Compiled & edited by TechFlow
Guest: Ben Zhou, Bybit CEO
Moderator: Kevin Follonier
Podcast source: When Shift Happens
Original title: Bybit Founder: How I Survived The Biggest Crypto Theft Of All Time | E110
Air Date: February 27, 2025
Introduction
A few days after Bybit suffered a $1.5 billion Ethereum hack, host Kevin had an in-depth conversation with the exchange's CEO Ben.
In this conversation we learn how Bybit responded to the crisis, processing about 350,000 withdrawal requests within 12 hours of the incident and closing the resulting Ethereum shortfall within three days, while quickly raising alternative funds to keep operations running without interruption.
This interview provides us with valuable lessons on how to demonstrate leadership under extreme pressure and maintain user trust in the face of billions of dollars at stake.
Highlights from the interview
What doesn't knock you down makes you stronger.
One of my biggest fears is not knowing my own limits. Another is letting down the people who believed in me.
My goal is to make sure our company is still around in 10 years.
Stress comes from the feeling of powerlessness that problems are beyond your control.
You have to invest in your people and leaders.
Bybit has never been the number one in the market, we are more like a "dark horse".
Transparency and timely communication are central to rebuilding trust, while maintaining a professional attitude at all times is fundamental to earning the respect of the community.
Not your keys, not your coins.
When your assets reach a certain size, you become a potential target of attack, so it is important to diversify the storage locations of your assets.
Involving key players in signing will place too much psychological burden on them during a crisis.
The beauty of our industry lies in transparency and direct communication between entrepreneurs and customers.
Our company has a contingency mechanism called "P-1 Events" to handle the most serious crises. We conduct drills every month to simulate various major incidents that may occur. We have a special P-1 button that any employee can press. Once triggered, the system automatically wakes up all management and contacts them one by one by phone. If someone does not answer, the system automatically calls the next person in charge until someone answers.
When people are stressed it's often because they know something needs to be done but they don't take action. My approach is that if something needs to be done I do it immediately, so stress is not a problem for me.
When facing a major crisis, the core of PR is not the PR team, but the founder and CEO themselves. If I ask the PR team to draft information and release it via Twitter, or ask the PR staff to speak out, it will only backfire. Because in times of crisis, the public will not trust the statements of a PR team, they need to hear a direct response from the founder or CEO.
Whatever emergency arose, I had to handle it on my own, with no one else to turn to. Instead of thinking about steps one, two, and three, I would jump straight to the critical fourth or fifth step.
Throughout the entire incident, we kept the withdrawal channel fully open, and customers could withdraw their assets at any time. Even in the face of a "bank run" situation, we did not refuse any withdrawal request.
Centralized exchanges are still crucial to the entire ecosystem. Most people need centralized products to enter the crypto world. Users may participate briefly because of market hot spots, but otherwise there is no intermediate platform for them to understand the space in depth or to use over the long term.
Although this hack is regrettable, it has made me more determined to fight hackers to the end. In addition, we plan to launch a dedicated website this week called HackBounty.com, which is an aggregation platform focused on tracking stolen funds. Anyone can post a bounty task on the platform and become a bounty hunter. Through this platform, we hope to help all victims track down stolen funds while promoting accountability and transparency throughout the industry.
The fastest recovery in crypto
Kevin: How do you feel about what happened?
Ben:
I think the positive thing about this incident is our transparency. We showed the world how to deal with the crisis in a professional way, which made many people regain their confidence in us. As the famous saying goes: "What doesn't knock you down makes you stronger." So we have seen customers start to return, including some VIP customers and institutional partners. I think we have also taken some innovative measures, such as tracking the flow of funds, which is a brand new attempt in the industry.
We are planning to launch a new website. The entire team worked for two days straight after the hack to develop this website, which is intended to help future potential victims track the flow of funds. You will see that its functionality is very special. Our design team also put a lot of effort into it and made some very cool designs.
Strategies for dealing with a $1.5 billion hack
Kevin:
Usually when a person encounters a hack or similar disaster, they go through several stages: feeling violated, angry, and depressed, before they realize that they are the one in control of their own destiny and finally get back on their feet. You seem to have skipped the first three stages and entered the last one. What was your first reaction when you learned that your exchange had been hacked and the loss was as high as $1.5 billion?
Ben:
At that time, I got a call from my CFO, and when I got the call, I realized that something might be wrong. He told me that our wallet might have been hacked. I had just signed a transaction involving 30,000 Ethereum, and then I realized that the situation was worse than I thought.
I asked him, “Have we been hacked?”
He said, "Yes."
I asked again: "All 30,000 Ethereum are gone?"
His voice began to shake as he said, “More than that… it looks like the entire wallet was compromised. About 410,000 Ethereum, with a total value of $1.5 billion.”
The next question I asked was, how did this happen?
The security team told me that this was related to a transaction I had signed, and they suspected that this was what had compromised the wallet. I continued to ask: "Are other wallets safe?" They confirmed that only this wallet was affected. I confirmed it three times, because the answer was crucial to my next decision. If the problem had been contained, I could focus on solving the current crisis; if not, I might need to shut down the system to prevent further losses. After confirmation, I learned that the problem was limited to one cold wallet and that the Gnosis Safe provided by a third party had a vulnerability.
Next I asked, "Besides this compromised wallet, do we have other assets in Gnosis Safe?" They replied that there was a stablecoin wallet worth $3 billion. I immediately asked them to confirm whether that $3 billion was safe. They eventually confirmed that the stablecoin wallet was not affected. At that point I said to the CFO, "Can we use the company's funds to cover this loss?" He replied that we could. After hearing that answer I felt relieved, because I knew that customer funds were safe and I did not need to sell the company or seek outside investment to cover it.
I immediately contacted my COO, who briefed me on the situation and initiated our crisis response procedures. We have a response mechanism called a P-1 event, which we use to handle the most severe crises. We run drills every month to simulate various major events that could occur.
Kevin: Can you give an example of previous P-1 incidents and how their scale compares to this one?
Ben:
There has been no event like this. Previous P-1 events have been things like website downtime, a matching-engine failure that prevents users from trading derivatives, or the withdrawal system failing to respond for a short period. By our definition, any functional failure that affects more than 10,000 customers or causes losses of more than $1 million is classified as a P-1 event.
We have a dedicated P-1 button that any employee can press. Once triggered, the system automatically wakes up all management and contacts them one by one by phone. If someone doesn't answer, the system automatically calls the next person in charge until someone answers. At the same time, the team is automatically assigned to an online meeting room to start recording the incident, assigning tasks, and implementing solutions.
When making decisions, how do you balance judgment and procedure?
Kevin: Are you going to tell everyone what's going on?
Ben: In this case, we explained the situation to the team and told them that we had been hacked. When facing a crisis like this, it is important to make sure that every member of the team knows what happened.
Kevin: You mentioned that your team has a complete set of emergency procedures. How important are these procedures in crisis management? Because although procedures are very important, judgment is also crucial in actual operations. In this case, what is the weight of judgment and procedures?
Ben:
Judgment plays a big role in these types of incidents, because every crisis is different. In previous incidents, my role was more internal-facing. For example, when a website goes down, I usually make a short announcement to explain the problem to customers, such as "our website is temporarily inaccessible, and the technical team is working on it." In this case, customers are already aware of the problem, and we just need to confirm the problem and calm the customer down. In fact, website downtime is one of the most serious situations for exchanges besides hacker attacks. You can imagine how much impact it would have on user experience and company reputation if a large platform like Binance or Bybit had a website outage.
When dealing with this kind of problem, my main responsibility is to work with the technical team to find the root cause. We go step by step: is it a problem with the Amazon cloud servers? A loading failure on the front-end page? A new vulnerability introduced in the code? Depending on the situation, we shut down the relevant system for testing until we find the problem.
But this hack was completely different. Our systems were operating normally, and users didn’t notice anything unusual, but we suffered a loss of $1.5 billion. In this case, the traditional emergency response template no longer applies. Faced with this unprecedented situation, we had to re-formulate our response strategy and rely entirely on judgment to deal with the problem.
Why don’t you feel stressed during a crisis?
Kevin: How do you make the right decisions in high-pressure situations? Are there any challenges you’ve experienced in your personal life or in your entrepreneurial journey that have helped you better deal with similar situations?
Ben:
For me, I don't get stressed when faced with pressure or unexpected events. When people get stressed, it's often because they know something needs to be done, but they don't take action. My approach is that as long as there is something that needs to be done, I do it immediately, so stress is not a problem for me.
When the incident happened, I clearly knew that some things were beyond my control, such as the loss of $1.5 billion. A loss of that scale was obviously beyond my control at that moment, so I did not waste my energy worrying about problems that could not be solved.
The next focus is how to deal with a possible bank run. Sooner or later, the market and users will know about this incident. What do I need to do to calm the market and continue to build trust? Every step we take now will directly affect the fate of Bybit's development in the next 5 to 10 years. My goal is to ensure that our company still exists in 10 years. We need to handle this matter with professionalism and transparency to show the world that we can deal with such a crisis.
I quickly went into battle mode. I had left home at the age of 12 and lived alone in New Zealand. Without my parents, I had to face all kinds of problems in life on my own, whether it was adapting to a host family, school affairs, or unexpected situations in life.
So whatever emergency arose, I had to handle it on my own, with no one else to turn to. Instead of thinking about steps one, two, and three, I would jump straight to the critical fourth or fifth step.
Crisis public relations handling
Kevin: How do you manage PR? What steps do you take to avoid becoming a PR disaster in order to ensure Bybit remains at the forefront in the next 10 years?
Ben:
A big problem is that many people think that if they have a PR department, they can leave all PR matters to them, but this is not the case. In the face of a major crisis, the core of PR is not the PR team, but the founder and CEO himself. If at this time, I let the PR team draft information and release it through Twitter, or let the PR staff speak out, it will only backfire. Because in times of crisis, the public will not trust the statement of a PR team, they need to hear a direct response from the founder or CEO.
When I realized that a bank run was about to happen, I knew that customers would have a lot of questions that needed to be answered. So I first contacted my COO to ensure that she could coordinate the team to handle customer calls and follow-up actions, while keeping everyone focused on the challenges ahead. Then, I drafted the first tweet myself because I wanted all the media and the public to get accurate information directly from me. In fact, even my team didn’t fully understand the full picture at the time, and the PR team could only get details through second-hand information. As the founder, I was the only one who had full control of the facts and could speak directly, so I had to take the responsibility of PR myself.
In such an event, the most dangerous thing is the lack of transparency and the spread of speculation. If the market starts to suspect that Bybit will close or that we will run away, it will be a devastating blow to the company. Therefore, after my first tweet was published, we quickly organized an online live broadcast in about 40 minutes. In the live broadcast, I personally appeared on the screen to explain the ins and outs of the incident in detail to the public.
At that time, the team suggested using Twitter Spaces, but I insisted on a live video. I believe that letting everyone see my face and explaining the problem directly to the public as founder and CEO is the key to building trust. By facing the camera, I can convey real information to the outside world, showing that we have nothing to hide and that we have not shirked our responsibilities. This direct communication is more effective than any indirect statement or having others speak for us.
I was able to focus on the core work of crisis public relations because I had a strong team behind me. They took care of other matters, so I could focus on communicating with the public. This was not only about my personal efforts, but also the result of the efficient execution of the entire team.
Ethereum Shortage Crisis: How to Restore Market Stability?
Kevin: When facing a bank run, the first thing to do is to prevent the situation from getting worse. So what's next? What other key partners do you need to contact? Who did you contact first? Why?
Ben:
In the event of a bank run, the first priority is to build trust. I will personally deliver the message to clients and the market to let everyone know that we are taking action. Despite these preparations, I know that a bank run is inevitable.
Kevin: What was the worst-case scenario that you were worried about at that moment?
Ben:
The worst-case scenario was that, although Bybit's customer assets are fully and transparently backed 1:1, for a moment we were short of Ethereum specifically. That is, at that moment we could not fully meet customers' demand to withdraw Ethereum.
I want customers to be able to withdraw their funds, so that we can prove that our assets are indeed 1:1 backed. However, the problem is that the asset that customers want to withdraw the most is Ethereum, and we are short of this part. Therefore, in order to quickly restore market trust and achieve my long-term goal of Bybit existing for 50 to 100 years, we must fill the gap in Ethereum as soon as possible.
To solve this problem, I immediately assigned the financial team to contact partners to seek a "bridge loan". This method is different from buying Ethereum directly on the market, because market purchases will cause prices to rise and increase our costs. The operation of a bridge loan is relatively simple. We use existing assets, such as Bitcoin and USDT, as collateral to borrow an equivalent amount of Ethereum from partners.
Kevin: How did you convince your partners when the market was in panic?
Ben:
In fact, there is no need to convince. If our assets can indeed cover the withdrawal needs of customers, there will be no panic. What we are short of is Ethereum, not the overall assets. We also have Bitcoin, USDT and cash for operations, which can all be used as collateral.
Client assets were managed independently, but to make up for the shortfall, I converted the company’s own assets into Ethereum to fill the gap. This way, we were able to fully restore the 1:1 backing ratio.
Kevin: Will customers or partners question the 1:1 standard?
Ben:
Typically, partners will require a higher collateral ratio, such as 110% or 120%, depending on the type of collateral asset provided. If it is Bitcoin, it may require 100% to 110%; if it is a stablecoin, the collateral requirement will be lower, and for some volatile assets, the collateral ratio may be higher.
What makes a great leader?
Kevin: What makes a great leader?
Ben:
In my opinion, great leaders need to remain calm at critical moments and be able to clearly direct the team. For example, when a crisis occurs, I will clearly assign tasks: "You are responsible for this, you are responsible for that." This way everyone in the team can focus on their own responsibilities. But in fact, in a crisis, there will always be some unexpected problems.
When we were hacked, we immediately notified the Safe (Gnosis Safe) platform and asked them to suspend services to prevent more funds from being withdrawn. Although this measure effectively prevented further losses, it also created new problems. Some of our partners, those who were providing us with bridge loans, told us after signing the contract that they could not complete the transfer because their funds were also stuck in Gnosis Safe.
This was just the beginning of the problem. To make matters worse, we had 3 billion USDT on the Safe platform, but I couldn’t use the funds because the platform was suspended, and we were facing a large number of withdrawal requests from customers. In our system, we can see the number of withdrawal requests, the distribution of funds in each wallet, and our inventory in real time. According to this trend forecast, our existing stablecoin reserves can only support six hours, and then we must use the 3 billion funds, but the problem is that I can’t withdraw the money.
Under these circumstances, I chose to temporarily leave the live broadcast and let my colleagues continue communicating with the public on my behalf. At the same time, I immediately contacted the wallet team and asked them to stop investigating the specific cause of the hack and focus on developing new software that could safely withdraw the funds. The team told me they would complete development and testing as soon as possible to ensure the 3 billion USDT could be withdrawn. If this step could not be completed, the company would face the risk of closure.
Therefore, I made a decisive decision to let the team go all out to complete this task. When facing a crisis, leaders must keep a cool head and clarify priorities. My primary goal is to ensure the safe operation of Bybit and enable customers to complete withdrawals smoothly.
It was not the work of one person to accomplish all this, but the result of the joint efforts of the entire team. We successfully resolved the shortage of Ethereum within three days and even quickly restored liquidity through OTC (over-the-counter trading). The wallet team was responsible for technical development, the customer support team handled a large number of customer requests, and the institutional team ensured the liquidity of funds was restored.
Ben's biggest fear and stress
Kevin: What are some things that stress you out?
Ben: Probably my wife and kids; they are the only ones who stress me out. I can hardly say no to anything they ask. So, to be honest, I handle stress at work pretty well. In contrast, my family is where I really feel stressed.
Kevin: Now it seems like most things are going well. What is your biggest fear in life?
Ben:
I think one of my biggest fears is not knowing my own limits. That's why I always try my best at work, because I don't know what my potential is. The scariest thing for me is looking back on my life when I'm old and realizing that I didn't do my best to pursue my goals. I'm scared of that regret.
Another thing I fear is disappointing the people who trust me. Whether it's my team or my clients, their trust in me is priceless, and the last thing I want to see is disappointing them. I think this is particularly important to me.
The only special moment that makes me stop
Kevin: For you, when do you feel that you have reached a state of satisfaction and can say, "I am already very happy"?
Ben: For me, the moment of satisfaction would probably be when my energy and health no longer allow me to continue. I think that’s how I measure “enough” – based on my energy and health. If there comes a day when my body tells me that I need to stop, that’s probably the moment I’ll feel satisfied.
Facing the most stressful moments
Kevin: One last question about stress. What is the most stressful moment you have ever experienced?
Ben:
The most stressful moments for me are probably when I receive certain phone calls. As for the single most stressful moment, I can't think of one right now.
If I had to name a recent one, it would be an incident that our team just went through. But this time it was a little different because we did our best to deal with it. I think sometimes the source of stress is not just the problem itself, but the feeling of powerlessness that the problem is beyond your control.
What’s next after the crisis?
Kevin: What led to you getting hacked and losing $1.5 billion?
Ben:
In short, our Ethereum cold wallet was hacked. We are currently working with internal and external security teams to investigate the specific attack method and vulnerability.
We expect that our internal team may have some preliminary findings tomorrow. At that time, we will release the details to the public, hoping that through our experience, others will not fall victim to similar attacks again. However, if you want to know more specific content, please ask me explicitly, otherwise I may be too general.
Kevin: You mentioned that there were different actions on the day, on day one, and on day two. We've talked about the emergency response on the day. So what did you do specifically starting from day one?
Ben:
The first priority on the first day was to ensure the safety of all users’ assets. Within 12 hours, we completed all withdrawal operations to prevent further losses. The focus of the day was crisis management, including emergency response, handling public relations, stabilizing market sentiment, and sending a clear message to the outside world: we are still operating normally.
On the second day, I finally had some time to think about the company's next strategy. The core tasks of the day covered three areas: first, analyzing the impact report and evaluating the specific losses, such as which regions' customers were affected, the scale of losses among institutional and VIP customers, and liquidity conditions; second, working with the business intelligence team to comprehensively sort out the relevant data, and contacting the external security team to further investigate the technical details of the incident; third, starting to develop a fund recovery plan and assessing the possibility of recovering the losses. These three tasks are the focus of my work, and I distribute my time as evenly as possible across them.
How long will it take to rebuild?
Kevin: You mentioned that the company has sufficient funds to cover this loss. How long do you think it will take to make up for this $1.5 billion loss through the company's revenue?
Ben:
You mean to know our annual revenue level, right? I have seen some estimates of our annual revenue, and overall these numbers are about right. However, it should be noted that the company has other operating costs and expenses, which will affect the overall financial situation. So how long it will take to fully make up for the losses needs to be considered comprehensively.
Repurchase 400,000 ETH
Kevin: You mentioned before that you can make up for this loss by buying back Ethereum. Given that Ethereum is a volatile asset, especially when the price may rise, how do you plan to complete the buyback without incurring additional losses?
Ben:
This is a hot topic in the market right now. We complete all of our buybacks through OTC, a method designed specifically for large transactions that avoids a significant impact on market prices, unlike buying directly on exchanges. Therefore, even if we process transactions exceeding $1 billion, it will not cause drastic market fluctuations. If you have seen slight fluctuations in the price of Ethereum recently, they are mainly caused by market speculation, not by our buyback operations.
So far, we have repurchased about 300,000 Ethereum, of the total amount of 400,000 initially lost. The remaining approximately 100,000 Ethereum was obtained through loans, which are also being gradually repurchased and converted. These loans are secured by my collateral and require interest payments. In the long run, it is not cost-effective to continue holding these loans, so I am motivated to complete the repurchase and replace this part of the funds as soon as possible. So far, we have significantly narrowed the funding gap and the repurchase work is progressing in an orderly manner.
Key decisions that helped Bybit overcome difficulties
Kevin: When you build an exchange or any other business, there are always moments when you have to cut costs in order to grow quickly, but this is often one of the biggest reasons why businesses fail in a crisis. Can you share some examples of when you chose not to cut costs, which may have helped you get through this weekend?
Ben:
This is a very good question, and there are indeed many unknown details behind it. For example, we decided to keep all systems fully functional during this incident. This is very rare when an exchange is hacked, because many exchanges will suspend withdrawals in similar situations.
So how did we do it? The key is that we have a very tight operating system and strong real-time data support. Our system runs entirely on real-time data, including all key indicators such as margin calculations and wallet balances. Unlike the T+1 or 10-hour delay of traditional systems, our system reflects the flow of funds in real time. This real-time capability allows us to quickly and accurately view the inventory on each chain when we receive a withdrawal request and to predict possible risks. For example, in the case of a bank run, it is crucial to know the difference between a 100% run and a 10% run. But how do you get such information? FTX lacked this capability; they did not have reliable data to help management make calm decisions.
Thanks to these real-time systems, I was able to make many critical decisions based on accurate data. This also reflects our continued investment in internal products, such as providing clear data on fund flows to the finance team and early warning mechanisms for liquidity shortages to the risk team. Because of this, we were able to quickly generate impact reports in this incident, accurately identify the affected countries and customer groups, and carry out targeted remediation actions.
These are the internal systems that you cannot afford to cut costs on. I would be very uncomfortable if we were to skimp on these areas because it would directly impact our ability to make decisions.
Invest in a first-class team
Kevin: This is a great example of your investment in business intelligence systems, which enables the company to monitor internal dynamics in real time and respond quickly to crises. Are there any other examples?
Ben:
I believe it is very important to invest in the team and ensure that the team can lead the company to achieve its goals. I firmly believe that we have a world-class team, and this is proven by our actual performance. In the past 12 hours, we processed about 350,000 withdrawal requests, and all requests were completed within the specified time. This is not only due to the support of the back-end system, but also because everyone in our support team, approval team, audit team and risk management team played an excellent role in their respective positions. In my experience, few exchanges can complete such a large amount of work in such a short time.
We quickly assembled all team members and completed the task in an efficient manner, which fully reflects the precision of the company's management. Like a well-managed ship, when a breach occurred, everyone knew their responsibilities and acted quickly. Our PR team and live broadcast team also performed well, and all details were carefully designed and executed.
Our live broadcast team was extremely well prepared. Even in emergency situations, they remained professional and all details were arranged precisely. For example, when I left to get an update, a clear time slide was displayed on the screen saying "We will be back at 6:30 or 10:00" instead of simply "Wait a minute." This made it clear to the customer that we would be back on time, which strengthened their trust.
In addition, we also adjust the live broadcast time in real time according to the number of viewers. For example, after 1 hour and 45 minutes, the number of viewers dropped from 40,000 at the beginning to 4,000, and I realized that it was the right time to end the live broadcast. If the number of viewers is still high, I will continue the live broadcast. This kind of flexibility and precision is inseparable from the professional planning and execution capabilities of the team.
So I think that ultimately you have to invest in your people and leaders. This investment is not easy because it requires going through many difficult screening processes. A good team is not formed casually, you have to set strict standards and stick to them. You may need to fire 10 people before you find one who really meets the requirements. At Bybit, our recruitment process is very strict, and many candidates cannot pass the three-month probation period. We would rather spend more time screening than lowering the standards. In the end, this rigorous screening mechanism helped us form a team that can truly lead the company to achieve its goals.
Why Bybit never launched a token
Kevin:
In addition to business intelligence, data analysis, real-time monitoring, and team building, I have another question that I am very interested in: Bybit is one of the few exchanges that has not launched a native token. Why have you never considered launching a token?
Ben:
There are many reasons. We did have the idea of launching a token, but we gave up. Frankly speaking, when we entered this market, we had already missed the best time.
For example, Binance has launched a token, OKX has also launched a token, and even some exchanges that were established later than us have issued their own tokens, but I still don’t quite understand the real meaning of issuing tokens. If an exchange is already profitable, it can raise funds in other ways. And if the exchange itself already has the ability to operate sustainably, it usually does not require additional investment. So why issue tokens? Usually, tokens are issued to attract investors or to build a complete ecosystem to attract users to join, but Bybit has never tried to build its own ecosystem alone.
We have always seen ourselves as part of a larger ecosystem, rather than an isolated entity. Our business model has been to work closely with influencers and KOLs from the beginning and become part of their ecosystem. When we launched spot trading, we chose to work with existing ecosystems such as Solana and Ton, rather than trying to build a competing system. We found that this model avoids potential conflicts of interest. In contrast, many exchanges have their own ecosystems, so they not only need to compete with other exchanges, but also with Solana or other blockchain ecosystems, which ultimately leads to fewer opportunities for cooperation.
I think building your own ecosystem is only feasible if you are the absolute leader in the market. If you have enough market share and resources, you can indeed expand your business through the ecosystem. But Bybit has never been the number one in the market, we are more like a "dark horse". Therefore, we have never had the conditions to try to issue tokens or build an ecosystem. In the end, we chose to focus on our core business without launching tokens.
Kevin: So, if the situation was different this weekend, assuming Bybit had its own token, would anything be different?
Ben:
I don't think it will make much of a difference. Frankly speaking, I don't think the existence of the token is directly related to this incident. If we had a token, what impact do you think it would have?
Kevin:
Perhaps the market will start to short the token, causing the token price to fall rapidly, which may further deteriorate market sentiment and cause more panic. In this way, you may face another crisis.
How to rebuild user trust after a crisis?
Kevin: I heard that you experienced about $4 billion in withdrawals overnight. In the face of such pressure, how did you bounce back and rebuild user trust?
Ben:
We have begun to gradually restore trust. I think the key lies in how we deal with the crisis. Transparency and timely communication are the core of rebuilding trust, and maintaining a professional attitude at all times is the basis for winning the respect of the community. In this incident, despite the huge challenges, Bybit still demonstrated a high degree of professionalism, which has been widely recognized. Many users even praised us during the crisis and believed that our performance was trustworthy. This trust comes not only from users, but also from global regulators.
We are in the process of applying for licenses through multiple regulators. In the last few days, a lot of people have contacted us and said, "Hey, I think Bybit is doing a really good job." They even have more trust in the future that if we have any incidents or problems again, we will handle it this way.
So from that perspective, this is actually the best way to show the world how we do our work and what our philosophy is.
Crypto wallet security: lessons learned
Kevin: In terms of risk management, what improvements will Bybit make in the future? I am also thinking about a question: Is it reasonable to store $1.5 billion in one wallet? How should we allocate funds? What amount is too much and what is not enough?
Ben:
This is a very important issue and has sparked a lot of discussion in the past few days. Our security team is actively researching new solutions to ensure that similar risks do not occur again. In the future, we plan to optimize the wallet system, such as splitting wallets to reduce risks. In this way, even if a wallet is attacked, it will not have a significant impact on the overall funds.
We are also discussing what more advanced technologies to adopt. I think Ethereum's development in this area is worth referring to, such as smart contract wallets. These wallets can improve security through multi-signature and permission management, and even avoid the risks of online signatures. Some of our current wallets rely on online signatures, which is convenient, but because they need to be operated through a browser, they cannot be considered true cold wallets. In contrast, most of our bitcoins are stored in cold wallets, which are completely offline, and all signatures and transaction operations are completed in an offline environment. Unless someone physically invades, it is almost impossible to break this storage method.
So I think we're going to design something that focuses on those areas that are physically impermeable. Yeah, I think those are some of our key focus areas.
The future of cryptocurrency self-custody
Kevin:
This brings me to a core issue in the cryptocurrency space - self-custody. In this industry, we often say "not your key, not your coin", which is usually a reminder to individual users to not store their assets on exchanges, but choose self-custody. But when similar security incidents occur, this statement does not seem to make much difference. Your security measures are far more sophisticated than the self-custody methods of ordinary users, but they can still be hacked.
Does this mean that both individuals and institutions may face security risks? In your opinion, what is the future direction of self-custody?
Ben:
That's a good question. We do face a key challenge in that we are a very obvious target. For hackers, large exchanges like Bybit are one of their preferred targets. One of the key lessons we learned from this incident is that we are even larger than some of the security service providers we rely on. Therefore, logically, it would "make sense" for hackers to attack us. While I'm not saying that this is how the incident happened, it is something we should be aware of. No matter how tight our security measures are, as a large target, we are always at a higher risk. Therefore, I don't think relying on third-party solutions is an optimal choice.
For ordinary users, the concept of "not your key, not your coin" is correct, but I think it is also necessary to emphasize "diversifying risks". When your assets reach a certain scale, you will become a potential target of attack, so it is very important to disperse the storage location of your assets. For institutions like Bybit, we actually need to apply the concept of "self-custody" to ourselves and use completely self-developed technical solutions instead of relying on third parties.
Responsibility is the biggest lesson we learned from this incident. Although we invested a lot of resources to ensure security, problems still occurred in the end. This shows that we were inadequate in some decisions, such as choosing a solution that relied on browser signatures, which was obviously not secure enough. In the future, we need to focus more on developing and using our own security technology instead of relying on industry standards. Although industry standards provide some guarantees, they are not foolproof. The biggest problem with relying on third parties is that you transfer some of the responsibility to them, which may cause you to be less careful on key issues.
Especially for an exchange like ours, the longer we operate, the higher the probability of becoming a target of attack.
After this incident, we talked to some industry peers. I found that many exchanges are using internally developed security solutions. Their point of view is, why rely on a third party? Although the third party is not necessarily problematic, once an attack occurs, you lose control. This is a matter of life and death. You should not put your security fate in the hands of others. In Bybit's case, our Bitcoin and other crypto assets are mainly stored in internally developed security systems, but Ethereum is a little more complicated. Ethereum's smart contract development is more difficult and requires a dedicated team of experts, which is where we did not invest enough resources in the past. Looking back now, this is one of my biggest regrets. We should have considered these issues as early as the policy formulation stage. Although we currently have relevant experts, the system has not been fully upgraded, which is an important issue that needs to be addressed.
Comparison of security risks between ETFs and exchanges
Kevin: Has the events of this weekend brought more attention to the need for ETFs (Exchange Traded Funds)? ETFs require custody of assets, and those assets need to be stored somewhere. Do you think that ETF custody faces similar security risks as Bybit? Or are the two completely different?
Ben:
In essence, ETFs and exchanges do face similar risks, but it also depends on how ETFs ensure the safety of assets. It should be noted that Bybit, as an exchange, has a very different operating model from ETFs. Our code wallet solution requires frequent adjustments and maintenance, and needs to be redeployed almost every week. The asset management of ETFs is relatively static, with deposits most of the time and occasional small withdrawals.
Exchanges process a large number of deposits and withdrawals every day, including both small and large transactions, while ETFs can choose a more secure but less efficient solution because they operate less frequently. As an exchange, we must find a balance between efficiency and security. If withdrawals take too long to process, customers will be dissatisfied, so our system needs to complete withdrawal operations within a few minutes.
Analysis of Bybit assets changes before and after the hacker attack
Kevin: What changes have occurred in Bybit’s assets and liabilities before and after the hacker attack?
Ben:
Before the attack, our total client assets were about $20 billion. In the first few days after the attack, our total assets dropped to $14 billion, and then further dropped to $10 billion or $12 billion. However, as market sentiment gradually recovered, the total assets rebounded to around $14 billion.
Kevin: How do you prove that customers’ assets are safe?
Ben:
Our asset reserves are independently audited and ensure a 1:1 matching relationship, which I don’t think any other exchange can claim.
Throughout the incident, we kept the withdrawal channel fully open and customers could withdraw their assets at any time. Even in the face of a "bank run", we did not reject any withdrawal request. If an exchange's reserves cannot be matched 1:1, it usually chooses to suspend or limit some withdrawals to buy time to raise funds. But we did not encounter such a situation at all. This is actually the biggest test of our reserve system.
The future belongs on-chain
Kevin: You have always emphasized that "the future is on-chain". Does this weekend's incident further highlight the importance of decentralizing Bybit?
Ben:
My opinion has not changed. Although the future is indeed moving in the direction of on-chain, it does not mean that centralized exchanges will be eliminated. I think it means that the infrastructure will get better and there will be more liquidity, just like the growth of cryptocurrencies in the past few years. The entire crypto industry has made tremendous progress from five years ago to today, but this does not mean that the stock market is in recession.
So my logic is that centralized exchanges are still crucial to the entire ecosystem. Most people need centralized products to enter the crypto world. Users may participate briefly because of market hotspots, but there is no intermediate platform for them to understand in depth or use for a long time. This is the real significance of centralized exchanges, which provide multiple ecosystems or products for users to stay, explore, and eventually become native crypto users.
And then at some point, they might explore other places. Even most of the people who are not attracted, they usually still have accounts on centralized exchanges and may have some balances in both places, and in many cases, the majority of the balance is in centralized exchanges.
The crypto industry’s image problem
Kevin: With new major events happening almost every week in the crypto industry, how can the public take this industry seriously? What do we need to do to make this industry be taken more seriously?
Ben:
I agree that the industry does have some image issues, but we should also focus on the positive progress that the industry has made. I don't mean to brag, but we showed a different approach to the recent hack than in the past. I see people comparing Bybit to FTX, but this is completely different. We handled the incident in just 3 days, which is an efficient response that is rare in the industry. Although this hack is regrettable, it has also made me more determined to fight hackers to the end. In addition, we plan to launch a dedicated website this week to help victims better cope with their losses.
I think this is not just a problem for Bybit, but a common challenge for the entire crypto industry. However, other aspects of the industry have made significant progress. Especially in the field of on-chain activities, many decentralized exchanges (DEX) provide solutions that can now solve problems that could not be solved in the past.
The crypto industry is still young. If you look back at the early adoption stage of the Internet, there were many problems and challenges, and the infrastructure was not perfect, but it takes time. Therefore, the crypto industry is still very young. I believe that most people no longer simply regard cryptocurrencies as scams, and most countries are legalizing and regulating the crypto industry. Therefore, I think this road, although full of challenges, will only become more stable and higher.
Key Lessons and Biggest Regrets
Kevin: You mentioned earlier that one of your biggest regrets was not building an internal e-wallet infrastructure. Are there any other regrets you have?
Ben:
If we look at the events of this weekend, we did find some areas that need improvement. For example, our withdrawal system could be designed to be more efficient and smoother. Even in crisis situations, we should try to ensure that customers can complete withdrawals quickly. The only regret is that we made some customers wait, and they would think that you were deliberately blocking them, but this was not our intention, and I really hope that we can allow everyone to withdraw their funds at any time. I hope that in the future, the system can be optimized so that every customer can withdraw their funds smoothly at any time. This will not only enhance customers' trust in us, but also make them feel more at ease because they can clearly see that their assets are safely stored in their personal wallets. Therefore, we need to upgrade the system to perform better when similar incidents occur.
In addition, I also learned some important lessons in the management of the wallet security team. For example, many people may not notice that my chief financial officer (CFO) was the first person to sign, followed by one of our co-founders. Looking back now, one of my biggest regrets is why did I let such a key role be the signatory? When the hack happened, he not only had to bear the pressure from the team, but also had to face me, and even his family might be affected. Although we all knew that it was the responsibility of external hackers, such as the North Korean hackers who were confirmed to be responsible, he still felt guilty and believed that he was responsible. I was very worried that he might eventually choose to leave the company, and he was an important partner who had worked side by side with me for 4 or 5 years. I trusted him completely, but I ignored the fact that letting key roles participate in signing would put them under too much psychological burden in the crisis.
Kevin: Who do you think is more suitable for this role?
Ben:
It should be someone I trust, but not necessarily a key person at the core of the company. At the end of the day, the signatory only needs to be a trustworthy person without having to take on too much company responsibility. If my CFO had not been involved in the signing process, he would not have been in this situation. Therefore, in the future, I will definitely adjust this process to avoid putting key people at risk like this. I can't imagine how much psychological pressure he was under this weekend. This incident made me feel very regretful and made me realize that the process design needs to be more comprehensive.
A message to future entrepreneurs
Kevin: Do you have any advice for future entrepreneurs who want to enter the crypto industry? After all, similar crisis events may be difficult to avoid.
Ben:
I think the beauty of our industry lies in transparency and direct communication between entrepreneurs and customers. We can compare ourselves to the traditional financial industry, such as banks. Even banks, when faced with crises like this, rarely handle problems in such an open and transparent way. In the crypto industry, transparency and direct communication between entrepreneurs and customers are crucial.
If anyone is going through an incident like this, I think transparency is key, make sure you keep communicating. Let the client know you are here, and the market will reward you for that transparency.
Why do crypto hackers succeed so often?
Kevin: You have been busy for three days in a row. When you return home or to the office half an hour later, what will you do?
Ben:
I still have some important things to deal with, such as whether we have found out the truth of the matter. We are setting up a special task force to track the flow of funds and hope to help the entire industry through this incident, not just solve our own problems. In this crisis, many partners in the industry have taken the initiative to lend a hand, even without asking for anything in return. Therefore, I feel that we have a responsibility to make some contributions. Whether it is Lazarus or other hacker issues, these are ongoing challenges in the industry.
A big problem right now is that when you become a victim of a hack, you often feel very helpless. The hacker knows that you will track them down, but they also know that if you are just an individual victim or a small company, your resources are limited and you cannot track the flow of funds for a long time. What's more tricky is that hackers usually spread the funds into small amounts, such as $100,000 each, and then transfer them through mixers, cross-chain bridges, or exchanges. By the time you contact the legal department of the exchange, the funds have already been transferred, and you may give up after a few attempts. This situation is very common in the industry.
Currently, we lack a dedicated information platform to integrate relevant data for tracking funds. Although there are tools like Chainalysis, when you track to a certain end point (such as a mixer, cross-chain bridge or exchange), the funds may have become untraceable or frozen.
Hackers usually avoid using assets that are easily frozen, such as USDC. They will use exchanges, mixers, and cross-chain bridges to delay your time and energy. In the end, you may find that there are only two or three people constantly switching exchanges, and even if these exchanges respond quickly, such as replying to you within half a day, the funds have already been transferred. Hackers use this delaying tactic to win.
To solve this problem, we need to build an industry-level information platform. This platform can show where the funds end up becoming untraceable, such as mixers, and record the response speed ranking of these platforms. For example, there are 200 transactions totaling about $50 million flowing to a mixer, and the mixer cannot be traced. With such data, we can seek help from legal or regulatory agencies. If these funds are related to Lazarus or other sanctioned organizations, we can take further action.
Lazarus Bounty Program: Helping Industry Fight Hacker Attacks
Ben:
We are launching a new website called HackBounty.com. This is an aggregator platform focused on tracking stolen funds, as I mentioned before.
What’s interesting about this platform is that anyone can become a bounty hunter. You can submit any financial clues you wish to track. Once you submit the target funds and track their final destination, we will register you as a bounty hunter for this clue. Our team will then contact the end point of the funds flow and start the countdown. The end point institution needs to take action: either freeze the funds or provide the next flow of the funds. If they fail to respond in time, this delay will be recorded and publicly displayed on the platform. In this way, people across the industry can see which institutions are not responding to victims’ requests.
As an exchange owner, I am very familiar with how this mechanism works.
I don't want my users to see my exchange on the "non-cooperative list" because it would make people think we are helping sanctioned organizations, such as North Korea. Therefore, I will definitely set up a dedicated team to respond to these requests quickly. If it is a tool like Mixer, they may eventually be gradually included in the industry blacklist for non-cooperation.
Ultimately, I think we need to leverage blockchain’s core strength — transparency — to solve problems in the blockchain industry.
HackBounty.com will aggregate all relevant information, and anyone can post a bounty task on the platform and become a bounty hunter. Through this platform, we hope to help all victims track down stolen funds while promoting accountability and transparency in the entire industry.