Original Article Title: Bybit Founder: How I Survived The Biggest Crypto Theft Of All Time | E110
Original Source: When Shift Happens
Original Translation: Deep Tide TechFlow
Guest: Ben Zhou, Bybit CEO
Host: Kevin Follonier
Podcast Source: When Shift Happens
Release Date: February 27, 2025
A few days after Bybit suffered a $1.5 billion Ethereum hack, host Kevin had an in-depth conversation with the exchange's CEO Ben. Through this dialogue, we will understand how Bybit responded to the crisis within 72 hours, successfully processed 350,000 withdrawal requests, swiftly raised replacement funds, and ensured uninterrupted operations. This interview provides us with valuable insights, showcasing how to demonstrate leadership under extreme pressure and maintain user trust in the face of billions of dollars in risk.
· What doesn't knock you down will ultimately make you stronger;
· One of my biggest fears is not being able to understand my own limits. Another thing that frightens me is letting down those who trust me;
· My goal is to ensure our company still exists in 10 years;
· Pressure comes from the sense of powerlessness when the problem is beyond your control;
· You must invest in your employees and leaders;
· Bybit has never been a market leader; we are more like a "dark horse";
· Transparency and timely communication are at the core of rebuilding trust, while consistently maintaining a professional attitude is the foundation of earning community respect;
· Not your key, not your coin;
· When your assets reach a certain scale, you become a potential target, so diversifying asset storage locations is crucial;
· Involving key roles in signing will prevent them from bearing excessive psychological burden in a crisis;
· The beauty of our industry lies in transparency and direct communication between entrepreneurs and customers;
· Our company has an emergency protocol called the "P-1 Event," designed to address the most severe crises. We conduct drills every month, simulating various critical events that could occur. We have a dedicated P-1 button that any employee can press. Once triggered, the system automatically alerts all management and initiates phone calls one by one. If someone doesn't answer, the system will dial the next responsible person until someone picks up;
· When people feel a lot of pressure, it's often because they know something needs to be done but haven't taken action. My approach is that as soon as something needs to be dealt with, I take immediate action, so stress is not an issue for me;
· In the face of a major crisis, the core of public relations is not the PR team but the founder and CEO themselves. If at such times, I were to have the PR team draft a message for Twitter or have PR personnel speak out, it would backfire. Because in a crisis, the public will not trust a PR team's statement; they need to hear directly from the founder or CEO;
· No matter what emergency arises, I have to handle it myself; there is no one else to rely on. I don't follow a step-by-step approach thinking about the first step, the second step, the third step; instead, I jump directly to the critical fourth or fifth step;
· Throughout the entire event, we always kept withdrawal channels fully open, allowing customers to withdraw their assets at any time. Even in situations akin to a "bank run," we have never turned down any withdrawal request;
· Centralized exchanges remain crucial for the entire ecosystem. Most people need centralized products to enter the crypto world; users may participate briefly due to a market frenzy, but there isn't an intermediary platform for them to delve deeper into understanding or long-term use;
· While the recent hack incident was regrettable, it has also strengthened my resolve to fight hackers to the end. Additionally, we plan to launch a dedicated website this week called HackBounty.com, which is an aggregation platform focused on tracking stolen funds where anyone can post bounty tasks and become a bounty hunter. Through this platform, we hope to assist all victims in tracking stolen funds while enhancing the industry's sense of responsibility and transparency.
Kevin: What are your thoughts on what has happened?
Ben: I believe the positive aspect of this incident lies in our transparency. We have shown the world how to professionally handle a crisis, which has restored confidence in many people. As the famous saying goes, "What doesn't kill you only makes you stronger." Therefore, we have already seen clients returning, including some VIP clients and institutional partners. I think we have also taken some innovative measures, such as tracking fund flows, which is a new attempt in the industry. We plan to launch a new website. The entire team has been working continuously for two days since the hacking incident to develop this website, aimed at helping potential future victims track fund flows. You will see that its functionality is very special. Our design team has also put in a lot of effort and created many very cool designs.
Kevin: Typically, when a person encounters a hack or a similar disaster, they go through several stages: feeling violated, angry and disillusioned, and then they realize they are in control of their destiny and eventually bounce back. You seem to have skipped the first three stages and jumped straight to the last one. When you learned that your exchange was hacked, resulting in a loss of up to $1.5 billion, what was your initial reaction?
Ben: At that time, I received a call from the CFO, and when I answered the call, I realized that there might be a big problem. He told me that our wallet might have been compromised. I had just signed off on a transaction involving 30,000 Ethereum, and then I realized that the situation was worse than I had imagined. I asked him, "Are we being hacked?" He said, "Yes." I then asked, "Is all 30,000 Ethereum gone?" His voice started trembling as he said, "Not just that… it seems the entire wallet has been breached. Approximately 410,000 Ethereum, totaling $1.5 billion."
The next question I asked was, how did this happen? The security team told me that it was related to a transaction I had signed, and they suspected it had caused a security vulnerability in the wallet. I continued to inquire, "Are the other wallets secure?" They confirmed that only this wallet was affected. I confirmed this three times because the answer was critical to my next decision. If the issue was contained, I could focus on resolving the current crisis; if not, I might need to shut down the system to prevent further losses. After confirmation, I learned that the issue was limited to one cold wallet and that a vulnerability had appeared in the Genesis Safe provided by a third party.
Next, I asked, "Apart from this breached wallet, do we have other assets under Genesis Safe?" They replied that there was another stablecoin wallet worth up to $3 billion. I immediately requested confirmation of the safety of this $3 billion. They eventually confirmed that the stablecoin wallet was not affected. At that moment, I asked the CFO, "Can we cover this loss with the company's funds?" He replied affirmatively. Upon hearing this answer, I felt relieved because I knew that clients' funds were safe and I did not need to sell the company or seek external investment. I immediately contacted the COO and briefly explained the situation to her, and she promptly initiated the company's crisis response procedures. Our company has an emergency mechanism called a "P-1 event" to handle the most serious crises. We conduct drills every month to simulate various major events that may occur.
Kevin: Can you give an example to illustrate the previous P-1 events? How do they compare in scale to this event?
Ben: There is no event that can compare to this one. Previous P-1 events may have included website outages, trading engine failures that prevented users from engaging in derivative trading, or temporary unresponsiveness of the withdrawal system. By our definition, any incident affecting over 10,000 customers or resulting in over $1 million in losses is classified as a P-1 event. We have a dedicated P-1 button that any employee can press. Once triggered, the system automatically wakes up all management and initiates phone calls one by one. If someone does not answer, the system dials the next responsible person until someone picks up. Simultaneously, the team is automatically routed to an online meeting room to begin documenting the event, assigning tasks, and implementing solutions.
Kevin: Would you tell everyone what exactly happened?
Ben: In this scenario, we explained the situation to the team, informing them that we had experienced a hack. In times of crisis like this, it is crucial to ensure that every member of the team is clear on what has occurred.
Kevin: You mentioned that your team has a well-established set of emergency procedures. In crisis management, how effective have these procedures been? Because while procedures are essential, judgment is equally critical in practice, so how do you weigh judgment against procedures in this situation?
Ben: Judgment plays a significant role in events like these because each crisis is unique. In past events, my role was more internally facing. For example, when the website went down, I would typically release a brief statement to customers, acknowledging the issue and stating that the technical team was handling it. In this scenario, customers were already aware of the problem, and we only needed to confirm the issue and reassure them. In fact, a website outage is one of the most severe situations for an exchange, apart from a hack. You can imagine the impact on user experience and company reputation if a large platform like Binance or Bybit experienced a website outage.
When dealing with such issues, my primary responsibility is to collaborate with the technical team to identify the root cause. We need to troubleshoot step by step: Is it an issue with the Amazon cloud servers? Or a frontend page loading failure? Or a new vulnerability introduced in the code? Based on the specifics, we would selectively shut down related systems for testing until we pinpoint the issue. However, this hack is entirely different. Our systems were functioning normally, and users did not perceive any anomalies, yet we suffered losses of up to $1.5 billion. In this scenario, the traditional emergency playbook no longer applied. Faced with this unprecedented situation, we had to redefine our response strategy and rely entirely on judgment to address the problem.
Kevin: How do you make the right decisions in a high-pressure environment? Have there been any challenges you've faced in your personal life or entrepreneurial journey that have helped you better deal with similar situations?
Ben: For me, when facing pressure or emergencies, I basically don't feel stressed. When people feel a lot of pressure, it's often because they know there's something that needs to be done but they haven't taken action. My approach is that as soon as there is something to be dealt with, I go do it immediately, so stress is not a problem for me. When events unfold, I am well aware that there are things beyond my control, such as a $1.5 billion loss. Losses of this magnitude are clearly beyond my current scope of control, so I don't waste energy worrying about unsolvable issues. The focus now is on how to deal with a potential bank run.
Markets and users will eventually learn of this event, and I need to figure out how to calm the market and continue to build trust. Every move we make now will directly impact Bybit's destiny in the next 5 to 10 years. My goal is to ensure our company still exists in 10 years. We need to handle this with a professional attitude and transparency, showing the world that we can deal with such a crisis. I quickly went into battle mode. At the age of 12, I left home and lived alone in New Zealand. At that time, I was without my parents' company, needing to face various issues in life alone, whether it was adapting to the host family, school affairs, or sudden situations in life.
So no matter what emergency occurs, I have to handle it myself, with no one else to rely on. I don't think step by step from first to third; I go straight to the key fourth or fifth step.
Kevin: How do you manage PR work? What measures have you taken to avoid becoming a PR disaster to ensure Bybit maintains its leading position in the next 10 years?
Ben: A major issue is that many people think that with a PR department, they can hand over all PR matters to them, but that's not the case. When facing a major crisis, the core of PR is not the PR team but the founder and CEO themselves. If at a time like this, I have the PR team draft information and release it via Twitter, or have PR personnel come forward to speak, it will backfire. Because in a crisis moment, the public will not trust statements from a PR team; they need to hear directly from the founder or CEO. When I realized a bank run was about to happen, I knew customers would have a lot of questions that needed answering.
So, the first thing I did was to contact my COO to ensure she could coordinate the team to handle client calls and follow-up actions, while ensuring everyone was fully dedicated to facing the upcoming challenge. Next, I personally drafted the first tweet because I wanted all media and the public to receive accurate information directly from me. In fact, at that time, not even my team fully understood the full picture, and the PR team could only obtain details through second-hand information.
As the founder, I was the only one who fully grasped the facts and could speak out directly, so I had to personally take on the responsibility of public relations. In such an event, the most dangerous thing is the opacity of information and the spread of speculation. If the market were to start suspecting that Bybit was going to shut down or that we were going to rug pull, it would deal a devastating blow to the company.
Therefore, after my first tweet was posted, we quickly organized an online live stream within about 40 minutes. In the live stream, I appeared in person to explain to the public in detail the ins and outs of the event. At that time, the team suggested using Twitter Spaces, but I insisted on choosing a video live stream. I believe that showing my face and, as the founder and CEO, directly explaining the issue to the public is key to building trust. By facing the camera, I could convey true information to the outside world, showing that we were not hiding anything and were not shirking responsibility. This direct mode of communication is more effective than any indirect statement or having others speak on my behalf.
I was able to focus on the core work of crisis PR because I had a strong team supporting me. They took care of other matters, allowing me to concentrate on communicating with the public. This was not just about my personal efforts but also the result of the entire team's efficient execution.
Kevin: When facing a bank run, the first thing to do is prevent the situation from worsening. What's next? Which key partners do you need to contact? Who did you reach out to first? Why?
Ben: In the case of a bank run, the top priority is to build trust. I need to personally communicate information to clients and the market, letting everyone know we are taking action. Although I had made these preparations, I was aware that a bank run was inevitable.
Kevin: At that moment, what was the worst-case scenario you were most worried about?
Ben: The worst-case scenario was that, even though Bybit's client assets were originally fully transparently supported at a 1:1 ratio, we faced an Ethereum liquidity crisis due to certain reasons. That is, at that moment, we could not fully meet the clients' Ethereum withdrawal demands. I hoped clients could withdraw their funds to prove that our assets were indeed 1:1 supported. However, the issue was that the asset clients most wanted to withdraw was Ethereum, and we happened to be short on that part.
Therefore, in order to quickly restore market trust and achieve my long-term goal for Bybit to exist for 50 to 100 years, we must promptly fill the Ethereum gap. To address this issue, I immediately assigned the finance team to contact partners to seek a "bridge loan." This method is different from directly purchasing Ethereum on the market, as market purchases would cause price hikes, increasing our costs. The operation of a bridge loan is relatively simple; we use existing assets such as Bitcoin and USDT as collateral to borrow an equivalent amount of Ethereum from partners.
Kevin: How did you convince partners during the market panic?
Ben: There was actually no need to convince them. If our assets can indeed cover customer withdrawal demands, there is no panic. What we lacked was only Ethereum, not overall assets. We still have Bitcoin, USDT, and operational cash that can be used as collateral. Customer assets are managed independently, but to cover the shortfall, I converted the company's proprietary assets into Ethereum to fill this gap. This way, we have fully restored the 1:1 reserve ratio.
Kevin: Will customers or partners question the 1:1 standard?
Ben: Typically, partners may require a higher collateral ratio, such as 110% or 120%, depending on the type of collateralized asset provided. If it's Bitcoin, they might require 100% to 110%; if it's a stablecoin, the collateral requirement would be lower, and for assets with higher volatility, the collateral ratio might be higher.
Kevin: What makes a great leader?
Ben: In my view, a great leader needs to stay calm in critical moments and be able to clearly direct the team. For example, when a crisis occurs, I would allocate tasks clearly: "You are responsible for this, you are responsible for that." This way, each person in the team can focus on their duties. However, unexpected issues always arise in a crisis. When facing a hack, we immediately notified the Safe and Genesis Safe platforms to request a service pause to prevent further fund withdrawals.
While this measure effectively prevented further losses, it also brought new problems. Some of our partners, the institutions that provided us with bridge loans, informed us after signing contracts that they could not complete transfers because their funds were also locked inside Genesis Safe.
This is just the beginning of the issue. What's even more challenging is that we hold 3 billion USDT on the Safe platform, but due to the platform's service suspension, I couldn't access these funds at that time when we were facing a high volume of customer withdrawal requests. Within our system, we could see in real-time the number of withdrawal requests, the fund distribution in each wallet, and our inventory status. Based on this trend prediction, our existing stablecoin reserve could only support us for six hours, and afterwards, we would need to access that 3 billion fund, but the issue was that I couldn't withdraw that money. In this scenario, I chose to temporarily step away from the live broadcast and let my colleagues continue communicating with the public on my behalf.
Meanwhile, I immediately contacted the wallet team, requesting that they halt their investigation into the specifics of the hack and focus on developing new software that could securely withdraw these funds. The team informed me that they would expedite the development and testing to ensure the extraction of these 3 billion USDT. If this step couldn't be achieved, the company would face the risk of shutdown. Therefore, I decisively decided to have the team go all out to accomplish this task. In times of crisis, leaders must keep a cool head and identify priorities clearly. My topmost goal was to ensure the secure operation of Bybit and enable customers to complete their withdrawals smoothly.
Completing all of this was not the work of one person but the result of the collective efforts of the entire team. Within three days, we successfully resolved the Ethereum shortage issue and even swiftly restored liquidity through OTC (over-the-counter) transactions. The wallet team handled the technical development, the customer support team dealt with the high volume of customer requests, and the institutional team ensured the liquidity recovery.
Kevin: What are some things that stress you out?
Ben: It's probably my wife and kids; they are the only ones who can stress me out. Whatever they say, I can hardly refuse. So honestly, I handle work-related stress quite well. In contrast, it's the family that truly stresses me out.
Kevin: It seems like most things are going pretty smoothly now. So what is your biggest fear in life?
Ben: I think one of my biggest fears is not being able to understand my own limits. That's also why I always give my all at work, because I don't know where my potential lies. The scariest thing for me is when I grow old and look back on my life, realizing that I didn't fully strive to achieve my goals; such regret is what scares me.
Additionally, there is another thing that frightens me, and that is to betray those who trust me. Whether it's my team or my clients, their trust in me is invaluable, and what I least want to see is to disappoint them. I feel that this is especially important to me.
Kevin: For you, when do you feel you have reached a state of contentment and can say "I am already very happy"?
Ben: For me, a moment of contentment may arise when my energy and health can no longer sustain me moving forward. I think this is my measure of "enough" — depending on my energy and health condition. If one day my body tells me to stop, that may be the moment I feel content.
Kevin: One last question about stress. What has been the most stressful moment you have experienced?
Ben: The most stressful moment for me may have been when receiving certain phone calls. As for the specific most stressful moment, I can't think of one off the top of my head. If I were to mention the most recent one, it should be an event that our team has just gone through. However, the situation this time was somewhat different because we did our utmost to deal with it. I feel that sometimes the source of stress is not just the problem itself but rather that sense of helplessness when the problem is beyond your control.
Kevin: What caused you to be hacked and lose $1.5 billion?
Ben: In simple terms, our Ethereum cold wallet was targeted in a hacker attack. Currently, we are working with internal and external security teams to investigate the specific attack methods and vulnerabilities. We expect the internal team to provide some initial investigation results tomorrow. At that time, we will publicly disclose details, hoping that through our experience, we can prevent others from becoming victims of similar attacks again. However, if you wish to know more specific details, you can ask me directly; otherwise, I might speak too broadly.
Kevin: You mentioned that you would take different actions on the day, first day, and second day. We have discussed the emergency response on the day. So, starting from the first day, what did you specifically do?
Ben: The top priority on the first day was to ensure the security of all user assets. Within 12 hours, we completed all withdrawal operations to prevent further losses. The focus of the day was on crisis management, including emergency response, handling public relations, stabilizing market sentiment, while conveying a clear message to the outside world: we are still operating normally. By the second day, I finally had some time to think about the company's next strategic steps.
The core tasks of the day included three aspects: first, analyzing impact reports, assessing specific loss scenarios, such as which regions' customers were affected, the scale of losses for institutional clients and VIP clients, and liquidity conditions; second, collaborating with the business intelligence team to comprehensively review relevant data while engaging with external security teams to further investigate the technical details of the event; third, initiating the formulation of a fund recovery plan and assessing the possibility of recovering losses. These three tasks were my focus, and I aimed to evenly distribute my time among these key areas as much as possible.
Kevin: You mentioned that the company has enough funds to cover this loss. How long do you think it would take to recoup this $1.5 billion loss through the company's revenue?
Ben: Are you asking about our annual revenue level? I've seen some estimates of our annual revenue, and overall, those numbers are about right. However, it's important to note that the company has other operating costs and expenses that will affect the overall financial situation. Therefore, to fully recover the loss, we need to consider all these factors.
Kevin: You mentioned earlier that repurchasing Ethereum could help offset this loss. Given Ethereum's high volatility as an asset, especially when prices may be rising, how do you plan to execute the repurchase without incurring additional losses?
Ben: This is currently a hot topic in the market. We completed all repurchase operations through OTC, which is different from buying directly on an exchange. OTC is a method designed for large-scale transactions and can avoid significant impact on market prices. Therefore, even when handling transactions exceeding $1 billion, it does not cause significant market fluctuations. If you've noticed slight fluctuations in Ethereum's price recently, it's mainly due to market speculation, not our repurchase operations.
So far, we have bought back approximately 300,000 Ethereum out of the initial 400,000 lost. The remaining 100,000 Ethereum was acquired through loans, which are currently being gradually repurchased and converted. These loans were secured by my collateral and also incurred interest. In the long run, it is not cost-effective to continue holding onto these loans, so I am motivated to complete the buyback and replace this portion of the funds as soon as possible. As of now, we have significantly reduced the funding gap, and the buyback process is progressing smoothly.
Kevin: When building an exchange or any other business, there are moments when you face choices to cut costs in pursuit of rapid growth, but this is often a key reason why businesses collapse in a crisis. Can you share some examples of decisions you made not to cut costs, and how these decisions may have helped you get through this weekend’s difficulties?
Ben: This is a very good question, and there are indeed many unknown details behind it. For instance, we decided to keep all withdrawal functions of our systems fully operational during this incident. This is very rare for an exchange to do in the event of a hack because many exchanges would suspend withdrawals under similar circumstances. How did we achieve this? The key lies in our highly streamlined operational systems and robust real-time data support. Our systems operate entirely based on real-time data, including margin calculations, wallet balances, and all other critical metrics.
Unlike traditional systems with a T+1 or 10-hour delay, our systems can reflect fund movements in real-time. This real-time capability allows us to quickly and accurately assess on-chain inventory upon receiving withdrawal requests and anticipate potential risks. For example, in a bank run scenario, understanding the difference between a 100% run and a 10% run is crucial. But the question is, how to obtain such information? Exchanges like FTX lack this capability; they do not have reliable data support to assist management in making calm decisions.
Thanks to these real-time systems, I could make many critical decisions based on accurate data. This also reflects our ongoing investment in internal products, such as providing clear fund flow data to the finance team and offering a liquidity shortage alert mechanism to the risk team. It is imperative not to cut costs in the development of these internal systems. If we were to save costs in these areas, I would be very uneasy because it would directly impact our decision-making ability.
Kevin: This example clearly demonstrates your investment in the business intelligence system, enabling the company to monitor internal dynamics in real time and respond quickly to crises. Are there any other examples?
Ben: I believe that investing in the team to ensure they can lead the company to achieve its goals is crucial. I firmly believe that we have a world-class team, a fact that has been validated by our actual performance. In the past 12 hours, we have processed approximately 350,000 withdrawal requests, all of which were completed within the specified timeframe. This achievement is not solely dependent on the support of the backend system but also due to the outstanding performance of our support team, approval team, audit team, and risk management team, each of whom excelled in their respective roles. From my experience, few exchanges can handle such a massive workload in such a short period of time. We swiftly mobilized all team members and efficiently completed the task, showcasing the precision of our company management. Like a well-managed ship, when a loophole appears, everyone is aware of their responsibilities and acts promptly.
Our PR team and live broadcast team also delivered exceptional performances, with all details meticulously designed and executed. Our live broadcast team was thoroughly prepared. Even in emergency situations, they maintained their professionalism, with every detail carefully arranged. For instance, when I left to gather the latest information, a clear time slide would be displayed on the screen stating, "We will be back at 6:30 or 10:00," instead of a simple "Please wait." This allowed customers to know precisely when we would return, enhancing their trust.
Furthermore, we adjusted the live broadcast time in real-time based on viewer numbers. For example, after 1 hour and 45 minutes, the audience numbers dropped from the initial 40,000 people to 4,000 people, indicating to me that it was the right time to end the broadcast. If the viewership remained high, I would continue the broadcast. This flexibility and precision were only possible due to the team's professional planning and execution.
Therefore, I believe that ultimately, you must invest in your employees and leaders. This investment is not easy, as it requires going through many difficult screening processes. An excellent team is not something you can easily put together; you must set strict standards and stick to them. It may take firing 10 people to find one who truly fits the requirements. At Bybit, our recruitment process is highly rigorous, with many candidates unable to pass the three-month probation period. We prefer to spend more time screening rather than lowering our standards. In the end, this strict screening process helped us build a team that can truly lead the company towards its goals.
Kevin: In addition to business intelligence, data analysis, real-time monitoring, and team building, I also have a question that I am very interested in: Bybit is one of the few exchanges that has never launched a native token. Why have you never considered launching a token?
Ben: There are many reasons. We did consider launching a token at one point but ultimately decided against it. To be honest, when we entered this market, we had already missed the optimal timing. For example, Binance launched a token, OKX also launched a token, and even some exchanges established after us have issued their own tokens. However, I have never truly understood the real purpose of issuing a token. If an exchange is already profitable, it can easily raise funds through other means. Moreover, if the exchange itself is already capable of sustainable operation, additional investment is usually not needed.
So why issue a token? In most cases, tokens are used to attract investors or to build a complete ecosystem to draw in users, but Bybit has never attempted to independently build its own ecosystem. We have always seen ourselves as part of a larger ecosystem rather than existing in isolation. From the beginning, our business model has been closely tied to working with influencers and KOLs, becoming a part of their ecosystem.
When we launched spot trading, we chose to partner with existing ecosystems like Solana and Ton rather than trying to establish a competing system. We found that this approach avoided potential conflicts of interest. In contrast, many exchanges with their own ecosystems not only need to compete with other exchanges but also compete with ecosystems like Solana or other blockchain ecosystems, ultimately leading to fewer opportunities for collaboration.
I believe that only when you are the absolute leader in the market, building your own ecosystem is feasible. If you have enough market share and resources, you can indeed expand your business through the ecosystem. But Bybit has never been the top player in the market; we are more like a "dark horse." Therefore, we have never had the conditions to try issuing a token or building an ecosystem. In the end, we chose to focus on our core business and did not launch a token.
Kevin: So, if the circumstances were different this weekend and let's assume Bybit had its own token, would there be any difference?
Ben: I don't think there would be a significant difference. Honestly, I don't think the presence of a token is directly related to this weekend's event. If we had a token, what impact do you think it would have?
Kevin: Perhaps the market will start shorting the token, causing a rapid price drop, which may further deteriorate market sentiment, triggering more panic. In this case, you may be facing another crisis.
Kevin: I heard that you experienced around 4 billion USD in withdrawals overnight. Faced with such pressure, how did you bounce back and rebuild user trust?
Ben: We have already begun to gradually restore trust. I think the key is how to deal with a crisis. Transparency and timely communication are at the core of rebuilding trust, while maintaining a professional attitude is the foundation for earning community respect. In this event, despite facing a huge challenge, Bybit has still demonstrated a high level of professionalism, which has been widely recognized. Many users even praised us during the crisis, believing that our performance is trustworthy.
This trust comes not only from users but has also been recognized by global regulatory bodies. We are applying for licenses with multiple regulatory agencies. In the past few days, many people have contacted us saying, "Hey, I think Bybit is doing very well." They even have more trust in the future, believing that if we encounter any events or issues again, we will handle them in this way. So from this perspective, this is actually the best way to show the world how we operate and the essence of our philosophy.
Kevin: In terms of risk management, what improvement measures will Bybit take in the future? I am also pondering a question: Is it reasonable to hold 1.5 billion USD in one wallet? How should we allocate funds? What amount is considered too much, and what is not enough?
Ben: This is a very important question that has sparked many discussions in the past few days. Our security team is actively researching new solutions to ensure that similar risks do not occur again. In the future, we plan to optimize the wallet system, such as by splitting wallets to reduce risks. This way, even if one wallet is attacked, it will not have a significant impact on the overall funds. We are also discussing which more advanced technological means to adopt. I think Ethereum's development in this area is worth considering, such as Smart Contract Wallets. These wallets can enhance security through multi-signature and permission management, and can even mitigate the risk of online signatures.
Some of our current wallets rely on online signatures, which, while convenient, are not considered true cold wallets because they require browser interaction. In contrast, most of our Bitcoin is stored in cold wallets that are completely offline, where all signatures and transaction operations are conducted in an offline environment. Unless there is a physical breach, it is almost impossible to compromise this storage method. Therefore, I believe we will design something that focuses on areas that are physically impenetrable. Yes, I think these are some of our key focus areas.
Kevin: This reminds me of a core issue in the cryptocurrency field—self-custody. In this industry, we often say, "Not your keys, not your coins," usually as a reminder to individual users to not keep their assets on exchanges but to opt for self-custody. However, when similar security incidents occur, this mantra seems to make little difference. Your security measures are much more complex than those of ordinary self-custody users, yet they can still be susceptible to hacker attacks. Does this mean that both individuals and institutions may face security risks? In your view, what is the future direction of self-custody?
Ben: This is a great question. We do indeed face a key challenge, which is that we are a very obvious target for attacks. For hackers, large exchanges like Bybit are one of their preferred targets. One important lesson we learned from this incident is that our scale even surpasses some of the security service providers we rely on. Therefore, logically speaking, attacking us is "worthwhile" for hackers. While I'm not saying that's how this incident unfolded, it's something to be mindful of. No matter how tight our security measures are, as a high-profile target, we always face higher risks.
Therefore, I believe relying on third-party solutions is not the optimal choice. For individual users, the concept of "Not your keys, not your coins" is correct, but I think the emphasis should also be on "diversifying risks." When your assets reach a certain scale, you become a potential target, so diversifying asset storage locations is crucial. For institutions like Bybit, we actually need to apply the concept of "self-custody" to ourselves, using fully in-house developed technological solutions instead of relying on third parties.
A sense of responsibility is the most significant lesson we learned from this incident. While we have invested heavily in safeguarding security, issues still arose. This indicates that we have shortcomings in certain decisions, such as opting for a browser signature-dependent solution, which was evidently not secure enough.
In the future, we need to focus more on developing and using proprietary security technology rather than relying on industry standards. While industry standards provide some level of assurance, they are not foolproof. The biggest issue with third-party reliance is that you are transferring some of your responsibility to them, which can make you less cautious on critical issues. Especially for exchanges like ours, the longer the operation time, the higher the probability of becoming a target for attacks.
Ben: After this incident, we had discussions with some industry peers. I found that many exchanges are using internally developed security solutions. Their view is, why rely on third parties? While third parties may not necessarily be problematic, once an attack occurs, you lose control. This is a life-or-death issue. You should not hand over your security fate to others. In the case of Bybit, our Bitcoin and other crypto assets are mainly stored in internally developed security systems, but Ethereum processing is a bit more complex. Ethereum's smart contract development is more challenging and requires a dedicated expert team, which is an area where we did not allocate enough resources in the past.
Looking back now, this is one of my biggest regrets. We should have considered these issues much earlier in the policy-making stage. Although we now have relevant experts, the system has not been fully upgraded, which is a crucial issue that needs to be addressed.
Kevin: Did this weekend's event make people more concerned about the need for ETFs (Exchange-Traded Funds)? ETFs require asset custody, and these assets need to be stored somewhere. Do you think the custody model of ETFs faces similar security risks to Bybit? Or are they completely different?
Ben: Fundamentally, ETFs and exchanges do face similar risks, but it also depends on how ETFs safeguard asset security. It is important to note that Bybit as an exchange operates quite differently from ETFs. Our code wallet solution requires frequent adjustments and maintenance, requiring almost weekly redeployment. ETF asset management is relatively static, mostly in deposit status most of the time with occasional withdrawals.
Exchanges handle a large volume of deposits and withdrawals every day, including small and large transactions, while ETFs can opt for a more secure but less efficient solution because of their lower operational frequency. As an exchange, we must strike a balance between efficiency and security. If withdrawal processing times are too long, customers will be dissatisfied, so our system needs to complete withdrawal operations within minutes.
Kevin: What were the asset and liability changes for Bybit before and after the hack?
Ben: Before the attack, our total customer assets were approximately $20 billion. In the initial days after the attack, our asset total dropped to $14 billion, and at one point further dropped to $10 billion or $12 billion. However, as market sentiment gradually recovered, the asset total bounced back to around $14 billion.
Kevin: How do you prove that customer assets are secure?
Ben: Our asset reserve has been independently audited, ensuring a 1:1 matching relationship, which I believe no other exchange can claim. Throughout the entire event, we have always kept withdrawal channels fully open, allowing customers to withdraw their assets at any time. Even in the face of a situation similar to a "bank run," we have never rejected any withdrawal requests. If an exchange's reserve cannot achieve a 1:1 match, they typically choose to suspend or restrict withdrawals to buy time to raise funds. However, we have not encountered such a situation at all. This is actually the greatest test of our reserve system.
Kevin: You have always emphasized "The future is on-chain." Did this weekend's event further highlight the importance of decentralized Bybit?
Ben: My viewpoint has not changed. While the future is indeed moving towards being on-chain, it does not mean that centralized exchanges will be eliminated. I believe this means that the infrastructure will get better, there will be more liquidity, just like the growth of the cryptocurrency space in recent years. From five years ago to today, the entire crypto industry has made significant progress, but it does not mean that the stock market is declining. So my logic is that centralized exchanges are still crucial to the entire ecosystem.
Most people need centralized products to enter the crypto world. Users may participate briefly due to market hype, but there is no intermediate platform for them to delve deeper or use long-term. That's the real value of centralized exchanges; they offer multiple ecosystems or products that allow users to stay, explore, and eventually become native crypto users. Then at some point, they may go explore elsewhere. Even for most uninterested individuals, they usually still have accounts on centralized exchanges and may have some balance in both places, with most balances in centralized exchanges in many cases.
Kevin: Nowadays, the crypto industry seems to experience a major event almost every week. How can the public take this industry seriously? What do we need to do to ensure that this industry is taken more seriously?
Ben: I agree that this industry does face some image problems, but we should also focus on the positive progress the industry has made. Not to pat ourselves on the back, but we showcased a different approach in dealing with the recent hacking incident. I've seen comparisons between Bybit and FTX, but they are vastly different. We resolved the event in just 3 days, a level of swift response not commonly seen in the industry. While the hack was unfortunate, it solidified my resolve to fight hackers.
Additionally, we plan to launch a dedicated website this week to help victims better cope with their losses. I believe this is not just a Bybit issue but a common challenge the entire crypto industry needs to face. However, significant progress has been made in other aspects of the industry. Particularly in on-chain activities, many decentralized exchanges (DEXs) provide solutions that can now address previously unsolvable issues. The crypto industry is still young, and if you look back at the early adoption phase of the internet, there were also many problems and challenges, with imperfect infrastructure, but it takes time.
Therefore, the crypto industry is still very young. I believe that most people no longer simply see cryptocurrency as a scam, with many countries legalizing and regulating the crypto industry. So, while the road ahead is challenging, I think it will only get more stable and rise higher.
Kevin: You've mentioned before that one of your greatest regrets is not establishing internal e-wallet infrastructure. Besides that, are there other things that you regret?
Ben: Looking at the events of this past weekend, we did identify areas for improvement. For example, our withdrawal system could be designed to be more efficient and seamless. Even in crisis situations, we should strive to ensure that customers can complete withdrawals quickly. The only regret is that we made some customers wait, and they may think you are deliberately holding them back, but that was not our intention. I truly wish we could enable everyone to withdraw at any time.
I hope that in the future, we can optimize the system so that every customer can smoothly withdraw at any time. This will not only enhance customer trust in us but also make them feel more at ease, as they can clearly see their assets securely stored in their personal wallets. Therefore, we need to upgrade the system to perform better in similar events.
In addition, in managing the Wallet Security Team, I also learned some important lessons. For example, many people may not have noticed that my Chief Financial Officer (CFO) was the first signatory, followed by one of our co-founders. Looking back now, one of my biggest regrets is why I allowed such a key role to be a signatory? When the hack occurred, he not only had to endure pressure from the team, but also face me, and even his family could be affected.
Although we all know this is the responsibility of external hackers, such as the current confirmation being from North Korean hackers, he still feels guilty and responsible. I am very concerned that he may eventually choose to leave the company, and he is an important partner who has fought alongside me for 4-5 years. I trust him completely, but I overlooked this fact: involving key personnel in signing puts them under too much psychological burden in a crisis.
Kevin: So who do you think is more suitable for this role?
Ben: It should be someone I trust, but not necessarily a core key person in the company. In the end, the signatory only needs to be a trustworthy person without having to bear too much company responsibility. If my CFO does not participate in the signing process, he would not be in such a situation. Therefore, in the future, I will definitely adjust this process to avoid letting key personnel take on such risks. I can't imagine how much psychological pressure he endured over the weekend, which makes me very regretful and makes me realize that process design needs to be more thorough.
Kevin: For future entrepreneurs looking to enter the crypto industry, do you have any advice? After all, similar crisis events may be hard to avoid.
Ben: I believe the beauty of our industry lies in transparency and direct communication between entrepreneurs and customers. We can compare ourselves to the traditional financial industry, such as banks. Even banks, when faced with similar crises, rarely handle issues in such an openly transparent manner. In the crypto industry, transparency and direct communication between entrepreneurs and customers are crucial. If someone experiences such an event, I think transparency is key, and so is making sure to maintain communication. Let customers know you are here, and the market will reward you for your transparency.
Kevin: You've been busy for three days in a row, returning home or to the office in half an hour. What will you do?
Ben: I still have some important matters to address, such as whether we have already ascertained the truth of the matter. We are forming a dedicated task force to track the flow of funds and hope to help the entire industry through this incident, not just solve our own problems. During this crisis, many partners in the industry have voluntarily offered help, even without asking for anything in return. Therefore, I feel that we have a responsibility to make some contributions. Whether it's Lazarus or other hacker issues, these are ongoing challenges in the industry.
One major issue currently is that when you become a victim of a hack, you often feel very helpless. Hackers know you will pursue them, but they also know that if you are just an individual victim or a small company, your resources are limited and you cannot trace the flow of funds long-term. What's trickier is that hackers often split funds into small amounts, such as $100,000 per transaction, and then transfer them through a mixer, bridge, or exchange. By the time you reach out to the exchange's legal department, the funds have already been moved, and after a few attempts, you may give up. This situation is very common in the industry. Currently, we lack a dedicated information platform to consolidate relevant data for tracking funds. While tools like Chainalysis exist, when you trace to a certain endpoint (such as a mixer, bridge, or exchange), the funds may become untraceable or frozen. Hackers usually avoid using easily frozen assets like USDC. They leverage exchanges, mixers, and bridges to delay your time and effort.
Eventually, you may find that only two or three individuals are constantly switching exchanges, and even though these exchanges respond quickly, replying to you within half a day, the funds have already been transferred. Hackers are using this delaying tactic to win. To address this issue, we need to build an industry-level information platform. This platform can show where funds eventually become untraceable, such as a mixer, while also ranking the response times of these platforms. For example, there are 200 transactions totaling approximately $50 million flowing into a mixer, and that mixer cannot be traced. With such data, we can seek help from legal or regulatory agencies. If these funds are related to Lazarus or other sanctioned organizations, we can take further action.
Ben: We are launching a new website called HackBounty.com. This is a platform focused on tracking stolen funds, as I mentioned earlier. What's interesting about this platform is that anyone can become a "bounty hunter." You can submit any clues you wish to track regarding funds. Once you submit the target funds and trace them to their final destination, we will register you as a bounty hunter for that lead.
Subsequently, our team will contact the destination of the funds and initiate a countdown. The destination institution needs to take action: either freeze the funds or provide information on the next destination of the funds. If they fail to respond promptly, this delay will be documented and publicly displayed on the platform. This way, everyone in the industry can see which institutions have failed to respond to victims' requests. As an exchange, I am very aware of how this mechanism operates. I do not want my users to see my exchange listed on a "non-cooperative list" because that would give the impression that we are assisting sanctioned entities, such as North Korea.
Therefore, I will definitely establish a dedicated team to swiftly respond to these requests. If it is tools like a Mixer, they may eventually be gradually blacklisted in the industry due to non-cooperation. Ultimately, I believe we need to leverage the core advantage of blockchain—transparency—to address issues in the blockchain industry. HackBounty.com will aggregate all relevant information, allowing anyone to post bounty tasks on the platform and become a bounty hunter. Through this platform, we hope to assist all victims in tracking stolen funds while enhancing the industry's sense of responsibility and transparency.