Bybit CEO Reflects on Stressful 48 Hours, How Did the Security Breach Happen?

By: blockbeats | 2025/02/24 12:15:03
Original Article Title: "Wu Said Dialogue Bybit BEN, Shunyet: In-Depth Analysis of $1.5 Billion USD Theft Reason, Rescue Progress, and Future Plans"
Original Source: Wu Said Blockchain

This Space event focused on the recent hack, the largest in the cryptocurrency industry's history and also the largest theft in human history. Wu Said Blockchain's Colin interviewed Bybit executives Shunyet Jan and CEO Ben Zhou to discuss the details of the event and the subsequent rescue. The incident involved the theft of approximately $1.5 billion worth of Ethereum, allegedly by the North Korean hacker group Lazarus Group. Bybit restored full withdrawal functionality within 12 hours by prioritizing retail withdrawals, imposing graded restrictions on institutional clients, and leveraging liquidity support from exchanges like Bitget and from OTC service providers. The liquidity issue has been resolved; however, the likelihood of recovering the stolen funds is very low. The company is collaborating with a security team to investigate the root cause of the vulnerability, which may involve technical issues with the multi-signature cold wallet provider Safe or potential internal errors. Bybit emphasized its commitment to rebuilding user trust through enhanced security measures, optimized risk control processes, and transparent communication. The executives also acknowledged that the incident exposed shortcomings in internal processes and crisis management, and they plan to conduct a comprehensive review and improvement in the future.

The audio transcription was completed by GPT and may contain errors. Please listen to the full podcast:

Xiaoyuzhou:

https://www.xiaoyuzhoufm.com/episodes/67bb1532606e5c59404b67c4

YouTube:

https://youtu.be/PAv71v4kKxo

70% of Ethereum Spot Inventory Stolen; Liquidity Crisis Resolved Through Borrowing and Other Means

Colin: Teacher Jan, one of the most concerning issues is the current situation of Bybit. For you, has the liquidity situation at Bybit been fully restored? Or are there still some liquidity gaps?

Shunyet: Okay, at that time, what was stolen was only our Ethereum spot inventory, which accounted for about 70%. Because many clients had demands during that period, we suspended many operations and allowed withdrawals in batches based on client levels. So at that time, retail clients could withdraw normally, except for Ethereum withdrawals. Our inventory was indeed insufficient during that time, and clients couldn't withdraw. For this, we want to thank Grace, as well as exchanges like Bitget, Matcha, and some market makers who helped us gradually replenish our inventory. Some were through borrowing, some were through direct exchanges, but mainly relied on a bridging model. Later on, we met all withdrawal demands from clients and fully resumed withdrawals about 12 hours later, including for institutional clients. Now, our spot liquidity is no longer an issue.

Colin: Yeah, so initially your strategy was to prioritize withdrawals for retail users while also engaging with institutional clients, is that right? But now it's fully open for everyone, correct?

Shunyet: Yes, it's fully open now.

Colin: So the main liquidity gap is concentrated on Ethereum, right? Besides Bitget and Matcha, which other institutions have helped you?

Shunyet: I'm not sure if it's appropriate to publicly disclose specific names, but most of the well-known major OTC market makers have participated in supporting us.

Colin: Earlier, Grace (Bitget CEO) mentioned that the funding provided by Bitget does not require any collateral, nor does it carry any interest, not even a specified repayment time. However, not every institution is like that, right? Have other institutions proposed some related conditions?

Shunyet: Yes, we must thank Bitget again. Other OTC market makers may require some collateral. For example, we can use the company's treasury as collateral, and those assets are more than enough to cover the $1.5 billion gap. So we will borrow Ethereum in a controlled manner, such as by pledging USDT or Bitcoin. However, compared to that, Bitget's assistance is larger in amount and does not require any collateral, which is very prominent.

Colin: So from your perspective, you think the whole event has basically subsided, right? Additionally, your current liquidity is no longer as tight, is it because the overall atmosphere has eased, especially with less strong withdrawal intentions from institutions and whales?

Shunyet: Yes, we have many whales here. By whales, some have a large trading volume, while others have substantial assets stored on Bybit. For those high-volume trading clients, we have observed that because many of them are market makers, they may adjust some operations based on fund strategies, but still, one-third to half of the funds remain on the exchange. As for clients holding a large amount of assets, their attitudes are basically divided into two types: some completely trust Bybit, and their funds have not moved; the others may transfer funds to other places in the short term. However, I think our peak has passed by now.

Rebuilding User Trust After a Crisis: Transparent Post-Mortem, Public Acknowledgment, and Security Enhancement

Colin: For Bybit, as Grace mentioned earlier, the funds stolen in this hack were roughly equivalent to your annual profit. So, from the perspective of a security company or another institution, it's likely that this money was taken by North Korean hackers, and the chances of recovering it are slim, right? Is this assessment relatively certain?

Shunyet: Of course, we hope to recover it, but based on the history of the Lazarus Group, there have been very few successful recovery cases. I remember in the past, the only part they managed to recover was when they had some coins that could be frozen and then destroyed, such as USDT or USDC. However, in the early days, Lazarus Group may have made some minor mistakes, like depositing funds into a small exchange. At that time, Ben had good relationships with the leaders of various exchanges, and everyone was willing to help freeze those assets. But now, I think Lazarus Group wouldn't make these low-level mistakes anymore, so the likelihood of recovery is indeed very low.

Additionally, I have seen many discussions where it seems that Lazarus Group is now the fourteenth largest Ethereum holder in the industry, and some have suggested whether a fork is needed to address this issue. Having a sanctioned entity as the fourteenth largest holder doesn't look good. However, this is not my main concern; we are also observing, but this is not something we can decide on.

Colin: Understood. One more thing, are you concerned that after this incident, the overall reputation of the company and even the exchange in the industry will be damaged, leading to a decrease in trust from users and institutions? Although we know that security issues may be a challenge faced by every exchange and are an ongoing issue, many institutions and individuals have already complained that Bybit's security may not be good enough. Will this lead them to no longer trust you in the future?

Shunyet: Well, I look at this issue from another perspective. I only joined Bybit at the end of August last year, and before that, my company was one of Bybit's top three clients, and I myself have been a market maker. At that time, I also witnessed the situation of other exchanges, such as KuCoin, Binance, and of course, FTX's crash. Looking at it now, Binance's situation is also good. We have observed the situations of many exchanges, and we have to admit that although the trust of some users may be shaken, our response is to first maintain transparency. We will investigate the root cause of the problem — whether there was a vulnerability in the systems we work with, or if there was an error in our internal rules, or if it was a finance department issue, such as why the assets were not diversified across multiple systems. We will conduct a thorough post-mortem internally and then make a decision.

Once we have sorted everything out, we will definitely make everything public so that we can rebuild trust. I believe that to turn the situation around, our exchange's features, products, and ecosystem still have a lot of advantages, but right now, the most important thing is trust. We haven't been hacked before, so we haven't encountered this issue, but now our top priority is to regain trust. To achieve this, we need to be very transparent, explain to everyone why the incident happened, and what preventive measures we will take in the future. I think the company has already invested a lot of resources in this area, but we may need to do more in the future.

Colin: I see. Another question, you mentioned earlier that Bitget voluntarily provided support. I've seen many other exchanges, such as Binance, OKX, and others, also voluntarily offering liquidity support. Have they reached out to you proactively, or have you reached out to them?

Shunyet: Some of them have. In fact, I saw in some groups that many exchanges have offered help proactively. However, some may require a deposit or interest. Many OTC service providers have been cooperating with us for a long time, know about our profit situation, and they think that although the amount of this hack sounds large, it is at most our annual profit. So everyone believes that we are still trustworthy, and the situation is not so bad.

Of course, Bitget's assistance amount is relatively large, and the conditions are also more lenient, which is very outstanding. But many other institutions have also provided support. I have experienced similar situations before, such as during the 9/11 incident when I worked on Wall Street. At that time, Lehman Brothers lost even its office, but other companies voluntarily offered office space to their competitors. So, when I see many competitors stand up these days and say, "What support do you need? What can we help with?" I am really happy. This attitude is not just for customers but is also shown between competitors. I think in the cryptocurrency industry, this kind of unity is really special.

Colin: Yes, I understand. Users may think it's too early to discuss this now, but I have seen some users asking, what ways does Bybit have in the future to regain user confidence? Maybe it's a bit early to discuss this now, but what are your current goals regarding this issue and what needs to be done in the future? Is there a plan, or can you reveal something?

Shunyet: We are still studying this at the moment, but as I just mentioned, the first thing is to prioritize trust. To rebuild trust, our security must be significantly enhanced, and this is the first step. In addition to this, we will return to Bybit's original organic growth model. We understand the needs of retail investors very well and are also good at serving retail and VIP clients. I think time is the best tool, as long as we handle this matter well, trust will naturally return.

Colin: I see. How is the overall morale of the company now? In the face of the largest theft in human history, how are the internal employees of the company feeling and what is the morale like?

Shunyet: Ben is a very special person; he always focuses on how to solve the problem. He will ask everyone: What is our current problem? For example, is it a lack of inventory, a lack of trust, or something else? Each department will establish a dedicated team to address each issue. The current focus is for us to deeply understand where things went wrong — whether it's our SOP (Standard Operating Procedure) that's at fault or if it's our partner. We need to address these issues first.

The second step is, after enhancing security, we need to ensure better liquidity. When customers come to our platform, they need good liquidity. So, we will communicate with various liquidity providers to see what support they need and what special assistance can be provided in the short term to get this right, gradually restoring the user experience to its original level. This is our most direct path forward.

Additionally, we are also considering some potential unexpected partners. Because of this incident, we may need to readdress some matters and even disclose more information to everyone. For example, our reserve proof was originally updated monthly, and now we are considering releasing another one after this incident is resolved, taking these actions to enhance transparency.

Discussion on Security Improvements: Multisig Management, Approval Process, and Employee Management

Mirror: Since this security incident involved multisig, I wanted to ask, do you have a specific upgrade plan for multisig? How will it be handled in the future?

Shunyet: Okay, we have always believed that multisig security issues aren't that significant because we use tools like Safe, which should be quite reliable, right? However, after this incident, we have indeed put forward several solutions. First, regardless of the technology used, even if we consider it very secure, we will continue to use multiple different methods. In addition, in multisig management, the signing authority is currently concentrated in the hands of four to five people, and in the future, it may be decentralized, such as assigning permissions for different currencies to different individuals. Also, in the future, cold wallets must be diversified; we can no longer keep such large assets in a single wallet. These are things we thought were quite straightforward in our discussions, and upon reflection, we wonder why we didn't think of them before? But these are things we will definitely do in the future.

Mirror: Understood. Have you considered adding the cold wallet and hot wallet addresses to a whitelist and then locking them down?

Shunyet: This can be considered, but sometimes it may reduce flexibility. However, it is indeed a solution.

Mirror: Hmm, yes, because I've seen many people suggest that you could do a dry run first to see if the execution results are transparent. I also think we could take it a step further, such as conducting a check before executing the signature, directly analyzing and parsing the bytecode in detail, and then doing some dry runs. This may help mitigate the risk of such attacks.

Shunyet: Hmm, this suggestion is something I will definitely bring up for discussion with our security team. My background leans more towards transactions, so I will leave this aspect to a professional team for assessment.

Mirror: Another thing from before: the 2022 incident where an employee modified Excel data, though it was not considered theft. After that incident, did you upgrade the entire CRM (Customer Relationship Management) process?

Shunyet: Yes, we did. I think many times, once an issue is discovered, it needs to be improved. That incident was a long time ago, and we had almost fixed it by then. Now our approval process has more control measures. At the beginning, I also encountered this kind of situation, where many exchanges have advanced technology, but the backend systems or processes are relatively simple. Our company grew rapidly, and some areas were not well managed, but now all departments have made adjustments. Even for simple internal transactions, they need to go through an approval process. Sometimes it may feel a bit annoying, but this way we won't encounter similar problems again.

Mirror: Yes, because this is actually quite crucial. Exchange businesses involve funds, so what needs to be checked may be more complex. I have another question. Many people have mentioned Bybit this year, and indeed, it has seized a great opportunity, jumping to become one of the top three exchanges. Will this lead to a significant expansion of your team? Will it affect your existing risk management structure?

Shunyet: Actually, Bybit's number of employees is slightly fewer than some of our competitors because we focus greatly on selecting people who fit Bybit's culture. Not everyone can easily join, so our hiring process tends to be longer. Our business is growing rapidly, but sometimes the pace of talent acquisition can be slower than business growth. However, whether it's in risk management, business, or product aspects, we are sticking to this approach.

Joint Fund Tracking With External Teams; Ethereum Rollback Considered Unlikely

Mirror: Well, then I will continue to ask. Just now, Teacher Jan mentioned that this money may not be recoverable, but after looking at some discussions in the community and the hacker's activities, I feel that even if it cannot be recovered, the probability of the hacker completely taking away this money is not high. However, I saw someone in the community mention that the hacker is performing some self-destructive operations on this Ethereum, so I would like to ask Boss Ben to confirm.

Ben: I can tell everyone about what we are currently doing. Our security team has already contacted several external partners, and SlowMist, a well-known domestic security firm, is also cooperating with us in conducting comprehensive tracking. This includes retracing what happened at the time with the help of on-chain analysis companies, attempting to understand how this hacking incident actually occurred. So far, there is no conclusion yet because this incident has several suspicious points that differ from the past.

Firstly, it was not a problem with our hot wallet system, but an issue with our supplier Safe that we used to store Ethereum in a multi-signature cold wallet. We are not sure whether their servers had issues or if there was a problem in each user interface link of our signatures. This is the first direction we are investigating. Regarding the fund tracking you mentioned, from our perspective, it is not so easy for this Ethereum to be laundered out. I think it will be a long process, and the hacker will slowly attempt various money laundering methods. This incident is of a large scale, but what makes me feel fortunate is that the entire industry is very united, everyone is helping us, and we are very grateful.

Actually, as long as the hacker transfers the funds to some cross-chain bridge, we can almost immediately locate it and then request the bridge's assistance in freezing it. So, to completely launder this $1.5 billion, I think it will require a very long period. Secondly, regarding self-destruction, we have not seen any signs of it. After putting in so much effort to steal it, why would they self-destruct?

Colin: It's not self-destruction, Mantle over there rescued this money.

Ben: Yes. If the hacker now attempts any re-collateralization protocols, we should be able to take some measures in response. So, he is now in a standoff with us, and we have a bunch of people watching him. His current situation is a bit awkward as well. Lastly, indeed, some people, including some top projects and a few online influencers, have proposed whether Ethereum can consider a complete rollback. However, most opinions believe that the last rollback was due to 30% of Ethereum being stolen, and although the amount this time is substantial, it only accounts for about 0.3% to 0.4% of the total, so they should not consider a rollback. However, we are also trying to contact Vitalik (Founder of Ethereum) to see what advice he can give us.

Colin: Would you ask or request him to do a rollback?

Ben: We would beg them for help, haha. But whether they can cooperate or not depends on their considerations.

Specific Crisis Response: How to Restore Liquidity, Optimize Security Strategy, and Future Plans

Colin: Ben, I actually asked Teacher Jan earlier. Do you think liquidity has fully recovered now? Including Grace's previous mention, perhaps you no longer need external support as much.

Ben: Yes, I have to specially thank those partners who quickly lent a helping hand. Bitget should be the first one that helped us, and they didn't even mention any conditions at all. They truly came to our aid, didn't even sign a contract, just provided help directly, so I'm very grateful. Also, Matcha and PieDAO, these three have been lending us Ethereum, which was a great help.

Now our overall situation is completely stable. In about 12 hours, our deposit and withdrawal levels returned to normal. I posted a message on Twitter at the time, our withdrawal system no longer had any backlog, and all withdrawal requests were processed. Now, compared to the second hour after the incident — which was the peak period, the system is no longer facing withdrawal pressure but rather an overall stress capacity issue.

Our withdrawal system had never seen so many people withdrawing at the same time. At that time, we performed system maintenance, adjusted on-chain fees, optimized risk control systems, and handled a bunch of related transactions. At the same time, we contacted people in the background to borrow Ethereum to fill the gap. Now, the entire liquidity is completely fine.

Colin: Have you ever simulated similar scenarios before? For example, what should be done in the first and second steps once this kind of thing happens?

Ben: Yes, I think many people, including most online comments, say that although this event was unfortunate, our crisis communication was handled well. Some say I was calm in command, but I think it's not because of my personality, but because we have many tools that help me stay calm. Our risk control status and the financial status of our financial systems are accurate to the minute, so we always know which step the system is at and how the customers' withdrawals are.

This allows us to handle things more orderly. These data-driven, visual dashboards allow us to plan the next steps step by step. For example, during withdrawals, we first deal with small customers, let them all withdraw, and then gradually move backward. Also, we will adjust according to the situation of different chains — which chain has funds, which chain does not, and how to allocate. In my opinion, this data-driven approach allows everyone to systematically advance the follow-up work.

On the other hand, FTX was very chaotic at the time, perhaps because they had no tools to assist in decision-making, which was rather unfortunate. Of course, at the company level, we have conducted drills for all kinds of crises, whether it's a hack or a system failure, and we have internal so-called P-1 level drills every month.

Colin: I see. So, what are the plans for the next stage? For example, in the next day, three days, one week, one month, do you have some important steps to take sequentially?

Ben: Yes, currently we are dividing it into several different stages. First is regarding security, the first step is to find out exactly what happened. The second step is to trace the funds, we will collaborate with external teams, even cooperate with Safe to understand what happened and try to control the damage. Next is on the financial side, for the funds we have borrowed temporarily — not a cross-chain bridge loan, we will repay these funds as soon as possible through OTC trading and other means. At the same time, we are now more focused on the changes in the withdrawal level, but at the moment, it seems that the customer panic has passed.

From a business perspective, what we are most concerned about is the impact of this incident on the business, such as how many users we have lost, how many VIP customers, and how many institutions. We hope to make decisions based on the impact report as soon as possible. For example, which country has lost the most users? How can we make users in these countries understand the current situation, know that our platform is actually fine, and that our hot wallet and data system are operating normally? In the follow-up, this area will also advance the next plan based on data.

Colin: Alright, understood. In fact, what everyone discussed most at the time was CZ (Changpeng Zhao, Binance's founder), who suggested you pause withdrawals. I guess he might have wanted you to conduct a security check in case there were other vulnerabilities. I don't know why you didn't adopt his suggestion at the time, how did you consider it? Are you worried about other potential issues?

Ben: Yes, in fact, at that time CZ and some other friendly competitors, such as Binance, signaled their willingness to help. However, after they sent the messages, it took me about half an hour to notice because Twitter was exploding at the time, and I was busy with the live stream. I think from their perspective, this suggestion was very normal. If you are not clear about the specifics of the hack event, you might think there was an issue with our hot wallet. If it really was an issue with the hot wallet, then all withdrawals would have to be frozen for sure.

However, this incident is different for us. Our withdrawal system has not been affected at all, and our internal systems are running smoothly. It's just the tool used for multi-signature that was compromised — you can think of it as an external tool malfunctioning. Therefore, the remaining part of our operations can continue as usual without the need to expend extra effort to stop everything. As soon as we identified the issue, SlowMist promptly said, "The remaining part of your systems is completely fine." This assurance allowed us to confidently make this decision.

On the contrary, when other exchanges were hacked, most of the incidents were due to internal code or processes, or even employee error. However, we quickly ruled out these possibilities because signatures are managed by individuals at the founder level, eliminating internal issues outright. This enabled us to comfortably maintain the normal operation of our withdrawal and deposit systems. So, I think CZ's suggestion is not wrong; it's just that our situation is different.

Analysis of Security Vulnerability Sources: Insider Threat, Trojan Horse, Bybit Internal Issue, or Safe Codebase Vulnerability?

Colin: Another point, although the final security report is not out yet, there's a theory that the user interfaces of several team members were targeted. Could there be an insider threat or a similar situation?

Ben: Yes, I believe every possibility must be thoroughly investigated, and at the moment, nothing has been ruled out completely. Our immediate action was to preserve evidence by backing up the computers of all staff involved, documenting every step taken by the parties, and retaining evidence. These materials will be provided to the police, external security partners, and our internal investigation team for further analysis. Looking back, all operations didn't differ significantly from the usual. However, what's peculiar is that several essential checkpoints in our security protocol, like URLs, were all validated.

As of today, I'm not sure if Safe's multi-signature system is still in a frozen state; they might be conducting their investigation as well. They are also cautious not to draw immediate conclusions about whether it was their servers being compromised and affecting us or if there were issues with each person's computer. Moreover, we discovered that each individual was in different locations and network environments, making remote control seem unlikely. There are various possibilities, but at present, we cannot definitively rule out any, so the investigation continues.

Mirror: So, Ben, you're saying that there was no trace of a trojan on the devices, correct?

Ben: Yes, we have verified; there was no trojan found on the computers of those involved in the signing process. Of course, this was the initial finding of our security team. It's still uncertain if there is a sophisticated trojan that we haven't detected yet. Therefore, we proceeded with the evidence collection, sealing the computers and preserving images and other data.

Hao: I saw that Safe seems to have issued a statement saying that their codebase has no vulnerabilities. I was thinking, if it's a common APT (Advanced Persistent Threat) attack, such as a penetration attack, suppose one of your employees or executives' endpoints was compromised — like through social engineering — that would only be an entry point within the intranet. I'm curious, how could the hacker pivot from such a small point in the intranet to your advanced system? In this process, did all your security alert mechanisms fail? Was there no indication for such a long time? Will you be conducting targeted investigations next?

Ben: First, I want everyone to understand our situation. We have a complete outgoing fund system, including hot wallets and warm wallets. The hot wallet automatically processes outgoing transactions, while the warm wallet requires manual signatures, which is a system we developed internally. When we have some extra reserves, we store them in cold wallets. You can think of the cold wallet as HSBC Bank. This incident is a problem on the 'HSBC Bank' side — when I tried to withdraw the funds, it was intercepted, resulting in all of it being stolen. So, the mentioned hacker penetrating our system is entirely false. That's also why we have been able to maintain uninterrupted outgoing transactions; there are no issues with our normal outgoing fund system internally.

We do indeed face penetration attempts regularly. We have a full set of protective measures, such as setting up many honeypots within the system, as well as a white-hat team and a red-blue team engaging in offensive and defensive strategies. Even our red team periodically sends out phishing emails to employees to test if they are following security protocols. This is part of the exchange's daily operation. But this time is different; the hacker did not breach our internal system.

You can understand that we placed the funds in the service provided by Safe, this cold wallet service provider. The biggest challenge this time was an external issue. Going back to your question, the breach did not originate from our end but rather through an external multi-signature process. Four people are responsible for signing, including myself, and the others, I cannot reveal, but they are at the same level.

The most puzzling thing is that we are all in different network environments, our computers are regularly scanned, and no trojans were found afterwards. We do not sign in the same place, not even in the same country. One person signs, then the next, each time checking things like URLs. So now we are still investigating where the issue occurred. I am working with Safe, but not blaming them; we are also unsure where the problem lies. They did not find the cause, and we don't know either. The final conclusion is still unclear; we are still figuring out what exactly went wrong in this area.

Issue Discussion: Asset Protection, Team Response

Colin: I have another question, not sure if Bybit is convenient to answer: approximately what is the scale of your own assets used for liquidity or reserves on a daily basis? Like it was mentioned before, Bybit may have a yearly profit of around 1.5 billion USD, but you definitely distribute dividends or use it for other expenses every year. Are the overall company assets enough to cover this 1.5 billion USD gap?

Ben: The company's assets are absolutely greater than that amount. I posted a tweet about this, you can go check it out, our audit firm has already come forward to speak. This audit firm has reviewed our finances and company accounts. There's a tweet on my Twitter mentioning Hacken, who conducted the audit for us. They have seen our funds account, which is our Treasury account. They were willing to speak up immediately, but they needed our agreement. At that time, I was busy, and after two to three hours, I said it was okay, and they issued a statement confirming that they audited our Treasury, ensuring that our cash and token reserves are fully able to cover this 1.5 billion USD loss.

Colin: So, for the company, how do you feel about the overall morale right now? How are the employees doing?

Ben: I am quite fortunate; I am very pleased with the execution and culture of our team. After the incident, almost everyone rushed to the office immediately. Because Bybit has a centralized office, and I was doing a live broadcast in Singapore at that time, almost a whole floor in our Singapore office was filled with people. The security team, the live broadcast team, the media, public relations, and even legal were all online. After we reported to the Singapore police, they arrived at around three or four in the morning, and even Interpol came this morning. The overall response time was very fast; at least the dozens of people who report directly to me basically did not sleep all night, continuously coordinating with various parties.

I think the hardest hit are the customer service team, as they are all online responding to customer inquiries. The risk control team is also working hard to process withdrawal requests, and the heads of the public relations team and other departments are almost all on duty. The product and tech teams are also ensuring system stability, as we were worried it might cause other systems to crash. I sent an internal email to the entire company immediately, saying the next 24 to 48 hours would be very tough, but hoped everyone would stay calm and deal with this matter professionally.

At the same time, stay online so that customers can reach us. I think in moments like these, being online and reachable is the most important, including our institutional team, as many institutional clients are also very worried. I just slept for two hours, and some others also took a quick break. The overall mood is still quite exhilarated because there are still many issues to resolve.

I feel like the most difficult time is behind us, and liquidity has fully recovered. Now client deposits and withdrawals are completely normal, just like before.

Colin: Understood. So, going forward, perhaps the two most important aspects will be: one, a comprehensive security check, and two, rebuilding trust with institutions and users, mainly following these two paths, right?

Ben: Right, I think you're right. The first thing going forward is, what are we going to do with our Ethereum multisig? We are still using Safe for now, but we have moved the funds to our own hot wallet. This is clearly not a long-term solution, so we need to address this issue. The next step is definitely on the business side. We will assess the overall impact of this event through the internal BI team's impact report and then devise the next operational plan.

Mirror: I just looked at the Hacken proof that Ben mentioned, and it says the market value is $79 billion. What does this refer to? Is it the previously mentioned Bybit's own assets or customer assets?

Ben: Hacken conducted an audit for us, separating user assets and our internal assets into two parts. They published the part related to customer assets, but they also reviewed our internal asset pool. However, the specific numbers were not disclosed because that is our internal data. They promised that they have verified and can ensure that our assets can fully cover this loss. This is the content of the post they made at that time.

Ben Thanks Industry Support, Will Continuously Enhance Security and Crisis Management

Colin: Ben, I've seen many people online, especially project founders in the Chinese-speaking community, as well as the Western community, who are very supportive of Bybit. For example, Du Jun, Yuanjie, they are transferring Ethereum back to the Bybit account. Do you want to express your gratitude to them?

Ben: Yes, I'm really very grateful. In this incident, many partners have come forward, and some are even on standby. From wallet-related partners like Fireblocks and Chainalysis to other teams, I can't remember everyone clearly now because some contacted me directly, and some reached out to our team. In any case, we feel the support of the entire industry in various ways, all helping us. As you just mentioned, several well-known platforms in China, such as Bitget, Matcha, and Paiwang, contacted us proactively and provided direct lending support. Binance also reached out to us, and we are still in communication, but in the end, we have borrowed enough funds, so we didn't trouble them further. There are other exchanges, our partners, as well as various networks and market makers, almost all of which are providing assistance. So, I'm really very thankful.

Colin: Yeah, I hope Bybit can recover from this incident. The loss this time was quite significant after all. What do you think will be the impact of this incident on Bybit's future development? Will it bring about some changes in mindset, or will there be any specific adjustments in the future?

Ben: To be honest, I haven't had a chance to deeply think about this question yet, but it will certainly have a significant impact on us. From a security perspective, such as wallet deployment, we may be more cautious. In this crisis response, we also found some issues that can be optimized. For example, the performance of the fund transfer system under high traffic, and the risk control system being a bit chaotic with a large number of flags, leading to overall inefficiency. Also, although our P-1 response is very fast (we have drills: with the press of a button, almost the entire company receives phone and SMS notifications and quickly goes online), in some aspects, such as when such a major event occurs, is the security officer's role clearly defined? We will conduct a complete review and optimize internal management later.

Overall, fortunately, we were able to withstand this incident. I can't imagine what it would be like if the loss reached the level of 10 billion USD; we might have to consider selling the company. But this time we managed to hold on, so I haven't thought that far ahead. However, from this perspective, our next step will be to adjust all processes. Assuming such an event happens again, we can withstand it and make some changes accordingly.

Colin: Yeah, many people say that Bybit has not experienced a theft like other exchanges in its history, at least not publicly disclosed. But this time, once it happened, it became the largest one in history. Will there be some relaxation internally because we haven't encountered such incidents before?

Ben: I think there are definitely areas where I didn't do well. For example, our cold signatures could definitely be distributed to several wallets, rather than putting all Ether in one wallet. This time was lucky; our USDT is also in a Safe wallet, about 3 billion USD, which is twice as much as Ethereum. But that wallet hasn't been used much due to the sufficient USDT reserves. I guess the hacker may have waited for a while and ran out of patience, or dared not touch the USDT because it's easy to freeze. So in hindsight, there are a few simple ways to mitigate.

First, why put 1.5 billion USD in one wallet? Why not split it into five? At least the loss wouldn't be so concentrated. Perhaps because we've never been robbed, we were too confident in the fund transfer system and didn't think much about this part, focusing more on the signing environment and computer security. I think this is a mindset shift: no longer thinking about how to never be stolen from, but assuming that we will be stolen from and ensuring that the loss is not enough to wipe us out but is kept within a bearable range.

Colin: Yes, although the amount is substantial, as you said, fortunately, the company is still holding up. Hopefully, you can recover soon.

Ben: Great, thank you all for your support.
