Bybit CEO Ben Zhou Calls for "All Hands on Deck" to Process Withdrawals After Hackers Wipe Exchange's ETH Cold Wallet

DeFiLlama, a site which aggregates digital assets on various exchanges, reports that total assets observed in wallets associated with Bybit dropped from $16.9 billion to $11.2 billion on Feb. 23 morning.

DeFiLlama, a site that aggregates digital assets on various exchanges, reports that total assets observed in wallets associated with Bybit dropped from $16.9 billion to $11.2 billion on Feb. 23 morning. This follows an attack by hackers, group presumed to be Lazarus, which wiped the exchange’s Ethereum (ETH) cold wallet.

In response to the hack, in an X Spaces live stream on Feb. 22, Bybit CEO Ben Zhou said he called for "all hands on deck" to process withdrawals for clients and answer questions about the situation, according to Coindesk.

Zhou revealed that hackers stole around 70 percent of clients’ ETH, forcing Bybit to secure a loan quickly to handle withdrawals. However, it was found that most withdrawals occurred in stablecoins rather than ETH.

The head of Bybit said that the company has enough reserves to cover these withdrawals, but the crisis was exacerbated when Safe, a decentralized custody protocol that supplies smart contract wallets to manage digital assets, temporarily suspended smart wallet functions on Bybit to "ensure absolute confidence in our platform’s security."

Total assets on Bybit dropped precipitously in just one day. Photo by Coindesk

Some Safe-integrated exchanges like Bybit allow users to maintain custody of their funds and support "multisig" (multiple signatures) functionality to enhance security for cold wallets, which are disconnected from the internet to avoid network-based attacks.

According to Zhou, $3 billion in USDT reserved by the company to cover users’ withdrawals was held in the closed Safe wallet.

A Safe spokesperson said it has "not found evidence that the official Safe frontend was compromised," but the protocol still decided to suspend "certain functionalities" out of caution.

Responding to the withdrawals, Zhou asked his team to work with Safe to "find a better way to get this money out." Ultimately the team developed new software with code "based on Etherscan," a platform which translates and arranges data from the Ethereum blockchain in an easily understandable format.

This way, the Bybit team was able to verify signatures "on a very manual level" to transfer stablecoins back to the company and handle this spike in withdrawals. The Bybit team worked overnight to process withdrawals of "around 50%" of the exchange’s deposits, Zhou added.

Bybit CEO Ben Zhou speaks in a live stream on Feb. 21, 2025. Screenshot

After the incident, Bybit has moved a large amount of assets out of Safe cold wallets and is considering alternatives.

Zhou said authorities have taken up the hack for investigation, and that the Singapore government is taking the issue "very seriously." He also believes the case has been escalated to Interpol.

"As long as Bybit is there and continues to track [the stolen ether], I hope we can get these funds back."

Stakeholders have not figured out how the hack was done. Zhou said Bybit employees’ laptops were not breached. Transactions have also been examined, but they appear likely to be normal operations, he said. "We know the cause is definitely around the Safe cold wallet. Whether it’s a problem with our laptops or on Safe’s side, we don’t know."

On Feb. 21 hackers stole $1.46 billion in ETH in the largest crypto attack in history in U.S. dollar terms. Previous large heists include the Mt Gox hack worth $470 million, the CoinCheck-related incident in 2018 worth $530 million, and the 2022 incident with Sky Mavis’s Ronin Bridge worth $650 million. Quoting blockchain analyst firm Elliptic, U.S. business news channel CNBC said the hack could be associated with infamous hacker group Lazarus.

Last week Zhou had attracted controversy by refusing to list the Pi Network cryptocurrency, claiming on X on Feb. 12 that it was a scam. Early on the day of the hack, he posted another such warning.