
Bybit Only Has Itself to Blame

by menaskop, February 24th, 2025

Too Long; Didn't Read

The Bybit hack is 99% the result of the CEX team’s negligence and only 1% the skill of the hackers, writes Andrew Kuchins. The media has flipped the narrative: they emphasize that the attack was allegedly carried out by the Lazarus group, despite there being no concrete proof. The security team is either nonexistent or completely ineffective, he says.


TL;DR

I am shocked, appalled, and frustrated by how easily concepts can be distorted in the 21st century. The Bybit hack is 99% the result of the CEX team’s negligence and only 1% the skill of the hackers.


Yet, the media has flipped the narrative: they emphasize that the attack was allegedly carried out by the Lazarus group, despite there being no concrete proof (apart from unverified claims by zachxbt and Arkham).


Below, I present my perspective based on facts to preserve them—since this incident will undoubtedly go down in history.

Fact #1: There Was No Hack

If we clearly distinguish between hack, social engineering, and targeted attack, it becomes evident that no actual hack occurred. Let me quote:


“There was no code exploit. No leaked private keys. Bybit’s own multisig signers approved the transactions. They thought they were signing a routine transfer. Instead, they were handing over their entire cold wallet.”


So what really happened?

  • Bybit’s security team was incompetent.
  • They ignored the Radiant attack, which had identical attack vectors.
  • They attempted to shift the blame onto Safe, other companies, and "evil hackers."


Arkham and Bybit were so focused on the third point that they failed to provide any real evidence.

Fact #2: Visualization Replaces Reality

Almost immediately, Arkham released a visual tracker displaying all transactions related to the "hack": Arkham Explorer.


The problem? This visualization distracts from the real issue:

  • Bybit made three unforgivable mistakes, meaning similar “hacks” may have occurred before, just on a smaller scale.
  • Without comparing past incidents, we cannot fully understand the scope of the issue.

Fact #3: Lazarus is a Convenient Scapegoat

Think about it:

  • The CEO (who is the final signer) failed to verify transactions.
  • The security team is either nonexistent or completely ineffective.
  • A similar attack had already happened, and they ignored the warning signs.
  • And now they conveniently pin it all on Lazarus?


Does it even matter who is on the "Dark Side" in this case? The answer may not be obvious, but no—it does not.

Initial Takeaways

Many praise Bybit for "not blocking withdrawals," but this is not an act of goodwill—it is their obligation. Funds on a CEX belong to users, not the exchange.


Meanwhile, Bybit cleverly shifted blame onto Safe, forcing them to issue a public statement clarifying that no exploits were detected: Safe Statement.


Then, Bybit latched onto the Lazarus narrative, announcing plans to involve law enforcement—while conveniently omitting the fact that the first investigation should focus on their own internal negligence.

My Argument

I find it suspicious how quickly the Lazarus group was introduced into this story. It’s either:

  1. A highly sophisticated entity that operates flawlessly without leaving a trace.
  2. Or a group that "everyone sees and knows about," yet it somehow continues to function in secrecy.


The second scenario seems highly unlikely.


But most importantly, let’s be honest:

  • Bybit is 99% responsible for this "hack" due to its failure to maintain internal and external security and its refusal to learn from past attacks.
  • Bybit falsely implicated other Web3 companies in this attack without presenting any evidence.
  • Bybit continues to distort facts, portraying this as a hack instead of sheer negligence.


I don’t use Bybit or any other CEX because I believe decentralization is the best form of security. But I also refuse to let the media create a false narrative—one where Bybit is the victim, Web3 services are to blame, and "evil hackers" are the sole culprits.


Bybit is the only proven guilty party in this incident. Everyone else’s role remains to be either proven or debunked.


(And remember, Mt. Gox also talked a lot but never really delivered anything substantial.)