How the Biggest Crypto Hack Ever Nearly Destroyed the World's No. 2 Exchange — WSJ

By Vicky Ge Huang and Robert McMillan

The crypto industry came face to face with its biggest adversary last month, and it wasn't onerous regulation, hyped coin launches or even Sam Bankman-Fried.

On Feb. 21, a ring of North Korean hackers pulled off the largest crypto heist ever, imperiling Bybit, the world's second-largest crypto exchange. By late evening Singapore time, a group called Lazarus had absconded with $1.5 billion. Bybit is based in Dubai and operates out of Singapore. U.S. customers aren't permitted to trade on the platform.

At a time when the Trump administration is promoting cryptocurrency as a critical U.S. industry, North Korea's hacking army has emerged as enemy No. 1. Since 2016, North Korea has stolen more than $6 billion in cryptocurrency, according to Chainalysis, a blockchain-analytics company. The White House is preparing to host the first-ever crypto summit with industry executives on Friday.

Crypto players rushed in to bail out Bybit in the critical hours after the hack, averting an even bigger selloff. Bitcoin tumbled below $80,000 the week after the hack, down from nearly $95,000. But the episode might prove just as damaging to crypto's reputation as the collapse of Bankman-Fried's FTX in 2022 or the 2014 hack of another offshore exchange, Mt. Gox.

"When it comes to centralized exchanges, we've seen time and again that there's this single point of failure whether it's a bad actor, bad technology or bad security," said David Wells, chief executive of crypto trading platform Enclave Markets. "It just shows there's still a lot of vulnerabilities in the system."

Ben Zhou, Bybit's chief executive, knew something was wrong when his finance chief called him just before 11 p.m., he said later during a podcast.
When Zhou answered, CFO Yong Hui Tan was joined by the exchange's security team.

Zhou had signed off on a routine transfer, moving about $80 million in the digital currency ether, from a "cold wallet" — a digital vault that the exchange only entered every few weeks — and into a wallet used for day-to-day activity. The cold wallet had been hacked.

Zhou was confused. So the hackers stole $80 million?

"No no no, Ben," Tan explained. The entire wallet had been emptied.

"How much is that?" Zhou asked.

"One point five billion dollars."

Unlike stock exchanges, which match trades but don't hold securities, many crypto exchanges store digital currencies for their customers. Bybit's missing $1.5 billion amounted to 7.5% of the exchange's assets before the hack — and roughly the same amount it makes in a year.

Bybit had enough assets in reserve to cover the loss, but it needed help in meeting the rush of customer withdrawals.

Zhou froze and started to sweat. He felt "a little bit shaky," he said. He knew what would come next.

Financial institutions of all stripes — Wall Street firms like Lehman Brothers, plucky regional lenders such as Silicon Valley Bank and even seven-year-old crypto platforms — are built on a foundation of confidence. And once customers begin to lose faith, these firms can crumble with stunning speed.

Within an hour of Zhou's call with his CFO, Bybit was flooded with 200,000 withdrawal requests from customers. At that rate, Zhou estimated, the exchange would be out of money within six hours. Bybit had $3 billion of tether in another crypto wallet that it couldn't immediately access at the time.

Zhou called Helen Liu, his chief operating officer, and told her to activate the company's crisis plan. He posted a message on the social-media platform X to reassure those users that Bybit remained solvent. Just after 1 a.m. — just three hours after the hack — he appeared in a black T-shirt on a livestream to tell 40,000 viewers what had happened.

In exchange for loans in ether, Bybit offered other crypto firms as collateral both bitcoin, the biggest cryptocurrency, and tether, a currency pegged to the U.S. dollar.

Gracy Chen, chief executive of a rival exchange, Bitget, was about to speak at a Boston conference when she learned about the hack. "This is a disaster to the industry," she thought. Bitget agreed to lend Bybit 40,000 ether, worth about $100 million. The loan was interest-free and didn't require Bybit to post collateral.

Antalpha, another crypto investment firm, also stepped in by lending bitcoin the exchange could convert into ether to help meet customer withdrawals, according to people familiar with the matter.

Together, Antalpha and Bitget helped plug most of Bybit's funding gap, the people said.

"I did worry about the industry because the FTX collapse put the whole industry in a bear market for a long time," Chen said.

Galaxy Digital, Mike Novogratz's crypto firm, helped execute Bybit's over-the-counter purchases of ether, according to people familiar with the matter.

The North Koreans had hacked into Safe{Wallet}, the company entrusted to secure Bybit's ether transactions, but the breach might have been prevented had Bybit simply verified this transaction on a second device, said Dan Guido, chief executive with Trail of Bits, a cybersecurity company. "Bybit's reliance on blind-signing transactions without verifying them is what did them in," Guido said.

"Most of these firms have hyper focus on smart contract security and blockchain security, but they have forgotten the basics of operational security," Guido said.

In total, Bybit borrowed about $280 million in ether, which helped meet the 350,000 withdrawal requests that flooded in over the next 10 hours. To fill the gap of lost funds, it also used other cryptocurrencies like bitcoin and tether from its reserve to buy ether.
Bybit covered the hole of lost ether within three days, according to Zhou, who said he slept for nine hours during the period.

At one point, Bybit's client assets dropped to $10 billion, Zhou said. But since then some customers have returned to the exchange, whose assets had risen to $14 billion three days after the attack, Zhou said.

Still, some customers appear to have lost confidence in Bybit.

Among centralized exchanges, Bybit's market share has dropped to around 8% from more than 12% before the hack, according to crypto data provider Kaiko.

Write to Vicky Ge Huang at [email protected] and Robert McMillan at [email protected]

Wall Street Journal