On the evening of February 21, Ben Zhou, CEO of the cryptocurrency exchange Bybit, logged onto his computer for what he believed was a standard transaction. The firm was transferring a significant amount of Ether, a widely used digital currency, from one account to another. However, his routine approval led to an unexpected crisis. Just thirty minutes later, he received a panicked call from Bybit’s chief financial officer, who informed him that their system had been compromised. “All of the Ethereum is gone,” the CFO revealed. This incident marked a catastrophic breach in which hackers allegedly linked to the North Korean government made off with $1.5 billion in cryptocurrencies, representing the largest theft in the history of the crypto industry.
To execute this remarkable cyberattack, the hackers took advantage of a vulnerability in Bybit’s security framework: their dependence on an open-source software product. They infiltrated the exchange by manipulating a publicly accessible system designed to protect hundreds of millions of dollars in customer funds. For years, Bybit had employed this storage software, developed by a company named Safe, despite the availability of more robust security solutions from other providers. The fallout from this breach caused crypto markets to experience significant declines and eroded trust within the industry at a vital juncture. With a crypto-friendly administration in power, industry leaders were advocating for new regulations in the U.S. that would facilitate greater public investment in digital currencies. On the same Friday, the White House was set to host a “crypto summit” featuring President Trump and key industry stakeholders.
Experts specializing in crypto security expressed deep concern over what the heist exposed about Bybit’s security measures. An analysis from one security firm concluded that the financial losses were “completely preventable,” asserting that such an event “should not have occurred.” Safe’s storage system is widely utilized across the crypto landscape but is more appropriate for casual users than for exchanges that handle vast sums of customer assets, noted Charles Guillemet, an executive at Ledger, a French crypto security firm that provides tailored storage solutions for businesses. “This really needs to change,” Guillemet emphasized. “It’s not an acceptable situation in 2025.”
The hack triggered a frantic 48-hour period for Bybit. Although the exchange manages customer deposits potentially worth as much as $20 billion, it lacked sufficient Ether to cover the losses incurred from the theft. Mr. Zhou, 38, scrambled to stabilize the company by borrowing from other firms and utilizing corporate reserves to accommodate a surge in withdrawal requests. On social media, he maintained a surprising level of calm, stating a few hours after the theft that his stress levels were “not too bad.”
As the crisis unfolded, Bitcoin, a key indicator for the crypto market, plummeted by 20 percent, marking its largest decline since the 2022 collapse of FTX, the exchange operated by the disgraced Sam Bankman-Fried. In a recent interview, Mr. Zhou admitted that Bybit had received prior warnings about potential issues with Safe. Three to four months before the breach, the company had observed that the software was not fully compatible with one of its other security systems. “We should have upgraded and moved away from Safe,” he acknowledged. “We’re definitely looking to do that now.”
Rahul Rumalla, Safe’s chief product officer, stated that his team had developed new security enhancements to safeguard users, asserting that Safe’s products serve as “the treasury backbone for some of the largest organizations in the space.” “Our responsibility is not only to rectify what transpired,” Rumalla explained, “but also to ensure that the entire ecosystem learns from it to prevent future incidents.”
Founded in 2018, Bybit functions as a cryptocurrency marketplace where both day traders and institutional investors can exchange fiat currencies for Bitcoin and Ether. Many customers treat exchanges like Bybit as informal banks, depositing their crypto assets for safekeeping.
By various estimates, Bybit ranks as the second-largest cryptocurrency exchange globally, processing tens of billions of dollars in transactions daily. Headquartered in Dubai, it does not cater to customers in the United States. On February 21, while Mr. Zhou was at home in Singapore completing some work, he and two other executives were required to authorize the transfer of cryptocurrencies between accounts. Such routine transactions are designed to be secure, requiring multiple approvals to thwart theft.
However, unbeknownst to them, hackers had already infiltrated Safe’s system, according to Bybit’s internal audit of the breach. They compromised a computer belonging to a Safe developer, allowing them to implant malicious code that manipulated transactions. A link sent via Safe prompted Mr. Zhou to approve the transfer, but the prompt turned out to be a deception. Once he authorized it, the hackers took control of the account, absconding with $1.5 billion in cryptocurrency.
The sudden outflows were recorded on the blockchain, a public ledger that tracks crypto transactions. Analysts quickly identified the perpetrators as the Lazarus Group, a cybercrime syndicate associated with the North Korean government. Following the breach, Mr. Zhou rushed to Bybit’s Singapore office to manage the unfolding crisis. He communicated the hack through social media and initiated an emergency protocol known as P-1, activating the entire leadership team. At around 1 a.m., he appeared on a livestream on X, energetically drinking a Red Bull while assuring customers that Bybit remained solvent. “Even if this hack loss is not recovered, all of clients’ assets are 1 to 1 backed,” he stated. “We can cover the loss.”
Despite his reassurances, the response was swift. Within hours, approximately half of the digital currencies deposited on the platform—nearly $10 billion—were withdrawn, resulting in a market downturn. In an effort to mitigate the fallout, other crypto firms stepped in to assist. Gracy Chen, CEO of the competing exchange Bitget, offered Bybit a loan of 40,000 Ether, valued at around $100 million, without any interest or collateral required. “We never questioned their ability to pay us back,” she remarked.
Amid crisis meetings, Mr. Zhou updated his followers on X, sharing images from a health app that indicated his stress levels were surprisingly stable. “Too focused commanding all the meetings. Forgot to stress,” he wrote. “I think it will come soon when I start to really grasp the concept of losing $1.5B.” Following the theft, the North Korean hackers proceeded to disperse the stolen funds across a vast network of online crypto wallets, a money-laundering tactic they had previously used in other heists. “Lazarus Group is on another level,” commented Haseeb Qureshi, a venture investor, on X after the incident.
Security analysts attributed the vulnerability directly to Bybit’s risk management practices. To authorize the routine transfer that led to the hack, Mr. Zhou utilized a hardware device designed by Ledger, the crypto security firm. However, this device was not synchronized with Safe, preventing him from verifying the complete details of the transaction he was approving—a risky practice in the crypto landscape. “Safe just does not provide the kinds of controls that you would want if you’re going to be frequently making operational transfers,” stated Riad Wahby, a computer engineering professor at Carnegie Mellon University and a co-founder of the digital security firm Cubist. Mr. Zhou expressed regret over not taking action earlier to strengthen Bybit’s security measures. “There’s a lot of regrets now,” he admitted. “I should have paid more attention in this area.”
Nonetheless, Bybit continued its operations following the hack, processing all withdrawals within 12 hours, according to Mr. Zhou. Shortly after the breach, he announced on X that the company was transferring another $3 billion in cryptocurrency. “This is a planned maneuver, FYI,” he clarified. “We are not hacked this time.”