On the night of Feb. 21, Ben Zhou, the chief executive of the cryptocurrency exchange Bybit, logged on to his computer to approve a routine transaction. His company was moving a large amount of Ether, a popular digital currency, from one account to another.
Thirty minutes later, Mr. Zhou got a call from Bybit’s chief financial officer. In a trembling voice, the executive told Mr. Zhou that their system had been hacked.
“All of the Ethereum is gone,” he said.
When Mr. Zhou approved the transaction, he had inadvertently handed control of an account to hackers backed by the North Korean government, according to the F.B.I. They stole $1.5 billion in cryptocurrencies, the largest heist in the industry’s history.
To pull off the astounding breach, the hackers exploited a simple flaw in Bybit’s security: its reliance on a free software product. They penetrated Bybit by manipulating a publicly available system that the exchange used to safeguard hundreds of millions of dollars in customer deposits. For years, Bybit had relied on the storage software, developed by a technology provider called Safe, even as other security firms sold more specialized tools for businesses.
The hack sent crypto markets into a free fall and undermined confidence in the industry at a crucial time. Under the crypto-friendly Trump administration, industry executives are lobbying for new U.S. laws and regulations that would make it easier for people to pour their savings into digital currencies. On Friday, the White House is scheduled to host a “crypto summit” with President Trump and top industry officials.
Crypto security experts said they were troubled by what the heist revealed about Bybit’s safety protocols. The losses were “completely preventable,” one security firm wrote in an analysis of the breach, arguing that it “should not have happened.”
Safe’s storage tool is widely used in the crypto industry. But it is better suited to crypto hobbyists than exchanges handling billions in customer deposits, said Charles Guillemet, an executive at Ledger, a French crypto security firm that offers a storage system designed for companies.
“The company is not just our creations,” he said. “In the future, we should make sure we have the right tools, so we can prevent something like this happening again.”
At Bybit, the hack set off a frantic 48 hours. The company oversees as much as $20 billion in customer deposits but did not have enough Ether on hand to cover the losses from the $1.5 billion heist. Mr. Zhou, 38, raced to keep the business afloat by borrowing from other firms and drawing on corporate reserves to meet a surge of withdrawal requests. On social media, he seemed surprisingly relaxed, announcing a few hours after the theft that his stress levels were “not too bad.”
As the crisis unfolded, the price of Bitcoin, a bellwether for the industry, plunged 20 percent. It was the steepest drop since the 2022 failure of FTX, the exchange run by the disgraced mogul Sam Bankman-Fried.
Source link
