Crypto
Mar 4, 2025
Bybit’s hack on 21 February resulted in the astounding theft of USD 1.5B from Bybit, a windfall gain to Lazarus Group, and an unquantified reputational loss to the industry. The Dubai-based exchange and its CEO and founder Ben Zhou responded swiftly to stem the haemorrhage of trust that inevitably follows such events, and in a manner that can only be described as artful. Founders preparing for, or responding to, crisis events should be taking notes. This article considers Bybit’s hack response and sets out some useful countermeasures for Founders to consider when preparing for the inevitable.
Bybit Hack - What Happened
Bybit was hacked on the evening of Friday 21 February 2025. Zhou recalls the event unfolding in this video: he signed what was presented to him as a routine transfer of 30K ETH from cold to warm storage and, about 30 minutes later, learned on a call from Bybit’s CFO and Security Team that roughly USD 1.5 billion in ETH had left the wallet. It took Zhou “ten seconds to snap out of it” and move into action: first to determine whether Safe (formerly Gnosis Safe, the provider of the multisig cold wallet) or Bybit’s own systems had been compromised, then whether Bybit had the funds to cover the loss, which it did. Later analysis showed that the attack began with social engineering rather than a flaw in the wallet contract itself: a Safe{Wallet} developer machine was compromised and malicious code was injected into the Safe web interface that Bybit’s signers used. The interface displayed the expected transfer while the transaction the signers actually approved swapped the wallet contract’s logic for an attacker-controlled implementation, after which the attacker could move the funds at will. Elliptic and Arkham Intelligence, tracing the outflows against known wallet activity, attributed the attack to the North Korean state-sponsored Lazarus Group.
Market Contagion
Bybit received 200,000 withdrawal requests within the first hour of announcing the hack and a total of 350,000 withdrawal requests, totalling around USD 4B, in the 12-hour bank run that followed. The exchange had a window of approximately 6 hours before its liquid funds would be exhausted by the bank run, after which it would need to draw on its USD 3B war chest. In the immediate aftermath the cryptocurrency market experienced notable volatility: BTC fell over 5%, reaching a three-and-a-half-month low below USD 80,000; ETH, the asset stolen in the hack, dropped 4%, dipping below USD 2,700; and the downturn extended across the broader market. The exchange felt the theft acutely, but in the days following the hack and bank run, as consumer sentiment stabilised, its client asset pool settled at around USD 14B. Notably, the broader crypto market showed a resilience not seen after earlier record-breaking calamities. Bybit’s swift response helped stabilise investor confidence and prevent further contagion. Here is a look at its countermeasures.
Countermeasures
Bybit confirmed the hack on X on 21 February 2025 at 7:51 PM (GST) with this tweet.

https://x.com/bybit_official/status/1892965292931702929?s=46&t=T8m8Nv5WxRq6gK77yXIXug
Within the hour, Zhou started a livestream on X to communicate the event, Bybit’s response and to assure consumers that their funds were secure.

https://x.com/bybit_official/status/1892980467508326617?s=46&t=T8m8Nv5WxRq6gK77yXIXug
Bybit’s countermeasures included:
Providing frequent and consistent communication about the hack on X and other social media, including a livestream to speak directly to consumers as the bank run took place. Bybit gauged how long to sustain the livestream (it ran 1 hour and 40 minutes) by its viewership, which peaked at 40,000; once viewership dropped to around 4,000, Bybit judged that consumer sentiment was stabilising, and it adjusted the content and duration of the stream to that engagement;
Maintaining business-as-usual operations, in particular withdrawals, which were never halted and remained open for the entirety of the bank run;
Securing ETH bridge loans rapidly from various sources so that trades and the anticipated bank run could be met without material interruption (i.e. demonstrating to clients that Bybit remained backed 1-to-1, in particular on ETH);
Informing Safe immediately; Safe then paused its service (this had downstream adverse impacts, including preventing partners from whom Bybit sought bridge loans from transferring funds to it);
Announcing an open call to analytics teams and professionals to help Bybit identify the wallets and actors involved in the hack;
Establishing a bounty program to recover funds from Lazarus and to identify which industry actors supported, or failed to support, tracing activities;
Leveraging long-form press interviews to communicate Bybit’s countermeasures and to reassure customers.
Bybit’s response is notable for its speed, transparency and tone. This is not accidental; it is the result of careful planning and preparation for crisis events. In this interview, Zhou explains what Bybit’s incident response planning and preparation look like. Within minutes of learning of the hack, Bybit’s COO was instructed to run the procedure for a P-1 event (any incident affecting more than 10,000 clients or causing damage in excess of USD 1M, e.g. the matching engine or website down, or the withdrawal system not responding). Zhou goes on to describe his team’s monthly drills for such events, the notification system used to alert team members methodically, and the delegation of roles as a critical event unfolds. It is notable that the quantum of funds stolen, while very significant, could be met from Bybit’s USD 3B reserve, and that it was this war chest that allowed the company to weather the event without customer funds being imperilled.
Capital Reserves
A minimum capital requirement is the regulatory floor on the amount of financial capital that a company—such as a cryptocurrency exchange, bank, or other financial institution—must hold at all times to operate legally. Most VASPs intending to operate in regulated environments are required to maintain a specific capital reserve as part of their licensing application and ongoing obligations. Capital requirements are crucial for absorbing unexpected losses, protecting customer assets, and ensuring solvency during unforeseen events such as cyberattacks or market downturns. For Bybit, having substantial capital reserves was vital. These reserves enabled it to absorb the significant loss without compromising its operational integrity or the security of customer funds. Bybit’s war chest of USD 3B is approximately 7333 times greater than that which it is required to maintain for its VARA-issued Exchange license. The excess demonstrates Bybit's commitment to financial prudence and user protection, ensuring that even in the face of substantial unforeseen events, the platform remains solvent and operational.
Lessons For Founders
Bybit’s hack is the most recent “largest crypto heist of all time”, in an industry that saw over USD 2B stolen in 2024 alone. As an industry we must face facts: expect the number of attacks to rise steadily over time and for new records to be set and broken with increasing frequency. There are lessons from Bybit (2025), Ronin (2022) and FTX (2022) for Founders, Regulators and consumers.
Vigilance Culture: For Founders, top of mind is the importance of understanding the prevalence of malicious actors and of developing protocols and systems for addressing, and practising responses to, an array of critical events. Yes, Regulators require rigorous reporting of events, often in real time, and other measures designed to ensure exchanges and other licensed operators are attentive to the integrity and safety of their systems. Vigilance, however, is not just a regulatory mandate; it is a culture. One that is developed from within your organisation and touches every facet of operations. It starts with leadership setting the tone: embedding security awareness into daily operations and fostering a mindset where every team member, from engineers to compliance officers, understands their role in safeguarding user assets. Regular threat modeling, red-teaming exercises and internal incident response drills should become second nature, not checkbox exercises. Continuous monitoring and real-time risk assessment must be standard practice, so that potential vulnerabilities are identified before they become breaches. More importantly, vigilance is not a reactive measure; it is a proactive strategy. It means building a culture where questioning anomalies, reporting suspicious activity and staying ahead of emerging threats is not just encouraged but expected. In an industry where trust is currency, the most secure projects are not merely compliant: they are paranoid by design, relentless in execution, and always prepared for the unknown.
Communications: In the aftermath of a hack, an exchange’s response can make or break user trust. The key is swift, transparent, and confidence-driven communication, preferably from the top. Zhou understood implicitly that he would need to head a public response and lead PR activities as trust would be decimated if he were to delegate; “Whatever we do from now on will decide the fate of ByBit in the next 5-10 years…we need to handle this with professionalism, with transparency, and show the world we can handle a crisis like this”. He also understood the importance of appearing on camera on a live stream to inform customers of the hack, eschewing Twitter Spaces, so customers could see his face, a measure he considered essential to shore up trust:
“The beauty of our industry is transparency and the direct communication between the entrepreneur and your client base….transparency is the key and making sure that you keep communicating, you are there and then the market will reward you for the transparency that you have.” - Ben Zhou, CEO Bybit
Communications templates should be developed according to the critical event, immediately acknowledge the event, and provide clear, factual details without speculation. Users need to know whether their assets are at risk—if funds are secure or backed, state it unequivocally. A calm, reassuring tone is critical; panic spreads in uncertainty, and clarity quells fear. Updates should be consistent and action-oriented, detailing security enhancements, investigative efforts, and collaboration with authorities. Avoid vague or defensive statements—credibility comes from accountability. Finally, ensure affected users have direct support channels and, if applicable, outline any compensation plans. The goal isn’t just damage control—it’s reinforcing confidence in the exchange’s resilience and long-term commitment to security.
Financial Preparedness: One of the standout takeaways from Bybit’s hack response is the critical role of financial preparedness in crisis management. The exchange’s ability to absorb a USD 1.5B loss without impacting user withdrawals underscores the importance of maintaining robust capital reserves beyond regulatory minimums. For founders, this means treating capital adequacy not as a compliance hurdle but as a strategic safeguard. This includes holding sufficient liquid reserves, diversifying treasury management, and implementing robust insurance mechanisms—whether through self-insurance, custodial coverage, or risk-sharing arrangements like crypto-native insurance protocols. A well-capitalized exchange doesn’t just survive crises; it emerges stronger, reinforcing user confidence and market credibility. Financial resilience should be a pillar of risk strategy, ensuring an exchange can weather extreme events without resorting to emergency measures that disrupt operations or erode trust.
Wallet Security: Bybit’s principal lesson from the hack is the importance and irreplaceability of in-house asset security. Retaining critical systems and single points of failure in-house, rather than deferring to third-party solutions, is now non-negotiable for high-net-worth individuals and for projects that, by their size and significance, are valuable targets. But what happens when the industry standard is no longer, well, safe? Safe (formerly Gnosis Safe) is the most widely adopted smart-contract wallet for multi-signature security on Ethereum and other EVM-compatible blockchains and is used by DAOs, funds, crypto-native companies and high-net-worth individuals. Over USD 100B in assets are secured using Safe, making it the largest custodian of on-chain assets in DeFi. Bybit’s other funds are held in custom-developed in-house solutions; however, due to the expense and complexity at the time, Zhou notes that storage of ETH had been externalised to Safe. The weakness the hack exposed lies less in Safe’s contracts than in the signing workflow around them: signers construct and review a transaction in a browser-based interface and approve it on hardware wallets that typically display only an opaque hash, so a compromised interface can show one transaction and have the signers approve another. The wallet is only as cold as the least trustworthy screen in that path; in essence, online sign-in “warms” an otherwise cold wallet, making it susceptible to attack.
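The signing-workflow weakness described above has a concrete countermeasure: decode the transaction independently of the web interface and check it against a written policy before any owner approves it. The following Python guard is an added illustration, not Bybit’s or Safe’s code. It mirrors the public Safe execTransaction parameters (to, value, data, operation) and applies the kind of rules an exchange treasury would use: a destination allowlist, value tiers that demand more distinct signers and a longer time-lock as the amount grows, decoding of ERC-20 transfer calldata so token moves are measured too, and, the rule that would have flagged the substituted transaction, an outright refusal to sign a DELEGATECALL or any calldata it cannot decode. The tier numbers, addresses and sample transactions are constructed assumptions.

```python
# Offline pre-signing guard for a Safe-style multisig transaction (added illustration,
# not Bybit's or Safe's code; tiers, addresses and samples are constructed).
from dataclasses import dataclass
from typing import List, Optional, Tuple

CALL, DELEGATECALL = 0, 1
# 4-byte selector of transfer(address,uint256); the only calldata this guard will decode
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


@dataclass
class Tier:
    max_value: int     # inclusive upper bound, in base units (wei or token units)
    min_signers: int   # distinct owner approvals required
    timelock_s: int    # seconds the tx must sit in the queue before execution


# Assumed policy tiers: bigger transfers need more signers and a longer delay
TIERS = [
    Tier(max_value=10 * 10**18,   min_signers=2, timelock_s=0),
    Tier(max_value=1000 * 10**18, min_signers=3, timelock_s=3600),
    Tier(max_value=2**256 - 1,    min_signers=5, timelock_s=24 * 3600),
]
# Assumed allowlist: the only addresses the cold wallet is ever permitted to touch
WARM_WALLET = "0x1111111111111111111111111111111111111111"
TOKEN_CONTRACT = "0x2222222222222222222222222222222222222222"
ALLOWED_DESTINATIONS = {WARM_WALLET, TOKEN_CONTRACT}


@dataclass
class SafeTx:
    to: str              # destination, lower-case hex
    value: int           # native value in wei
    data: bytes          # calldata
    operation: int       # 0 = CALL, 1 = DELEGATECALL
    signers: List[str]   # owners who have approved so far
    queued_at: int       # unix time the tx entered the queue
    now: int             # unix time of this check


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256): selector + 32-byte address word + 32-byte amount."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return ERC20_TRANSFER_SELECTOR + addr + amount.to_bytes(32, "big")


def decode_erc20_transfer(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (recipient, amount) if data is exactly one transfer(address,uint256) call."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[16:36].hex()          # address is right-aligned in its 32-byte word
    return recipient, int.from_bytes(data[36:68], "big")


def tier_for(amount: int) -> Tier:
    for tier in TIERS:
        if amount <= tier.max_value:
            return tier
    return TIERS[-1]


def check(tx: SafeTx) -> List[str]:
    """Return policy violations for the decoded transaction; an empty list means it may be signed."""
    violations = []
    if tx.operation != CALL:
        # A DELEGATECALL runs foreign code in the wallet's own storage context and can
        # overwrite its implementation or owners: never sign one from a treasury wallet.
        violations.append("operation is DELEGATECALL, not CALL")
    if tx.to.lower() not in ALLOWED_DESTINATIONS:
        violations.append(f"destination {tx.to} is not allowlisted")
    effective_value = tx.value
    if tx.data:
        decoded = decode_erc20_transfer(tx.data)
        if decoded is None:
            violations.append("calldata is not a recognised ERC-20 transfer; refusing to blind-sign")
        else:
            recipient, amount = decoded
            if recipient not in ALLOWED_DESTINATIONS:
                violations.append(f"token recipient {recipient} is not allowlisted")
            effective_value = max(effective_value, amount)   # simplification: same tiers for all assets
    tier = tier_for(effective_value)
    distinct = len({s.lower() for s in tx.signers})
    if distinct < tier.min_signers:
        violations.append(f"tier requires {tier.min_signers} distinct signers, has {distinct}")
    if tx.now - tx.queued_at < tier.timelock_s:
        violations.append(f"tier time-lock of {tier.timelock_s}s has not elapsed")
    return violations


# Constructed sample transactions
def sample_benign() -> SafeTx:
    # Routine 30 ETH cold-to-warm transfer, 3 approvals, queued one hour ago
    return SafeTx(WARM_WALLET, 30 * 10**18, b"", CALL, ["0xa", "0xb", "0xc"], 1_700_000_000, 1_700_003_600)


def sample_token() -> SafeTx:
    # 5 tokens to the warm wallet via the token contract; small enough for the lowest tier
    data = encode_erc20_transfer(WARM_WALLET, 5 * 10**18)
    return SafeTx(TOKEN_CONTRACT, 0, data, CALL, ["0xa", "0xb"], 1_700_000_000, 1_700_000_000)


def sample_substituted() -> SafeTx:
    # What a compromised interface can hand the signers while displaying sample_benign():
    # a DELEGATECALL to an unknown contract whose calldata merely looks like a transfer
    data = encode_erc20_transfer("0x" + "00" * 20, 0)
    return SafeTx("0x" + "deadbeef" * 5, 0, data, DELEGATECALL, ["0xa", "0xb", "0xc"], 1_700_000_000, 1_700_003_600)


def sample_large() -> SafeTx:
    # 2,000 ETH with only 3 approvals and one hour in the queue: the top tier wants 5 and 24h
    return SafeTx(WARM_WALLET, 2000 * 10**18, b"", CALL, ["0xa", "0xb", "0xc"], 1_700_000_000, 1_700_003_600)


if __name__ == "__main__":
    for name, tx in [("benign", sample_benign()), ("token", sample_token()),
                     ("substituted", sample_substituted()), ("large", sample_large())]:
        print(name, check(tx) or "OK")
```

The point of the design is that the guard consumes the decoded fields from a source the signer controls (a local node or an air-gapped decoder fed the raw transaction), never from the interface that asked for the signature; a rule set this small would have rejected the Bybit transaction on its operation type and destination alone, before any discussion of amounts.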
Asset Security Practices and Processes: While we look forward to Safe’s updates in the coming months to address this weakness, and hope this event spurs fresh thinking on security, it does not mean that security measures and practices can or should be out of sight and out of mind. For anyone. While it is impossible to guarantee the security of any wallet, including cold wallets, we expect to see greater scrutiny of security and asset-allocation practices across a larger part of the industry. Concentrating risk in a single wallet holding a large quantity of assets is simply no longer tenable. Exchanges and custodial institutions adopt a number of practices to mitigate risk which can and should be considered by any project with over USD 1M in assets: dispersing assets across independent wallets with a value threshold per wallet; tiering the security controls, and the number of required signers on multi-signature wallets, by the value held; Hardware Security Modules and tamper-resistant hardware that generates, stores and manages private keys; and Multi-Party Computation, which shards a private key into shares held by different parties so that no single party ever holds it whole. All of these are implementable by smaller projects. They can be complemented by jurisdictional and geographic segmentation of keys and signers, time-locked and policy-based withdrawals (so that a large or unusual transfer is delayed long enough to be noticed and cancelled), and tamper-resistant operating environments for critical infrastructure.
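The private-key sharding mentioned above, as an added example that is not Bybit’s or any custodian’s code: a minimal Shamir secret sharing scheme over the secp256k1 group order, splitting a 256-bit private key into n shares of which any k reconstruct it and any k-1 reveal nothing about it. The caveat a practitioner should keep in mind is that plain Shamir reassembles the whole key on one machine at signing time, so it protects backup and storage rather than the signing moment; production MPC custody uses threshold signature schemes in which the parties compute a signature jointly and the full key never exists anywhere. The key value and share counts used in the demo are constructed.

```python
# Shamir secret sharing of a 256-bit private key over GF(N) (added example, not a
# custodian's production code; the demo key and share counts are constructed).
import secrets
from typing import List, Tuple

# Order of the secp256k1 group. A private key is an integer in [1, N-1], so sharing over
# GF(N) keeps every share and the recovered key inside the valid key range.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret: int, k: int, n: int) -> List[Tuple[int, int]]:
    """Split secret into n shares (x, f(x)) of a random degree k-1 polynomial with f(0) = secret.
    Any k shares reconstruct the secret; any k-1 are statistically independent of it."""
    if not 1 <= secret < N or not 1 <= k <= n:
        raise ValueError("secret must be in [1, N-1] and 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):          # x = 0 is never issued: f(0) is the secret itself
        y = 0
        for c in reversed(coeffs):     # Horner's rule, all arithmetic mod N
            y = (y * x + c) % N
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation of the shares at x = 0 over GF(N).
    With fewer than k shares this returns a uniformly random wrong value, not an error."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = (num * (-xj)) % N
                den = (den * (xi - xj)) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1          # constructed stand-in for a real private key
    shares = split_secret(key, k=3, n=5)        # 3-of-5: e.g. two officers plus a sealed HSM backup
    print(recover_secret(shares[:3]) == key)    # True
    print(recover_secret(shares[:2]) == key)    # False
```

Because a short set of shares yields a random value rather than an error, an operator cannot tell from the output alone whether quorum was reached; production schemes attach a verification step (a commitment to the polynomial, or simply checking that the recovered key derives the expected public key) before the value is used.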
Take Aways:
Cryptocurrency market collapses tend to follow major exchange failures, including Mt. Gox (2014), BTC-e (2017), QuadrigaCX and Cryptopia (2019) and FTX (2022), as well as regulatory actions and macroeconomic downturns. The long-term success of the industry depends on exceptional security practices being adopted not merely by institutions, custodians and exchanges, but by every project with more assets than it can afford to lose, i.e. everyone. If you are interested in developing crisis response and management plans, or in discussing how to improve the security of your operations, get in touch now.