3 big takeaways from the record $1.5 billion ByBit hack

The industry moved on quickly from a catastrophic moment but questions must be asked around security, decentralization and the power of exchanges

GM,

It’s been a month since Web3’s largest ever hack took place: ByBit lost $1.5 billion at the hands of North Korea-affiliated hackers. The audits are in, the real-time stories have been written, but what are the bigger takeaways from this catastrophic event?

Our newsletter this week has answers, but also raises further questions.

Best,

Gary and Jon


What’s going on?

ByBit was hit by a record hack on February 21 which saw it lose nearly $1.5 billion after North Korean hackers intercepted a scheduled transfer of funds between wallets owned by the crypto exchange, which is the world’s second largest based on trading volumes.

The result was that the company lost all of its Ethereum holdings to the hacking group, which has now been proven to be linked to the notorious North Korea-affiliated Lazarus Group.

Despite the magnitude of the attack, ByBit remains solvent, none of its users were affected and the cryptocurrency market hasn’t seen severe price drops.

Those three things seem incredible, and they represent just how far the Web3 industry has come. But still the incident raises some very pertinent questions about how big players handle their security and, existentially, how this industry deals with thieves and larceny on a major scale.

1. The biggest players don’t take security seriously enough

The most striking element of the ByBit hack is the difference that a few weeks made to the narrative. Initially, it looked like a mistake from ByBit had granted the hackers access to its entire stash of Ethereum. It turns out, however, that the attack vector lay elsewhere.

The attackers were able to manipulate the software that ByBit used for multi-sig transfers, a free-to-use tool from security protocol company Safe. A perfectly good product for the individual crypto holder, it is not befitting of an organization that moves billions of dollars in assets, as even ByBit CEO Ben Zhou admitted.

“We should have upgraded and moved away from Safe. We’re definitely looking to do that now,” he told The New York Times in an interview.

The Times story claims that months earlier, ByBit had noticed that the Safe product “was not fully compatible” with other security products that it used. Yet it ploughed on and ultimately paid the price.

Using a more robust security layer could have prevented the attack altogether. You’d think this would push every other exchange to act—if they haven’t already.

As for how Safe itself was compromised, it looks like the classic case of targeting an individual within the company. No further details of that have been revealed, but typical attacks from North Korea focus on phishing employees via email or LinkedIn.

In this case, they likely lurked on the network or in the individual’s computer to determine exactly what their access could bring them.

2. Crypto exchanges enjoy ungodly wealth and power

Another interesting nugget from real-time accounts of the hack is how others in the industry rallied around to help ByBit fill the hole that the hackers created with their digital thieving.

From the same New York Times article:

To limit the damage, other crypto companies offered to help. Gracy Chen, the chief executive of a rival exchange, Bitget, lent Bybit 40,000 in Ether, or roughly $100 million, without requesting any interest or even collateral.

The fact that other exchanges were rallying to offer hundreds of millions of dollars without any question that it would be repaid (to paraphrase Bitget’s Chen) shows two things.

Firstly, that these are highly lucrative businesses that can afford to loan significant funds to their peers.

And, secondly, that the industry was so concerned at the potential impact of the hack that it put rivalry to the side to ensure that ByBit would not go bankrupt.

That’s a very real issue. Looking at history, FTX and Terra/Luna are recent examples of prominent cryptocurrency firms that have gone insolvent due to mismanagement or price collapses. As far back as 2014, then-leading exchange Mt. Gox abruptly shut down after losing around 650,000 bitcoins (then worth around $460 million, now $2 billion).

Even without the help of the industry, ByBit CEO Zhou said the company was still solvent and able to cover all user deposits.

That’s despite losing $1.5 billion!

These companies are lucrative at a level that is hard to find in an emerging industry like Web3, which is barely 10 years old.

3. Decentralization was a boon for the hackers

There’s little doubt that decentralization is a core pillar of Web3. It represents a technology with the potential to enhance the internet and all online services, independently of cryptocurrencies.

Decentralization promises to:

  • Make online services resistant to tampering and censorship
  • Enhance network security and efficiency
  • Give users control of their data and identity
  • Provide greater transparency and accountability
  • Enable permission-less development on protocols

Despite those undoubted positives, decentralization does have its drawbacks. It’s often said that ‘code is law’, and that means that once a hack like ByBit’s happens, it requires centralization (centralized entities) to step in and take action, such as freezing assets or reversing transactions.

There was talk about ‘rolling back’ the Ethereum chain to reverse the hackers’ actions (in short: that would be wide-ranging and therefore complicated) or forking Ethereum itself, as happened following a major hack in its early days. But, likely given the maturity of the Ethereum ecosystem, no response was made.

In fact, the hackers used a number of services to move their ill-gotten Ethereum stash into other cryptocurrencies or places where it could no longer be tracked.

The transparent nature of blockchains meant that the hackers’ wallets were found and the stolen assets were traced. Despite that, services like THORchain—which enables swaps between assets on different blockchains—profited from the hackers’ activity.

THORchain saw a record $4.6 billion in asset swaps on its platform in just one week, on account of the spike from the hackers. The protocol is said to have made $5.5 million in revenue from fees directly related to the ByBit loot.

THORchain wasn’t alone, and ultimately these services allowed the hackers’ entire haul to be ‘laundered’ clean in just 10 days. It is thought that some of that figure may be traceable by professional blockchain forensics companies but, in general, most of it is gone.

The tension between the benefits and drawbacks of decentralization has never been clearer. But still, it is a tough situation.

Critics can simply point to the ByBit saga, but the same system offers security, too. Persecuted individuals, for example, can hold and transfer assets freely despite any government or private pressure. That could be important in authoritarian regimes—although it is hard to imagine over $1 billion flowing in such a manner.

The ByBit case highlights the need for more nuanced discussions about how decentralization should coexist with security measures.


News bytes

Binance closed a $2 billion investment from UAE-based MGX, in a deal it claims was completed using stablecoins

US VC firm a16z published its annual look at “things we’re excited about in crypto in 2025”

Thailand has recognized Tether’s USDT stablecoin as an approved cryptocurrency that can be traded in the country

MicroStrategy announced it would raise a further $21 billion via a stock sale to buy Bitcoin—the firm already owns nearly 500,000 BTC, which is worth around $40 billion

Ripple has become the first company to receive a license to offer regulated crypto payments and services in the UAE

Exchange OKX is moving closer to offering derivatives products in Europe after it acquired a company that holds a MiFID II license—OKX was reported to have come under the radar of European regulators


That’s all for this week!

Share your feedback, questions or requests via email to: sowhat@terminal3.io