Conversation with Bybit’s CEO: From the brink of collapse to full recovery, how did Bybit save the crisis within 72 hours?

“One of my biggest fears is not being able to understand my limits and failing those who trust me.”

Compiled and compiled: Deep Trend TechFlow

Guest: Ben Zhou, CEO of Bybit

Moderator: Kevin Follonier

Podcast source: When Shift Happens

Original title: Bybit Founder: How I Survived The Biggest Crypto Theft Of All www.gushiio.com| E110

Broadcast date: February 27, 2025

introduction

Days after Bybit suffered a $1.5 billion Ethereum hack, host Kevin had an in-depth conversation with Ben, CEO of the exchange.

Through this conversation, we will learn how Bybit responded to the crisis in 72 hours, successfully processing 350,000 withdrawal requests, while quickly raising alternative funds to ensure uninterrupted operations.

This interview provided us with valuable experience on how to show leadership under extreme pressure and how to maintain user trust in the face of billions of dollars in risk.

Summary of wonderful views from the interview

• What cannot defeat you will eventually make you stronger.

• One of my biggest fears is not being able to understand my limits. There is another thing that scares me, and that is letting down those who trust me.

• My goal is to make sure our company is still around 10 years from now.

• Stress comes from the feeling of powerlessness that the problem is beyond your control.

• You must invest in your employees and leaders.

• Bybit has never been the first in the market, we are more like a dark horse.

• Transparency and timely communication are at the core of rebuilding trust, while always maintaining a professional attitude is the basis for earning community respect.

• Not your Key, not your coin.

• When your assets reach a certain size, you become a potential target, so it is important to decentralize asset storage locations.

• Involving key players in signing will put them under excessive psychological burden in a crisis.

• The beauty of our industry lies in transparency and direct communication between entrepreneurs and customers.

• Our company has an emergency response mechanism called P-1 incidents to deal with the most serious crises. We conduct drills every month to simulate various major events that may occur. We have a dedicated P-1 button that any employee can press. Once triggered, the system will automatically wake up all management layers and contact them one by one by phone. If someone does not answer, the system will automatically call the next person in charge until someone answers.

• When people feel stressed out, it’s often because they know something needs to be done but don’t take action. My approach is, whenever there is something that needs to be dealt with, I do it immediately, so stress is not a problem for me.

• In the face of a major crisis, the core of public relations is not the public relations team, but the founder and CEO himself. If at a time like this, I let the public relations team draft information and post it via Twitter, or let the public relations staff speak out, it will only backfire. Because in times of crisis, the public will not trust the statement of a public relations team, they need to hear a direct response from the founder or CEO.

• No matter what emergency happens, I have to deal with it myself and there is no one else to rely on. Instead of thinking about steps 1, 2, and 3 step by step, I will jump straight to the critical fourth or fifth step.

• Throughout the event, we kept the withdrawal channel fully open and customers could withdraw their assets at any time. Even in the face of similar bank runs, we have never refused any withdrawal request.

• Centralized exchanges remain crucial to the entire ecosystem. Most people need centralized products to enter the crypto world, and users may participate briefly because of market hotspots, but there is no intermediate platform for them to understand in depth or use for the long term.

• Although this hacking incident is regrettable, it also strengthened my goal to fight hackers to the end. In addition, we plan to launch a dedicated website this week called HackBounty.com, an aggregation platform focused on tracking stolen funds where anyone can post bounty missions and become a bounty hunter. Through this platform, we hope to help all victims track stolen funds while increasing accountability and transparency across the industry.

The fastest recovery case in encryption

Kevin: How do you feel about what happened?

Ben：

I think the positive thing about this incident lies in our transparency. We have shown the world how to respond to crises professionally, which has given many people renewed confidence in us. As the famous saying goes:“What cannot defeat you will eventually make you stronger. rdquo;So we have seen customers starting to return, including some VIP customers and institutional partners. I think we have also taken some innovative measures, such as tracking the flow of funds, which is a completely new attempt in the industry.

We plan to launch a new website. The entire team has been working for two consecutive days since the hacking incident to develop the website with the purpose of helping potential future victims track the flow of funds. You will see that its function is very special. Our design team also put a lot of effort into making many very cool designs.

Strategies for responding to a $1.5 billion hacking attack

Kevin：

Usually when a person encounters a hacking attack or similar disaster, they go through several stages: feeling violated, angry and frustrated, before they realize they are the one in charge of their destiny and eventually bounce back. And you seem to have skipped the first three stages and entered the last stage.What was your first reaction when you learned that your exchange had been hacked and lost as much as $1.5 billion?

Ben：

At that time, I received a call from the CFO, and when I received the call, I realized there might be a big problem. He told me that our wallets might have been hacked. I had just signed a deal involving 30,000 Ethereums, and then I realized that the situation was worse than I thought.

I asked him: Have we been hacked? rdquo;

He said: Yes. rdquo;

I asked again: Are all 30,000 Ethereums gone?” rdquo;

His voice began to tremble and he said: Not only does it seem that the entire wallet has been breached. There are approximately 410,000 Ethereum, with a total value of US$1.5 billion.& rdquo;

The next question I asked was, how did this happen?

The security team told me it was related to a transaction I signed, which they suspected had led to a security breach in the wallet. I continued to ask: Are other wallets safe? rdquo; They confirmed that only this wallet was affected.I confirmed it three times because this answer was crucial to my next decision. If the problem is under control, I can focus on solving the current crisis; if not, I may need to shut down the system to prevent further losses.After confirmation, I learned that the problem was limited to a cold wallet and that the vulnerability was found in Genesis Safe provided by a third party.

Next, I asked: In addition to this compromised wallet, do we have any other assets under Genesis Safe? rdquo; They replied that there is also a stablecoin wallet worth up to $3 billion. I immediately asked them to confirm whether the $3 billion was safe. They finally confirmed that the stablecoin wallets were not affected. At the time, I said to the CFO: Can we cover this loss with the company’s funds? rdquo; He replied yes. After hearing this answer, I breathed a sigh of relief.Because I know my clients ‘funds are safe, I don’t need to sell the company or seek outside investment for this.

I immediately contacted the COO, who briefed her on the situation, and she immediately launched the company’s crisis response procedures.Our company has an emergency response mechanism called P-1 incidents to deal with the most serious crises. We conduct drills every month to simulate various major events that may occur.

Kevin: Can you give an example to illustrate the previous P-1 incident? How large do they compare to this incident?

Ben：

There is no event comparable to this one. The previous P-1 incident may have been due to website downtime and transaction matching engine failure, causing users to be unable to conduct derivative transactions, or the withdrawal system to fail to respond in a short period of time. According to our definition, any event that affects more than 10,000 customers or results in losses of more than $1 million is classified as a P-1 event.

We have a dedicated P-1 button that any employee can press. Once triggered, the system will automatically wake up all management layers and contact them one by one by phone. If someone does not answer, the system will automatically call the next person in charge until someone answers.At the same time, teams are automatically assigned to an online conference room and begin recording events, assigning tasks, and implementing solutions.

How to balance judgment and process when making decisions?

Kevin: Will you tell everyone what happened?

Ben：In this case, we explained the situation to the team and told them that we had been hacked. When faced with crises like this, you must make sure that every member of the team knows what’s going on.

Kevin: You mentioned that your team has a complete set of emergency procedures. How important do these procedures play in crisis management? Because although the program is very important, in actual operation, judgment is also crucial. In this case, what are the respective weights of judgment and the program?

Ben：

Judgment plays a large part in such incidents, because each crisis is different.In past incidents, my role has been more internally oriented. For example, when a website goes down, I usually issue a short announcement to explain the problem to the customer, such as our website is temporarily inaccessible and the technical team is handling it. In this case, the customer can already perceive the existence of the problem, so we only need to confirm the problem and soothe the customer’s emotions. In fact, website downtime is one of the most serious situations for exchanges other than hacking attacks. You can imagine the impact on user experience and company reputation if a website outage occurred on a large platform like Binance or Bybit.

When dealing with this kind of problem, my main responsibility is to work with the technical team to identify the root cause of the problem. We need to gradually investigate whether it is a problem with Amazon’s Cloud Virtual Machine? Or is it a loading failure of the front-end page? Or is a new vulnerability introduced in the code? We will shut down the relevant system for testing according to specific circumstances until we find the problem.

But this hacking attack is completely different. Our system itself is operating normally and users have not noticed anything unusual, but we have suffered losses of up to US$1.5 billion. In this case, traditional emergency templates no longer apply. Faced with this unprecedented situation, we had to rethink our response strategies and rely entirely on judgment to deal with problems.

Why don’t you feel pressured in a crisis?

Kevin: How to make the right decisions in a high-pressure environment? Are there any challenges you have experienced in your personal life or entrepreneurship that will help you better cope with similar situations?

Ben：

For me, when faced with pressure or emergencies, I hardly feel pressure.When people feel stressed out, it’s often because they know something needs to be done but don’t take action. My approach is, whenever there is something that needs to be dealt with, I do it immediately, so stress is not a problem for me.

When the incident occurred, I knew clearly that there were things that I had no control over, such as a $1.5 billion loss. Losses of this scale are clearly beyond my current control, so I won’t waste my energy worrying about these unsolvable issues.

The next focus is how to deal with possible bank runs. Sooner or later, the market and users will learn about this incident. What do I need to do to calm the market and continue to build trust? Every move we take now will directly affect Bybit’s development destiny in the next 5 to 10 years.My goal is to ensure that our company is still around 10 years from now, and we need to handle this with professionalism and transparency to show the world that we can handle crises like this.

I quickly entered a combat mode.I have left home since I was 12 years old and lived alone in New Zealand. At that time, I was without the company of my parents and had to face various problems in my life alone, whether it was adapting to a boarding family, school matters, or emergencies in my life.

So no matter what emergency happens, I have to deal with it myself and there is no one else to rely on. Instead of thinking about steps 1, 2, and 3 step by step, I will jump straight to the critical fourth or fifth step.

Handling crisis public relations

Kevin: How do you manage public relations? To ensure Bybit remains ahead for the next 10 years, what steps have you taken to avoid becoming a public relations disaster?

Ben：

A big problem is that many people think that with a public relations department, they can handle all public relations matters, but this is not the case.In the face of a major crisis, the core of public relations is not the public relations team, but the founder and CEO himself. If at a time like this, I let the public relations team draft information and post it via Twitter, or let the public relations staff speak out, it will only backfire. Because in times of crisis, the public will not trust the statement of a public relations team, they need to hear a direct response from the founder or CEO.

When I realized that a bank run was imminent, I knew that customers would have a lot of questions to answer. So I first contacted my COO to make sure she could coordinate the team on customer calls and follow-up actions, while also having everyone go all out to deal with the next challenge. Then I drafted the first tweet myself because I wanted all media and the public to get accurate information directly from me. In fact, even my team didn’t fully understand the whole picture of the matter at that time, and the public relations team could only obtain details through second-hand information. As the founder, I am the only person who has complete knowledge of the facts and can speak directly, so I must personally take responsibility for public relations.

In incidents like this,The most dangerous thing is the opacity of information and the spread of speculation.If the market starts to suspect that Bybit will close or that we will run away, it will be devastating for the company. So after my first tweet was posted, we quickly organized an online live broadcast in about 40 minutes. During the live broadcast, I personally appeared on the scene to explain the whole incident to the public in detail.

At the time, the team suggested using Twitter Space, but I insisted on using live video. I thinkLetting everyone see my face and explain issues directly to the public as a founder and CEO is the key to building trust.。By facing the camera, I can convey real information to the outside world, showing that we are not hiding or shirking our responsibilities. This form of direct communication is more effective than any indirect statement or the substitution of others.

I can focus on the core work of crisis public relations because I have a strong team behind me. They are responsible for other matters, so I can concentrate on communicating with the public, which is not just about my personal efforts, but also the result of efficient execution by the entire team.

Ethereum shortage crisis: How to restore market stability?

Kevin: When facing a bank run, the first thing to do is to prevent the situation from getting worse. So what next? What other key partners do you need to contact? Who did you contact first? Why?

Ben：

In the event of a bank run,The top priority is to build trust.I want to personally deliver the message to customers and the market so that everyone knows we are taking action. Despite my preparations, I know that bank runs are inevitable.

Kevin: At that moment, what was the worst-case scenario that you were most worried about?

Ben：

The worst case scenario is that although Bybit’s customer assets were originally fully transparently supported 1:1, for some reason, we are in short supply with Ethereum. In other words, at that moment, we were unable to fully meet customers ‘needs for extracting Ethereum.

I hope clients can withdraw funds so that we can prove that our assets are indeed backed 1:1. However, the problem is that the asset customers want to withdraw most is Ethereum, and we are short of this part. Therefore, in order to quickly restore market trust and achieve my long-term goal of Bybit being able to exist for 50 to 100 years, we must fill the gap in Ethereum as soon as possible.

To solve this problem, I immediately assigned a finance team to contact partners and seek a bridge loan. This method is different from buying Ethereum directly on the market, because market buying will lead to price increases and increase our costs. The operation of bridge loans is relatively simple. We use existing assets, such as Bitcoin and USDT, as collateral and borrow equivalent Ethereum from partners.

Kevin: How did you convince your partners when the market panicked?

Ben：

Actually, you don’t need to be persuaded,If our assets can indeed cover the customer’s extraction needs, there will be no panic problem. What we are short of is Ethereum, not the overall assets.We also have Bitcoin, USDT and cash for operations, which can be used as collateral.

Customer assets are independently managed, but in order to make up for the shortage, I converted the company’s own assets into Ethereum to fill the gap. In this way, we have fully restored the 1:1 support ratio.

Kevin: Will customers or partners question the 1:1 standard?

Ben：

Typically, partners will ask for a higher mortgage ratio, such as 110% or 120%, depending on the type of mortgage asset provided. If it is Bitcoin, it may require 100% to 110%; if it is a stablecoin, the mortgage requirement will be lower, and for some volatile assets, the mortgage ratio may be higher.

What is a great leader?

Kevin: What are great leaders?

Ben：

In my opinion, great leaders need to remain calm at critical moments and be able to command the team clearly.For example, when a crisis occurs, I will clearly assign tasks: you are responsible for this, you are responsible for that. rdquo; This way everyone on the team can focus on their responsibilities. But in fact, in a crisis, some unexpected problems will always arise.

When we encountered a hacker attack, we immediately notified Safe and Genesis Safe platforms and asked them to suspend services to prevent more funds from being withdrawn. Although this measure effectively prevented further losses, it also brought new problems. Some of our partners, the institutions that provided us with bridge loans, told us after signing the contract that they could not complete the transfer because their funds were also trapped in Genesis Safe.

This is just the beginning of the problem. Even more difficult was that we had 3 billion USDT on the Safe platform, but I couldn’t use the funds due to the suspension of the platform, and we were facing a large number of withdrawal requests from customers. In our system, you can see the number of withdrawal applications, the distribution of funds in each wallet and our inventory in real time. Based on this trend forecast, our existing stablecoin reserves can only last for six hours, and then we have to use the 3 billion yuan, but the problem is that I can’t withdraw the money.

In this case, I chose to temporarily leave the live broadcast and let my colleagues continue to communicate with the public on my behalf. At the same time, I immediately contacted the Wallet team and asked them to stop identifying the specific cause of the hacking incident and focus on developing a new software set that would safely withdraw the funds. The team told me that they would complete development and testing as soon as possible to ensure that the 3 billion USDT was extracted. If this step cannot be completed, the company will face the risk of shutting down.

Therefore, I decisively decided to let the team go all out to complete this task.When faced with crises, leaders must remain calm and clear priorities. My primary goal is to ensure Bybit’s safe operations and allow customers to successfully complete withdrawals.

Completing all this is not the work of one person, but the result of the joint efforts of the entire team. We successfully resolved the shortage of Ethereum in three days and even quickly restored liquidity through OTC (OTC). The wallet team is responsible for technology development, the customer support team handles a large number of customer requests, and the agency team ensures that funds are restored to liquidity.

What made Ben feel stressful and his greatest fear

Kevin: What makes you feel stressed?

Ben：It could be my wife and children, and they were the only people who could make me feel stressed. No matter what they say, I can hardly refuse. So, frankly speaking, I deal with the pressure of work fairly well. In contrast, my family is the place where I really feel pressured.

Kevin: It seems that most things are going well now. So what is your biggest fear in life?

Ben：

I think one of my biggest fears is not being able to understand my limits. That’s why I always go all out at work because I don’t know where my potential lies.The most terrifying thing for me is that when I get old, I look back on my life and find that I haven’t tried my best to pursue my goals. This regret makes me feel scared.

There is another thing that scares me, and that is letting down those who trust me.Whether it’s my team or my customers, their trust in me is invaluable, and the last thing I want to see is to let them down. I think this is particularly important to me.

The only special moment that stopped me

Kevin: For you, when will you feel that you have reached a state of satisfaction? You can say that I am already very happy?

Ben： For me, moments of satisfaction may come when my energy and health are no longer enough to support me moving forward. I feel that this is the criterion by which I measure adequacy depends on my energy and health.“”—— If one day my body tells me I need to stop, that may be the moment when I feel satisfied.

Facing the most stressful moment

Kevin: One last question about stress. What was the most stressful moment you have ever experienced?

Ben：

The moment that makes me feel the most stressful is probably when I receive certain calls. As for the specific most stressful moment, I can’t remember it for the moment.

If the most recent one was to be mentioned, it should be an incident that our team has just experienced. But this time the situation is a little different because we tried our best to deal with it. I thinkSometimes the source of stress is not just the problem itself, but the feeling of powerlessness that the problem is beyond your control.

What is the next step after the crisis?

Kevin: What caused you to be hacked and lost $1.5 billion?

Ben：

Simply put, our Ethereum cold wallet was hacked. Currently, we are working with internal and external security teams to investigate specific attack methods and vulnerabilities.

We expect that the internal team may provide some preliminary findings tomorrow. At that time, we will release the details to the public, hoping to use our experience and lessons to prevent others from becoming victims of similar attacks again. However, if you want to know more specific content, you can ask me explicitly, otherwise I may be too general.

Kevin: You said thatsame dayDifferent measures will be taken on the first and second days respectively. We have discussed the emergency response for the day. So what have you done specifically since day one?

Ben：

The top priority on the first day is to ensure the safety of all users ‘assets. Within 12 hours, we completed all withdrawal operations to prevent further losses. The focus of the day was crisis management, including Incident Response Service, handling public relations, stabilizing market sentiment, and sending a clear message to the outside world: we are still operating normally.

The next day, I finally had some time to think about the company’s next strategy. The core tasks of the day included three aspects:the first, analyze impact reports and evaluate specific losses, such as which regions customers were affected, the scale of losses to institutional and VIP customers, and the liquidity situation;the second, cooperate with the business intelligence team to comprehensively sort out relevant data, and contact the external security team to further investigate the technical details of the incident;the third, began to develop a fund recovery plan to assess the possibility of recovering losses. These three tasks are my focus, and I will allocate my time as evenly as possible among these key areas.

How long will it take to rebuild?

Kevin: You mentioned that the company had enough funds to cover this loss. How long do you think it will take to make up for the $1.5 billion loss through the company’s revenue?

Ben：

You mean you want to know our annual income level, right? I have seen some estimates of our annual income, and overall these numbers are almost correct. However, it should be noted that the company also has other operating costs and expenses, which will affect the overall financial situation. Therefore, the specific time required to fully make up for the losses requires a comprehensive consideration of these factors.

Repurchase 400,000 ETH units

Kevin：You mentioned before that you can make up for this loss by buying back Ethereum,With Ethereum as a volatile asset, especially when prices may rise, how do you plan to complete the repurchase without adding additional losses?

Ben：

This is a hot issue currently being discussed in the market.we passed OTC All repurchase operations have been completed. Unlike purchasing directly on the exchange, OTC is a method specifically designed for large-value transactions and can avoid having a significant impact on market prices.Therefore, even processing transactions exceeding US$1 billion will not trigger sharp market fluctuations. If you see slight fluctuations in the price of Ethereum recently, it is mainly caused by market speculation, not our repurchase operations.

As of now, we have bought back approximately 300,000 Ethereum units, while the original total loss was 400,000 units. The remaining 100,000 pieces were obtained through borrowing, and this part of the funds is currently being gradually repurchased and converted. These loans are secured by my collateral and require interest payments. In the long run, it is not cost-effective to continue holding these loans, so I have the motivation to complete the repurchase and replace the funds as soon as possible. As of now, we have significantly narrowed the funding gap, and the repurchase work is advancing in an orderly manner.

Key decisions that helped Bybit tide over the storm

Kevin: When setting up an exchange or other business, you will always encounter moments when you choose to cut expenses in pursuit of rapid growth, but this is often one of the important reasons why companies fail in crises. Can you share some examples of how you chose not to cut spending, decisions that may have helped you get through this weekend?

Ben：

This is a very good question, and there are indeed many unknown details behind it. For example, we decided to keep the withdrawal functions of all systems completely normal during this incident. This is very rare when exchanges are hacked, as many exchanges suspend withdrawals in similar circumstances.

So how do we do it?The key is that we have a very compact operating system and strong real-time data support.Our system runs entirely based on real-time data, including all key indicators such as margin calculations and wallet balances. Unlike traditional systems with T+1 or 10-hour delays, our system can reflect the flow of funds in real time. This real-time capability allows us to quickly and accurately view the inventory on each chain and predict possible risks when we receive a withdrawal request. For example, in the case of a bank run, it is crucial to understand the difference between a 100% run and a 10% run. But the question is, how to obtain such information? People like FTX lack such capabilities. They do not have reliable data support to help management make calm decisions.

Thanks to these real-time systems, I am able to make many key decisions based on accurate data. This also reflects our continued investment in internal products, such as providing financial teams with clear capital flow data and providing risk teams with early warning mechanisms for lack of liquidity. Because of this, we were able to quickly generate impact reports in this incident, accurately identify affected countries and customer groups, and carry out targeted remedial actions.

The construction of these internal systems must not reduce expenses.If we save costs in these areas, I will be very disturbed, because it will directly affect our decision-making ability.

Invest in a first-class team

Kevin: This example is a good example of your investment in business intelligence systems that allow companies to monitor internal dynamics in real time and respond quickly to crises. Are there other examples?

Ben：

I think it is very important to invest in the team and ensure that the team can lead the company to achieve its goals。I firmly believe that we have a world-class team, which is verified by our actual performance. In the past 12 hours, we have processed approximately 350,000 withdrawal requests, all of which were completed within the specified time. This not only relies on the support of the back-office system, but also because each of our support team, approval team, review team and risk management team plays an excellent role in their respective positions. In my experience, few exchanges can complete such a huge workload in such a short period of time.

We quickly convened all team members and completed the task in an efficient manner, which fully reflected the accuracy of the company’s management. Like a properly managed ship, when a leak occurs, everyone knows their responsibilities and acts quickly. Our public relations team and live broadcast team also performed well, and all details were carefully designed and executed.

Our live broadcast team is very prepared. Even in emergencies, they maintained their professional standards and all details were accurately arranged. For example, when I leave to get the latest information, a clear time slide will appear on the screen saying we will be back at 6:30 or 10:00, rather than simply saying wait a moment. This allows customers to know clearly that we will be back on time, which enhances their sense of trust.

In addition, we also adjust the live broadcast time in real time based on the number of viewers. For example, after 1 hour and 45 minutes, the audience dropped from the original 40,000 to 4,000, and I realized this was the right time to end the live broadcast. If the audience is still high, I will continue to live. This flexibility and accuracy are inseparable from the team’s professional planning and execution capabilities.

So I think,Ultimately, you must invest in your employees and leaders. This investment is not easy because it requires many difficult screening processes. A good team cannot be built easily. You must set strict standards and stick to execution. It may take 10 people to be fired to find one person who truly fits the requirements.At Bybit, our recruitment process is very strict and many candidates fail the three-month trial period. We would rather spend more time screening than lower the standards. In the end, this strict screening mechanism helped us build a team that can truly lead the company to achieve its goals.

Why Bybit never launched a token

Kevin：

In addition to business intelligence, data analysis, real-time monitoring and team building, I also have one question that is very interesting to me:Bybit is one of the few exchanges that has not launched local tokens. Why have you never considered launching tokens?

Ben：

There are many reasons. We did have the idea of launching tokens, but we finally gave up. Frankly, when we entered this market, we had missed the best opportunity.

For example, Binance launched tokens, OKX launched tokens, and even some exchanges established later than us issued their own tokens, but I never quite understood the true meaning of issuing tokens. If an exchange is already profitable, it can raise funds through other methods. And if the exchange itself already has the ability to operate sustainably, no additional investment is usually needed. So why issue tokens? Typically,Tokens are designed to attract investors or to build a complete ecosystem to attract users to join, but Bybit has never tried to build its own ecosystem alone.

We have always seen ourselves as part of a larger ecosystem, rather than as isolated individuals. Our business model has worked closely with influencers and KOLs from the beginning to become part of their ecosystem. When we launched spot trading, we chose to work with existing ecosystems such as Solana and Ton rather than trying to build a system that competes with it. We found that this model avoids potential conflicts of interest. In contrast, because many exchanges have their own ecosystems, they not only need to compete with other exchanges, but also with Solana or other blockchain ecosystems, ultimately resulting in reduced cooperation opportunities.

I think building your own ecosystem is only feasible if you are the absolute leader in the market. If you have enough market share and resources, you can indeed expand your business through the ecosystem.but Bybit has never been the first in the market, we are more like a dark horse.As a result, we have never had the conditions to try to issue tokens or build ecosystems. In the end, we chose to focus on our core business rather than launch tokens.

Kevin: So, if things were different this weekend, assuming Bybit had its own token, would it be different?

Ben：

I don’t think it will make much difference. Frankly speaking, I don’t think the existence of tokens is directly related to this incident. If we had tokens, what impact do you think it would have?

Kevin：

Perhaps the market will start shorting tokens, causing token prices to fall rapidly, which may further deteriorate market sentiment and trigger more panic. In this way, you may face another crisis.

How to rebuild user trust after a crisis?

Kevin: I heard you experienced approximately $4 billion in withdrawals overnight. Faced with such pressure, how do you rebound and rebuild user trust?

Ben：

We have begun to gradually restore trust. I think the key lies in how to respond to the crisis.Transparency and timely communication are at the core of rebuilding trust, while always maintaining a professional attitude is the basis for earning community respect.。In this incident, despite the huge challenges it faced, Bybit still demonstrated a high degree of professionalism, which was widely recognized. Many users even praised us during the crisis and believed that our performance was trustworthy. This trust comes not only from users, but also recognized by global regulators.

We are applying for a license through multiple regulatory agencies. Over the past few days, many people have contacted us and said: Hey, I think Bybit is doing a very good job. rdquo; They even have more trust in the future and believe that if we encounter any incident or problem again, we will deal with it in this way.

So from this perspective, this is actually the best way to show the world how we do our work and our philosophy.

Cryptowallet security: Lessons learned from lessons

Kevin: In terms of risk management, what improvement measures will Bybit take in the future? I’m also thinking about a question: Is it reasonable to keep $1.5 billion in one wallet? How should we allocate funds? What amount is too much and what is not enough?

Ben：

This is a very important issue that has sparked a lot of discussion in the past few days, and our security team is actively studying new solutions to ensure that similar risks do not occur again. In the future, we plan to optimize the wallet system, such as dividing wallets to reduce risks. This way, even if a wallet is attacked, it will not have a significant impact on the overall funds.

We are also discussing which more advanced technical means to adopt.I think Ethereum’s development in this regard is worth reference, such as a smart contract wallet. These wallets can improve security through multi-signature and rights management, and can even avoid the risks of online signatures. Some of our current wallets rely on online signatures. Although this method is convenient, it cannot be considered a real cold wallet because it requires operation through a browser. In contrast, most of our bitcoins are stored in cold wallets, which are completely offline, and all signature and transaction operations are done in an offline environment. Unless someone physically intrudes, it is almost impossible to break this storage method.

So I think we will design something that focuses on areas that are physically impermeable. Yes, I think these are some of our key concerns.

Kevin：

This reminds me of one of the core issues in the cryptocurrency space: self-custody. In this industry, we often say it ‘s not your Key, not your coin. Usually this is a reminder to individual users, advising them not to deposit their assets on an exchange, but to choose self-custody. But when similar security incidents occur, this statement does not seem to make much difference. Your security measures are far more complex than the self-hosting methods of ordinary users, but they can still be attacked by hackers.

Does this mean that both individuals and institutions may face security risks? In your opinion, what is the future direction of self-custody?

Ben：

This is a good question. We do face a key challenge and that is that we are a very obvious target. For hackers, large exchanges like Bybit are one of their top targets. An important lesson we learned from this incident is thatWe are even larger than some of the security service providers we rely on.So, logically speaking, attacking us makes sense for hackers. Although I am not saying that this incident happened like this, it deserves our vigilance. No matter how tight security measures we adopt, as a big goal, we always face higher risks. Therefore, I don’t think relying on third-party solutions is an optimal option.

For ordinary users,“not your Key, the concept that it is not your currency is correct, but I think it also needs to be emphasized to spread risk”。When your assets reach a certain size, you become a potential target, so it is important to decentralize asset storage locations.For organizations like Bybit, we actually need to apply the concept of self-hosting to ourselves, using fully self-developed technology solutions rather than relying on third parties.

The sense of responsibility is the biggest lesson we learned from this incident. Although we invested a lot of resources to ensure security, problems still emerged in the end. This suggests that we were deficient in some decisions, such as choosing a solution that relied on browser signatures, which was clearly not secure enough. In the future, we need to focus more on developing and using autonomous security technologies rather than relying on industry standards. While industry standards provide some guarantees, they are not foolproof. The biggest problem with relying on third parties is that you transfer some of the responsibility to them, which can cause you to become less cautious on key issues.

Especially for an exchange like ours, the longer the operation time, the higher the probability of becoming a target.

Kevin: Especially for an exchange like ours, the longer it takes to operate, the higher the probability of becoming a target.

Ben：

After this incident, we communicated with some industry colleagues. I have found that many exchanges are using in-house developed security solutions.Their point is, why rely on third parties? Although there is not necessarily a problem with third parties, once an attack occurs, you lose control.This is a matter of life and death. You should not leave your own safe destiny in the hands of others. As far as Bybit is concerned, our Bitcoin and other crypto assets are mainly stored in a security system developed internally, but Ethereum’s processing is slightly more complex. Ethereum’s smart contract development is difficult and requires a dedicated team of experts, which is where we haven’t invested enough resources in the past. Looking back now, this is one of my biggest regrets. We should have considered these issues early in the policy formulation stage. Although we currently have relevant experts, the system has not yet been fully upgraded. This is an important issue that needs to be solved.

Comparison of security risks between ETFs and exchanges

Kevin: Did this weekend’s events cause people to feel ETFPay more attention to the needs of (exchange-traded funds)? ETFs require assets to be held in custody, and those assets also need to be stored somewhere. Do you think ETFs are managed in a way that faces similar security risks to Bybit? Or are the two completely different?

Ben：

Essentially, ETFs and exchanges do face similar risks, but it also depends on how the ETF keeps assets safe. It should be noted that as an exchange, Bybit’s operating model is very different from ETFs. Our code wallet solution requires frequent adjustments and maintenance, and requires redeployments almost weekly. The asset management of ETFs is relatively static, with deposits most of the time, and occasionally a small amount of withdrawals.

Exchanges process large amounts of deposits and withdrawals every day, including small and large transactions, while ETFs can choose safer but less efficient solutions because they operate less frequently. As an exchange, we must find a balance between efficiency and security. If the withdrawal processing time is too long, customers will be dissatisfied, so our system needs to complete the withdrawal operation within a few minutes.

Analysis of changes in Bybit assets before and after hacking

Kevin: What changes have occurred to Bybit’s assets and liabilities before and after the hacking incident?

Ben：

Before the attack, our client assets totaled approximately $20 billion. In the first few days after the attack, our total assets dropped to $14 billion, and then dropped further to $10 billion or $12 billion at one point. However, as market sentiment gradually recovered, total assets rebounded back to about $14 billion.

Kevin: How do you prove that your client’s assets are safe?

Ben：

Our asset reserves are independently audited to ensure a 1:1 match, which I don’t think any other exchange can claim.

Throughout the event, we kept the withdrawal channel fully open and customers could withdraw their assets at any time. Even in the face of similar bank runs, we have never refused any withdrawal request.If an exchange cannot match its reserves 1:1, it will usually choose to suspend or limit some withdrawals to buy time to raise funds. But we have never encountered such a situation at all. This is actually the biggest test of our reserve system.

The future belongs on the chain

Kevin: You always emphasize that the future is on the chain. Did this weekend’s events further highlight the importance of decentralized Bybit?

Ben：

My opinion has not changed.Although the future is indeed moving in the chain direction, this does not mean that centralized exchanges will be eliminated.I think this means that the infrastructure will get better and there will be more liquidity, just like the growth of cryptocurrencies in the past few years. From five years ago to today, the entire crypto industry has made tremendous progress, but this does not mean that the stock market is declining.

So my logic is,Centralized exchanges remain crucial to the entire ecosystem.Most people need centralized products to enter the crypto world, and users may participate briefly because of market hotspots, but there is no intermediate platform for them to understand in depth or use for the long term. This is the true meaning of a centralized exchange. It provides multiple ecosystems or products that allow users to stay, explore, and ultimately become local crypto users.

Then at some point, they may explore other places. Even most unattracted people usually still have accounts with a centralized exchange and may have some balances in both places, and in many cases, most of the balances are on the centralized exchange.

Image issues in the encryption industry

Kevin: Nowadays, new major events occur in the crypto industry almost every week. How can the public take this industry seriously? What do we need to do to get this industry taken more seriously?

Ben：

I agree that the industry does face some image issues, but we should also pay attention to the positive developments the industry has made. I don’t want to boast, but we have shown a different approach in responding to recent hacking incidents. I have seen someone comparing Bybit to FTX, but this is completely different. We completed the handling of the incident in just 3 days. This efficient response method is rare in the industry. Although this hacking incident is regrettable,But it also made me more determined to fight hackers to the end。In addition, we plan to launch a dedicated website this week to help victims better cope with losses.

I think this is not only a Bybit problem, but also a common challenge that the entire encryption industry needs to face. However, significant progress has been made in other aspects of the industry. Especially in the field of on-chain activities, many decentralized exchanges (DEX) provide solutions that can now solve problems that could not be solved in the past.

The encryption industry is still young, and if you look back at the early adoption stages of the Internet, there are also many problems and challenges. The infrastructure is not perfect, but it takes time. As a result, the encryption industry is still very young. I believe that most people no longer simply view cryptocurrencies as scams, and most countries are legalizing and regulating the crypto industry. Therefore, I think that although this road is full of challenges, it will only become more stable and higher.

Key lessons and biggest regrets

Kevin: You mentioned before that one of the biggest regrets is that there was no internal e-wallet infrastructure. In addition, are there anything else you regret?

Ben：

If we look at this weekend’s events, we do find some areas for improvement. For example, our withdrawal system can be designed to be more efficient and smoother. Even in crisis situations, we should try our best to ensure that customers can complete withdrawals quickly. The only regret is that we have made some customers wait, and they will think you are deliberately stopping them, but this is not our intention. I really hope we can make everyone withdraw money at any time. I hope to optimize the system in the future so that every customer can withdraw money smoothly at any time. This not only enhances customers ‘trust in us, but also makes them feel more at ease because they can clearly see that their assets are safely stored in their personal wallets. Therefore, we need to upgrade the system to perform better when similar incidents occur.

In addition, I also learned some important lessons in managing the wallet security team. For example, if many of you may not have noticed, my CFO was the first person to sign up, followed by one of our co-founders. Looking back now, one of my biggest regrets is, why should such a key role be the signatory? When the hacking occurred, he not only had to bear the pressure from the team, but also faced me, and even his family might be affected. Although we all know that this is the responsibility of external hackers, such as it is currently confirmed that it was done by North Korean hackers, he will still feel guilty and believe that he is responsible. I was very worried that he might eventually choose to leave the company, and he was an important partner who had worked side by side with me for 4 or 5 years. I trust him completely,But I ignored the fact that involving key players in signing would put an excessive psychological burden on them in a crisis.

Kevin: So who do you think is more suitable for this role?

Ben：

It should be someone I trust, but not necessarily a key person at the core of the company. At the end of the day, the signatory only needs to be a trustworthy person and does not need to take on too much corporate responsibility. If my CFO had not been involved in the signing process, he would not have been in this situation. Therefore, in the future, I will definitely adjust this process to avoid putting key personnel on such risks. I can’t imagine how much psychological pressure he was under this weekend. This incident made me feel very sorry and made me realize that process design needed to be more thorough.

Message to future entrepreneurs

Kevin: Do you have any suggestions for future entrepreneurs who want to enter the crypto industry? After all, similar crises may be inevitable.

Ben：

I think the beauty of our industry is transparency and direct communication between entrepreneurs and customers.We can compare ourselves with traditional financial industries, such as banks. Even banks are rarely able to deal with problems in such an open and transparent manner in the face of similar crises. In the crypto industry, transparency and direct communication between entrepreneurs and customers are crucial.

If someone has experienced an incident like this, I think transparency is the key to making sure communication is maintained. Let customers know you are here and the market will reward you for your transparency.

Why do encryption hackers succeed so often?

Kevin: You’ve been busy for three consecutive days. What will you do when you get home or office in half an hour?

Ben：

I still have some important things to deal with, such as whether we have found out the truth of the matter. We are forming a dedicated working group to track the flow of funds and hope to help the entire industry through this incident, not just solve our own problems. During this crisis, many partners in the industry took the initiative to lend a helping hand without even asking for anything in return. Therefore, I feel we have a responsibility to make some contributions. Whether it’s Lazarus or other hacking issues, these are ongoing challenges in the industry.

One of the big problems right now is that when you become a victim of hacking, you often feel very helpless. Hackers know you’re going after them, but they also know that if you’re just a personal victim or a small company, your resources are limited and you can’t track the flow of money over the long term. What’s even trickier is that hackers often disperse funds into small amounts, such as $100,000 each, and then transfer them through a mixer, Bridge or exchange. By the time you contact the exchange’s legal department, the funds have already been transferred and you may give up after a few attempts. This situation is very common in the industry.

At present, we lack a dedicated information platform to integrate relevant data for tracking funds. Although tools like Chainalysis exist, when you trace to an endpoint (such as a currency mixer, cross-chain bridge, or exchange), funds may have become untraceable or frozen.

Hackers often avoid using assets that can easily be frozen, such as USDC. They will use exchanges, currency mixers and cross-chain bridges to delay your time and energy. In the end, you may find that only two or three people are constantly switching exchanges, and even if these exchanges respond quickly, such as responding to you within half a day, the funds have already been transferred. Hackers are using this delaying tactic to win.

To solve this problem, we need to build an industry-level information platform. The platform can show where funds eventually become untraceable, such as currency mixers, and record the response speed rankings of these platforms. For example, 200 transactions totaling approximately US$50 million went to a currency mixer that could not be traced. Through such data, we can seek help from legal or regulatory agencies. If the funds are linked to Lazarus or other sanctioned organizations, we can take further action.

Lazarus Bounty plan: helping industry respond to hacking attacks

Ben：

We are launching a new website called HackBounty.com. This is an aggregation platform focused on tracking stolen funds, as I mentioned before.

The interesting thing about this platform is that anyone can become a bounty hunter. You can submit any financial leads you wish to follow. Once you submit the target funds and trace their final destination, we will register you as a bounty hunter for this lead. Afterwards, our team will contact the end of the capital flow and start a countdown. Destination agencies need to take action: either freeze funds or provide the next step in which funds will flow. If they fail to respond in a timely manner, such delays will be documented and publicly displayed on the platform. This way, people across the industry can see which institutions are not responding to victims ‘requests.

As an exchange, I am very aware of how this mechanism works.

Ultimately, I think we need to leverage the core advantages of blockchain——transparency, to solve problems in the blockchain industry.

HackBounty.com will aggregate all relevant information, and anyone can post bounty missions on the platform and become a bounty hunter. Through this platform, we hope to help all victims track stolen funds while increasing accountability and transparency across the industry.

Welcome to join the official social community of Shenchao TechFlow

Telegram subscription group: www.gushiio.com/TechFlowDaily
Official Twitter account: www.gushiio.com/TechFlowPost
Twitter英文账号：https://www.gushiio.com/DeFlow_Intern