On the night of February 21, Ben Zhou, CEO of cryptocurrency exchange Bybit, approved what seemed to be a routine transaction. Minutes later, his chief financial officer called in distress—Bybit’s system had been hacked, and $1.5 billion in Ethereum had vanished.
“All of the Ethereum is gone,” the executive said, according to Zhou. The FBI later determined that hackers backed by the North Korean government had orchestrated the theft, marking the largest cryptocurrency heist in history.
A Critical Security Flaw
The breach exposed a vulnerability in Bybit’s reliance on a free software product developed by technology provider Safe. The hackers manipulated Safe’s publicly available system, which the exchange had used to safeguard vast amounts of customer deposits. Despite security firms offering more specialized tools, Bybit had continued to use Safe’s storage software.
Crypto security experts expressed concern over the exchange’s protocols. One firm labeled the losses “completely preventable,” stating that such a breach “should not have happened.”
Charles Guillemet, an executive at Ledger, a French crypto security firm, criticized the industry’s approach to security, arguing that the incident underscored the need for better safeguards. “This really needs to change,” he said. “It’s not an acceptable situation in 2025.”
A Market in Crisis
The hack triggered chaos at Bybit and sent shockwaves through the crypto industry. With $20 billion in customer deposits under its management, Bybit scrambled to cover the losses. Zhou, 38, worked around the clock, securing emergency funding from other firms and tapping into corporate reserves to prevent a financial meltdown.
Despite the crisis, Zhou maintained a remarkably composed demeanor on social media, assuring customers that Bybit remained solvent. “Even if this hack loss is not recovered, all of the client’s assets are 1 to 1 backed,” he posted.
The broader market did not react as calmly. Bitcoin, often seen as a bellwether for the crypto sector, plunged 20%—its steepest decline since the 2022 collapse of FTX.
Warnings Ignored
In hindsight, the attack may have been preventable. Bybit had noticed security inconsistencies with Safe’s software months before the hack. “We should have upgraded and moved away from Safe,” Zhou admitted. “We’re definitely looking to do that now.”
Safe’s chief product officer, Rahul Rumalla, defended the company’s security measures, stating that his team had introduced new protective features and that Safe remained “the treasury backbone for some of the largest organizations in the space.”
An Elaborate Scheme
Investigators found that the hackers infiltrated Safe by compromising a developer’s computer. This allowed them to embed malicious code, ultimately tricking Zhou into approving a fraudulent transaction. When he signed off, the hackers seized control and funneled the stolen funds into an intricate network of online wallets, a laundering tactic frequently used by the North Korea-linked Lazarus Group.
“The Lazarus Group is on another level,” crypto investor Haseeb Qureshi remarked on social media.
Bybit’s audit confirmed that Zhou had used a hardware security tool made by Ledger to approve the transfer. However, because of compatibility issues with Safe’s system, he was unable to fully verify the transaction’s details before signing—an oversight that proved costly.
“Safe just does not give you the kinds of controls that you would want if you’re going to be frequently making operational transfers,” said Riad Wahby, a professor of computer engineering at Carnegie Mellon University.
Fallout and Recovery
As panic spread, withdrawals surged. Within hours, nearly $10 billion in digital assets had left Bybit’s platform. To stem the crisis, rival exchange Bitget extended a $100 million loan in Ethereum to Bybit without collateral.
“We never questioned their ability to pay us back,” said Bitget CEO Gracy Chen.
Despite the staggering losses, Bybit remained operational, processing all withdrawal requests within 12 hours. Zhou later reassured users on social media that additional large crypto transfers were part of routine operations. “This is planned manoeuvre, FYI,” he posted. “We are not hacked this time.”
While Bybit survived the crisis, the unprecedented scale of the heist has cast a shadow over the crypto industry, raising urgent questions about security practices and the risks posed by state-backed cybercriminals.