The cryptocurrency exchange Bybit lost US$1.5 billion to North Korean hackers last month. Illustration / Carl Godfrey, The New York Times
The cryptocurrency exchange Bybit lost $2.6 billion to North Korean hackers last month - and it all traced back to an account on a free digital storage service.
On the night of February 21, Ben Zhou, the CEO of cryptocurrency exchange Bybit, logged on to his computer to approve what appeared to be a routine transaction. His company was moving a large amount of ether, a popular digital currency, from one account to another.
Thirty minutes later, Zhou got a call from Bybit’s chief financial officer. In a trembling voice, the executive told Zhou that their system had been hacked.
“All of the ethereum is gone,” he said.
When Zhou approved the transaction, he had inadvertently handed control of an account to hackers backed by the North Korean Government, according to the FBI. They stole US$1.5 billion ($2.6b) in cryptocurrencies, the largest heist in the industry’s history.
To pull off the astonishing breach, the hackers exploited a simple flaw in Bybit’s security: its reliance on a free software product. They penetrated Bybit by manipulating a publicly available system that the exchange used to safeguard hundreds of millions of dollars in customer deposits. For years, Bybit had relied on the storage software, developed by a technology provider called Safe, even as other security firms sold more specialised tools for businesses.
The hack sent crypto markets into a freefall and undermined confidence in the industry at a crucial time. Under the crypto-friendly Trump administration, industry executives are lobbying for new US laws and regulations that would make it easier for people to pour their savings into digital currencies. On Friday, the White House is scheduled to host a “crypto summit” with President Donald Trump and top industry officials.
Crypto security experts said they were troubled by what the heist revealed about Bybit’s safety protocols. The losses were “completely preventable,” one security firm wrote in an analysis of the breach, arguing that it “should not have happened”.
Safe’s storage tool is widely used in the crypto industry. But it is better suited to crypto hobbyists than exchanges handling billions in customer deposits, said Charles Guillemet, an executive at Ledger, a French crypto security firm that offers a storage system designed for companies.
“This really needs to change,” he said. “It’s not an acceptable situation in 2025.”
At Bybit, the hack set off a frantic 48 hours. The company oversees as much as US$20b ($34.8b) in customer deposits but did not have enough ether on hand to cover the losses from the US$1.5b heist. Zhou, 38, raced to keep the business afloat by borrowing from other firms and drawing on corporate reserves to meet a surge of withdrawal requests. On social media, he seemed surprisingly relaxed, announcing a few hours after the theft that his stress levels were “not too bad”.
As the crisis unfolded, the price of Bitcoin, a bellwether for the industry, plunged 20%. It was the steepest drop since the 2022 failure of FTX, the exchange run by disgraced mogul Sam Bankman-Fried.
In an interview this week, Zhou acknowledged that Bybit had advance warning about possible problems with Safe. Three or four months before the hack, he said, the company noticed the software was not fully compatible with one of its other security services.
“We should have upgraded and moved away from Safe,” Zhou said. “We’re definitely looking to do that now.”
Rahul Rumalla, Safe’s chief product officer, said in a statement that his team had created new security features to protect users and that Safe’s products were “the treasury backbone for some of the largest organisations in the space”.
“Our job is not just to fix what happened,” Rumalla said, “but to ensure the entire space learns from it, so this doesn’t happen again”.
Founded in 2018, Bybit operates as a crypto marketplace, where day traders and professional investors can convert their dollars or euros into bitcoin and ether. Many investors treat exchanges like Bybit as informal banks, where they deposit crypto holdings for safekeeping.
By some estimates, Bybit is the world’s second-largest crypto exchange, processing tens of billions of dollars every day. Based in Dubai, United Arab Emirates, it does not offer services to customers in the United States.
Ben Zhou, the chief executive of Bybit, participated in a panel discussion at a Bitcoin conference in Abu Dhabi, United Arab Emirates, in December. Photo / Tamir Kalifa, The New York Times
On February 21, Zhou was at home in Singapore, finishing up some work, he said in the interview.
But first, he and two other executives needed to sign off on a transfer of cryptocurrencies from one account to another. These routine transfers are supposed to be secure: no single person at Bybit can execute them, creating multiple layers of protection from thieves.
Behind the scenes, however, a group of hackers had already broken into Safe’s system, according to Bybit’s audit of the hack. They had compromised a computer belonging to a Safe developer, a person with knowledge of the matter said, enabling them to plant malicious code to manipulate transactions.
A link sent via Safe invited Zhou to approve the transfer. It was a ruse. When he signed off, the hackers seized control of the account and stole US$1.5b in crypto.
The sudden outflows showed up on the blockchain, a public ledger of crypto transactions. Crypto analysts quickly identified the culprit as the Lazarus Group, a hacking syndicate backed by the North Korean Government.
That night, Zhou went to Bybit’s Singapore office to manage the crisis. He announced the hack on social media and started a crisis protocol known at the company as P-1, pressing a button to wake up every member of the leadership team.
Around 1am, Zhou appeared on a livestream on the social platform X, swigging a Red Bull. He promised customers that Bybit was still solvent.
“Even if this hack loss is not recovered, all of clients’ assets are 1 to 1 backed,” he said in a post. “We can cover the loss.”
Those assurances were not enough. Within hours, Zhou said, about half the digital currencies deposited on the platform, or close to $10 billion, had been withdrawn. The crypto market plunged.
To limit the damage, other crypto companies offered to help. Gracy Chen, the CEO of a rival exchange, Bitget, lent Bybit 40,000 in ether, or roughly US$100m ($174m), without requesting any interest or even collateral.
“We never questioned their ability to pay us back,” Chen said.
Between crisis meetings, Zhou provided a running commentary on X. He shared screenshots from a health app, showing his stress levels were surprisingly normal.
“Too focused commanding all the meetings. Forgot to stress,” he wrote. “I think it will come soon when I start to really grasp the concept of losing $1.5B.”
After looting Bybit, the North Korean hackers spread the stolen funds across a vast web of online crypto wallets, a money-laundering strategy they had also employed after other heists.
“Lazarus Group is on another level,” Haseeb Qureshi, a venture investor, wrote on X after the theft.
Security experts blamed Bybit for putting itself at risk. To authorise the routine transfer that led to the hack, Zhou said, he used a hardware tool designed by Ledger, the crypto security firm. The device was not in sync with Safe, he said, so he could not use it to check the full details of the transaction he was approving. Signing a transaction without verifying its full details is always a risky practice in the crypto world.
“Safe just does not give you the kinds of controls that you would want if you’re going to be frequently making operational transfers,” said Riad Wahby, a computer engineering professor at Carnegie Mellon University and a co-founder of the digital security firm Cubist.
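The two weaknesses the experts describe above, approving a transaction whose full details the signer could not verify and having no controls tailored to frequent operational transfers, translate into a concrete pre-signing gate. The Python below is an added illustration and is not code from Bybit, Safe or Ledger: the field names, addresses, value ceiling and quorum are constructed assumptions, and the digest is a stand-in for the chain's real typed-data hash. The idea it demonstrates is that every co-signer recomputes a digest from the raw proposal, fetched independently of the web front end, compares it with what the hardware device displays, and refuses anything outside a narrow allowlisted policy.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed example of a pre-signing policy check for routine treasury
# transfers. Field names, addresses and thresholds are illustrative; this is
# not Safe's transaction schema and not Bybit's actual control set.


@dataclass(frozen=True)
class Proposal:
    to: str           # destination address
    value_wei: int    # amount in wei (1 ether = 10**18 wei)
    data: str         # hex calldata; "0x" means a plain value transfer
    operation: str    # "call" for a plain call; anything else is rejected


def canonical_digest(p: Proposal) -> str:
    """Digest over the fields a signer must verify.

    Illustrative only: production wallets hash the chain's own typed data.
    Each co-signer recomputes this from the raw proposal (fetched
    independently of the web front end) and compares it with the value the
    hardware device shows before approving."""
    payload = json.dumps(
        {"to": p.to.lower(), "value": p.value_wei,
         "data": p.data.lower(), "operation": p.operation},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass(frozen=True)
class TransferPolicy:
    allowed_destinations: frozenset   # pre-registered treasury addresses
    max_value_wei: int                # per-transfer ceiling
    quorum: int                       # distinct approvals required


def policy_violations(policy: TransferPolicy, p: Proposal) -> list:
    """Return human-readable reasons the proposal must not be signed."""
    reasons = []
    if p.operation != "call":
        reasons.append(f"operation {p.operation!r} is not a plain call")
    if p.data.lower() != "0x":
        reasons.append("routine transfer carries calldata; expected none")
    if p.to.lower() not in policy.allowed_destinations:
        reasons.append(f"destination {p.to} is not on the allowlist")
    if p.value_wei > policy.max_value_wei:
        reasons.append(f"value {p.value_wei} exceeds ceiling {policy.max_value_wei}")
    return reasons


def decide(policy: TransferPolicy, shown: Proposal, submitted: Proposal,
           approvers: list) -> tuple:
    """Final gate before a signature is produced.

    shown:      the proposal as rendered by the (untrusted) web UI
    submitted:  the proposal as fetched from an independent source
    approvers:  signer ids that have already verified and approved
    Returns (ok, reasons)."""
    reasons = []
    if canonical_digest(shown) != canonical_digest(submitted):
        reasons.append("UI display does not match the proposal being signed")
    reasons.extend(policy_violations(policy, submitted))
    distinct = len(set(approvers))
    if distinct < policy.quorum:
        reasons.append(f"{distinct} distinct approvals, need {policy.quorum}")
    return (not reasons, reasons)


# --- constructed sample data -------------------------------------------------
POLICY = TransferPolicy(
    allowed_destinations=frozenset({"0xaaaa000000000000000000000000000000000001"}),
    max_value_wei=50_000 * 10**18,
    quorum=3,
)

# A clean routine transfer, identical from both vantage points.
CLEAN = Proposal(to="0xAAAA000000000000000000000000000000000001",
                 value_wei=40_000 * 10**18, data="0x", operation="call")

# Constructed tampering scenario (not a description of the actual Bybit
# transaction): the UI still shows CLEAN, but the proposal really being
# signed points elsewhere and carries calldata. The digest mismatch catches
# it even when the device cannot display the full transaction.
TAMPERED = Proposal(to="0xBBBB000000000000000000000000000000000002",
                    value_wei=40_000 * 10**18, data="0xdeadbeef", operation="call")


if __name__ == "__main__":
    print(decide(POLICY, CLEAN, CLEAN, ["cfo", "ceo", "ops"]))
    print(decide(POLICY, CLEAN, TAMPERED, ["cfo", "ceo", "ops"]))
```

The digest comparison is the piece that addresses the hardware-device problem described above: a signer who cannot read the full transaction on the device can still refuse to sign when the short value the device does show disagrees with one computed from an independently fetched copy of the proposal. The allowlist, calldata and ceiling rules are the "controls for frequent operational transfers" that Wahby refers to; they are deliberately narrow so that a routine transfer that looks even slightly unusual needs a separate, non-routine approval path.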
Zhou said he wished he had taken action sooner to bolster Bybit’s defences. “There’s a lot of regrets now,” he said. “I should have paid more attention on this area.”
Still, Bybit continued operating after the hack, processing all the withdrawals within 12 hours, Zhou said. Not long after the breach, he announced on X that the company was moving around another $3 billion in crypto.
“This is planned manoeuvre, FYI,” he wrote. “We are not hacked this time.”