Original Editor: Wu Says Blockchain
This Space covers the largest hacking incident in the history of the cryptocurrency field, which Bybit recently suffered and which is also the largest theft in human history. Colin from Wu Says Blockchain spoke with Bybit executives Shunyet Jan and CEO Ben Zhou about the details of the incident and the subsequent rescue efforts. The incident involved the theft of approximately $1.5 billion worth of Ethereum, allegedly carried out by the North Korean hacking group Lazarus Group. Bybit prioritized opening withdrawals for retail investors, imposed tiered restrictions on institutional clients, and leveraged liquidity support from exchanges like Bitget and OTC service providers to restore full withdrawal functionality within 12 hours. The liquidity issues have now been resolved. However, the likelihood of recovering the stolen funds is extremely low, and the company is working with security teams to investigate the root causes of the vulnerabilities, which may involve technical issues with the multi-signature cold wallet provider Safe or potential internal errors. Bybit also emphasized that it will rebuild user trust by enhancing security measures, optimizing risk control processes, and ensuring transparent communication. It admitted that the incident exposed deficiencies in internal processes and crisis management, and said that a comprehensive review and improvement will be conducted in the future.
Audio transcription completed by GPT may contain errors. Please listen to the complete podcast:
70% of Ethereum Spot Inventory Stolen, Liquidity Crisis Resolved Through Lending and Other Means
Colin: Teacher Jan, the most concerning situation for everyone is, how is Bybit doing right now? Has your liquidity been completely restored, or are there still some gaps?
Shunyet: Well, what was stolen from us was only our Ethereum spot inventory, which accounted for about 70%. Because many customers had demands during that time, we paused a lot of operations and allowed withdrawals in batches based on customer levels. So at that time, retail investors could basically withdraw normally, but Ethereum could not be withdrawn. Our inventory was indeed insufficient during that period, and customers could not withdraw. For this, we want to thank Grace, as well as exchanges like Bitget and MEXC, and some market makers who helped us gradually replenish our inventory. Some were through lending, some were direct exchanges, but mainly relied on bridging models. Later, we met all customer withdrawal demands and fully opened up about 12 hours later, allowing even institutional clients to withdraw. Now, our spot liquidity is no longer an issue.
Colin: So your initial strategy was to prioritize opening withdrawals for retail investors while communicating with institutional clients, right? But now it has been fully opened, correct?
Shunyet: Yes, it has been fully opened now.
Colin: So the main liquidity gap was concentrated in Ethereum, right? Besides Bitget and MEXC, which other institutions helped you?
Shunyet: I'm not sure if it's convenient to disclose specific names, but those well-known large OTC market makers basically participated in supporting us.
Colin: Grace (CEO of Bitget) just mentioned that the funds provided by Bitget required no collateral, no interest, and even no specific repayment time. But not every institution is like that, right? Did any other institutions propose some related conditions?
Shunyet: Yes, we have to thank Bitget again. Other OTC market makers might require some collateral. For example, we could use the company’s treasury as collateral, and this part of the asset is completely sufficient to cover that $1.5 billion gap. So we would borrow Ethereum through controllable means, such as collateralizing USDT or Bitcoin. But comparatively, Bitget's assistance amount was larger and required no collateral, which is very outstanding.
Colin: So looking at it now, you feel that the entire incident has basically calmed down, right? Additionally, your liquidity is no longer so tight; is it because the overall atmosphere has eased, especially since the willingness of institutions and large holders to withdraw is not as strong?
Shunyet: Yes, we have many large holders here. The so-called large holders have either very high trading volumes or have deposited a lot of assets on Bybit. For those with high trading volumes, we observed that most of them are market makers, and they might reduce some operations based on fund strategies, but still, one-third to half of their funds remain on the exchange. As for those holding large amounts of assets, their attitudes are basically divided into two types: one part completely trusts Bybit and has not moved their funds; the other part may transfer their funds elsewhere in the short term. However, I believe our peak period has completely passed.
How to Restore User Trust After the Crisis: Transparent Review, Public Explanation, and Strengthening Security Measures
Colin: For Bybit, Grace seemed to mention earlier that the funds stolen by the hacker are roughly equivalent to your annual profit. So from the perspective of security companies or other institutions, it seems that this money is likely from North Korean hackers, and the chances of recovery are slim, right? Is this judgment relatively certain?
Shunyet: We certainly hope to recover it, but based on the history of the Lazarus Group, there are very few successful recovery cases. I remember the only part that was ever recovered was when they withdrew some coins, like USDT or USDC, which can be frozen and then destroyed. But the Lazarus Group might have made some small mistakes in the early days, such as depositing funds into small exchanges. At that time, Ben had good relationships with the leaders of various exchanges, and everyone was willing to help freeze those assets. But now, I think the Lazarus Group is unlikely to make such basic mistakes again, so the chances of recovery are indeed very low.
Additionally, I have seen many discussions suggesting that the Lazarus Group now seems to be the fourteenth largest holder of Ethereum in the industry, and some have proposed whether a fork is needed to resolve this issue. Because having a sanctioned entity as the fourteenth largest holder does not look good. However, this is not my focus; we are also observing, but this is not something we can decide.
Colin: Understood. One more thing, are you worried that after this incident, the reputation of the entire company and even the exchange's industry will be damaged, and the trust of users and institutions will decline? Although we know that security issues are challenges that every exchange may face and are ongoing topics, many institutions and individuals have already complained, feeling that Bybit's security may not be good enough. Will this lead them to distrust you in the future?
Shunyet: Well, I see this issue from another perspective. I only joined Bybit at the end of August last year, and my previous company was one of Bybit's top three clients, and I have also worked as a market maker. At that time, I witnessed the situations of other exchanges, such as KuCoin, Binance, and of course, the collapse of FTX. Now it seems that Binance is also doing well. We have observed the situations of many exchanges and have to admit that while some users' trust may be shaken, our response is to maintain transparency first. We will investigate what went wrong—whether it was a vulnerability in the cooperative system, an error in our internal rules, or a financial department issue, such as why assets were not diversified across multiple systems? We will conduct a thorough review internally and then make decisions.
Once we clarify things, we will definitely make it public, as this is the only way to rebuild trust. I believe that to turn the situation around, our exchange's functions, products, and ecosystem still have significant advantages, but the most important thing now is trust. We had never been hacked before, so we did not encounter this issue, but now the top priority is to regain trust. To achieve this, we need to be very transparent, explaining why the incident happened and what preventive measures we will take in the future. I think the company has already invested a lot of resources in this area, but we may need to do even more in the future.
Colin: Understood. One more question, you just mentioned that Bitget proactively provided support without charge. I see that many other exchanges, such as Binance, OKX, etc., also expressed their willingness to provide liquidity support. Did they contact you proactively, or did you reach out to them?
Shunyet: Yes, some did. In fact, I saw in some groups that many exchanges proactively offered help. However, some might require deposits or interest. Many OTC service providers have worked with us for a long time and know our profit situation. They feel that although this hacker attack sounds significant, it is at most our annual profit. So everyone believes we are still trustworthy, and the situation is not that bad.
Of course, Bitget's assistance amount is relatively large, and the conditions are more lenient, which is very outstanding. But many other institutions also provided support. I have experienced similar situations before, such as during the 9/11 incident when I was working on Wall Street, and Lehman Brothers lost their office, yet other companies proactively lent offices to competitors. So seeing many of our competitors step up these days saying, "What support do you need? Is there anything we can help with?" really makes me happy. This attitude is not just directed at customers but also shows among competitors. I think this sense of solidarity in the cryptocurrency industry is truly special.
Colin: Right, understood. Users may feel that it is too early to discuss this, but I see users asking what ways Bybit has to regain user confidence in the future. I think it might be a bit early to talk about this now. What are your current goals regarding this matter, and what do you need to do moving forward? Is there a plan, or can you reveal anything?
Shunyet: We are still researching, but the first thing I just mentioned is to prioritize trust. To rebuild trust, our security must be significantly enhanced, which is the first step. In addition, we will return to Bybit's original organic growth model. We understand retail investors' needs very well and are good at serving retail and VIP clients. I believe time is the best tool; as long as we handle this matter well, trust will naturally return.
Colin: Understood. How is the morale of the entire company now? Facing the largest theft in human history, what is the state and morale of the internal employees?
Shunyet: Ben is a very special person; he always focuses on how to solve problems. He asks everyone: What is our current problem? For example, is it a lack of inventory, a lack of trust, or something else? Each department will form dedicated teams to address each issue. The current focus is to deeply understand where the problems lie—whether our SOP (Standard Operating Procedures) has issues or if there are problems with our partners. First, we need to resolve these issues.
The second step is that after enhancing security, we need to ensure better liquidity. When customers come to our platform, they need good liquidity. Therefore, we will communicate with various market makers to see what support they need and what special assistance can be provided in the short term to restore user experience to its original level. This is our most direct way forward.
Additionally, we are also considering some potential partners that may not have been thought of before. Due to this incident, we may need to reprocess some matters and even disclose more information to everyone. For example, our reserve proof was originally updated once a month, but now we are considering releasing another one after this incident is resolved to enhance transparency.
Discussion on Improving Security Issues: Multi-Signature Management, Approval Processes, and Employee Management
Mirror: Since this security incident involves multi-signature issues, I want to ask if you have a dedicated upgrade plan for multi-signature? How will it be handled in the future?
Shunyet: Well, we have always felt that multi-signature security issues are not too significant because we use tools like Safe, which should be quite reliable, right? However, after this incident, we did propose several solutions. First, regardless of the technology used, we believe it is secure and will continue to use various different methods. Additionally, in multi-signature management, the signing authority is currently concentrated in the hands of four or five people, but in the future, it may be decentralized, such as assigning different permissions for different currencies to different people. Furthermore, future cold wallets must be decentralized; we can no longer keep such a large asset in one wallet. These are things we all felt were simple during discussions, and in hindsight, we wonder why we didn't think of them before. But these are definitely things we will do in the future.
Mirror: Understood. Have you considered directly adding the addresses of cold wallets and hot wallets to a whitelist and fixing them?
Shunyet: This can be considered, but sometimes it may reduce flexibility. However, this is indeed a solution.
Mirror: Hmm, right, because I see many people suggesting that you could do a rehearsal first to see if the execution results are transparent. I also think you could take it a step further, for example, by conducting a check before executing the signature, directly analyzing and parsing the bytecode in detail, and then doing some rehearsals. This might alleviate the risk of such attacks.
Shunyet: Hmm, I will definitely bring this suggestion to our security department for discussion. My background leans towards trading, so I will leave this to the professional team to evaluate.
Mirror: There was also a previous incident in 2022 where an employee modified Excel sheet data—although it wasn't considered theft. After that incident, did you upgrade the entire CRS (Customer Relationship System) process?
Shunyet: Yes. I believe that many times, once a problem is discovered, it needs to be improved. That incident was a long time ago, and we had almost fixed it at that time. Now our approval process has more control measures. Initially, I also encountered this situation where many exchanges had advanced technology, but the back-end systems or processes were relatively simple. Our company has grown rapidly, and some areas were not well managed, but now all departments have adjusted. Even some very simple internal matters now require an approval process. Sometimes it feels a bit annoying, but this way, we won't encounter similar problems again.
Mirror: Right, because this point is actually quite critical. The exchange business involves funds, and the checks may be more complex. I have another question: this year, many people mentioned Bybit, and the actual situation is that it has captured a significant opportunity, becoming one of the top three exchanges. Will this lead to a significant expansion of your staff? Will it affect the existing risk control structure?
Shunyet: In fact, Bybit has fewer employees than some of our competitors because we place great importance on selecting people who fit Bybit's culture. Not just anyone can easily join, so our recruitment process is relatively long. Our business is developing rapidly, but the speed of bringing in talent sometimes lags behind business growth. However, whether in risk control, business, or product areas, we are committed to this approach.
Jointly Tracking Funds with External Teams, Low Possibility of Rolling Back Ethereum
Mirror: Okay, then I will continue to ask. Teacher Jan just mentioned that this money might not be recoverable, but I have seen some discussions in the community and the hacker's operations, and I feel that even if it cannot be recovered, the probability of the hacker completely taking this money is also low. However, I saw someone in the community say that the hacker is doing some self-destructive operations on this Ethereum, and I would like to ask Boss Ben to confirm this.
Ben: I can share what we are currently doing. Our security team has contacted several external partners, and a well-known domestic company, SlowMist, is also cooperating with us for global tracking, including working with on-chain analysis companies to trace what happened at that time, trying to figure out how this hacking incident occurred. So far, there is no conclusion because there are several suspicious points in this incident that are quite different from previous ones. First, it was not an issue with our hot wallet system, but rather a problem with the supplier Safe that we used to store multi-signature cold-signed Ethereum. We are still uncertain whether there is an issue with their server or if there was an error in the user interface for each signature. This is the first direction we are investigating. As for the funds tracking you mentioned, from our perspective, it is not so easy for this Ethereum to be laundered. I think this is a long process, and the hacker will slowly try various money laundering methods. This incident is large in scale, but I am relieved that the entire industry is very united, and everyone is helping us, for which we are very grateful.
In fact, as long as the hacker transfers the funds to a cross-chain bridge, we can almost immediately locate it and then ask the cross-chain bridge to assist in freezing it. Therefore, I believe it will take a long time for this $1.5 billion to be completely laundered. Secondly, regarding self-destruction, we have not seen any signs of it. Why would he go to such lengths to steal it only to self-destruct?
Colin: It's not self-destruction; it's that Mantle rescued this money.
Ben: Right. If the hacker tries any re-staking protocols now, we should be able to take some measures to respond. So he is currently in a standoff with us; we have a bunch of people watching him, and his situation is a bit awkward right now. Finally, indeed, some people, including some leading projects and several big names online, have suggested whether Ethereum can consider an overall rollback. However, most opinions believe that the last rollback was due to 30% of Ethereum being stolen, while this time, although the amount is large, it only accounts for about 0.3% to 0.4% of the total, so they probably won't consider a rollback. However, we are also trying to contact Vitalik (the founder of Ethereum) to see what advice he can give us.
Colin: Will you ask or request him to do a rollback?
Ben: We will beg them to lend a hand, haha. But whether they can cooperate depends on their considerations.
Specific Response to the Crisis: How to Restore Liquidity, Optimize Security Strategies, and Future Plans
Colin: Ben, I actually asked Teacher Jan earlier. Do you think liquidity has been fully restored now? Including what Grace mentioned earlier, you may not need external support as much anymore.
Ben: Yes, I must especially thank those partners who quickly extended a helping hand. Bitget was probably the first to help us, and they didn't mention any conditions at all; they really came to our aid without even signing a contract, which we are very grateful for. Also, MEXC and Pionex have been lending us Ethereum, which has really helped a lot.
Now our overall situation has completely stabilized. About 12 hours later, our inflow and outflow levels have returned to normal. I posted on Twitter that our withdrawal system has no backlog, and all withdrawal requests have been processed. Now, compared to the second hour after the incident—when it was at its peak—the system is facing not withdrawal pressure but issues with overall stress resistance.
The withdrawal system has never seen so many people withdrawing at the same time. At that time, we performed system maintenance, adjusted on-chain fees, optimized the risk control system, and handled a bunch of related matters. At the same time, we contacted back-end sources to borrow Ethereum to fill the gap. Now, the entire liquidity issue is completely resolved.
Colin: Have you ever rehearsed similar scenarios before? For example, what steps should be taken if such an incident occurs?
Ben: Yes, I think many people, including most comments online, say that although this incident is unfortunate, our crisis management has been quite good. Some say I remained calm while directing, and I think this is not due to personality but because we have many tools that help me stay calm. Our risk control levels and the financial status of our financial system are accurate to the minute, so we always know what step the system is at and how the customers' withdrawal status is.
This allows us to handle things in a more orderly manner. These data-driven, visual dashboards enable us to plan the next steps of action step by step. For example, during withdrawals, we first process small customers, allowing them to withdraw completely, and then gradually move to the next group. Additionally, we adjust based on the situation of different chains—where there is funding and where there isn't, and how to allocate it. In my view, this data-driven approach allows everyone to advance subsequent work in an orderly manner. In contrast, FTX was quite chaotic at that time, possibly because they had no tools to assist decision-making, which is quite unfortunate. Of course, at the company level, we have rehearsed for all crises, whether it is theft or system crashes; we have internal so-called P-1 level drills every month.
Colin: Understood. So what are the next steps in your current plan? For example, in the next day, three days, week, or month, do you have some important steps to carry out one after another?
Ben: Yes, now we are divided into several different stages. First, in terms of security, the first step is to clarify exactly what happened. The second step is to track the funds; we will cooperate with external teams and even collaborate with Safe to clarify the course of events and try to control the damage. Secondly, in terms of finance, regarding the funds we have temporarily borrowed—not from a cross-chain bridge, which is called a bridge loan in English—we will repay this money as soon as possible through OTC trading and other means. At the same time, we are now more focused on changes in withdrawal levels, but currently, it seems that customer panic has passed.
From a business perspective, we are most concerned about the impact of this incident on our business, such as how many users we have lost, how many VIP clients, and how many institutions. We hope to make the next decision based on the impact report as soon as possible. For example, which country's users have the most significant loss? How can we let users in those countries understand the current situation and know that our platform is actually fine, and that our hot wallets and data systems are operating normally? This area will also be advanced based on data for the next steps.
Colin: Okay, understood. In fact, the first time everyone discussed this, CZ (Binance founder Zhao Changpeng) suggested that you pause withdrawals. I guess he might hope you would conduct a security check to prevent any other vulnerabilities. I don't know why you didn't adopt his suggestion at that time; what were your considerations? Were you worried about other potential issues?
Ben: Yes, actually at that time, CZ and some other friendly companies, like Binance, also signaled their willingness to help. However, it took me about half an hour to notice their messages because Twitter was exploding, and I was busy with the live broadcast. I think from their perspective, this suggestion is quite normal. If the specifics of the hacking incident are unclear, one might assume that there was an issue with our hot wallet. If it were indeed a hot wallet problem, we would definitely have to freeze all withdrawals. But our situation is different; our withdrawal system did not have any issues, and the internal system was operating normally. It was just the tool used for multi-signature that was compromised—you can understand it as an external tool having a problem. Therefore, the remaining parts were functioning normally, and we did not need to expend extra effort to halt operations. Once we identified the problem, SlowMist immediately said, "The remaining parts are completely fine." That’s why we could confidently make this decision.
In contrast, when other exchanges were hacked, it was mostly due to internal code or processes, or even employee operations going wrong. But we ruled out these possibilities right away because the signatures were all handled by founders like myself, so internal issues were directly dismissed. This allowed us to maintain the normal operation of the withdrawal and deposit system. So I think CZ's suggestion was not wrong; it was just that our situation was different.
Analysis of Security Vulnerability Sources: Insider, Trojan, Bybit Internal or Safe Codebase Vulnerabilities?
Colin: There’s another point; although the final security report hasn’t come out yet, there’s a claim that several of your user interfaces were attacked. Could there be an insider situation?
Ben: Yes, I believe we need to rule out any possibilities one by one; we haven’t completely ruled it out yet. Our first action was to collect evidence, backing up each operator's computer, recording all the actions of the parties involved, and preserving evidence. This information will later be provided to the police, external security partners, and our internal investigation team. So far, all operations do not seem significantly different from the past. However, strangely, there are several mandatory checks in our security protocol, such as the URL, and we have done all of those.
As of today, I am not sure whether Safe's multi-signature system is still in a frozen state; they might also be investigating. They dare not draw immediate conclusions about whether their server was hijacked and affected us or if there was a problem with each of our computers. Moreover, we found that everyone was in different locations and network environments, making it feel very difficult to be remotely controlled. There are various possibilities, but we cannot determine which one to rule out, so we are still investigating.
Mirror: So, Boss Ben, you mean there were no traces of Trojans found on the devices, right?
Ben: Yes, we have checked, and there are no Trojans on the computers of all the people involved in signing. Of course, this is the result of our security team's initial investigation; we are not sure if there might be particularly sophisticated Trojans that we haven’t discovered yet. So we first collected evidence, sealed the computers, and left behind images and other data.
Hao: I saw that Safe seems to have issued a statement saying their codebase has no vulnerabilities. I was thinking, if it were a common APT (Advanced Persistent Threat) attack, like a penetration attack, assuming one of your employees or executives' terminals was breached—say through social engineering phishing—that would only be an access point to the internal network. I’m curious how the hacker could penetrate from such a small point in the internal network to your advanced systems? Did your security alert mechanisms fail during this process? There was no hint for such a long time? Will you be investigating this specifically next?
Ben: First, I want everyone to understand our situation. We have a complete withdrawal system, including hot wallets and warm wallets. The hot wallet automatically handles withdrawals, while the warm wallet requires manual signatures; this is a system we developed ourselves. When we have some extra reserves, we put them into cold wallets. You can think of the cold wallet as HSBC. The issue in this incident was that there was a problem on the "HSBC" side—I was intercepted when trying to retrieve the funds, leading to everything being stolen. So the hacker penetrating our system is completely not the case. This is also why we have been able to maintain uninterrupted withdrawals; our internal withdrawal system has no issues.
We do face penetration attempts frequently. We have a whole set of protective measures, such as setting up many honeypots in the system, and we have a white hat team and red-blue teams engaging in mutual attacks and defenses. Even our red team occasionally sends phishing emails to employees to test whether they operate according to the security manual. This is part of the daily work of an exchange. But this time is different; the hacker did not breach our internal system. You can understand that we placed the funds into the service provided by Safe, and the biggest challenge this time was an external issue. To return to your question, it did not come from our side; it came through the external multi-signature process. We have four people responsible for signing, including myself, and I cannot disclose the other individuals, but they are all at that level.
The strangest part is that we are all in different network environments, and our computers are regularly checked, and we found no Trojans afterward. When we sign, we are not in the same place, not even in the same country; one person signs, and then the next one signs, and we check things like the URL each time. So now we are still investigating which link had the problem. I am collaborating with Safe, but not blaming them; we are also uncertain where the problem lies. They haven’t found the cause, and we don’t know either. The final conclusion is still unclear; we just don’t know how this part went wrong.
Discussion on Issues: Asset Protection, Team Response
Colin: There’s another question; I don’t know if Bybit is comfortable answering: what is the approximate scale of your own assets used for liquidity or reserves on a daily basis? Like previously mentioned, Bybit's annual profit might be $1.5 billion, but you must distribute dividends or use it for other expenses each year. Does the company’s overall assets cover this $1.5 billion gap?
Ben: The company's assets are definitely greater than that amount. I posted a tweet that you can check; our auditing firm has come forward to speak. This auditing firm has reviewed our finances and company accounts. There’s a message on my Twitter from Hacken, who helped us with the audit. They have seen our fund accounts, which is the Treasury account. They expressed their willingness to speak up immediately, but needed our consent. At that time, I was busy, and after two or three hours, I said it was fine, and they released a statement confirming that they audited our Treasury and verified that our cash and token reserves can fully cover the $1.5 billion loss.
Colin: So, for the company, how do you feel the overall morale is right now? How is the state of the employees?
Ben: I’m quite relieved; the execution power and culture of our team make me very gratified. After the incident, almost everyone rushed to the office immediately. Because Bybit operates in a centralized manner, I was live streaming in Singapore, and our entire floor in Singapore was almost filled with people. The security team, live streaming team, media, public relations, and even legal were all online. The Singapore police arrived at around three or four in the morning after we reported the incident, and even Interpol came this morning. The overall response speed was very fast; at least the dozens of people directly reporting to me basically didn’t sleep all night and were continuously contacting various parties.
I think the hardest hit was the customer service team, who were all online responding to customer inquiries. The risk control personnel were also working hard to handle withdrawal requests, and the heads of the public relations team and other departments were almost all on duty. The product and technical teams were also maintaining system stability; at that time, we were worried about triggering other system crashes. I sent an internal letter to the entire company immediately, saying that the next 24 to 48 hours would be very difficult, but I hoped everyone would remain calm and handle the matter professionally. At the same time, we needed to stay online so that customers could reach us. I think at such moments, being online and reachable is the most important, including for our institutional team, as many institutional clients were also very worried. I just slept for two hours, and some people also took a little rest. The overall state is still quite excited because there are still many issues to resolve.
I believe the most difficult time has passed, and liquidity has completely recovered. Now customer withdrawals and deposits are completely normal, just like before.
Colin: Understood. So, the next important aspects may be twofold: one is a comprehensive security check, and the other is restoring trust among institutions and users, mainly along these two lines, right?
Ben: Yes, I think you are correct. The first question moving forward is, what do we do about our Ethereum multi-signature? We are still using Safe, but we have already moved the funds to our own hot wallet, which is clearly not a long-term solution; we need to resolve this issue. The next step will definitely be at the business level; we will assess the overall impact of this incident through the influence report from our internal BI team and then formulate the next operational plan.
Mirror: I just looked at the proof from Boss Ben that Hacken posted, which states a market value of $7.9 billion. What does this refer to? Is it the previously mentioned Bybit's own assets or customer assets?
Ben: Hacken helped us with the audit, separating user assets and our internal assets into two parts. What they published was the customer asset portion, but they also reviewed our internal treasury. However, the specific numbers were not disclosed because that is our internal data. They promised that they have confirmed that our assets can fully cover the losses from this incident. This is what they posted at that time.
Ben thanks the industry for its support and will continue to optimize security and crisis management.
Colin: Ben, I see many people online, especially founders of projects in the Chinese-speaking community and the Western community, are quite supportive of Bybit. For example, Du Jun and Yuan Jie are also transferring Ethereum back to Bybit accounts. Do you want to express your gratitude to them?
Ben: Yes, I am really very grateful. During this incident, many partners stepped up, some even on standby at all times. From wallet-related services, like Fireblocks and Chainalysis, to other teams—I can’t quite remember everyone right now because some contacted me directly, while others reached out to our team. In short, we felt the support from the entire industry at different levels, all helping us in various ways. As you just mentioned, several well-known platforms in China, like Bitget, MEXC, and Pionex, proactively contacted us and directly provided lending support. Binance also reached out to us; we are still in communication, but in the end, we borrowed enough funds, so we didn’t trouble them further. Other exchanges, our partners, and various networks and market makers are almost all providing assistance. So I am really very thankful.
Colin: Yes, I hope Bybit can recover from this incident. After all, the loss is quite significant. Do you think this incident will have any impact on Bybit's future development? Will it bring about some changes in thinking or specific adjustments in the future?
Ben: To be honest, I haven't had the chance to think deeply about this issue yet, but it will definitely have a significant impact on us. From a security perspective, for example, in wallet deployment, we may become more cautious. During this crisis response, we also identified some issues that can be optimized. For instance, the performance of the deposit and withdrawal system under high traffic was not ideal, and the risk control system became a bit chaotic with a large number of tags, leading to overall inefficiency. Additionally, while our P-1 level response was quick—we have drills, and with the push of a button, almost the entire company can receive phone and text notifications and quickly come online—there were certain aspects, such as whether the security leader had clearly defined roles during such a significant event. We will conduct a complete review of these issues later to optimize internal management.
Overall, the silver lining in this unfortunate situation is that we were able to withstand this incident. I can't imagine what it would be like if the losses reached the scale of $10 billion; we might have to consider selling the company. But this time we could handle it, so I haven't thought that far ahead. However, from this perspective, we will adjust all processes moving forward. Assuming that such incidents may happen again, we need to be able to withstand them and make some changes for that.
Colin: Yes, many people say that Bybit has not experienced similar thefts in its history, at least not publicly disclosed like other exchanges. But now that this has happened, it has become the largest in history. Could it be that because you haven't encountered this before, there was some internal complacency?
Ben: I definitely think there are areas where I could have done better. For example, our cold signing could have been distributed across several wallets instead of putting all the Ethereum in one wallet. This time, we were lucky that our USDT was also in one of Safe's wallets, amounting to about $3 billion, which is twice the amount of Ethereum. But that wallet had sufficient USDT reserves and had basically not been touched. I guess the hacker might have lost patience after waiting for a while or was afraid to touch the USDT because it can easily be frozen. So looking back, there were a few simple methods to avoid this.
First, why put $1.5 billion in one wallet? Couldn't it be divided into five? At least the losses wouldn't be so concentrated. Perhaps because we had never been hacked before, we were too confident in our deposit and withdrawal system and didn't think much about this aspect, focusing more on the signing environment and computer security. I think this is a shift in mindset; it's no longer about how to never be hacked, but rather about assuming that a hack will happen and figuring out how to ensure that the losses do not leave us with nothing, but rather keep them within a manageable range.
Colin: Yes, although the amount is large, as you said, the silver lining is that the company can still withstand it. I hope you can recover quickly.
Ben: Thank you all for your support.