In the fast-moving world of cryptocurrency, few events test a company’s resilience like a major security breach. In early 2025, Bybit—a leading global crypto exchange—faced one of the largest hacks in industry history: the loss of approximately 410,000 ETH, valued at $1.5 billion. What followed was a 72-hour crisis response that became a masterclass in leadership, operational agility, and transparent communication.
In a candid interview with Kevin Follonier on the podcast When Shift Happens, Bybit CEO Ben Zhou revealed how the team not only survived but emerged stronger—processing over 350,000 withdrawal requests, maintaining full liquidity, and rebuilding trust in record time.
This article unpacks the full story behind Bybit’s survival, offering actionable insights for entrepreneurs, investors, and crypto users alike.
The First Call: Realizing the Breach
It started with a phone call from Bybit’s CFO.
“I just signed off on a transaction involving 30,000 ETH,” Ben recalled. “Then he told me: ‘We’ve been hacked. It’s not just that one transaction—it’s the entire wallet.’”
The number? 410,000 ETH—$1.5 billion gone in an instant.
But instead of panic, Ben’s mind shifted into crisis mode.
👉 Discover how top crypto leaders make decisions under pressure.
His first questions were strategic:
- Was this isolated to one wallet?
- Were other assets safe?
- Could the company cover the loss without external funding?
After confirming that only one cold wallet was compromised—and that the stablecoin reserves (worth $3 billion) remained untouched—he made a critical decision: use company capital to cover the loss. No layoffs. No emergency fundraising. No customer impact.
That choice set the tone for everything that followed.
Activating the P-1 Crisis Protocol
Bybit has a well-documented emergency framework known internally as the “P-1 Event”—reserved for the most severe operational disruptions.
Any employee can trigger it by pressing a dedicated P-1 button, which automatically:
- Alerts all senior leaders via phone calls (with escalation paths if unanswered)
- Launches a secure virtual war room
- Assigns real-time roles and tasks
While past P-1 events involved system outages or matching engine failures, nothing compared to this. The platform was running smoothly—but trust was evaporating by the second.
Traditional playbooks didn’t apply. This required judgment over procedure, speed over perfection.
“When you’re facing something unprecedented, you can’t follow step one, two, three. You jump straight to step four or five.”
— Ben Zhou, Bybit CEO
Why There Was No Panic—And No Pressure
One of the most striking revelations? Ben didn’t feel stressed.
“People feel pressure when they know something needs to be done but aren’t acting,” he explained. “I act immediately. So pressure doesn’t build.”
His mindset was shaped early in life—leaving home at 12 to live alone in New Zealand. From that point on, every challenge had to be solved solo.
That self-reliance became a leadership superpower during the hack.
He didn’t wait for updates—he led from the front:
- Drafted the first public statement himself
- Went live on video within 40 minutes
- Ensured withdrawals stayed open despite a $4 billion redemption wave
“If I let PR handle this, people wouldn’t believe us. In a crisis, the founder must speak.”
Rebuilding Trust: Transparency as Strategy
Within hours, rumors began spreading: Is Bybit insolvent? Will withdrawals be paused?
To stop speculation, Ben did something rare: a real-time video broadcast, not a pre-recorded message or tweet thread.
👉 See how transparency drives user trust in volatile markets.
The team prepared meticulously:
- On-screen timers showed when breaks would end (“Back at 6:30”)
- Live data dashboards tracked withdrawals and liquidity
- Customer support scaled instantly to handle tens of thousands of inquiries
They processed 350,000 withdrawal requests in 72 hours—all fulfilled. Not one denied.
This proved two things:
- Reserves were 1:1 backed
- Operations remained fully functional
As Ben put it:
“We kept the doors open during a bank run. That’s the ultimate proof of solvency.”
Solving the Ethereum Shortage
Even with sufficient total assets, there was a mismatch: users wanted ETH—but Bybit’s ETH reserves were depleted.
Selling BTC or USDT on the open market would spike prices and signal weakness.
So they used OTC (over-the-counter) deals:
- Borrowed ETH using BTC and stablecoins as collateral
- Avoided market impact
- Repaid loans gradually through strategic buybacks
To date, Bybit has repurchased 300,000 ETH of the 400,000 lost. The remaining 100,000 were replaced via bridge loans secured against personal holdings.
No public token sale. No panic selling. Just quiet execution.
The Hidden Risk: Signing Authority & Mental Load
One of Ben’s biggest regrets? Putting too much psychological weight on key team members.
The CFO was among the first signers on the compromised wallet. After the breach, he faced immense internal and external pressure—even though the attack stemmed from a third-party vulnerability (Genesis Safe).
“I realized: making a core leader a signer adds unbearable mental burden,” Ben said. “Even if they’re not at fault, guilt sets in.”
Moving forward, signing roles will go to trusted individuals outside critical leadership—reducing emotional risk without compromising security.
Investing in What Matters: Systems and Teams
Many exchanges cut corners on internal tools to scale faster. Bybit didn’t.
Their real-time data engine allowed them to:
- Monitor chain-level inventory minute-by-minute
- Predict withdrawal trends
- Generate impact reports within hours (by country, product, user tier)
Equally vital: their team.
From risk management to customer support, every unit operated at peak efficiency.
“You have to invest in your people. It’s hard—it means rejecting 10 candidates to find one great hire. But that rigor builds resilience.”
Why Bybit Never Launched a Token
Unlike Binance or OKX, Bybit has no native token.
Why?
“We’re not building our own ecosystem,” Ben explained. “We integrate with Solana, Ton, and others. If we had a token, it could create conflicts—especially during a crisis.”
Imagine: a hacked exchange with its own token sees massive sell-offs, amplifying panic.
Bybit avoided that layer of complexity—and potential instability.
Lessons for the Industry: Security Beyond Cold Wallets
The attack exploited a browser-based signing process—not a fully air-gapped cold wallet.
For Bitcoin, Bybit uses fully offline storage. But for Ethereum’s smart contract complexity, they relied on third-party solutions.
Now, they’re shifting toward in-house developed security stacks, especially for multi-sig wallets and signing infrastructure.
Key takeaways:
- Diversify storage: Don’t keep billions in one wallet
- Avoid online signing: Even “cold” wallets can be hot if signed via browser
- Build internal expertise: Relying on vendors creates blind spots
Introducing HackBounty.com: A New Weapon Against Cybercrime
To fight back—and help others do the same—Bybit is launching HackBounty.com.
A decentralized platform where:
- Victims post bounties for tracking stolen funds
- “Bounty hunters” trace flows across mixers, bridges, and exchanges
- Non-responsive platforms are publicly ranked
The goal? Use blockchain’s transparency to defeat its abuse.
“We want to shine light on where stolen funds go—and who refuses to help freeze them.”
This isn’t just about recovery. It’s about accountability.
FAQ: Your Questions Answered
Q: How did Bybit afford to cover $1.5B without collapsing?
A: Bybit used corporate reserves and OTC financing. Customer funds were never at risk due to strict segregation and over-collateralization.
Q: Did any withdrawals fail during the crisis?
A: No. All 350,000+ withdrawal requests were processed successfully—even amid a $4B redemption wave.
Q: Is self-custody safer than using an exchange?
A: Not necessarily. While “Not your keys, not your coins” is valid, large targets like exchanges often have better security than individuals. The key is diversification and using reputable platforms with proven crisis response.
Q: What makes HackBounty.com different from Chainalysis?
A: Chainalysis is investigative software. HackBounty.com is an action platform—it pressures endpoints (like exchanges or mixers) to respond by publicly ranking their cooperation levels.
Q: Could this happen again?
A: No system is immune. But Bybit now uses split wallets, reduced third-party dependencies, and enhanced internal tooling to minimize single points of failure.
Q: Was North Korea involved?
A: Evidence points to Lazarus Group (linked to North Korea), though investigations are ongoing.
The Bigger Picture: Centralized Exchanges Still Matter
Despite the rise of DeFi and self-custody, Ben believes centralized exchanges remain essential.
“They’re on-ramps for new users,” he said. “Most people need simple access points before diving into wallets and chains.”
And while decentralization improves security long-term, humans still crave support, clarity, and speed—things centralized platforms deliver best.
Final Thoughts: Leadership in the Fire
Three days after the hack began, assets rebounded from $100B to $140B in user deposits.
Trust wasn’t just restored—it was strengthened.
Ben’s philosophy sums it up:
“Those who cannot break you make you stronger.”
“My goal is for Bybit to exist in 10 years—and 50 years.”
“Transparency isn’t optional. It’s the foundation.”
In an industry too often defined by failures, Bybit’s story shows what responsible leadership looks like when everything is on the line.
👉 Learn how resilient platforms protect your digital assets today.
Core Keywords:
- Crypto exchange security
- Bybit hack 2025
- Crisis management in crypto
- Blockchain transparency
- OTC crypto trading
- Self-custody vs exchange
- HackBounty.com
- Leadership in fintech