The Wolf Of All Streets - 🚨 LIVE w/ BYBIT CEO: The Inside Story You Need to Hear! | Crypto Town Hall
Episode Date: February 22, 2025Crypto Town Hall is a daily Twitter Spaces hosted by Scott Melker, Ran Neuner & Mario Nawfal. Every day we discuss the latest news in the crypto and bring the biggest names in the crypto space to shar...e their opinions. ►►OKX Sign up for an OKX Trading Account then deposit & trade to unlock mystery box rewards of up to $60,000! 👉 https://www.okx.com/join/SCOTTMELKER ►►THE DAILY CLOSE BRAND NEW NEWSLETTER! INSTITUTIONAL GRADE INDICATORS AND DATA DELIVERED DIRECTLY TO YOUR INBOX, EVERY DAY AT THE DAILY CLOSE. TRADE LIKE THE BIG BOYS. 👉 https://www.thedailyclose.io/  ►►NORD VPN GET EXCLUSIVE NORDVPN DEAL - 40% DISCOUNT! IT’S RISK-FREE WITH NORD’S 30-DAY MONEY-BACK GUARANTEE. PROTECT YOUR PRIVACY! 👉 https://nordvpn.com/WolfOfAllStreets   ►►COINROUTES TRADE SPOT & DERIVATIVES ACROSS CEFI AND DEFI USING YOUR OWN ACCOUNTS WITH THIS ADVANCED ALGORITHMIC PLATFORM. SAVE TONS OF MONEY ON TRADING FEES LIKE THE PROS! 👉 http://bit.ly/3ZXeYKd ►► JOIN THE FREE WOLF DEN NEWSLETTER, DELIVERED EVERY WEEK DAY! 👉https://thewolfden.substack.com/   Follow Scott Melker: Twitter: https://twitter.com/scottmelker  Web: https://www.thewolfofallstreets.io  Spotify: https://spoti.fi/30N5FDe  Apple podcast: https://apple.co/3FASB2c  #Bitcoin #Crypto #Trading The views and opinions expressed here are solely my own and should in no way be interpreted as financial advice. This video was created for entertainment. Every investment and trading move involves risk. You should conduct your own research when making a decision. I am not a financial advisor. Nothing contained in this video constitutes or shall be construed as an offering of financial instruments or as investment advice or recommendations of an investment strategy or whether or not to "Buy," "Sell," or "Hold" an investment.
Transcript
Discussion (0)
Can you guys all hear me? Ben, can you hear me?
Yeah, we can hear you.
Ah, fantastic. Scott, nice to have you here, sir.
I'm about to board a flight, but I wanted to join for as much as I could.
Fantastic. Guys, let everybody know that we're live.
Ben, how are you, my friend? How are you feeling?
I'm good. Hey, guys. Good to see everyone.
Managed to get a few hours sleep.
Oh, you did? Yeah.
Oh, that's fantastic. So we're just gonna we're just gonna wait a few
seconds. Just let everybody join. Yeah, guys, share this far and wide. I
think this is a business the first spaces that you've done after the
hack, right?
It's the first space. Correct. Correct. Yeah.
Correct. Amazing. Yeah. Okay, I think I think maybe this is probably a good time to kick off. I think
pretty much by now everyone knows what's going on, but in an unlikely event that some people
don't know what's going on. Yesterday, Bybit was hacked. They were hacked for about $1.4 billion
worth of ETH. That is, I think, the biggest hack. I don't think, I think I know that
it's the biggest hack, the biggest exchange hack, recorded exchange hack in history. I think today
we know or we think we know that the Lazarus Group were actually behind the hack and I think
this is the space with Ben just to catch up with Ben and just to get a first-person account of
exactly what
happened. So Ben, first of all, thank you, my friend. I know it's been a stressful 24
hours, even though your whoop doesn't, doesn't, doesn't attest to that. I guess it has been
quite a stressful 24 hours, no?
Yeah, it was a lot of coordination, a lot of meetings, a lot of actions. I don't have too much time to think about stress,
to be honest.
It was just making sure that all the puzzles,
every piece was running in the order that it should be.
I'm playing my role basically as a CEO of the exchange
when something even happens. Yeah. So walk me through, walk me through that how this all started. my role basically as a CEO of the exchange when this happened.
So walk me through how this all started.
It was a normal day and you guys were trying to move money from the hot wallet into the
cold wallet.
Walk me through how this started and at what point you realized that there was a problem?
Yeah, it was a very typical day and a typical maneuver. It is from the cold wallet to our warm wallet.
So Bybit runs in such a way that we have a hot wallet system,
meaning that basically when you withdraw,
once the system checks everything,
it's approved and it's automated.
That's why clients can get their withdraw
maybe typically in one or two minutes.
And that's all through the hot wallet system.
And when the hot wallet is kind of running low, there is a warm wallet,
which you can kind of imagine is like a fire block sort of infrastructure where a few of our
admins needs to go in and manually approve the transaction. So it moves money from the warm
to the hot wallet. Now, when the warm wallet is running low,
then we need to top up from a cold wallet.
The cold wallet, as the way we design it,
is completely isolated from our own wallet infrastructure.
The warm and the hot are self-developed
internal infrastructure that's completely intertwined with our risk check and basically overall internal systems.
And the cold wallet, which in this case we use, is safe.
The third-party provider, which is a smart contract based multi SIG Ethereum wallet,
which I think a lot of the exchanges use.
So it was a typical day.
Just before, just before, just one thing that I'm struggling here is why do you have a three
wallet system versus what is usually a two wallet system?
So usually I understand that exchanges operate with a hot wallet
and a cold wallet. They keep the cold wallet completely disconnected and they keep topping up
the hot wallet to meet daily liquidity requirements. What is the purpose of the warm wallet?
No, the warm wallet provides an extra layer of isolation, right. So the hot wallet is essentially the seed,
if it's not the seed, if it's a whatever, it depends on the way you design it. It's in the
system and it could be compromised by physical design because it is part of the system,
by physical design because it is part of the system, because it requires automated withdrawal.
So that warm design is to kind of making sure
that it involves admin personal kind of approval
and making sure that checks,
so that provides that extra day of isolation.
Okay, so you were trying to move money from the cold wallet into the warm wallet.
And what kind of amounts were you trying to move across?
I mean, you weren't trying to move 1.4 billion, right?
No, we were moving 30,000 Ethereum.
Okay.
And so, and yeah, so 30,000 Ethereum was to be transferred from the code, the multisig, into our basically
a warm wallet system.
And then it was a typical day where when I get it, I'm the last signer of the whole
sequence.
Then the previous signer have already all signed and it was around, I think, 9.30
at night for me.
I saw the message.
So I did the usual sequence of actions.
We do have security protocols of which laptop we need to use, what things we need to check,
which URL we need to check.
I did basically the whole thing.
And after the whole transaction was completed,
about 30 minutes I get a call from our...
Ben, before we go there, just,
I mean, you guys are doing this regularly.
How vigilant are you about following the security
protocol? Because the reason why I ask is, we also have security protocols, but some of the times,
because I do something rinse, repeat, rinse, repeat, rinse, repeat, sometimes I'm kind of like,
you know, I don't check every single detail. In this case, do you think that you checked,
do you have a protocol? Did you follow every single detail? Or was this just,
I've done this, I do this every week,
it looks the same, it feels the same,
I'm just gonna press the button.
Yeah, yeah, no, I understand.
So we do this almost every week,
but the protocol, it's not so difficult to follow, right?
And also our laptops are always being checked
on a monthly basis, make sure that it's bug free.
What's interesting is the safe design,
it requires internet, meaning that it is actually,
I am using my work laptop to do this,
which my work laptop is in a way set up that I cannot
install anything or anyone can cannot install anything on my work laptop.
Other than the pre-installed apps that you can imagine is the communication software
we use.
And where were you when you signed this?
Were you at home? Were you at the office?
Were you at a restaurant? Where were you? Yeah, I'm at home and what's interesting is all the
previous sign-ins were all in different locations of the world. So I'm actually at home.
Okay, so you're at home, you get a message on, I take it on some kind of group saying,
hey guys, we need to move 30,000 ETH.
Everyone signed, you're the last signatory.
You signed the transaction,
everything looks and feels 100% normal.
What happens then?
Yeah, so to go through some detail, it's a link.
We always use a communication software
where we share the secure link from SAFE. So the first protocol is basically,
I need to check, make sure the link is from SAFE official site.
So click on that, making sure that it's all good.
And then the signing process is we're using a ledger.
So I have my ledger ready, plug it in, we open it, I open it,
I check the address, I check the destination, I check the contract. So that's all usual. So
everything was conducted, everything, then I signed it as the last signing and then I moved on.
After that, well, after I sign, informing the group that it was completed but then 30 minutes later
my finance called me I mean I can I can feel something's wrong because the guy was just
shaky he was his voice is my kind of my CFO you can imagine he's almost cannot speak his
his bank there's a there's there's an issue and I know it, what happened? And then he told me, yeah, we might be hacked.
And okay, I said, the 30,000 is gone?
He says, no, all of the Ethereum was gone.
I'm like, what do you mean all of the Ethereum?
So at that point, I don't know how much is in that wallet.
And he told me it's around 1.5 billion dollars worth of Ethereum. Okay, so take me to that moment when he tells you it's...
I can imagine that you felt, okay 30,000 ETH,
deep breath in, deep breath out, I can stomach a loss like that.
Tell me about how you felt when you heard it was 1.5 billion or 1.4 billion.
Yeah, no, initially I thought it was 30,000.
So I said, okay.
And then he says, no, it's not.
It's all of the Ethereum that we have in that specific wallet, which is about 400,000.
And I was like, okay, how much is that?
At that point, I couldn't do the math.
And he said it's about 1.5 billion. And then it just kind of, this overwhelming
kind of breathless, I cannot breathe, maybe for about five seconds I didn't say
anything and I said okay. And then I think about ten seconds later I told
myself I need to snap out of it. We need immediate security protocols.
By the way, that by bit we practice kind of what we call P minus one
security protocols every, every month. That means with one button, I can wake up everyone in the company.
But also I have a button to wake up top management. So I said, okay,
let's go into P minus one security protocol. So we,
we call all the top management
and then we start to basically, I start to put my CEO hat on rather than so at that point,
I told myself to stop thinking about the money, but to think about what do we do now?
Yeah. At any point then did you worry that there was more to be hacked or like
Was there a point where you thought shit?
What if they could get access to more or did you know that it was contained? No at that point
I didn't know so
So yeah after basically that kind of told me and in 10 seconds, I was like, okay
the next question I asked is how
about the other wallet? Because at that point, I don't know how much we have with safe and
I don't know where we are on other wallet. And then my finance team told me that we do
have other wallet, but it seems to be all fine. It's only the Ethereum that has been moved.
And I said, okay, we probably need to call safe immediately to make sure that...
So at what point do you realize the cause of the hack?
Because I mean, did you put one and one together immediately to say, shit, something's wrong
with the transaction that I just signed?
At what point did you realize what caused the hack?
I think it's exactly around that time I asked, what about the other hot wallet?
My team says it's contaminated. So during that call, when my finance caught me, my security team is already in the call.
So I asked them, okay, what about the other hot wallet?
They said, it seems to be fine.
They're not moving.
We are currently, if we have monitors, we have dashboard looking at all the hot wallet,
only this Ethereum hot, a cold wallet is contaminated, it's been breached.
And I said, okay, this is the multi-sec
and they're saying is correct.
And I asked them, do you see any issues
with our own wallet system,
which means our heart and our womb?
And they said, no, it's not issue with Bybit.
It's the multi-sec that you designed,
which is a safe wallet.
So at that point, I pretty much know that it's not a kind
of an internal breach of our internal system, but it's more of the multisig we signed just now.
And it's that specific multisig. And I asked the security team what caused this, and they said
either is one of the UI was spooked
or it could be a server issue, but nobody knows.
But they're pretty sure it's the only the multi-sig
that we just signed.
And it seems like the trigger is that we have to sign again
in order to for any other trigger.
So I said, okay, stop all that.
We're not gonna sign anything.
But at that point, I pretty much know that it's not really an internal thing. And that's how I know.
Okay, so now the money is gone. What's the next step for you? So you've spoken to your team,
the money, you effectively realize that the money is out of your account
and you've been hacked.
You've woken up the whole management team.
What went through your mind?
What are the priorities at that point?
So yeah, actually, before I called management, I asked my finance.
I said, can we cover this?
My CPU said yes, my CFO said yes,
we have enough treasure to cover this.
Then I think the whole direction changed
to making sure that this message is out.
By then I know that I need to tell everyone
that this happened and it's not the end of the world. message is out and basically by then I know that I need to tell everyone that
this happened and worst case scenario that we will take the loss because in my head is if we cannot cover then my job as a CEO is probably to look for money to make sure that clients not suffered. But if we can cover it luckily in this time,
then I call the management. My priority is to make sure that everyone knows what happened.
And after I called, I immediately said probably people already can see on chain that this has
happened. We need to prepare a public statement,
all hands on deck, wake up all the support,
clients are gonna come and ask.
We need to start answer questions.
But then I assured my management that
we can cover all the loss, all hands on deck,
we don't plan to suspend withdrawals.
So be prepared for the big
background that's going to come. Yeah. Was there a period in the entire process,
was there a period where you doubted that you guys could cover this? Like was there a period
in your mind where you thought, I'm not sure we can cover this, I don't know how much money is
in the treasury? Like was there any time where you time where you didn't know if you guys could cover it internally?
No, when I heard the 1.5 billion, I know it's a huge amount, but my head is, can I cover it?
I know we can cover it, it's just that I don't know if we have enough Ethereum to cover it.
Maybe at that point, we need a Bridgelong or
some other. I'm not sure how much of our liquidity is in what token. But yeah, pretty much when I
heard the 1.5 billion number, I'm aware because we have our finance team, we have all the monthly
report and everything. So big numbers numbers I'm aware. Yeah.
So it's a very big hit, but you breathe a sigh of relief.
You know you can cover it.
I'm interested to know who you're speaking to during this crisis.
I know I texted you, I think, immediately.
I didn't hear back from you for a while, but I want to understand right now, you've just
heard that the heck you've spoken to your finance team.
You've been to protocol P plus one and P minus one.
The whole management team is up.
Who are you talking to?
Who is the command center that's working around you now?
So I'm the command.
I'm running the whole command and then immediately I call my CEO Helen.
I told her that what happened and I said, expect massive hit on our support team on Twitter,
because people will know very soon.
Then I think she wake up immediately,
there's a button she calls to call her direct reports.
That's the PR team, social media team.
That's the custom support,
basically all the front-line teams.
I believe then she goes to in that meeting and
brief those teams on the next steps.
Then, so basically I told Helen,
COO to prepare and prepare a public statement about what happened.
And the next I did was called my CTO tech and product head.
At this point, I know that clients are going to do bank run.
And the next worst thing is you experience a system shutdown.
and the next worst thing is you experience a system shutdown. I told them that we can experience a massive hit on the withdraw,
but we need to make sure that all withdraw system are alive,
and all products are live so that at least clients
don't see a page 404 or something like that.
So that they wake up
the emergency tech support team to make
sure that all system dashboard are green.
It was true about 30 minutes later,
we start to see massive withdrawers.
Then the whole product and tech team,
their priority was to making sure that it's not about the withdraw, making sure that all these massive flow clicking the
withdraw buttons, everyone, there's no stock, everyone can experience the Bible product live
with no problem. So that was my second thing after that. Yeah.
Okay, so now you've instructed everybody, everybody is now expecting the worst.
I assume that somewhere around that point is when you went and you did a live
on the Bybit streaming platform and you did that very, very good live.
And you, you transparently told everyone that you had been hacked and you
explained the mechanics of the hack. At that time,
I think you said there were 120 withdrawals
that were stackable.
If I'm correct, I'm not sure if my numbers are correct,
but I think you said there was a very small number.
Walk me through what happened after that.
You know, so kind of what happened is
after I did that two came out,
I immediately, I start to craft a tweet
because I think at this point,
I need to make a tweet as the think at this point I need to make a tweet
as the CEO of the company to come to market.
My PR team already started to tell me, Ben, we are getting hits on Twitter asking, have
you been hit?
And I think, okay, we need a public statement immediately.
So I crafted that first tweet I did saying that we believe that we'd be hacked and all that.
And then after I tweeted about five minutes later, I called my live stream team to all go to office.
And then I'm cleaning up my, I take a shower. I'm heading to the office as well to prepare for the kind of the live stream.
So that's how we arrived at the live stream part.
When you arrived at the office, how many people were at the office? Walk me through the mood.
I mean, I guess you showered pretty quickly and you rushed to the office.
When you got to the office, how many people were there? What's the mood?
So basically, we have a building in Singapore.
I mean, I'm happy to be in the Singapore office.
And when I arrived, we always, our support is always there
because we have live support 24 seven.
I can see that the support is full.
Everyone is extremely focused, busy typing away.
The mood was quite tense.
By the time I get to the live stream room, which is actually on the fourth floor next
to all the corporate function, that's the legal, the HR, the admin.
I see pretty much all of my legal teams already there.
So I assume this, I did not inform legal.
I think it's probably my COO informed legal to already come to office to get ready for the police report and everything.
So that's the first one I saw.
But everyone was just busy.
And I came in to the office and then was sitting there kind of looking at Twitter and making
those.
I was focused on making more tweet, answering some questions there.
And then while I wait for the live stream,
equipments and everything to be ready.
About 10, 15 minutes after I arrived,
the live stream team arrived.
It was a four, three people, three girls.
I can see they've been dragged out.
I think they were about to go to sleep
but they were very tense.
They were very serious.
Everyone was just running, getting equipment, getting light, the videos, checking the mic.
Yeah, I think, but everyone was busy. Everyone was already focusing on their tasks.
Okay. And then you did the live stream. What happened after? I mean, I think a lot of us watched the live stream. You were quite transparent in your approach. What happened after that? Yeah, so even during the live stream, I did
about... So before the live stream, we kind of sit down with the live stream team on what is the plan,
what is the goal. I said, well, it's quite important for us to be there.
It's more important for, it's important what we say and tell the clients, but it's more
important that we are there.
And so that I wanted to be with the live stream.
I told the team it probably is going to last about two or three hours so that during this
critical time, they can see my face and they can see the team and the clients can see us knowing that we're here handling it.
But I said, every about 20 minutes,
I need to go to get the top update on what is the latest development.
So who can be on the livestream with me? I need someone.
Then I think we find Srinjit,
who's our head of derivatives, he's available.
So he was doing that.
And then I was talking to the live stream team on,
during those period when I'm away,
when he's also finished answering, what do we do?
And then we said, okay, let's do a countdown.
And then, but we don't have that.
So we immediately prepared a slide
telling the audience,
we'll be back at UTA time, what time.
So everyone knows it's not a thing says,
we'll be back.
If you don't tell the audience that you'll be back
at exactly what time,
people think you are kind of dragging your feet, right?
So we make sure that we always have a time.
And the audience who are watching the live stream knows
that, okay, we are only away 20 minutes.
We're not, you know, so that was a critical thing
we decided during the period that,
and then I think when I'm away,
I'm just getting the top level update.
Number one is from security.
This is to answer your question,
like what happened during, after. So security to answer your question, what happened during and after.
So security, I want to know what happened.
Do we know that this problem is already contained?
My top level is my other hot wall is secure, 100 percent.
So that's one of my first thing I need to find out,
and the security team told me that yes,
it's 100 percent secured. However, we might experience a liquidity crunch because
the Ethereum is gone. And so that we, you know, obviously we only, that was about 70 percent of
the client's Ethereum. That means we need to borrow Ethereum to fulfill clients' withdraw and assume
all these clients want to withdraw Ethereum because this was the one that hacked. So I said,
okay, and then I called a few key persons to be in charge of going out talking to partners to get
the loan. So I need to make sure that the progress of the loans is in place.
We're not worried at this point about a Ethereum short squeeze because effectively you were short
$1.4 billion worth of ETH. So we're not looking at ETH and going, please God, I don't let this not let them not start squeezing me out of the market now.
Yeah, I think what we're lucky is that Bybit is always really
one to one. So I never had that fear. And number two is all of
our system we have lifetime dashboard update on where we
are, all the wallet system, clients asset, withdraw,
even the loan ratio and the risk ratio,
I can see it on a dashboard
and it's only about 10 second delay
pretty much of all systems.
So I can precisely know the next five minutes, 10 minutes,
where the withdrawal limit,
where is the queue of the withdraw is gonna happen? So all of that, we have everything
in control because we can see it. My finance team, my risk team, we all can see it. So that made
made everything much easier if we were talking about compared to let's say FTX, maybe they don't
have anything to look at. And that's why. But were you not worried? Were you not worried?
Like if I'm just putting myself in your shoes, I know that $1.4 billion worth of ETH is stolen. I know that I've got $1.4
billion, but that $1.4 billion is not in ETH and people are going to start drawing ETH.
We're not worried that you're going to need to buy ETH on the open market, whether it's to repay
loans, bridging loans. Ultimately, you need to buy ETH to replenish the ETH at some point,
right? Yeah, I am worried. So that's why we need to borrow ETH from partners for this withdraw.
And at the same time, with our withdraw, we can put a priority on the Ethereum
withdraw, meaning that there are a lot of versions of Ethereum
on different chains and clients can withdraw. So we have a measurement of our stockpile and then
the withdraw that's coming in. What's interesting is that the Ethereum was never the biggest
requested token of withdraw and everyone is withdrawing actually stablecoins, which is USDT
and USDC, USDT being the majority. So then when we see the flow, we start to think, okay, even with
the reserve we still have, we can cover at least for two, three hours. That gives me about two to
three hours to get a loan for Ethereum. Okay, and what do you do? Who do you phone?
How do you get a loan?
Well, that's not even during this point, another issue comes up is that what two more issues
comes up is that my my team is telling me, Ben, our USDT code wallet is also with Safe.
And because of this whole incident, Safe has shut down their services.
So I have about 3 billion worth of stablecoin that's locked.
And while my clients are always drawing from the amount, we got like 100,000, I think 200,000 within two hours with store requests.
We can predict our stockpile on USDT is not going to last for too long, maybe five to
six hours.
So within five to six hours, we're going to have a liquidity crunch on stablecoin.
And then this is a bigger issue because that's about three billion shortage that I need to fill unless I can magically
somehow move my money from safe again. Now even if safe tells me at this point that Ben is safe to
move those money I'm scared to move because I just lost 1.5 billion and using the same system
and now I'm looking at 3 billion,
I'm like, well, what are we gonna do?
So yeah, so at that point,
this is starting to become a even bigger issue.
And then I told my security team
to really crack down and talk to SAFE,
we need a better way to get this money out.
And so basically for the next four hours,
my security team focus was trying to crack down
safe with a software we develop that we can trust.
We know that we can move.
If you guys noticed about the last bid withdrawal,
if you look at my tweet, I said we're moving about
$3 billion back to our warm wallet.
That's basically my security team, I said we're moving about $3 billion back to our warm wallet.
That's basically my security team, I would say 50 people, they just kind of wrote a code
based on ether scam that to move to kind of verify the multi-sig on a very manual level
to basically move that stablecoin back to our wallet system.
In that two seconds where they moved the three billion from the one wallet to the other wallet,
I mean, were you watching the transaction? Were you holding your breath?
I would have been like, okay, this is it.
That's a life and death.
That's a life and death.
Yeah, no, but they did multiple tests before, even with me.
We did maybe four different tests with other wallet.
We were pretty sure this is secure.
And then lastly, let's do it in one go.
That's why you think you didn't see a test.
It was one go, three billion BAM back to
buy it. I was like, shit. Yeah. And how many hours after the hack is this? And what time is
this in Singapore now? So now they've moved the three billion. What time is this? Yeah, that's
about almost 10 hours by the time we crack. Yeah. So this is like near, this is middle of the night. This is 5am, 6am, something.
No, this is about six.
No, actually, seven, maybe 7am, 7 to 8am.
Um, basically the whole team was up.
Yeah.
All night long.
And, and how much of Bybit's reserve, how much of Bybit's reserves or total
assets under management are being withdrawn at this point in time?
By which time?
I'm saying, when you move to $3 billion, how much of the total assets under management
have you guys withdrawn?
How bad is the bank run?
Currently as we see, it's about 50%.
So 50% of all the funds un Bybit were removed? Correct. Correct. Yeah.
Okay. And I mean, how bad was the backlog? So in other words, what was the time that people had to wait?
The backlog was bad because the initial rush was too much. The system handles so much withdrawal.
handle so much withdrawal. Not only the system was kind of backlogged, obviously with each withdraw there's multiple checks. That's the typical process, right?
If let's say you are withdrawing from Bybit, unless it's a familiar address, if
it's an unidentified address with a big amount that involves a risk team to check,
making sure the client is not hacked,
and also verifying the AML compliance,
travel rule, all these things.
There's actually a lot behind a withdraw.
That's going through whenever a withdraw is happening.
The system is conjected, a team is overloaded, although all the teams are there to process them,
but just too many. And then also our network is congested because there's so many people trying
to withdraw from the wallet. And then there was multiple areas needs to bump fees. And also there's multiple chains.
We have different stock reserves.
Let's say, you know, we have USDT on Trong
and we also have USDT on Solana
and people are trying to,
more people trying to go through Solana or here.
So, and then there's always a team
that's kind of backing up all the liquidities.
So there's multiple levers, making sure that
smooth everyone gets withdraw. Basically, everyone has to double up on whatever they
do. So that's why there's a backlog. And you see that, okay, some people took three, four
hours. It's actually simply because there's too many withdrawers and we're just following
regular procedures to process them. And where are we now? So where are we now?
Is everybody processed? I mean I was watching earlier and I saw actually more
money was flowing into Bybit than flowing out of Bybit at one point today.
So what's the situation as we stand? So as of now it's business as usual. So at the 12 hour mark, which is about 10, no, 9 a.m. Singapore time,
all backlog has been cleared.
Every single system is green.
Basically all the withdrawal process
from the rush time has been cleared.
That means from that point on,
at 12 hour mark is only new withdraw being processed. And that point on, at 12-hour mark, it's only new withdrawals being processed.
And that was relatively, we kind of go back to our normal phase.
So we kind of handled everything in about 12 hours.
Yeah.
I guess I want to go back to that and say, at what point did you lose hope of recovering
the money, if you've lost hope of recovering the money? And look, I'm sure there was a period where you thought I may get this money back.
And then I guess at some point you realized that it could be Lazarus that has the money,
in which case, I mean, the probability of getting it back seemed pretty low.
Just walk me through your thought process about thinking about the money that is stolen.
It was never a priority actually.
Even until, I mean, at least for the first 15 hours. If I know that the money loss can be
covered by us, then I don't need to go out look for money, making sure that we withstand the bank run,
we handle the crisis in,
because to me, getting the money back,
it's not as important as handling this crisis,
making sure that the buyback brand is there.
Even we wanna show the world that
even when a crisis like this happens,
we are a reliable team, you know, to handle all these things.
So these reputation things are more important to me.
And at which point, I think even immediately after,
I know this is sophisticated to things.
And judging from how the money is flowing immediately into all these things,
it's out of our control.
And then I will let the security team
and legal team handle the chasing.
But me as kind of the commanding officer there,
my job is to handle the client requests at the time,
making sure that those things are handled.
And how would you rate your team's performance
in this period of crisis?
Like how would you rate out of 10, how would you rate your team's performance through the night?
Oh, I would say 12.
12 out of 10. I must say, it feels that way.
And I was also talking to members of your team through the night. Everyone, so if you go back in time, after I arrived in office before the live stream,
that's when I had a bit of time to sit down. I crafted a message to the company.
And actually I can read it. If I see it somewhere, we have a company group.
Yeah.
So it's a CEO message.
And I said, dear, bye-bye buddies.
We call each other bye-bye buddies.
Understand that it's a difficult time now.
Appreciate that all of you standing line.
It's going to be a difficult 24 to 48 hours
that we will face.
However, then I'm confident that we will make it through.
Please ensure that we remain professional and calm
to all clients and external partners.
We will try our best to maintain withdraw.
At the same time, I want to say that
even with this amount all lost,
all clients' assets are covered.
It is the time to answer clients' questions
in a timely manner and be there with
our clients. We will use transparency and communication to remove doubts from our clients.
Tech and product, please make sure that all systems are normal. We cannot have another
fuck up now to cause another FUD. All hands on deck. So that's what I said. And I think...
Wow. Wow. That means it's a real, a very strong leadership message,
keeping the crew, motivating everyone, keeping everyone in check and just making sure everyone's aligned.
Yeah, so everyone, I think is aligned.
And then with the reason I think everyone is there, everyone is almost by a bit,
you know, we work in the office, we use centralized office, so everyone is in the office.
And I think
everyone is focused. Not a single blame. No one's asking, you know, what happened. Everyone is busy
on solving the issue and even until now. Yeah. And now in hindsight, what do you think actually
happened? How did they manage to compromise for cosigners or four multi-stigs?
I mean this is sophisticated. This is a step change in hacks because they're accessing cold
wallets. This is like a complete step change. How do you think it happened? How do you think
they managed to infiltrate four people's UI? Yeah, so even until now we don't have a confirmed answer, which we will come up with a
security incident report. At the same time, we've hired external helps to investigate and do
forensics with us so that we will have independent report as well. From what we have now, immediately after then the security team imaged
all of us laptops so that we can make sure we restore to where we were and how it happened.
Upon current checks, none of the laptops are compromised. There's no trojan or any kind of
Trojan or any kind of virus had been found on the laptops. At least to our security knowledge,
maybe this super advanced model we couldn't find.
But we didn't find any of that.
Also, what they did is interviewing every single signer,
exactly back timeline,
what happened and all of that is recorded
every single step what did you click what did you see at least after all that it seems like a
normal process because in our security we check the url we click on that so we still haven't
found the answer but i guess answer will be found very soon.
But again, we'll keep everyone posted.
Doesn't it worry you that you haven't found the answer because your exchange is running
as normal, which means that you're going to be making transfers from hot wallets to cold
wallets, cold wallets back to hot wallets.
Doesn't it concern you that you still don't know what the cause is?
We know the cause is definitely around safe cold wallet, whether it's our laptop or the
safe side, we don't know.
But we know that's the problem.
So we now have our own way to extract the fund.
So basically the stable coins is out of safe and also our other majority, big amount of reserves are out of safe.
So basically that is isolated.
So we are not worried about that anymore because we already have our own way to extract the fund back to our system. And so now the next thing that's left is what's next?
What multi-sig or code do we use to replace SAFE at this point?
And this is what the team is looking to now.
And I mean, are you guys insured for situations like this?
Is there insurance for these type of situations? What's the process here?
Yeah, I don't think there's any one insurance that can guarantee an exchange for hacking purposes.
So, in that sense, I guess the answer is no, we don't have insurance for the hacking of this.
But we do have other insurance pools and things like that for other things.
Okay, and how, I mean, not to almost 24 hours later, maybe it's a little bit more than 24
hours later, how are you feeling now?
How are you feeling?
I mean, you must be exhausted.
Are you angry? Are you upset? I mean, how are you feeling?
Yeah, I had about two hours sleep. I was quite wide awake again, even until about in the afternoon.
I think it's the adrenaline is the, you know, and it kind of hit me later in the afternoon.
So I took a nap.
And now I think I'm again in that mode
that I need to be more focused.
So we've put a task group, a task force,
making sure each key person is chasing on their side.
So security is making sure that they're looking into what happened and also how to prevent this,
and also uncovering other fund.
There's one team on it.
There's many things to be done.
We've managed to stop the first wave,
but what's next is to build trust,
is to keep growing and operating as exchange.
So that's the difficult part.
And the first thing we did is to put a task force
and get our BI team,
again, Bybit is a very number driven company.
We use a lot of dashboard.
So we were building a new dashboard
for the disaster impact.
So impact report, how many clients we lost,
how many VIPs, how many institutions,
how many liquidity, how many AUM.
Once we identify all these problem,
okay, liquidity, how do we get it back?
VIPs, how do we get it back?
Retails, how do we get it back?
Then you divide into tasks.
In fact, one of my tasks is to be more vocal,
making sure that I'm out there talking about this, doing this now, so that everyone is aware that
Bybit is here to continue to operate. And yeah, so I think that's the next part.
Ben, as a company, did you guys train for something like this? Did you guys prepare for something like this?
Have you guys done drills for things like this, or was this working out as you go along?
We have a what we call tech ops team that does a monthly drill on, again, what we call
P minus one.
Like P minus one meaning extremely urgent incidents.
It could be a hack, it could be a system shutdown, it could be that the withdrawal system is done or
derivative system is done, you know that the crypto is 24 seven so we are 24 seven.
So we are 24 seven. So we are very much trained in emergency response.
And the teams are very fast in responding
to any type of emergencies.
So, but in terms of the hack,
we are not trained to respond to hack
because we've never been hacked.
But it's not so different than responding, let's say, to,
let's say your spot market is down or your whole website is down. I think it's a similar response
because then it's the customer support team, the PR team, everyone gets up, they all know what to do,
but it's just the content is a bit different. Yeah, I must say, I've known you for many years
and I've known you socially
and I've known you in the realms of running an exchange.
And I've always thought that you've been a very good leader,
but I think you truly understand
who the real leaders are in times of crisis.
And even I was surprised,
and I said it in the most humble positive way,
even I was surprised, and I said it in the most humble, positive way, even I was surprised
at just how effectively you executed in the last 24 hours.
You were transparent, you were efficient, you were available.
It was a masterclass.
Someone actually wrote a tweet about it was a masterclass in crisis management.
You were dealing with a $1.5 billion hack.
I think it's a case study in how
crisis situations should be hacked. I really believe that the way you handle this on a
global level was absolutely, absolutely incredible.
Yeah.
Thank you.
I saw there were a lot of partners that came to the rescue. I see Gracie's here from BitGit.
In fact, we'll actually just get up here as well.
I know BitGit came to the rescue.
I know Binance came to the rescue.
Just walk me through partners, friends.
Just walk me through.
This is probably a good time to acknowledge some of the people that really tried their
best to assist.
Walk me through how that happened and how you felt about all the help. good time to acknowledge some of the people that really tried their best to assist. Walk
me through how that happened and how you felt about all the help.
Well, I'm overwhelmed by all the support that we've received. It is a tragic time for us,
especially for Bybit. But with you know, with all the support,
we really felt that the whole industry was behind us.
I think at this time, we all recognize
it's something that none of us want to see happen.
And there was no competitor.
There was no, it was all partners supporting us
from all over the place.
Basically, immediately after news,
my phone was getting swamped by partners offering help.
Say, bye, Ben, you know, Ben, if you need help,
we can help.
My emails are getting swamped.
And then obviously immediately,
there was a few things we needed immediately.
As we see, number one was that bridging loan to cover the missing Ethereum.
So a few key players really helped us on that.
I would like to say special thanks.
One is AnAlpha.
They helped us to give us a good loan on Ethereum.
BigGit for sure. They gave us a loan without any
collateral. They just say here, wallet address, we'll send it to you. Pionex, another exchange,
and also MEXC. I was so busy writing here and there and I'm asking my team to kind of reach out to the
partners. I might be missing a lot of the guys but I'm getting all sorts of partners connections.
And also I think there was Social Value, Solana, Tong, even the UAE blockchain center,
the blockchain center, golf capital, like Bitvavo and Tether.
Tether was helping us, freezing funds really active.
Galaxy Digital offered offered help to give us a loan.
And basically, you know, we have all these other friends who are doing forensics,
white hacking that was connected to us. Yeah, so really, really deeply grateful for your help. Yeah.
I think Ran, you are muted.
So I'm saying, I'm sorry, I'm sorry about that.
You said this was a tragic time for Bybit.
What does this actually mean for Bybit?
You had enough money to cover the loss.
I guess, cover the loss. What do you think, what does this mean for Bybit, you had enough money to cover the loss. What does this mean for Bybit? Does
this mean slower growth? Does it mean cutting down on certain initiatives? Have you done
the maths of what this actually means for Bybit?
Well, I've given the homework to our finance team to do projections based on this loss on our own treasury. What does it mean?
What does it allow us? What does it restrain us from the initial plan? The team is still
number crunching and trying to give me an overall look. But again, this is not all the Treasuries that we still have some reserves left. So I don't
think it's going to impact us in a way that you would notice. But for sure, it will impact us
maybe on some of the long-term plans we've had. If we were thinking about M&As or if we were
thinking about big investment in somewhere, maybe that
will be affected whether it's delayed or canceled. But in terms of the daily operation, in terms
of the maintaining the operation level, maintaining the current team, Bybit is always run on our
extremely lean model. We have about 1800,800 staff globally, which is actually
quite lean compared to the other players. So I don't think these things are affected.
Okay, so I guess for bad business as as usual. What is the probability in your head right now
that you believe of getting any of the money back? Have you thought about it? Have you written off
the money in your head? Do you believe that there's a chance of getting it back? Do you believe that
there's even a point in the police getting involved? Walk me through how you see the legal process.
No, we will try our best.
We would definitely have a whole task team on it, how to get the money back.
Whether it's to chase it and try to block it if it's trying to go through a bridge
to go across to other chains.
This morning, the team informed me, informed me,
they were trying to move some of the money into Bitcoin through a bridge.
So we informed them and they were kind enough to help us to block the fund
immediately. So what can you do that?
And I assume for the hacker, it would take them a long,
long time to eventually, you know,
wash this money out.
time to eventually wash this money out. We are hoping by putting enough trouble to them,
maybe they would consider returning it at some point.
Also, we just issued a bounty to ask the community to help us,
whether you can lead to the direct retrieves of the fund or some trade evidence that helps to retrieve will give you a bounty.
And yeah, and the police is involved. We actually, the Singapore police took it very seriously and I
believe already escalated to an interval level. So they will mark this fund into a very high level kind of watched crime fund so that it
will trigger down to chain analysis level that kind of sanctioned address these type
of things.
So, with efforts like that, I think as long as Bybit is there, we will continue to track
and hope we can get this fund back.
When you spoke to the police, I mean, blockchain is a relatively new thing.
Blockchain crimes are a relatively new thing in the racing.
In most countries, I'd imagine that the police wouldn't have any idea what to do in a case
like this.
When you spoke to the police, and I'm assuming you reported to Singapore police, how clued up were they and how smart are they when it comes to blockchain crime?
Singapore is very developed in terms of blockchain crime. There actually have been a few
prosecutions based on that.
What's interesting is even before we approached them, they already know what happened.
So again, this is the biggest apparently, in the history of any type of hacking.
So when we approached the police, they know this happened. So they were offering help very quickly.
And at any point, did the thought cross your mind to reach out to the Ethereum Foundation to roll
back the chain? Was that ever a consideration of yours? We will try everything again. So I had my
team talking to Vitalika and the Ethereum Foundation,
see if there's any recommendations they can offer to help. And I do really thank all these guys on
Twitter asking if there's a possibility to roll back the chain. And I think, I'm not sure what
was the response from their side, but anything that would help,
we would try.
Yeah.
What do you think?
Do you think that they should roll back the chain?
Because I mean, it is a bit of a dilemma, right?
On the one hand, it's blockchain and every transaction is irreversible and immutable,
etc.
On the other hand, this is a hack, but probably a terrorist organization or a sanctioned organization.
What do you think?
Do you think that the right decision is to roll back the chain or not to roll back the
chain?
Yeah, I really don't think that.
I don't know.
I'm not sure if it's a one man's decision.
If based on the spirit of blockchain, maybe it should be a voting process, right?
That see what the communities want. But I'm sure I'm not,
I hope this is the last time this type of case would happen to anyone. But again, we know hacking
does happen and how do we prevent this efficiently? There should be a better way to track and kind of
confiscate this fund. Yeah, I mean, I guess also sharing as many learnings as possible,
which I think you've done very well by by by being transparent
and sharing every step along the way.
I think that's one of the things that, you know, if it was safe systems
that were broken, then we need to know about it.
If it was barbit systems that were broken, I think everything
that you guys can share would just make the industry a lot stronger.
Yeah, no, I think we believe in communication and transparency and I think it's the best way to
solve a crisis like this and that's what we did. Yeah. Yeah. So I think Ben, if you've got five
more minutes, I think we'll bring up some other speakers. I see that the guy from Arkema on,
I see Gracie's on. We'll bring up some other speakers and maybe just take five minutes of Q&A if that's
okay with you?
Yeah, all good.
Amazing. Amazing. So guys, if you want to come up, just let us know. Otherwise, the
guys from Arkham, I see we've got Miguel on. Miguel, anything that you want to add?
Well, Miguel, do you want to go ahead? Okay. So I actually don't have that much question, maybe one
followed by sharing a little bit story behind what we were thinking we were when we were trying to
support by the as Ben mentioned, we were among the one of the first exchanges to send them. We send them actually 40,000 Ethereum, about four or five hours after
the hack as a bridge loan without any collateral, without any interest rate, and we're not rushing
them to pay back. It doesn't matter because we do believe that Bybit will survive this.
So what I really want to emphasize here is that, especially after FTX clubs, our industry has been through a very difficult time.
Lots of, you know, retail users, projects also experiencing a hard time, you know, central exchanges ourselves.
We all went through the very bear market in end of 2022 and 2023.
So we as a competitor or so or peer, what we truly believe is that we need to work together
to face this, especially given that the Bybee case is very different from FTX case.
And in our opinion, you know, competitors actually make each other better. If you look at Coca-Cola versus Pepsi,
Madonna versus KFC, and we want the industry to have to be in a fully competitive environment
so that it's the best for our users and program.
And that's why, without any hesitation, our founder Ben was a very good friend.
I've seen Ben multiple times
in various occasions and we just want to support each other in this case. I believe you were
by a bigot getting hacked, but we will do the same for us. So that's basically the spirit
that we want to build here. Ben, all the best. I hope you feel good now.
Thank you. Congratulations. Thanks, you guys.
Congratulations. Gareth, I see your hands up. So Gareth Jenkinson. Hey, Ran. How's it
everyone? Hey, Ben. Gareth here, managing Elita Cointelegraph. Firstly, hats off to you.
I think that tweet that was doing the rounds yesterday saying this was a master class in
crisis management couldn't be more true.
I think a lot of other exchanges might have just buried their head in the sand and not
said much and left it to everyone to wait and hear what was going on.
So for you to get on a live stream and talk less than an hour after the hack did a lot
for the industry.
I mean, it allowed us to report with a lot of accuracy because we got some early information
and we sat on it for a little bit before we ran the story.
Because you don't want to just go out there and write a story,
no buy-bit has been hacked.
So well done.
My first question is, CZ, to which
you should stop withdrawals or stop your systems altogether,
I think that you made a great call by not doing that, but I just wanted to ask you why
you decided not to do that.
And 24 hours later, if you think that was the right decision, I think it was a big litmus
test for Bybit and hats off to you to be able to manage all the withdrawals.
But yeah, was it a consideration for you?
Yeah, no, I actually commented on that tweet. I think from an outsider
perspective, whenever you hear a hack, it typically means that the internal system of the exchange was
hacked, meaning that whether it's the hacker infantry or system or one of your key
person is compromised, resulting that you don't
know where's the root cause. When that happens, I think you must hold the withdraw. But in our case
is quite different because we were quite early on know that our system was completely intact and it
was in fact the external cold wallet that was breached.
And so that was a relatively easy decision for me because I have full confidence in my system. I know my withdraw is not compromised.
So then why stopping the withdraw? But then you also, you might have,
so yeah, there's another incident where other exchange
might stop withdraw because they don't know how much money they have. But again, Bybit is running on a lot of dashboards. We have
a very strong control on our system, on our margin and everything. So I know exactly where we are.
So it was a no-brainer decision. Yeah. If I can just follow that one up. I mean, obviously,
Zach EXPT put the breadcrumbs together and figured out that Lazarus Group had carried out this hack.
That's very big news and obviously there's now been conversations about Ethereum rolling back that transaction.
I know you probably can't say too much at this stage,
but are you in conversations with Chainalysis because they've done
very deep investigations into Lazarus groups and a number of
the other hacks in the past few years that have been perpetrated by them?
How closely are you working with some bigger law enforcement agencies
into poll all of those?
Can you give us any more detail on that?
Yeah, so we're actually, Channels is one of our biggest partner even before this hack. So we are
in deep conversation for SureWisdom and I think their CEO emailed me immediately after they
heard the news saying that they already created a task force for Bybit to track this fund and to help us. So really appreciate their help.
Yeah, in terms of police, we've already escalated to the Singapore Police Force. As far as where
whether it's we are is it on Interpol level, I'm not sure the details, but again, we will try our best to exhaust all the
channels we could to, whether it's from law enforcement perspective or from the on-chain
perspective. Yeah, and I think, Carla, let's just give you the mic and then I think we should let
Ben go outside. I think it's one o'clock in the morning in Singapore, if I'm not mistaken.
I'm sure Ben wants a little bit of sleep. I'm sure you want a little bit of sleep. And I think Ben deserves some sleep today. Carla, over to you, sir.
Thank you, Rand. First off, that was actually my tweet about this being a masterclass in corporate
transparency, in crisis management, and in wallet OPSSEC. So I have to commend you, Ben, on how
you've handled this. And I want to make an observation from a broader perspective, having studied virtually every major incident of blockchain crime in
this sector as a criminal defense lawyer, I am amazed to see how far the space has come since FTX.
When you look at what was uncovered during the investigation of SBF and FTX with respect to
what was listed in the Binance,
I should say in the bankruptcy filings as to the abysmal wallet security and the protocols that
were in place and the dynamic between CZ and SPF at the time of the collapse of FTX's FTT token
to see how far we've come to see the industry coming together to support a
competitor as Gracie had said to support a competitor in this way and to help in protecting
customers because at the end of the day, if we want to be decentralized in this space
and if we want to avoid over regulation, then it's incumbent upon this sector to do just
this to come together
and to protect the consumer and to be transparent.
So again, I commend you, Ben.
Ran, you did an amazing job breaking this thing down.
I would encourage anyone to go back and listen to this
who wants to learn how to effectively handle
crisis management when it comes to managing
blockchain crisis like this, because this was
a tremendous hack, which could have had incredible ripple effects across the entire sector.
Thank you for bringing me up and I hope you get some sleep, Ben.
Yeah, Ben again, thank you. First of all, thank you, Carla. Thank you, Ben. Thank you for your
time and I think thank you on behalf of the entire industry for the way
that you handle this. And I can tell you that we've been Bybit partners for a long time. And we will
certainly do everything that we can do to bring all the customers that may be left for a while back
and to get to make Bybit, to bring Bybit back to what it is. Because I think that, if anything,
testament to how you handled this is the main reason
why people should come back to buy a bit.
And again, I think exchange hacks,
that happened a lot, I mean, Binance has been hacked
and Bitfinex has been hacked
and it's just how you handle the hacks.
And I think to be honest, I think this is probably,
it's the biggest hack,
but it's also the most well-handled hack
that this industry has seen.
So, whereas of course, I'm sorry for your loss and hopefully you'll get some of the money back,
I do want to commend you on how you handled it, my friend.
Thank you. Thank you, guys. Yeah, thank you.
Thank you. Thank you to everyone for listening. And if you want, just please follow all the
speakers, follow Crypto Time Hall. Saturday afternoon, I'm glad we could do this. One
o'clock in Singapore, I'm glad we could just bring everyone together and do something amazing here.
Yeah, we'll carry on with our broadcasting on Monday.
Thank you.
Thank you, everyone.