What's Happening at Bybit?

The largest crypto hack in history brings rain to Coinbase's parade.

Feb 24, 2025

Bybit Hit by Crypto's Worst Hack With Almost $1.5 Billion Stolen - Bloomberg — Source: Bloomberg

I started Brogan Law to provide top quality legal services to individuals and entities with questions related to cryptocurrency. Cryptocurrency law is still new, and our clients recognize the value of a nimble and energetic law firm that shares their startup mentality. To help my clients maintain a strong strategic posture, this newsletter discusses topics in law that are relevant to the cryptocurrency industry. While this letter touches on legal issues, nothing here is legal advice. For any inquiries email aaron@broganlaw.xyz.

Meet Me in Denver

I’m going to be at ETHDenver this week Wednesday-Sunday. I’ve spoken to many of you already about this, but I’d love to meet up with anyone else who is there. If you’re around, pick a time out here and let's get something on the calendar. If you know someone else who might want to meet, feel free to pass this along to them.

What’s Going on at Bybit Right Now?

I was in Philadelphia at the Penn Blockchain Conference and Coinbase was mid-celebration when the news emerged that the cryptocurrency exchange Bybit had been hacked. According to reports from the firm Arkham, the Lazarus Group, a hacker arm of the North Korean government, was responsible. While details remain speculative, it seems that the group manipulated a user interface to trick Bybit employees into signing a transaction to transfer $1.5 billion in ETH from a “cold storage” device and out of the company.1

In the aftermath, asset values declined (although some noted that this stolen ETH would remain illiquid, while Bybit would have to buy ETH to honor withdrawals, so pressure may go the other way), and Bybit signalled publicly that (i) it was solvent and (ii) that it was processing withdrawals as quickly as possible.

It should be obvious that if you are an asset custodian experiencing a hack you cannot say that you are insolvent (because then you will quickly be a dead asset custodian) or say nothing (for the same reason), so we shouldn’t read too much into this statement. Nobody knows what is behind the curtain at Bybit right now. The best case scenario is that the exchange had liquid assets, in-kind, sufficient to cover the loss—I rate this as extremely unlikely. The worst case scenario is that they held only a fraction of deposits as assets on platform, and are moments from bankruptcy. At this point, that seems unlikely too.

In 2022 I was a BigLaw associate and I worked closely on some of the major crypto bankruptcies that spiraled through that year. So while we cannot know exactly what is happening at Bybit, I have seen exchanges respond to giant holes in their balance sheets up close before. I have a good sense of the range of things that might be going on behind the scenes.

This is not legal advice, but in my view, if you still have assets on the Bybit platform, it might be a good idea to withdraw them.

The ‘22 bankruptcies were precipitated by the collapse of Terra Luna. In the course of three days, LUNA and the algorithmic stablecoin UST fell from a combined market cap of nearly $40 billion to near zero. This remarkable vaporization of capital caused many token holders to lose a great deal of money.

Exchanges are essential short term borrowers of assets from their users. Users sign up and deposit some asset, and the exchange owes that asset back in kind. It generally doesn’t owe the dollar value of the asset.2 So when Terra Luna went to zero, the dollar value of the exchange's balance sheet changed, but the in-kind denominated liabilities did not. In fact, if an exchange is not holding one-to-one collateral, this kind of collapse might actually be good for its bottom line because it can purchase assets to repay its customers more cheaply.

In 2022, however, it turned out that the hedge fund Three Arrows Capital (3AC) had a lot of exposure to Terra Luna, and so that firm all of sudden found itself with a large dollar denominated hole in its balance sheet. Unlike exchanges, which have in-kind liabilities, 3AC had liabilities denominated in different assets, like Bitcoin or USDC. This was a problem.

3AC became insolvent, its founders went on the lam, and then it went bankrupt. This, in turn, created problems for the exchanges, because while their liabilities were denominated in-kind, they had lent their assets out to 3AC.

Those assets were gone, and all of the sudden, many firms found they had large holes in their balance sheets too. One by one over that year, they died. This process had a self-reinforcing effect because many of these exchanges held assets or had extended loans to each other, and each bankruptcy froze those assets, deepening the contagion.

There are positive signs that this same fate will not befall Bybit. On Friday, it fought back a bank run that saw $4 billion in assets drawn down in the course of less than a day—apparently covering more than 50% of its total deposits. This suggests that the exchange was highly liquid behind the scenes.

Before I worked with exchanges, I imagined the backend as some automated machine. Users made withdrawals and the system credited their wallets—ta da! That may be how it works on a small scale, but on the large scale it is likely managed manually. Humans at Bybit spent a day running around identifying assets and transferring them into the correct places so that they could be sent out to depositors. Successfully managing this across half of the platform's entire balance sheet is remarkable.

Bybit has said that it plans to use loans to backfill the ETH hole, rather than attempting to make market purchases—the fact that it is able to secure financing strongly suggests that it has unencumbered capital on hand to post. No sane lender would throw assets into the meat-shredder unsecured, and the exchange could not use customer assets as collateral, so the only plausible road to credit goes through some reserve assets. Still, it is unclear who lent them assets or on what terms.

And there remains an open question of how much strain a system like this can take before it fails. Mr. Zhou weathered a storm, but could the exchange have continued to honor deposits down to zero, or would it have failed if the run continued for another hour? From the outside, it is impossible to know.

An exchange is not a bank, but it does banklike things. While the Bybit terms of service is unambiguous that it does not issue deposits, It essentially does—it makes a promise to return some asset in kind whenever a depositor asks.

Banks are made much more dangerous, however, by the practice of lending out depositor assets. While a demand deposit is available immediately, even a callable loan will take a few days or a week to return—this is why the practice of borrowing short and lending long has always been a recipe for death.

From Bybit’s terms of service, it seems not to have done this—at least not explicitly. It does maintain a voluntary lending program, but it seems to be administered on an account-by-account basis, nothing like the massive rewards programs of ‘22. If they really did maintain all customer assets in trust, only earning income through transaction fees, then the exchange may now be relatively safe. Particularly if they also had the reserve that some are claiming.

But I would still move my assets if they were on Bybit.

Here is the other thing I learned working on the crypto bankruptcies in 2022—it is impossible to know from the outside what is happening on the inside. Bybit custodies a vast pile of assets. They had an incredible incentive every day to earn some return on those assets. To maintain not only that, but also a multi-billion dollar pile of on-hand liquid reserves would mean forfeiting tens to hundreds of millions of dollars of profits annually. That is hard to do.

From my view, Mr. Zhou and Bybit have done everything right since the hack, but a hole is a hole. ByBit lost some $1.5 billion in assets. Our prior should be that the most likely outcome is that this kills Bybit, and whatever assets are there when it dies will be stuck in the bankruptcy morass indefinitely. This fact means that there could be another bank run at any moment.

I remain nervous.

Coinbase Wins(?)

So the SEC dropped its case against CoinBase. This has been massively feted across the media. I have to be honest with you all though, this one leaves me cold.

Remember, I told you this was The Big One—that Coinbase’s appeal set the stage for one of the most important issues in crypto to be determined definitively. The issue Judge Katherine Polk Failla certified was whether secondary market transactions in cryptocurrency were “securities.” If Coinbase had won, then nothing but legislation could have undone the victory.

And everything was set up for crypto to win! The 2nd Circuit may have ruled against Coinbase, but the Supreme Court could then have taken up the case. Even if the Supreme Court didn’t grant certiorari this time, the same issue could have come up in the 5th Circuit, and a circuit split would have led all the way to the top.

And I think the most likely outcome at the Supreme Court was a win for crypto. The current court is skeptical of administrative authority. We could have had it all! And instead, now, none of it. A case closed and a question mark left hanging.

I wrote in November that crypto had won an opportunity in the 2024 election. “From now until January 20, 2029 we have to push the pedal to the floor—to ensure that whoever comes next at the SEC can never disempower the industry again.” That is not what this voluntary dismissal does!

Whoever comes next at the SEC can easily reverse course and bring a similar set of lawsuits again. For the industry, nothing has changed. When the memecoin bubble finally bursts catastrophically, will our allies in the Trump administration stick by us? Do you look to Don Jr. for loyalty? I would prefer to never have to answer that question, and that safety takes hard law to win—not voluntary dismissals.

Kvetching aside, Coinbase does deserve massive plaudits for its success in litigation. It is hardly one firm’s responsibility to pay for an entire industry’s litigation and take on all the risk of failure. I don’t have a moral right to free-ride. This is obviously a massive victory from Coinbase’s perspective.

I am constantly amazed by the strength of Paul Grewal’s legal strategy and execution. Coinbase’s legal department has won victory after victory over the last twelve months, and it appears to me to stem from remarkable organizational talent and savvy. Crypto is rarely on the side of the angels in these courtrooms, so to build a broad portfolio of meaningful litigation and win over and over is truly a sight to behold.

The courtrooms were always going to be an uphill battle for our industry. Now, the Trump administration means that we have friendlier regulators to work with, but also no more opportunities to definitively win our industries right to exist. That means the space this created should go whole hog into our regulatory and legislative agenda instead. Speaking of which.

Hester Peirce Keeps Pressin’ On

In another endearingly named statement “There Must be Some Way Out of Here”, Commissioner Peirce continues to solicit comment on a number of different potential paths for SEC action (or inaction).

The list includes 48 wide-ranging open questions to the industry. There is some real wonk in here stuff like:

“The Commission recently adopted rule amendments to shorten the standard settlement cycle for most broker-dealer transactions from “T+2” to “T+1,” subject to certain exceptions. Tokenization is often characterized as an innovation that facilitates instant or simultaneous settlement (“atomic settlement”) if all parts of a transaction are executed and settled on the same blockchain. What are the benefits of atomic settlement, and what are the risks? Should the Commission consider taking any actions that would encourage adoption of atomic settlement?”
“Does execution in offchain order books or on blockchain networks pose complexities for broker-dealers in satisfying any applicable best execution obligations? Does onchain execution pose complexities for broker-dealers in satisfying their best execution obligations, given onchain complexities such as transaction ordering and block construction? Should any rules, guidelines, or disclosures be modified to address broker-dealer execution reasonably available under the circumstances in offchain and onchain trading environments?”

Obviously, we can’t go through this all here. But I encourage you and read them and think about which you and your firms are best suited to answer. This is an incredibly rare example of genuine regulatory engagement which it is totally plausible to never see again.

I’ve worked in federal, state, and municipal government, and most public servants in my experience are honest people who deeply care about doing good with their lives. Still, it is exhausting to be the nexus of an entire population's frustration. Genuine, good faith engagement with industry on hard questions is incredibly taxing.

So I know I applauded Commissioner Peirce last week, but I think that what the Crypto Task Force is doing here is incredibly meritorious. The “crypto-mom” sobriquet has become overpoweringly cheugy, but Commissioner Peirce deserves all the admiration she gets and more.

Until next week.

Brogan Law is a registered law firm in New York. Its address and contact information can be found at https://broganlaw.xyz/

Brogan Law provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.

If only they had been using Pocket Universe.

Unless the exchange goes bankrupt, in which case it might.