On the night of Feb. 21, Ben Zhou, the chief executive of the cryptocurrency exchange Bybit, logged on to his computer to approve what appeared to be a routine transaction. His company was moving a large amount of Ether, a popular digital currency, from one account to another.
Thirty minutes later, Mr. Zhou got a call from Bybit’s chief financial officer. In a trembling voice, the executive told Mr. Zhou that their system had been hacked.
“All of the Ethereum is gone,” he said.
When Mr. Zhou approved the transaction, he had inadvertently handed control of an account to hackers backed by the North Korean government, according to the F.B.I. They stole $1.5 billion in cryptocurrencies, the largest heist in the industry’s history.
To pull off the astonishing breach, the hackers exploited a simple flaw in Bybit’s security: its reliance on a free software product. They penetrated Bybit by manipulating a publicly available system that the exchange used to safeguard hundreds of millions of dollars in customer deposits. For years, Bybit had relied on the storage software, developed by a technology provider called Safe, even as other security firms sold more specialized tools for businesses.
The hack sent crypto markets into a free fall and undermined confidence in the industry at a crucial time. Under the crypto-friendly Trump administration, industry executives are lobbying for new U.S. laws and regulations that would make it easier for people to pour their savings into digital currencies. On Friday, the White House is scheduled to host a “crypto summit” with President Trump and top industry officials.
Crypto security experts said they were troubled by what the heist revealed about Bybit’s safety protocols. The losses were “completely preventable,” one security firm wrote in an analysis of the breach, arguing that it “should not have happened.”
Safe’s storage tool is widely used in the crypto industry. But it is better suited to crypto hobbyists than exchanges handling billions in customer deposits, said Charles Guillemet, an executive at Ledger, a French crypto security firm that offers a storage system designed for companies.
“This really needs to change,” he said. “It’s not an acceptable situation in 2025.”
At Bybit, the hack set off a frantic 48 hours. The company oversees as much as $20 billion in customer deposits but did not have enough Ether on hand to cover the losses from the $1.5 billion heist. Mr. Zhou, 38, raced to keep the business afloat by borrowing from other firms and drawing on corporate reserves to meet a surge of withdrawal requests. On social media, he seemed surprisingly relaxed, announcing a few hours after the theft that his stress levels were “not too bad.”
As the crisis unfolded, the price of Bitcoin, a bellwether for the industry, plunged 20 percent. It was the steepest drop since the 2022 failure of FTX, the exchange run by the disgraced mogul Sam Bankman-Fried.
In an interview this week, Mr. Zhou acknowledged that Bybit had advance warning about possible problems with Safe. Three or four months before the hack, he said, the company noticed the software was not fully compatible with one of its other security services.
“We should have upgraded and moved away from Safe,” Mr. Zhou said. “We’re definitely looking to do that now.”
Rahul Rumalla, Safe’s chief product officer, said in a statement that his team had created new security features to protect users and that Safe’s products were “the treasury backbone for some of the largest organizations in the space.”
“Our job is not just to fix what happened,” Mr. Rumalla said, “but to ensure the entire space learns from it, so this doesn’t happen again.”
Founded in 2018, Bybit operates as a crypto marketplace, where day traders and professional investors can convert their dollars or euros into Bitcoin and Ether. Many investors treat exchanges like Bybit as informal banks, where they deposit crypto holdings for safekeeping.
By some estimates, Bybit is the world’s second-largest crypto exchange, processing tens of billions of dollars every day. Based in Dubai, it does not offer services to customers in the United States.
On Feb. 21, Mr. Zhou was at home in Singapore, finishing up some work, he said in the interview.
But first, he and two other executives needed to sign off on a transfer of cryptocurrencies from one account to another. These routine transfers are supposed to be secure: No single person at Bybit can execute them, creating multiple layers of protection from thieves.
Behind the scenes, however, a group of hackers had already broken into Safe’s system, according to Bybit’s audit of the hack. They had compromised a computer belonging to a Safe developer, a person with knowledge of the matter said, enabling them to plant malicious code to manipulate transactions.
A link sent via Safe invited Mr. Zhou to approve the transfer. It was a ruse. When he signed off, the hackers seized control of the account and stole $1.5 billion in crypto.
The sudden outflows showed up on the blockchain, a public ledger of crypto transactions. Crypto analysts quickly identified the culprit as the Lazarus Group, a hacking syndicate backed by the North Korean government.
That night, Mr. Zhou went to Bybit’s Singapore office to manage the crisis. He announced the hack on social media and started a crisis protocol known at the company as P-1, pressing a button to wake up every member of the leadership team.
Around 1 a.m., Mr. Zhou appeared on a livestream on X, swigging a Red Bull. He promised customers that Bybit was still solvent.
“Even if this hack loss is not recovered, all of clients assets are 1 to 1 backed,” he said in a post. “We can cover the loss.”
Those assurances were not enough. Within hours, Mr. Zhou said, about half the digital currencies deposited on the platform, or close to $10 billion, had been withdrawn. The crypto market plunged.
To limit the damage, other crypto companies offered to help. Gracy Chen, the chief executive of a rival exchange, Bitget, lent Bybit 40,000 in Ether, or roughly $100 million, without requesting any interest or even collateral.
“We never questioned their ability to pay us back,” Ms. Chen said.
Between crisis meetings, Mr. Zhou provided a running commentary on X. He shared screenshots from a health app, showing his stress levels were surprisingly normal.
“Too focused commanding all the meetings. Forgot to stress,” he wrote. “I think it will come soon when i start to really grasp the concept of losing $1.5B.”
After looting Bybit, the North Korean hackers spread the stolen funds across a vast web of online crypto wallets, a money-laundering strategy that they had also employed after other heists.
“Lazarus Group is on another level,” Haseeb Qureshi, a venture investor, wrote on X after the theft.
Security experts blamed Bybit for putting itself at risk. To authorize the routine transfer that led to the hack, Mr. Zhou said, he used a hardware tool designed by Ledger, the crypto security firm. The device was not in sync with Safe, he said. So he could not use the tool to check the full details of the transaction he was approving, always a risky practice in the crypto world.
“Safe just does not give you the kinds of controls that you would want if you’re going to be frequently making operational transfers,” said Riad Wahby, a computer engineering professor at Carnegie Mellon University and a co-founder of the digital security firm Cubist.
Mr. Zhou said he wished he had taken action sooner to bolster Bybit’s defenses. “There’s a lot of regrets now,” he said. “I should have paid more attention on this area.”
Still, Bybit continued operating after the hack, processing all the withdrawals within 12 hours, Mr. Zhou said. Not long after the breach, he announced on X that the company was moving around another $3 billion in crypto.
“This is planned manoeuvre, FYI,” he wrote. “We are not hacked this time.”
The post A $1.5 Billion Hack: How the Biggest Crypto Heist in History Went Down appeared first on New York Times.