Original title: Bybit Founder: How I Survived The Biggest Crypto Theft Of All Time | E 110
Original source: When Shift Happens
Original translation: TechFlow
Guest: Ben Zhou, Bybit CEO
Moderator: Kevin Follonier
Podcast source: When Shift Happens
Air date: February 27, 2025
Introduction
A few days after Bybit suffered a $1.5 billion Ethereum hack, host Kevin spoke with the exchange’s CEO Ben. Through this conversation, we will learn how Bybit responded to the crisis and successfully processed 350,000 withdrawal requests in 72 hours, while quickly raising alternative funds to ensure uninterrupted operations. This interview provides us with valuable lessons on how to demonstrate leadership under extreme pressure and how to maintain user trust in the face of billions of dollars at risk.
Highlights from the interview
· What doesn’t knock you down will make you stronger;
· One of my biggest fears is not knowing my own limits. Another is letting down the people who believed in me.
· My goal is to ensure that our company still exists in 10 years;
· Stress comes from the feeling of powerlessness that problems are beyond your control.
· You must invest in your people and leaders;
· Bybit has never been the number one in the market, we are more like a dark horse;
· Transparency and timely communication are at the core of rebuilding trust, while maintaining a professional attitude at all times is fundamental to earning the respect of the community;
· Not your key, not your coin;
· When your assets reach a certain size, you become a potential target of attack, so it is very important to diversify the storage locations of your assets;
· Involving key players in signing will put them under too much psychological burden during a crisis;
· The beauty of our industry lies in transparency and direct communication between entrepreneurs and customers;
· Our company has an emergency mechanism called P-1 Event to deal with the most serious crises. We conduct drills every month to simulate various major incidents that may occur. We have a dedicated P-1 button that any employee can press. Once triggered, the system automatically wakes up all management and contacts them one by one by phone. If someone does not answer, the system automatically calls the next person in charge until someone answers;
· When people feel stressed, it’s often because they know something needs to be done, but they don’t take action. My approach is that as soon as something needs to be done, I do it immediately, so stress is not a problem for me;
· When facing a major crisis, the core of public relations is not the public relations team, but the founder and CEO themselves. If at this time, I let the public relations team draft information and release it through Twitter, or let the public relations staff speak out, it will only backfire. Because in times of crisis, the public will not trust the statements of a public relations team, they need to hear a direct response from the founder or CEO;
· Whatever emergency arises, I have to handle it on my own, with no one else to turn to. Instead of thinking about steps 1, 2, 3, I jump straight to the critical 4 or 5.
· Throughout the entire incident, we kept the withdrawal channel fully open and customers could withdraw their assets at any time. Even in the face of a bank run, we did not reject any withdrawal request;
· Centralized exchanges are still crucial to the entire ecosystem. Most people need centralized products to enter the crypto world. Users may participate briefly due to market hotspots, but there is no intermediate platform for them to gain a deeper understanding or use for a long time.
· Although this hack is regrettable, it also makes me more determined to fight hackers to the end. In addition, we plan to launch a dedicated website this week called HackBounty.com, which is an aggregation platform focused on tracking stolen funds. Anyone can post a bounty task on the platform and become a bounty hunter. Through this platform, we hope to help all victims track down stolen funds while increasing the sense of responsibility and transparency of the entire industry;
The fastest recovery in crypto
Kevin: How do you feel about what happened?
Ben: I think the positive thing about this incident is our transparency. We showed the world how to deal with crises in a professional way, which made many people regain confidence in us. As the famous saying goes, “What doesn’t knock you down makes you stronger.” So we have seen customers start to return, including some VIP customers and institutional partners. I think we have also taken some innovative measures, such as tracking the flow of funds, which is a new attempt in the industry. We plan to launch a new website. The entire team worked for two consecutive days after the hacking incident to develop this website, with the aim of helping future possible victims track the flow of funds. You will see that its functions are very special. Our design team has also put a lot of effort and made many very cool designs.
Strategies for dealing with a $1.5 billion hack
Kevin: Usually when a person encounters a hack or similar disaster, they go through several stages: feeling violated, angry, and frustrated, before they realize that they are the one in control of their own destiny and finally get back on their feet. You seemed to have skipped the first three stages and entered the last one. What was your first reaction when you learned that your exchange had been hacked and the loss was as high as $1.5 billion?
Ben: I got a call from my CFO, and when I got the call I realized something was seriously wrong. He told me that our wallet might have been hacked. I had just signed a transaction involving 30,000 Ethereum, and then I realized that the situation was worse than I thought. I asked him, “Have we been hacked?” He said, “Yes.” I asked again, “All 30,000 Ethereum is gone?” His voice began to shake, and he said, “More than that... It seems that the entire wallet has been compromised. About 410,000 Ethereum, with a total value of $1.5 billion.”
The next question I asked was, how did this happen? The security team told me that it was related to a transaction I signed, and they suspected that this led to a security breach in the wallet. I continued to ask, “Are other wallets safe?” They confirmed that only this wallet was affected. I repeated this three times because the answer was crucial to my next decision. If the problem has been controlled, I can focus on solving the current crisis; if not, I may need to shut down the system to prevent further losses. After confirmation, I learned that the problem was limited to a cold wallet and that the Genesis Safe provided by a third party had a vulnerability.
Next I asked, “Besides this compromised wallet, do we have any other assets under Genesis Safe?” They responded that there was a stablecoin wallet with a value of $3 billion. I immediately asked them to confirm that the $3 billion was safe. They eventually confirmed that the stablecoin wallet was not affected. At that time, I said to the CFO, “Can we use the company’s funds to cover this loss?” He said yes. I was relieved to hear this answer because I knew that the customer’s funds were safe and I didn’t need to sell the company or seek external investment. I immediately contacted the COO, I briefed her on the situation, and she immediately initiated the company’s crisis response procedures. Our company has an emergency response mechanism called “P-1 Event” to deal with the most serious crises. We conduct drills every month to simulate various major events that may occur.
Kevin: Can you give an example of previous P-1 incidents and how their scale compares to this one?
Ben: No incident can compare to this one. Previous P-1 incidents may be website downtime, trading matching engine failure, which prevents users from trading derivatives, or the withdrawal system cannot respond for a short period of time. According to our definition, any functional failure that affects more than 10,000 customers, or any incident that causes losses of more than $1 million, is classified as a P-1 incident. We have a dedicated P-1 button that any employee can press. Once triggered, the system automatically wakes up all management and contacts them one by one by phone. If someone does not answer, the system automatically calls the next person in charge until someone answers. At the same time, the team will be automatically assigned to an online conference room to start recording the incident, assigning tasks, and implementing solutions.
When making decisions, how do you balance judgment and procedure?
Kevin: Are you going to tell everyone what’s going on?
Ben: In this case, we explained the situation to the team and told them that we had been hacked. When facing a crisis like this, it is important to make sure that every member of the team knows what happened.
Kevin: You mentioned that your team has a complete set of emergency procedures. How important are these procedures in crisis management? Because although procedures are very important, judgment is also crucial in actual operations. In this case, what is the weight of judgment and procedures?
Ben: Judgment plays a big role in these types of incidents, because every crisis is different. In previous incidents, my role was more internal-facing. For example, when a website goes down, I usually make a short announcement to explain the problem to customers, such as our website is temporarily inaccessible, and the technical team is working on it. In this case, the customer is already aware of the problem, and we just need to confirm the problem and calm the customer. In fact, website downtime is one of the most serious situations for exchanges besides hacker attacks. You can imagine how much impact it would have on user experience and company reputation if a large platform like Binance or Bybit had a website outage.
When dealing with this kind of problem, my main responsibility is to work with the technical team to find the root cause of the problem. We need to investigate step by step. Is it a problem with the Amazon cloud server? Or is it a loading failure of the front-end page? Or is there a new vulnerability introduced in the code? Depending on the specific situation, we will shut down the relevant system for testing until we find the problem. But this hacker attack is completely different. Our system itself is operating normally, and users did not notice any abnormalities, but we suffered a loss of up to $1.5 billion. In this case, the traditional emergency template is no longer applicable. Faced with this unprecedented situation, we have to re-formulate a response strategy and rely entirely on judgment to deal with the problem.
Why don’t you feel stressed during a crisis?
Kevin: How do you make the right decisions in high-pressure situations? Are there any challenges you’ve experienced in your personal life or in your entrepreneurial journey that have helped you better deal with similar situations?
Ben: For me, I don’t feel stressed when faced with pressure or emergencies. When people feel stressed, it’s often because they know something needs to be done, but they don’t take action. My approach is that as long as there is something to deal with, I will do it immediately, so stress is not a problem for me. When the event happened, I clearly knew that there were some things I couldn’t control, such as a loss of $1.5 billion. This scale of loss is obviously beyond my current control, so I won’t waste my energy worrying about these unsolvable problems. The next focus is how to deal with possible bank runs.
Sooner or later, the market and users will learn about this incident. What do I need to do to calm the market and continue to build trust? Every step we take now will directly affect the fate of Bybit’s development in the next 5 to 10 years. My goal is to ensure that our company still exists in 10 years. We need to handle this matter with professionalism and transparency to show the world that we can deal with such a crisis. I quickly entered a combat mode. Since I was 12 years old, I left home and lived alone in New Zealand. At that time, I was without the company of my parents and needed to face various problems in life alone, whether it was adapting to the host family, school affairs, or emergencies in life.
So whatever emergency arose, I had to handle it on my own, with no one else to turn to. Instead of thinking about steps one, two, and three, I would jump straight to the critical fourth or fifth step.
Crisis public relations handling
Kevin: How do you manage PR? What steps do you take to avoid becoming a PR disaster in order to ensure Bybit remains at the forefront in the next 10 years?
Ben: A big problem is that many people think that if they have a PR department, they can leave all PR matters to them, but this is not the case. In the face of a major crisis, the core of PR is not the PR team, but the founder and CEO himself. If at this time, I let the PR team draft information and release it through Twitter, or let the PR staff speak out, it will only backfire. Because in a crisis, the public will not trust the statement of a PR team. They need to hear a direct response from the founder or CEO. When I realized that a bank run was about to happen, I knew that customers would have a lot of questions that needed to be answered.
So I first contacted my COO to make sure she could coordinate the team to handle customer calls and follow-ups, while keeping everyone focused on the next challenge. Then, I drafted the first tweet myself because I wanted all the media and the public to get accurate information directly from me. In fact, even my team didn’t fully understand the full picture at the time, and the PR team could only get details through second-hand information.
As the founder, I am the only one who has full control of the facts and can speak directly, so I have to take on the responsibility of public relations myself. In such an incident, the most dangerous thing is the lack of transparency of information and the spread of speculation. If the market begins to doubt that Bybit will close or that we will run away, it will be a devastating blow to the company.
Therefore, after my first tweet was published, we quickly organized an online live broadcast in about 40 minutes. In the live broadcast, I personally appeared on camera to explain the ins and outs of the incident in detail to the public. At that time, the team suggested using Twitter Space, but I insisted on choosing a live video broadcast. I believe that letting everyone see my face and explaining the problem directly to the public as a founder and CEO is the key to building trust. By facing the camera, I can convey real information to the outside world, showing that we have not concealed or evaded responsibility. This direct communication method is more effective than any indirect statement or speaking on behalf of others.
I was able to focus on the core work of crisis public relations because I had a strong team behind me. They took care of other matters, so I could focus on communicating with the public. This was not only about my personal efforts, but also the result of the efficient execution of the entire team.
Ethereum Shortage Crisis: How to Restore Market Stability?
Kevin: When facing a bank run, the first thing to do is to prevent the situation from getting worse. So what’s next? What other key partners do you need to contact? Who did you contact first? Why?
Ben: In the event of a bank run, the first priority is to build trust. I personally communicate to clients and the market that we are taking action. Despite these preparations, I know that a bank run is inevitable.
Kevin: What was the worst-case scenario that you were worried about at that moment?
Ben: The worst case scenario is that although Bybit’s customer assets are originally fully transparently backed 1:1, for some reason, we are short of Ethereum. That is, at that moment, we cannot fully meet customers’ demand to withdraw Ethereum. I hope that customers can withdraw funds, so that we can prove that our assets are indeed 1:1 backed. However, the problem is that the asset that customers want to withdraw the most is Ethereum, and we are short of this part.
Therefore, in order to quickly restore market trust and achieve my long-term goal of Bybit existing for 50 to 100 years, we must fill the gap in Ethereum as soon as possible. To solve this problem, I immediately assigned the financial team to contact partners to seek a bridge loan. This method is different from buying Ethereum directly on the market, because market purchases will cause prices to rise and increase our costs. The operation of a bridge loan is relatively simple. We use existing assets, such as Bitcoin and USDT, as collateral to borrow an equivalent amount of Ethereum from partners.
Kevin: How did you convince your partners when the market was in panic?
Ben: Actually, there is no need to convince. If our assets can really cover the withdrawal needs of customers, there will be no panic. What we are short of is Ethereum, not the overall assets. We also have Bitcoin, USDT and cash for operations, which can be used as collateral. Customer assets are managed independently, but in order to make up for the shortage, I converted the company’s own assets into Ethereum to fill the gap. In this way, we have fully restored the 1:1 support ratio.
Kevin: Will customers or partners question the 1:1 standard?
Ben: Usually, partners will ask for a higher collateral ratio, such as 110% or 120%, depending on the type of collateral asset provided. If it is Bitcoin, it may require 100% to 110%; if it is a stablecoin, the collateral requirement will be lower, and for some volatile assets, the collateral ratio may be higher.
What makes a great leader?
Kevin: What makes a great leader?
Ben: In my opinion, great leaders need to stay calm at critical moments and be able to clearly direct the team. For example, when a crisis occurs, I will clearly assign tasks: “You are responsible for this, you are responsible for that.” This way everyone in the team can focus on their own responsibilities. But in fact, in a crisis, there will always be some unexpected problems. When we were hacked, we immediately notified the Safe and Genesis Safe platforms and asked them to suspend services to prevent more funds from being withdrawn.
While this measure effectively prevented further losses, it also brought new problems. Some of our partners, the institutions that provided us with bridge loans, told us after signing the contract that they could not complete the transfer because their funds were also trapped in Genesis Safe.
This was just the beginning of the problem. To make matters worse, we had 3 billion USDT on the Safe platform, but I couldn’t use the funds because the platform was suspended, and we were facing a large number of withdrawal requests from customers. In our system, you can see the number of withdrawal requests, the distribution of funds in each wallet, and our inventory in real time. According to this trend forecast, our existing stablecoin reserves can only support six hours, and then we must use the 3 billion funds, but the problem is that I can’t withdraw the money. In this case, I chose to temporarily leave the live broadcast and let my colleagues continue to communicate with the public on my behalf.
At the same time, I immediately contacted the wallet team and asked them to stop finding out the specific cause of the hack and focus on developing a new software that can safely withdraw the funds. The team told me that they would complete the development and testing as soon as possible to ensure that the 3 billion USDT was withdrawn. If this step could not be completed, the company would be at risk of being shut down. Therefore, I decisively decided to let the team go all out to complete this task. In the face of a crisis, leaders must keep a cool head and clarify priorities. My primary goal is to ensure the safe operation of Bybit and enable customers to complete withdrawals smoothly.
It was not the work of one person to accomplish all this, but the result of the joint efforts of the entire team. We successfully resolved the shortage of Ethereum within three days and even quickly restored liquidity through OTC (over-the-counter trading). The wallet team was responsible for technical development, the customer support team handled a large number of customer requests, and the institutional team ensured the liquidity of funds was restored.
Ben’s biggest fear and stress
Kevin: What are some things that stress you out?
Ben: Probably my wife and kids, they are the only ones that stress me out. I can hardly say no to anything they say. So, to be honest, I handle the stress at work pretty well. In contrast, my family is where I really feel stressed.
Kevin: Now it seems like most things are going well. What is your biggest fear in life?
Ben: I think one of my biggest fears is not knowing my own limits. That’s why I always try my best at work, because I don’t know what my potential is. The scariest thing for me is looking back at my life when I’m old and realizing that I didn’t do my best to pursue my goals. That kind of regret scares me.
Another thing I fear is disappointing the people who trust me. Whether it’s my team or my clients, their trust in me is priceless, and the last thing I want to see is disappointing them. I think this is particularly important to me.
The only special moment that makes me stop
Kevin: For you, when do you feel that you have reached a state of satisfaction and can say “I am already very happy”?
Ben: For me, the moment of satisfaction would probably be when my energy and health no longer allow me to continue. I think that’s how I measure “enough”—based on my energy and health. If one day, my body tells me that I need to stop, that’s probably the moment I’ll feel satisfied.
Facing the most stressful moments
Kevin: One last question about stress. What is the most stressful moment you have ever experienced?
Ben: The most stressful moments for me are probably when I get certain phone calls. I can’t think of a specific stressful moment right now. If I had to say the most recent one, it would be an incident that our team just went through. But this time it was a little different because we did our best to deal with it. I think sometimes the source of stress is not just the problem itself, but the feeling of powerlessness that the problem is beyond your control.
What’s next after the crisis?
Kevin: What led to you getting hacked and losing $1.5 billion?
Ben: In short, our Ethereum cold wallet was hacked. We are currently working with internal and external security teams to investigate the specific attack methods and vulnerabilities. We expect that the internal team may provide some preliminary investigation results tomorrow. At that time, we will release the details to the public, hoping that through our lessons learned, others will not fall victim to similar attacks again. However, if you want to know more specific content, you can ask me explicitly, otherwise I may be too general.
Kevin: You mentioned that there were different actions on the day, day one, and day two. We’ve talked about the emergency response on the day. So what did you do specifically starting from day one?
Ben: The first priority on the first day was to ensure the safety of all users’ assets. Within 12 hours, we completed all withdrawal operations to prevent further losses. The focus of the day was crisis management, including emergency response, handling public relations, stabilizing market sentiment, and sending a clear message to the outside world: we are still operating normally. On the second day, I finally had some time to think about the company’s next strategy.
The core tasks of the day include three aspects: first, analyzing the impact report and assessing the specific losses, such as which regions of customers were affected, the scale of losses of institutional customers and VIP customers, and liquidity conditions; second, working with the business intelligence team to comprehensively sort out relevant data, and contacting the external security team to further investigate the technical details of the incident; third, starting to formulate a fund recovery plan and assessing the possibility of recovering losses. These three tasks are the focus of my work, and I will distribute my time as evenly as possible to these key areas.
How long will it take to rebuild?
Kevin: You mentioned that the company has enough funds to cover this loss. How long do you think it will take to make up this $1.5 billion loss through the company’s revenue?
Ben: You mean to know our annual revenue level, right? I have seen some estimates of our annual revenue, and overall these numbers are about right. However, it should be noted that the company has other operating costs and expenses, which will affect the overall financial situation. So, how long it will take to fully make up for the losses needs to be considered comprehensively.
Repurchase 400,000 ETH
Kevin: You mentioned before that you can make up for this loss by buying back Ethereum. Given that Ethereum is a volatile asset, especially when the price may rise, how do you plan to complete the buyback without incurring additional losses?
Ben: This is a hot topic in the market right now. We complete all of our repurchases through OTC, which is different from buying directly on an exchange. OTC is a method designed specifically for large transactions that avoids significant impact on market prices. Therefore, even if we process transactions exceeding $1 billion, it will not cause drastic market fluctuations. If you see slight fluctuations in the price of Ethereum recently, it is mainly caused by market speculation, not our repurchase operations.
So far, we have repurchased about 300,000 Ethereum, of the total amount of 400,000 initially lost. The remaining approximately 100,000 Ethereum was obtained through loans, which are also being gradually repurchased and converted. These loans are secured by my collateral and require interest payments. In the long run, it is not cost-effective to continue holding these loans, so I am motivated to complete the repurchase and replace this part of the funds as soon as possible. So far, we have significantly narrowed the funding gap and the repurchase work is progressing in an orderly manner.
Key decisions that helped Bybit overcome difficulties
Kevin: When you build an exchange or any other business, there are always moments when you have to cut costs in order to grow quickly, but this is often one of the biggest reasons why businesses fail in a crisis. Can you share some examples of when you chose not to cut costs, which may have helped you get through this weekend?
Ben: This is a very good question. There are indeed many unknown details behind it. For example, we decided to keep the withdrawal function of all systems completely normal during this incident. This is very rare when an exchange is hacked, because many exchanges will suspend withdrawals in similar situations. So how did we do it? The key is that we have a very tight operating system and strong real-time data support. Our system runs entirely on real-time data, including all key indicators such as margin calculation and wallet balance.
Unlike the T+1 or 10-hour delay of traditional systems, our system can reflect the flow of funds in real time. This real-time capability allows us to quickly and accurately view the inventory on each chain when we receive a withdrawal request and predict possible risks. For example, in the case of a bank run, it is crucial to know the difference between a 100% run and a 10% run. But the question is, how to get such information? FTX lacks such capabilities, and they do not have reliable data support to help management make calm decisions.
Thanks to these real-time systems, I was able to make many critical decisions based on accurate data. This also reflects our continued investment in internal products, such as providing clear data on fund flows to the finance team and early warning mechanisms for liquidity shortages to the risk team. Because of this, we were able to quickly generate impact reports in this incident, accurately identify the affected countries and customer groups, and carry out targeted remediation actions. The construction of these internal systems is absolutely not a cost-cutting measure. If we save costs in these areas, I will feel very uncomfortable because it will directly affect our decision-making ability.
Invest in a first-class team
Kevin: This is a great example of your investment in business intelligence systems, which enables the company to monitor internal dynamics in real time and respond quickly to crises. Are there any other examples?
Ben: I think it is very important to invest in the team and ensure that the team can lead the company to achieve its goals. I firmly believe that we have a world-class team, and this is proven by our actual performance. In the past 12 hours, we have processed about 350,000 withdrawal requests, and all requests were completed within the specified time. This is not only due to the support of the back-end system, but also because everyone in our support team, approval team, audit team and risk management team has played an excellent role in their respective positions. In my experience, few exchanges can complete such a large amount of work in such a short period of time. We quickly convened all team members and completed the task in an efficient manner, which fully reflects the precision of the company’s management. Just like a well-managed ship, when a breach occurs, everyone knows their responsibilities and acts quickly.
Our PR team and live broadcast team also performed well, and all details were carefully designed and executed. Our live broadcast team was very well prepared. Even in emergency situations, they remained professional and all details were arranged precisely. For example, when I left to get the latest information, a clear time slide was displayed on the screen, saying “We will be back at 6:30 or 10:00” instead of simply saying “Wait a moment.” This made it clear to customers that we would be back on time, which strengthened their trust.
In addition, we also adjust the live broadcast time in real time according to the number of viewers. For example, after 1 hour and 45 minutes, the number of viewers dropped from 40,000 at the beginning to 4,000, and I realized that it was the right time to end the live broadcast. If the number of viewers was still high, I would continue the live broadcast. This kind of flexibility and precision is inseparable from the professional planning and execution capabilities of the team.
So I think that ultimately you have to invest in your people and leaders. This investment is not easy because it requires going through many difficult screening processes. A good team is not formed casually, you have to set strict standards and stick to them. You may need to fire 10 people before you find one who really meets the requirements. At Bybit, our recruitment process is very strict, and many candidates cannot pass the three-month probation period. We would rather spend more time screening than lowering the standards. In the end, this rigorous screening mechanism helped us form a team that can truly lead the company to achieve its goals.
Why Bybit never launched a token
Kevin: In addition to business intelligence, data analysis, real-time monitoring, and team building, I have another very interesting question: Bybit is one of the few exchanges that has not launched a native token. Why have you never considered launching a token?
Ben: There are many reasons. We did have the idea of launching a token, but we gave up in the end. Frankly speaking, when we entered this market, we had already missed the best time. For example, Binance launched a token, OKX also launched a token, and even some exchanges that were established later than us also issued their own tokens, but I still don’t quite understand the real meaning of issuing tokens. If an exchange is already profitable, it can raise funds in other ways. And if the exchange itself already has the ability to operate sustainably, it usually does not require additional investment.
So why issue tokens? Usually, tokens are issued to attract investors or to build a complete ecosystem to attract users to join, but Bybit has never tried to build its own ecosystem alone. We have always seen ourselves as part of a larger ecosystem, not an isolated individual. Our business model has been to work closely with influencers and KOLs from the beginning to become part of their ecosystem.
When we launched spot trading, we chose to work with existing ecosystems such as Solana and TON, rather than trying to build a competing system. We found that this model avoids potential conflicts of interest. In contrast, many exchanges have their own ecosystems and need to compete not only with other exchanges, but also with Solana or other blockchain ecosystems, which ultimately leads to fewer opportunities for cooperation.
I think building your own ecosystem is only feasible if you are the absolute leader in the market. If you have enough market share and resources, you can indeed expand your business through the ecosystem. But Bybit has never been the number one in the market, we are more like a dark horse. Therefore, we have never had the conditions to try to issue tokens or build an ecosystem. In the end, we chose to focus on our core business without launching tokens.
Kevin: So, if the situation was different this weekend, assuming Bybit had its own token, would anything be different?
Ben: I don’t think there will be much difference. Frankly speaking, I don’t think the existence of the token has anything to do with this incident. If we had a token, what impact do you think it would have?
Kevin: Maybe the market will start to short the token, causing the token price to fall rapidly, which may further deteriorate market sentiment and cause more panic. In this way, you may face another crisis.
How to rebuild user trust after a crisis?
Kevin: I heard that you experienced about $4 billion in withdrawals overnight. In the face of such pressure, how did you bounce back and rebuild user trust?
Ben: We have begun to gradually restore trust. I think the key lies in how we deal with the crisis. Transparency and timely communication are the core of rebuilding trust, and maintaining a professional attitude at all times is the basis for winning the respect of the community. In this incident, despite the huge challenges, Bybit still demonstrated a high degree of professionalism, which has been widely recognized. Many users even praised us during the crisis and believed that our performance was trustworthy.
This trust comes not only from users, but also from regulators around the world. We are applying for licenses through multiple regulators. In the past few days, many people have contacted us and said, “Hey, I think Bybit is doing a great job.” They even have more trust in the future that if we encounter any incidents or problems again, we will handle it in this way. So from this perspective, this is actually the best way to show the world how we work and our philosophy.
Crypto wallet security: lessons learned
Kevin: In terms of risk management, what improvements will Bybit make in the future? I am also thinking about a question: Is it reasonable to store $1.5 billion in one wallet? How should we allocate funds? What amount is too much and what is not enough?
Ben: This is a very important issue and has sparked a lot of discussion in the past few days. Our security team is actively researching new solutions to ensure that similar risks do not occur again. In the future, we plan to optimize the wallet system, such as splitting wallets to reduce risks. In this way, even if a wallet is attacked, it will not have a significant impact on the overall funds. We are also discussing what more advanced technical means to adopt. I think Ethereum’s development in this regard is worth referring to, such as Smart Contract Wallet. These wallets can improve security through multi-signature and permission management, and even avoid the risks of online signing.
Some of our current wallets rely on online signatures, which is convenient, but it is not a true cold wallet because it needs to be operated through a browser. In contrast, most of our Bitcoin is stored in cold wallets, which are completely offline, and all signatures and transactions are done in an offline environment. Unless someone physically invades, it is almost impossible to break into this storage method. So I think we will design something that focuses on those areas that are physically impenetrable. Yes, I think these are some of our key focuses.
The future of cryptocurrency self-custody
Kevin: This reminds me of a core issue in the cryptocurrency space - self-custody. In this industry, we often say “not your key, not your coin”, which is usually a reminder to individual users to not store their assets on exchanges, but to choose self-custody. But when similar security incidents occur, this statement does not seem to make much difference. Your security measures are much more complex than the self-custody methods of ordinary users, but they can still be hacked. Does this mean that both individuals and institutions may face security risks? In your opinion, what is the future development direction of self-custody?
Ben: That’s a great question. We do face a key challenge in that we are a very obvious target. For hackers, large exchanges like Bybit are one of their preferred targets. One of the key lessons we learned from this incident is that we are even larger than some of the security service providers we rely on. Therefore, logically, it makes sense for hackers to attack us. While I’m not saying that this incident happened in this way, it is something we should be vigilant about. No matter how tight our security measures are, as a large target, we are always at a higher risk.
Therefore, I think that relying on third-party solutions is not the best option. For ordinary users, the concept of “not your key, not your coin” is correct, but I think it is also necessary to emphasize risk diversification. When your assets reach a certain scale, you will become a potential target of attack, so it is very important to diversify the storage location of your assets. For institutions like Bybit, we actually need to apply the concept of self-custody to ourselves and use completely self-developed technical solutions instead of relying on third parties.
The biggest lesson we learned from this incident was responsibility. Although we invested a lot of resources in security, problems still occurred. This shows that we were inadequate in some decisions, such as choosing a solution that relied on browser signatures, which was clearly not secure enough.
In the future, we need to focus more on developing and using our own security technologies, rather than relying on industry standards. While industry standards provide some assurance, they are not foolproof. The biggest problem with relying on a third party is that you transfer some of the responsibility to them, which can lead to you being less careful on key issues. Especially for exchanges like ours, the longer we operate, the higher the chances of becoming a target of attack.
Kevin: Especially for an exchange like ours, the longer we operate, the higher the probability of becoming a target of attack.
Ben: After this incident, we talked to some industry peers. I found that many exchanges are using internally developed security solutions. Their point of view is, why rely on a third party? Although the third party is not necessarily problematic, once an attack occurs, you lose control. This is a matter of life and death. You should not put your security destiny in the hands of others. In Bybit’s case, our Bitcoin and other crypto assets are mainly stored in internally developed security systems, but Ethereum is slightly more complicated. Ethereum’s smart contract development is difficult and requires a dedicated team of experts, which is where we have not invested enough resources in the past.
Looking back now, this is one of my biggest regrets. We should have considered these issues earlier in the policy making stage. Although we now have relevant experts, the system has not been fully upgraded, which is an important problem that needs to be solved.
Comparison of security risks between ETFs and exchanges
Kevin: Have the events of this weekend brought more attention to the need for ETFs (Exchange Traded Funds)? ETFs require custody of assets, and those assets need to be stored somewhere. Do you think that ETF custody faces similar security risks as Bybit? Or are the two completely different?
Ben: In essence, ETFs and exchanges do face similar risks, but it also depends on how ETFs ensure the safety of assets. It should be noted that Bybit, as an exchange, has a very different operating model from ETFs. Our code wallet solution requires frequent adjustments and maintenance, and needs to be redeployed almost every week. The asset management of ETFs is relatively static, with deposits most of the time and occasional small withdrawals.
Exchanges process a large number of deposits and withdrawals every day, including both small and large transactions, while ETFs can choose a more secure but less efficient solution because they operate less frequently. As an exchange, we must find a balance between efficiency and security. If withdrawals take too long to process, customers will be dissatisfied, so our system needs to complete withdrawal operations within a few minutes.
Analysis of changes in Bybit’s assets before and after the hacker attack
Kevin: What changes have occurred in Bybit’s assets and liabilities before and after the hacker attack?
Ben: Before the attack, our total client assets were about $20 billion. In the first few days after the attack, our total assets dropped to $14 billion, and then further dropped to $10 billion or $12 billion. However, as market sentiment gradually recovered, the total assets rebounded to around $14 billion.
Kevin: How do you prove that customers’ assets are safe?
Ben: Our reserves are independently audited and ensure a 1:1 match, which I don’t think any other exchange can claim. Throughout the incident, we kept withdrawal channels fully open and customers could withdraw their assets at any time. Even in the face of a bank run, we did not refuse any withdrawal request. If an exchange cannot achieve a 1:1 match in its reserves, it usually chooses to suspend or limit some withdrawals to buy time to raise funds. But we did not encounter such a situation at all. This is actually the biggest test of our reserve system.
The future belongs on-chain
Kevin: You have always emphasized that the future is on-chain. Does this weekend’s incident further highlight the importance of decentralizing Bybit?
Ben: My opinion has not changed. Although the future is indeed moving in the direction of on-chain, it does not mean that centralized exchanges will be eliminated. I think it means that the infrastructure will get better and there will be more liquidity, just like the growth of cryptocurrencies in the past few years. From five years ago to today, the entire crypto industry has made great progress, but this does not mean that the stock market is declining. So my logic is that centralized exchanges are still crucial to the entire ecosystem.
Most people need centralized products to enter the crypto world. Users may participate briefly because of market hotspots, but there is no intermediate platform for them to understand in depth or use for a long time. This is the real significance of centralized exchanges. It provides multiple ecosystems or products for users to stay, explore, and eventually become native crypto users. Then at some point, they may explore other places. Even most people who are not attracted usually still have accounts on centralized exchanges and may have some balances in both places. In many cases, most of the balances are in centralized exchanges.
The crypto industry’s image problem
Kevin: With new major events happening almost every week in the crypto industry, how can the public take this industry seriously? What do we need to do to make this industry be taken more seriously?
Ben: I agree that the industry does have some image issues, but we should also focus on the positive progress that the industry has made. I don’t mean to brag, but we responded to the recent hack in a different way than before. I see people comparing Bybit to FTX, but it’s completely different. We handled the incident in just 3 days, which is an efficient response that is rare in the industry. Although this hack is regrettable, it also makes me more determined to fight hackers to the end.
In addition, we plan to launch a dedicated website this week to help victims better cope with their losses. I think this is not only a problem for Bybit, but also a common challenge that the entire crypto industry needs to face. However, other aspects of the industry have made significant progress. Especially in the field of on-chain activities, many decentralized exchanges (DEX) provide solutions that can now solve problems that could not be solved in the past. The crypto industry is still young, and if you look back at the early adoption stage of the Internet, there are also many problems and challenges, and the infrastructure is not perfect, but this takes time.
Therefore, the crypto industry is still very young. I believe that most people no longer simply regard cryptocurrencies as scams, and most countries are legalizing and regulating the crypto industry. Therefore, I think this road, although full of challenges, will only become more stable and higher.
Key Lessons and Biggest Regrets
Kevin: You mentioned earlier that one of your biggest regrets was not building an internal e-wallet infrastructure. Are there any other regrets you have?
Ben: If we look at the events of this weekend, we did find some areas that need improvement. For example, our withdrawal system can be designed to be more efficient and smoother. Even in a crisis situation, we should try to ensure that customers can complete withdrawals quickly. The only regret is that we made some customers wait, and they would think you were deliberately blocking them, but this was not our intention. I really hope that we can allow everyone to withdraw money at any time.
I hope to optimize the system in the future so that every customer can withdraw money smoothly at any time. This will not only enhance customers’ trust in us, but also make them feel more at ease because they can clearly see that their assets are safely stored in their personal wallets. Therefore, we need to upgrade the system to perform better when similar incidents occur.
In addition, I also learned some important lessons in the management of the wallet security team. For example, many people may not notice that my chief financial officer (CFO) was the first person to sign, followed by one of our co-founders. Looking back now, one of my biggest regrets is why let such a key role be the signatory? When the hack happened, he not only had to bear the pressure from the team, but also had to face me, and even his family might be affected.
Although we all knew that it was the responsibility of external hackers, such as North Korean hackers, he still felt guilty and believed that he was responsible. I was very worried that he might eventually choose to leave the company, even though he was an important partner who had worked side by side with me for 4 or 5 years. I trusted him completely, but I ignored the fact that letting key players sign on would put them under too much psychological burden in the crisis.
Kevin: Who do you think is more suitable for this role?
Ben: It should be someone I trust, but not necessarily a key person in the core of the company. At the end of the day, the signatory only needs to be a trustworthy person without having to take on too much company responsibility. If my CFO had not been involved in the signing process, he would not have been in this situation. Therefore, in the future, I will definitely adjust this process to avoid putting key people at risk like this. I can’t imagine how much psychological pressure he was under this weekend. This incident made me regret it very much and made me realize that the process design needs to be more comprehensive.
A message to future entrepreneurs
Kevin: Do you have any advice for future entrepreneurs who want to enter the crypto industry? After all, similar crisis events may be difficult to avoid.
Ben: I think the beauty of our industry is transparency and direct communication between entrepreneurs and customers. We can compare ourselves to the traditional financial industry, such as banks. Even banks, when faced with a crisis like this, rarely handle problems in such an open and transparent way. In the crypto industry, transparency and direct communication between entrepreneurs and customers is crucial. If anyone has experienced an event like this, I think transparency is key, make sure to keep communicating. Let customers know that you are here, and the market will reward you for your transparency.
Why do crypto hackers succeed so often?
Kevin: You have been busy for three days in a row. When you return home or to the office half an hour later, what will you do?
Ben: I still have some important things to deal with, such as whether we have found out the truth of the matter. We are setting up a special task force to track the flow of funds and hope to help the entire industry through this incident, not just solve our own problems. In this crisis, many partners in the industry have taken the initiative to lend a hand, even without asking for anything in return. Therefore, I feel that we have a responsibility to make some contributions. Whether it is Lazarus or other hacker issues, these are ongoing challenges in the industry.
A big problem at the moment is that when you become a victim of a hacker attack, you often feel very helpless. Hackers know that you will track them down, but they also know that if you are just an individual victim or a small company, your resources are limited and you cannot track the flow of funds for a long time. What’s more tricky is that hackers usually spread the funds into small amounts, such as $100,000 each, and then transfer them through mixers, cross-chain bridges, or exchanges. By the time you contact the legal department of the exchange, the funds have already been transferred, and you may give up after a few attempts. This situation is very common in the industry. At present, we lack a dedicated information platform to integrate relevant data for tracking funds. Although there are tools like Chainalysis, when you track to a certain end point (such as a mixer, cross-chain bridge, or exchange), the funds may have become untraceable or frozen. Hackers usually avoid using assets that are easily frozen, such as USDC. They will use exchanges, mixers, and cross-chain bridges to delay your time and energy.
Eventually, you might find that there are only two or three people who are constantly switching exchanges, and even if these exchanges respond quickly, such as replying to you within half a day, the funds have already been transferred. Hackers are using this delaying tactic to win. To solve this problem, we need to build an industry-level information platform. This platform can show where the funds eventually become untraceable, such as mixers, and record the response speed rankings of these platforms. For example, there are 200 transactions totaling about 50 million US dollars flowing to a mixer, and the mixer cannot be traced. With such data, we can seek help from legal or regulatory agencies. If these funds are related to Lazarus or other sanctioned organizations, we can take further action.
Lazarus Bounty Program: Helping Industry Fight Hacker Attacks
Ben: We are launching a new website called HackBounty.com. This is an aggregation platform focused on tracking stolen funds, as I mentioned before. The interesting thing about this platform is that anyone can become a bounty hunter. You can submit any funds you wish to track. Once you submit the target funds and track their final destination, we will register you as a bounty hunter for this trail.
Our team then contacts the destination of the funds and starts a countdown. The destination institution needs to take action: either freeze the funds or provide the next destination of the funds. If they fail to respond in time, this delay will be recorded and publicly displayed on the platform. In this way, people across the industry can see which institutions are unresponsive to victims’ requests. As an exchange, I am very aware of how this mechanism works. I don’t want my users to see my exchange appear on the non-cooperation list because it will make people think that we are helping sanctioned organizations, such as North Korea.
Therefore, I will definitely set up a dedicated team to respond to these requests quickly. If it is a tool like Mixer, they may eventually be blacklisted by the industry for being uncooperative. Ultimately, I think we need to use the core advantage of blockchain - transparency, to solve problems in the blockchain industry. HackBounty.com will aggregate all relevant information, and anyone can post a bounty task on the platform and become a bounty hunter. Through this platform, we hope to help all victims track down the stolen funds while promoting accountability and transparency throughout the industry.