On the night of February 21, Ben Zhou, chief executive of the cryptocurrency exchange Bybit, logged on to his computer to approve what appeared to be an everyday transaction. His company was moving a large amount of ether, a popular digital currency, from one account to another.
Half an hour later, Zhou received a call from Bybit's Chief Financial Officer. In a trembling voice, the executive told Zhou that their system had been hacked.
“It's all gone,” he said.
When Zhou approved the transfer, he inadvertently handed control of the account to hackers backed by the North Korean government, according to the FBI. They stole $1.5 billion in cryptocurrency, the biggest heist in the industry's history.
To pull off the astounding breach, the hackers exploited a simple flaw in Bybit's security: its reliance on a free software product. They penetrated Bybit by manipulating a publicly available system that the exchange used to protect hundreds of millions of dollars of customer deposits. Even though other security companies sold more specialized tools for businesses, Bybit had relied for years on storage software developed by a technology provider called Safe.
The hack sent the crypto market into free fall and undermined trust in the industry at a critical time. Under the crypto-friendly Trump administration, industry executives are calling for new US laws and regulations that would make it easier for people to put their savings into digital currencies. On Friday, the White House is scheduled to hold a “crypto summit” with President Trump and top industry officials.
Crypto security experts said they were troubled by what the heist revealed about Bybit's security protocols. The losses were “completely preventable,” one security company wrote in an analysis of the breach, claiming it “should not happen.”
Safe's storage tools are widely used in the crypto industry. But Charles Guillemet, an executive at Ledger, a French crypto security company that provides storage systems designed for businesses, says they are better suited to crypto enthusiasts than to exchanges that handle billions of dollars in customer deposits.
“This really needs to change,” he said. “It's not an acceptable situation in 2025.”
At Bybit, a 48-hour crisis followed the hack. The company oversees customer deposits of up to $20 billion, but it didn't have enough ether on hand to cover the losses from the $1.5 billion theft. Zhou, 38, raced to shore up his business by borrowing from other companies and drawing on corporate reserves to meet the surge in withdrawal requests. On social media he appeared surprisingly relaxed, announcing hours after the theft that his stress level was “not too bad.”
As the crisis unfolded, the price of Bitcoin, the industry's pioneering currency, fell 20%. It was the sharpest decline since the failure of FTX in 2022.
In an interview this week, Zhou acknowledged that Bybit had advance warning of possible problems with Safe. Three to four months before the hack, the company said it had noticed that the software was not fully compatible with one of its other security services.
“We should have upgraded and left the safety,” Zhou said. “We're definitely trying to do that now.”
Safe's Chief Product Officer, Rahul Rumalla, said in a statement that his team has created new security features to protect users, and that Safe's products are “the backbone of the Treasury Department of the largest organization in this space.”
“Our job isn't just to fix what happened,” Rumalla said.
Founded in 2018, Bybit operates as a crypto marketplace, allowing day traders and professional investors to convert dollars or euros into Bitcoin and ether. Many investors treat exchanges like Bybit as informal banks, where they deposit their crypto holdings for safekeeping.
By some estimates, Bybit is the second largest crypto exchange in the world, processing tens of thousands of dollars each day. Based in Dubai, it does not serve US customers.
On February 21, Zhou was at his home in Singapore, finishing up some work, he said in an interview.
But first, he and two other executives had to sign off on a transfer of cryptocurrency from one account to another. These routine transfers are supposed to be secure. No single person at Bybit can carry them out, which creates multiple layers of protection against thieves.
But behind the scenes, a group of hackers had already broken into Safe's system, according to Bybit's audits of the hack. They had compromised computers belonging to a Safe developer, people with knowledge of the matter said, which allowed them to plant malicious code to manipulate transactions.
A link sent via Safe invited Zhou to approve the transfer. It was a trick. When he signed off, the hackers seized control of the account and stole $1.5 billion in crypto.
The sudden outflow appeared on the blockchain, the public ledger of crypto transactions. Crypto analysts quickly identified the perpetrator as the Lazarus Group, a hacking syndicate backed by the North Korean government.
That night, Zhou went to Bybit's Singapore office to manage the crisis. He announced the hack on social media, activated a crisis protocol known within the company as P-1, and pressed a button to wake every member of the leadership team.
Around 1 a.m., Zhou appeared on a livestream on X, drinking Red Bull. He promised customers that Bybit was still solvent.
“Even if the losses from this hack have not been recovered, all client assets are supported one-on-one,” he said in the post. “You can cover the loss.”
Those assurances were not enough. Within hours, Zhou said, about half of the digital currencies deposited on the platform, or nearly $10 billion, had been withdrawn. The crypto market plummeted.
Other crypto companies offered assistance to limit the damage. Gracy Chen, the chief executive of the rival exchange Bitget, lent Bybit 40,000 ether, or about $100 million, without demanding interest or collateral.
“We have never questioned their ability to pay back,” Chen said.
During the crisis meetings, Zhou kept up a running commentary on X. He shared a screenshot from a health app showing that his stress levels were surprisingly normal.
“It focuses on every meeting. I forgot about the stress,” he wrote. “I think it's coming soon as I start to really grasp the concept of losing $1.5 billion.”
After looting Bybit, the North Korean hackers spread the stolen funds across a vast web of online crypto wallets, a money laundering strategy that they have also employed after other heists.
“The Lazarus Group is on a different level,” venture investor Haseeb Qureshi wrote on X after the theft.
Security experts criticized Bybit for leaving itself vulnerable. To approve the routine transfer that led to the hack, Zhou said, he used a hardware device designed by the crypto security company Ledger. The device was not synced with Safe, he said, so he was unable to use it to see the details of the transaction he was approving.
“We're a great place to start,” said Riad Wahby, a professor of computer engineering at Carnegie Mellon University and co-founder of digital security company Cubist.
Zhou said he wished he had acted sooner to strengthen Bybit's defenses. “I have a lot of regrets right now,” he said. “We should have paid more attention to this area.”
Still, Bybit continued to operate after the hack, processing all withdrawals within 12 hours, Zhou said. Shortly after the breach, he announced on X that the company was moving around another $3 billion in crypto.
“This is a planned operation, FYI,” he wrote. “It's not hacked this time.”