the state and morale of the employees within the company?

Shunyet: Ben is a very special person. He always focuses on how to solve problems. He will ask everyone: What is our current problem? For example, is it a lack of inventory, a lack of trust, or something else? Each of our departments will set up a special team to solve each problem. Now the focus is that we need to deeply understand what went wrong - is there a problem with our SOP (standard operating procedure) or a problem with the partner? Solve these problems first.

The second step is that after security is improved, we need to ensure better liquidity. Customers come to our platform and need good liquidity. So we will communicate with various market makers to see what support they need and what special assistance methods can be used in the short term to do this well, so that the user experience can gradually return to its original level. This is our most direct direction forward.

In addition, we are also considering some partners that we may not have expected. Because of this incident, we may need to re-process some matters and even disclose more information to everyone. For example, our proof of reserves was originally updated once a month, and now we are considering issuing another one after this incident is handled. We take these actions to enhance transparency.

Discussion on security improvements: multi-signature management, approval process, and employee management

Mirror: Because this security incident involves the issue of multi-signature, I would like to ask, do you have a special upgrade plan for multi-signature? How will you deal with it later?

Shunyet: Okay, we have always felt that the security issue of multi-signature is not too big, because we use tools like Safe, which should be quite reliable, right? However, after this incident, we did propose several solutions. First of all, no matter which technology is used, we think it is very safe, and we will continue to use a variety of different methods. In addition, in terms of multi-signature management, the signature authority is now concentrated in the hands of four or five people, and it may be dispersed in the future, such as assigning the authority of different currencies to different people. In addition, cold wallets must be dispersed in the future, and such large assets can no longer be placed in one wallet. These all seemed simple to us when we were discussing them, but thinking about it afterwards, why didn't we think of them before? But this is what we will definitely do in the future.

Mirror: I see. Have you ever considered adding the addresses of cold wallets and hot wallets directly to the whitelist and then fixing them?

Shunyet: This is something you can consider, but sometimes this will reduce flexibility. However, this is indeed a solution.

Mirror: Yes, that's right, because I saw many people proposed that you can do a rehearsal first to see if the execution result is transparent. I also think we can go a step further, such as doing a check before executing the signature, directly analyzing and parsing the bytecode in detail, and then doing some rehearsals. This may alleviate the risk of such attacks.

Shunyet: Well, I will indeed bring this suggestion to our security department for discussion. My background is more towards trading, so I will leave this aspect to the professional team to evaluate.

Mirror: There is also a previous incident, the incident in 2022 where an employee modified the Excel table data - although it was not considered theft. After that incident, did you upgrade the entire CRS (customer relationship system) process?

Shunyet: Yes. I think that many times, when we find a problem, we need to make improvements. That happened a long time ago, and we almost fixed it at that time. Now we have more control measures in our approval process. Because at the beginning, I also encountered this situation. Many exchanges have advanced technology, but the systems or processes in the middle and back-end are relatively simple. Our company has grown very fast, and some places have not been done well, but now all departments have adjusted. Even some very simple internal affairs need to go through the approval process. Sometimes it feels a bit annoying, but this way I won’t encounter similar problems again.

Mirror: Yes, because this is actually quite critical. Exchange business involves funds, and the things to be checked may be more complicated. I have another question. Many people mentioned Bybit this year, and the actual situation is the same. It seized a lot of dividends and became one of the three major exchanges. Will this lead to a substantial expansion of your staff? Will it have an impact on the existing risk control structure?

Shunyet: In fact, Bybit has fewer employees than some of our competitors because we pay great attention to selecting people who fit the Bybit culture. Not just anyone can join, so our recruitment process is relatively long. Our business is developing very fast, but the speed of introducing talents is sometimes slower than the business growth. However, whether it is risk control, business or product, we insist on doing so.

Will work with external teams to track funds, the possibility of rolling back Ethereum is low

Mirror: OK, then I will continue to ask. Mr. Zhan just mentioned that the money may not be recovered, but after reading some discussions in the community and the hacker's operations, I think that even if it cannot be recovered, the probability of the hacker taking away the money completely is not high. However, I saw someone in the community saying that the hacker is doing some self-destructive operations on this Ethereum, and I would like to ask Boss Ben to confirm.

Ben: I can tell you what we are doing now. Our security team has contacted several external partners, and the well-known domestic SlowMist is also cooperating with us to conduct global tracking, including working with on-chain analysis companies to trace back what happened at the time, trying to figure out how this hacking incident happened. So far, there is no conclusion, because there are several suspicious points in this incident that are different from the past. First of all, it is not our hot wallet system that has a problem, but our supplier Safe, which is used to store multi-signature cold-signed Ethereum, has a problem. We are not sure whether there is a problem with their server or the user interface of each of our signatures. This is the first direction we are investigating. As for the fund tracking you mentioned, from our perspective, it is not so easy for these Ethereum to be laundered. I think this is a long process, and hackers will slowly try various money laundering methods. This incident is large in scale, but what makes me feel fortunate is that the entire industry is very united and everyone is helping us, and we are very grateful.

In fact, as long as the hacker transfers the funds to a cross-chain bridge, we can locate it almost immediately, and then ask the cross-chain bridge to help freeze it. So I think it will take a long time to completely clean up the $1.5 billion. Secondly, we didn't see any signs of self-destruction. He went to so much trouble to steal it, why would he self-destruct?

Colin: It wasn't self-destruction, Mantle rescued the money.

Ben: Yes. If the hacker tries any re-staking protocol now, we should be able to take some measures to deal with it. So he is also confronting us now. We have hired a bunch of people to keep an eye on him, and he is in a bit of an awkward situation now. Finally, some people, including some top projects and several big Vs on the Internet, have raised the question of whether Ethereum can consider a rollback as a whole. But most people believe that the last rollback was because 30% of Ethereum was stolen, and although the amount we have this time is large, it only accounts for about 0.3% to 0.4% of the total, so they should not consider rolling back. But we are also trying to contact Vitalik (founder of Ethereum) to see if he can give us any advice.

Colin: So would you ask or request him to do the rollback?

Ben: We will beg them to lend a helping hand, haha. But whether they can cooperate or not depends on their consideration.

Specific responses to the crisis: how to restore liquidity, optimize security strategies and follow-up plans

Colin: Ben, I actually asked Mr. Zhan just now. Do you think liquidity has been fully restored now? Including what Grace mentioned before, you may not need external support anymore.

Ben: Yes, I have to thank those partners who quickly offered a helping hand. Bitget should be the first one to help us, and they didn’t ask for any conditions at all. They really came to our rescue without even signing a contract. Thank you very much. And Matcha and Pie Network, these three companies have been lending us Ethereum, which really helped a lot.

Now our overall situation is completely stable. In about 12 hours, our deposit and withdrawal levels returned to normal. I posted a message on Twitter at the time that our withdrawal system no longer has any backlogs and all withdrawal requests have been processed. Compared with the second hour after the incident, which was the peak period, the system is not facing withdrawal pressure, but the problem of overall pressure resistance.

The withdrawal system had never seen so many people withdrawing money at the same time. At that time, we did system maintenance, adjusted the on-chain handling fees, optimized the risk control system, and handled a lot of related matters. At the same time, we contacted people in the background to borrow Ethereum to fill the gap. Now, the entire liquidity is completely fine.

Colin: Have you ever practiced similar scenarios before? For example, if something like this happens, what are the first and second steps?

Ben: Yes, I think many people, including most of the comments online, said that although this incident was unfortunate, our crisis public relations was not bad. Some people said that I was relatively calm when giving orders. I don’t think it was because of my personality, but because we had many tools to keep me calm. Our risk control level and the financial status of the financial system are accurate to the minute, so we know at any time what stage the system is running and what the customer’s withdrawal status is.

This allows us to handle things in a more orderly manner. These digital and visual dashboards allow us to plan the next steps step by step. For example, when withdrawing funds, we first deal with small customers, let them withdraw all their funds, and then gradually move on to the back. In addition, we will adjust according to the situation of different chains - which chain has funds, which chain does not, and how to allocate them. In my opinion, it is the data that allows everyone to advance the subsequent work in an orderly manner. In contrast, FTX was in a mess at the time, probably because they did not have any tools to assist in decision-making, which was unfortunate. Of course, at the company level, we have conducted drills for all crises, whether it is theft or system crashes, and there are so-called P-1 drills internally every month.

Colin: I see. So what are the next plans at this stage? For example, in the next day, three days, week, or month, do you have any important steps to be carried out one by one?

Ben: Yes, now we have several different links. First of all, in terms of security, the first step is to find out what happened. The second step is to track the funds. We will cooperate with external teams and even collaborate with Safe to figure out what happened and try to control the losses (damage control). Secondly, in terms of finance, for the funds we have temporarily borrowed now - not a cross-chain bridge, but a bridge loan in English, or a temporary loan in Chinese - we will repay the money as soon as possible through OTC transactions and other methods. At the same time, we are now more concerned about the changes in the withdrawal level, but at present, the panic of customers has passed.

From a business perspective, we are most concerned about the impact of this incident on the business, such as how many users, VIP customers, and institutions we have lost. We hope to make the next decision based on the impact report as soon as possible. For example, which country has the most users lost? How can we let users in these countries understand the current situation and know that there is actually no problem with our platform, and our hot wallet and data system are operating normally. This area will also be based on data to promote the next step of the plan.

Colin: OK, I understand. In fact, the first person that everyone discussed the most was CZ (Changpeng Zhao, founder of Binance). He suggested that you suspend withdrawals. I guess he might want you to do a security check to prevent other loopholes. I don’t know why you didn’t adopt his advice at the time. What was your consideration? Are you worried about other potential problems?

Ben: Yes, in fact, CZ and some other friendly companies, such as Binance, all sent signals of willingness to help. However, it took me about half an hour to notice their message because Twitter was blown up and I was still busy with live streaming. I think from their perspective, this suggestion is normal. If you don’t know the specific circumstances of the hack, you might think that there is a problem with our hot wallet. If it is really a problem with the hot wallet, then all withdrawals must be frozen. But our incident is different. There is no problem with our withdrawal system at all, and the internal system is running normally. It’s just that the tool used for multi-signature was stolen - you can understand it as an external tool that has a problem. So the rest of our parts can operate normally and there is no need to spend extra energy to shut down. After locking the problem in the first time, SlowMist said at a glance: The rest of your parts are completely fine. So we can make this decision with confidence.

In contrast, when other exchanges were hacked, it was mostly due to problems with internal code or processes, or even employee operations. But we ruled out these possibilities immediately because the signatures were all handled by founders like me, and internal problems were directly denied. This allowed us to maintain the normal operation of the deposit and withdrawal system with confidence. So I think there is nothing wrong with CZ's suggestion, but our situation is different.

Analysis of the source of security vulnerabilities: Insider, Trojan, Bybit internal or Safe code base vulnerability?

Colin: There is another point. Although the final security report has not come out yet, there is a saying that the user interfaces of several of your people have been attacked. Could there be an insider or something like that?

Ben: Yes, I think every possibility should be ruled out one by one, and it has not been completely ruled out yet. The first thing we did was to collect evidence, back up the computers of each operator, record all the operation links of the parties involved, and preserve the evidence. These data will be handed over to the police, external security assistance parties and our internal investigation team for use. Now it seems that all operations are not much different from before. But the strange thing is that there are several links in our security protocol that must be checked, such as URL, and we have done all of these.

As of today, I am not sure whether Safe's multi-signature system is still frozen. They may still be investigating. They dare not draw a conclusion immediately. Is it that their server was hijacked and affected us, or is it that there is something wrong with each of our computers? Moreover, we found that everyone is in different locations and different network environments, and it feels difficult to be remotely controlled. There are various possibilities, but we can't determine which one to exclude now, so we are still investigating.

Mirror: So, Boss Ben, you mean that no traces of Trojans were found on the device, right?

Ben: Yes, we checked and found that there were no Trojans on the computers of all the people who signed. Of course, this was the result of our security team's first investigation. We are not sure whether there are any particularly powerful Trojans that we have not found yet. So we collected evidence first, sealed all the computers, and left behind the images and other data.

Hao: I saw that Safe seemed to have issued a statement saying that their code base has no vulnerabilities. I was wondering, if it was a common APT (advanced persistent threat) attack, such as a penetration attack, assuming that the terminal of one of your employees or executives was breached - for example, through social engineering phishing - that is just an access point to the intranet. I am curious, how could the hacker penetrate from a small point in the intranet to such an advanced system? In this process, did your security warning mechanism fail? There was no warning for such a long time? Will you conduct targeted investigations next time?

Ben: First of all, I want everyone to understand our situation. We have a complete withdrawal system, including hot wallets and warm wallets. Hot wallets automatically process withdrawals, while warm wallets require manual signatures. This is a system we developed ourselves. When we have some extra reserves, they are placed in cold wallets. You can think of cold wallets as HSBC. This incident was caused by a problem with HSBC - when I took the money back, it was intercepted and all was stolen. So the hackers who just mentioned infiltrating our system are actually not there. This is why we can keep withdrawals uninterrupted, and there is no problem with our normal internal withdrawal system.

We do face penetration attempts frequently. We have a whole set of protection measures, such as setting up a lot of honeypots in the system, and the white hat team and the red and blue team attacking and defending each other. Even our red team will send phishing emails to employees from time to time to test whether they are operating according to the security manual. This is the daily work of the exchange. But this time is different. The hacker did not break into our internal system. You can understand that we put the money in Safe, a cold wallet service provider. The biggest challenge this time is the problem outside. Back to your question, it was not attacked from our side, but through an external multi-signature link. We have four people responsible for signing, including me. I am not convenient to disclose the other few, but they are all people of this level.

The weirdest thing is that we were all in different network environments, and our computers were checked regularly, but no Trojans were found afterwards. We were not in the same place or even in the same country when we signed. One person signed and the next one signed, and we checked the URL and other things every time. So now we are still investigating which link went wrong. I cooperated with Safe, but I am not blaming them, and we are not sure where the problem lies. They didn't find the cause, and we don't know either. The final conclusion is still unclear, that is, how did this part go wrong?

Discussion Questions: Asset Protection, Team Response

Colin: I have another question, I wonder if Bybit can answer it: What is the scale of your own assets used for liquidity or reserves on a daily basis? As mentioned before, Bybit may have a profit of 1.5 billion US dollars a year, but you will definitely distribute dividends or use it for other expenses every year. Are the company's overall assets enough to fill this 1.5 billion US dollar hole?

Ben: The company's assets are definitely greater than this amount. I sent a tweet, you can go and see that our auditing agency has spoken out. This auditing agency has reviewed our financial and company accounts. There is a message on my Twitter that Hacken and its team did an audit for us. They have seen our fund account, which is the Treasury account. They immediately expressed their willingness to speak out, but they needed our consent. I was busy at the time, and after two or three hours I said no problem, and they issued a statement proving that they had audited our Treasury and confirmed that our cash and token reserves could fully cover the loss of $1.5 billion.

Colin: So for the company, how do you feel about the overall morale right now? How is the state of the employees?

Ben: I am very glad. I am very pleased with the execution and culture of our team. After the incident, almost everyone rushed to the office immediately. Because Bybit has a centralized office, and I was doing a live broadcast in Singapore at the time, our entire floor in Singapore was almost full of people. The security team, live broadcast team, media, public relations, and even legal affairs were all online. After we called the police, the Singapore police arrived at three or four in the morning, and even Interpol came this morning. The overall response speed was very fast. At least the dozens of people who report directly to me, whom I could see, basically did not sleep all night and kept contacting various parties.

I think the hardest working team is the customer service team, all of whom are online answering customer questions. Risk control personnel are also working hard to handle withdrawal requests, and the heads of the public relations team and other departments are almost all on duty. The product and technical teams are also maintaining system stability. At the time, we were worried that it would cause other systems to crash. I immediately sent an internal letter to the entire company, saying that the next 24 to 48 hours would be very difficult, but that I hoped everyone would remain calm and handle this matter with a professional attitude. At the same time, we must stay online so that customers can contact us. I think at this moment, being online and contactable is the most important thing, including for our institutional team, because many institutional customers are also worried. I have just slept for two hours now, and some people have also taken a short break. The overall state is still quite energized, because there are still many problems to be solved.

I think the most difficult time has passed, and liquidity has been completely restored. Now customers' deposits and withdrawals are completely normal, exactly the same as before.

Colin: I understand. In other words, the two most important aspects are: one is comprehensive security inspection, and the other is restoring the trust of institutions and users. We will mainly follow these two lines, right?

Ben: Yes, I think you are right. The first question is, what should we do with our Ethereum multi-signature? We are still using Safe, but we have moved the funds to our own hot wallet. This is obviously not a long-term solution, and we have to solve this problem. The next step is definitely at the business level. We will evaluate the overall impact of this incident through the impact report of the internal BI team, and then formulate the next operation plan.

Mirror: I just saw the Hacken certificate sent by Boss Ben, and it says the market value is 7.9 billion US dollars. What does this refer to? Is it Bybit’s own assets or customer assets as mentioned before?

Ben: Hacken did an audit for us and divided the user assets and our internal assets into two parts. They published the customer assets, but also reviewed our internal fund pool. However, they did not write down the specific figures because they were our internal data. What they promised was that they had confirmed that they could guarantee that our assets could fully cover the loss. This was the content of the post they posted at the time.

Ben thanks the industry for its support and will continue to optimize safety and crisis management

Colin: Ben, I see that many people online, especially the founders of Chinese-speaking projects and Western communities, are very supportive of Bybit. For example, Du Jun and Yuan Jie are also transferring Ethereum back to their Bybit accounts. Do you want to express your gratitude to them?

Ben: Yes, I really appreciate it. In this incident, many partners stepped up, and some were even on standby. From wallet-related companies such as Fireblocks and Chainalysis to other teams (I can't remember who they all are now, because some people contacted me directly and some contacted our team). In short, we felt the support of the entire industry at different links, and they are helping us in various ways. The well-known domestic platforms you just mentioned, such as Bitget, Matcha, and Pie, have all contacted us and directly provided lending support. Binance has also contacted us, and we are still communicating, but in the end we had borrowed enough money, so we didn't bother them again. There are also other exchanges, our partners, and various networks and market makers, almost all of which are providing assistance. So thank you very much.

Colin: Yes, I hope Bybit can recover from this incident. The loss is huge after all. Do you think this incident will have any impact on Bybit's future development? Will it bring about some changes in thinking, or will there be any specific adjustments in the future?

Ben: To be honest, I haven't had time to think deeply about this issue, but it will definitely have a big impact on us. From a security perspective, such as wallet deployment, we may be more cautious. We also found some problems that can be optimized during this crisis response. For example, the performance of the deposit and withdrawal system under high traffic, and the risk control system is a bit chaotic when there are a large number of tags, resulting in less than ideal overall efficiency. In addition, although our P-1 level response is very fast (we have drills: press a button, and almost the entire company receives phone and text message notifications and goes online quickly), in some links, such as when such a big incident occurs, does the security person in charge have a clear division of labor? We will do a complete review of these later and optimize internal management.

Overall, the silver lining is that we can still handle this incident. I can't imagine what would happen if the loss reached $10 billion. I might have to consider selling the company. But we can handle it this time, so I haven't thought that far. But from this perspective, our next step will be to adjust all processes and make some changes, so that if such an incident happens again we can see whether we can handle it.

Colin: Yes, many people say that Bybit is not like other exchanges in history; at least no similar theft has occurred according to public disclosures. But this time it became the largest theft in history. Could it be that because it has never happened before, internal vigilance had been relaxed?

Ben: I think there must be something I didn't do well. For example, our cold signatures can be dispersed across several wallets, so we don't have to put all the Ethereum in one wallet. Fortunately, our USDT is also in a Safe wallet, which is about 3 billion US dollars, twice that of the Ethereum. But that wallet has been basically untouched because of sufficient USDT reserves. I guess the hacker may have lost patience after waiting for a while, or did not dare to touch USDT because USDT is easy to freeze. So in hindsight, there are several simple ways to mitigate this.

First, why put $1.5 billion in one wallet? Can't we divide it into five? At least the loss would not be so concentrated. Maybe because we had never been stolen from and were too confident in the deposit and withdrawal system, we didn't think much about this link and paid more attention to the signing environment and computer security. I think this is a change in thinking. It is no longer about how to never be stolen from, but assuming that we will be stolen from, how to ensure that the loss will not leave us with nothing, and to control it within an affordable range.

Colin: Yes, although the amount is huge, as you said, fortunately, the company can still hold on. I hope you can recover as soon as possible.

Ben: Okay, thank you all for your support.

Original article, author: 吴说. Reprint/content collaboration/reporting: please contact report@odaily.email; illegal reprinting will be punished by law.
