
Crypto Exchange Hack Communications: The First 6 Hours Playbook (Post-Bybit)

After the $1.5B Bybit breach reset the benchmark for exchange hack response, every CEX needs a comms plan running parallel to technical containment. Here's the minute-by-minute playbook.


On February 21, 2025, the clock started ticking at 14:13 UTC. That's when hackers exploited a UI vulnerability in Bybit's Safe multisig cold wallet, redirected a routine transfer, and began moving funds across 39 addresses. By the time most people heard about it, the largest crypto theft in history was already unfolding in real time: on-chain, in public, and completely irreversible.

What happened next became the new benchmark for exchange hack communications. Ben Zhou's response stood out for its speed and transparency. Less than 30 minutes after the attack, he published an initial communication on X. An hour later, he launched a two-hour livestream to explain the situation in real time.

Most incident response guides for crypto focus on the forensics layer: wallet isolation, blockchain tracing, attacker attribution. That coverage is abundant. What is consistently missing is the communications layer, sequenced and operationalized for the people who have to speak while engineers are still figuring out what happened. This playbook is for them.

Why the First Six Hours Are Different in Crypto

Unlike traditional financial systems, the crypto ecosystem's decentralized structure and irreversible transactions leave no room for error. Once assets are moved, they are gone, often within minutes.

That physics shapes everything about your comms posture. In a conventional corporate breach, you have hours or days before the public knows. In crypto, a protocol might only find out it was hacked after funds are gone or from third-party reports on social media. ZachXBT attributed the Bybit attack to Lazarus Group before Bybit's own forensic partners had completed their analysis.

This means your communications plan cannot wait for certainty. It has to run in parallel with the technical response, and it has to be built before anything goes wrong.

A delayed statement can be just as damaging as the breach itself. That is the operating principle for everything that follows.

Before the Breach: What Has to Be Pre-Built

The Bybit response did not succeed because Zhou improvised well under pressure. It succeeded because the infrastructure for transparency was already in place. Bybit's response was built on months of preparation. The proof-of-reserves audits with Hacken were not a last-minute reaction but a long-term commitment to transparency and financial resilience. This foresight acted as a critical backstop, preventing panic-driven withdrawals and reinforcing trust when it mattered most.

Before you ever face a breach, your comms infrastructure should include:

A single designated spokesperson. Engineers discuss facts and hypotheses in the war room; only one designated person talks to the public. Decide this now, not at 2am during an active incident.

Pre-approved holding statements. Draft three versions: one for a suspected breach before confirmation, one for a confirmed breach with scope unknown, and one for a confirmed breach with scope quantified. Legal review them in advance. You need to be able to publish in under 30 minutes.

An analytics partner on retainer. The chances of recovery increase the earlier you engage incident response. In situations where the victim had already engaged analytics partners prior to the incident, the main reason funds can be recovered fast is that onboarding was already complete. Onboarding new customers takes time and it is best to tackle that process before a crisis strikes.

Verified regulatory notification contacts. Know exactly who you call at your NCA, at FinCEN, and at the SEC before an incident occurs. Have those contacts in a secure, offline document your comms lead can access instantly.

A proof-of-reserves relationship. Bybit's long-term commitment to PoR audits, well before the security breach, demonstrates that transparency is not just a reaction to crises; it is a core principle. An exchange that commissions its first PoR audit after a hack looks defensive. An exchange with months of published audits can point to a track record.

The Six-Hour Sequence

Minutes 0-30: Internal War Room, External Silence

The breach is detected. Everything in the first 30 minutes is internal.

Establish encrypted, out-of-band communication channels for the security team to coordinate without alerting attackers. This matters: public channels can tip attackers that they have been detected, accelerating the pace of fund movement.

Simultaneously, your comms lead should be in that war room, not waiting for a briefing later. Their job in this window is to gather three things: (1) what is confirmed vs. suspected, (2) whether customer funds are at risk, and (3) a rough scope estimate, even if it is a wide range.

Effective response includes on-chain evidence capture, coordinated communication, and fast engagement with exchanges, stablecoin issuers, and bridge operators. Your analytics partner notification goes out in this window, not after.

Minutes 30-60: First Public Statement

At the 30-minute mark, Bybit published. That pace is now the standard your community will expect.

Your first public statement does not need to be complete. It needs to be accurate and it needs to address the three questions every customer is asking: Are my funds safe? Can I withdraw? What are you doing about it?

Zhou assured clients in an X post that all client assets were 1:1 backed. On February 21 and 22, he made a series of X posts keeping stakeholders informed about how the exchange was responding. Consistent communication on his part made investors feel reassured.

The tone matters as much as the content. Zhou stressed that the exchange was functional despite the hack and that the whole team was working to handle the crisis. His communication was natural and reflected sincerity. Institutional language under these circumstances reads as evasion. Plain language reads as leadership.

Post simultaneously across X, your official blog, and any exchange status page. Your Discord or Telegram community will be watching all three.

Hours 1-2: Analytics Partner Notifications and Freeze Requests

While the CEO is communicating publicly, your ops team should be executing the freeze network in parallel.

Time-sensitive communication with cryptocurrency exchanges and service providers can mean the difference between asset recovery and permanent loss. Major exchanges maintain specialized teams for freeze requests, but they require specific information and proper channels. Prepare a standardized breach notification package including the list of compromised addresses with blockchain transaction evidence.

Coordinated exchange freezes initiated within two hours of a breach successfully froze assets in approximately 31% of cases where stolen funds reached centralized platforms. That window closes fast.

Do not limit notifications to exchanges. Stablecoin issuers like Circle (USDC) and Tether (USDT) have blacklisting capabilities that can freeze compromised stablecoins even after they have moved through multiple addresses. Tether froze $181,000 USDT linked to the Bybit hack within roughly 24 hours of the incident.

Your Chainalysis or TRM Labs contact should be receiving your attacker wallet addresses in this window and beginning the attribution process. Once an incident report comes in, Chainalysis immediately begins tracing the stolen cryptocurrency funds and labels any addresses holding them as associated with crypto theft, so that all users see the funds are illicit and bad actors have a more difficult time cashing out.

TRM Labs' Beacon Network is particularly valuable here. If stolen funds arrive at a member exchange or payment provider, the network triggers an instant notification, allowing the platform to freeze or review the deposit before withdrawal.

Hours 2-4: Regulator Notifications

This is the window most teams miss. Technical response is consuming everyone's attention. Regulatory obligations are quietly expiring.

MiCA (EU): CASPs must actively maintain ongoing compliance with MiCA requirements, including prompt reporting of security incidents and maintaining comprehensive documentation of all compliance activities. If you are operating in the EU or serving EU customers, your National Competent Authority notification cannot wait until the post-mortem. MiCA requires a clear incident reporting procedure for security breaches, compliance violations, and complaints.

SEC (US-listed entities): Under the SEC's rules, Item 1.05 of Form 8-K generally requires public companies in the United States to disclose material cybersecurity incidents within four business days of determining that the incident is material. Note that the four-day clock starts from the materiality determination, not from detection. Your general counsel needs to make that determination on a documented timeline, because companies must make the materiality determination without unreasonable delay, and amend if key details are not yet available at the initial filing.

FinCEN (US): FinCEN expects prompt filing of Suspicious Activity Reports (SARs) for cryptocurrency thefts exceeding $5,000.

VASP jurisdictions: If you are operating under a Dubai VASP license, Singapore MAS regulation, or similar framework, check your specific incident reporting obligations now, not during an active incident.

Assign a dedicated person to track regulatory notification deadlines in real time. This person's only job during the incident is the compliance calendar.

Hours 4-5: Updated Customer Communication and PoR Narrative

Two to four hours after your initial statement, you need an update. Community sentiment will have been moving the whole time. The narrative vacuum you leave will be filled by blockchain analysts, Twitter threads, and speculation.

This is also when the proof-of-reserves narrative becomes operational. A proof-of-reserves audit confirmed that Bybit had successfully restored its reserves, verifying that all major assets, including bitcoin, ether, solana, tether and USDC, exceeded a 100% collateralization ratio. Bybit was able to point to pre-existing PoR infrastructure immediately, which gave the solvency claim verifiable weight rather than sounding like a defensive assertion.

Your updated statement should address: current scope (even if preliminary), the status of withdrawals, what analytics partners are engaged, whether you have identified the attack vector (even partially), and when your next update will be.

Uninterrupted withdrawals, continued availability of Bybit's products and services, and constant access to support allayed depositors' fears. Within 12 hours after the hack was discovered, the exchange had processed over 350,000 withdrawal requests. If your platform can maintain withdrawal operations, say so explicitly and repeatedly. Nothing stops a bank run faster than evidence that the door is actually open.

Hours 5-6: Media and Ecosystem Coordination

By hour five, tier-1 crypto media will be running the story whether you have briefed them or not. Your comms team's job now shifts to shaping that coverage rather than being subject to it.

Do not issue a press release. Offer embargoed briefings to two or three key reporters: CoinDesk, The Block, and Cointelegraph are the obvious targets given their exchange coverage depth. Give them access to your analytics partner's preliminary findings, your PoR status, and your spokesperson for on-record quotes. In exchange, you get a few hours of coordinated coverage rather than chaotic speculation.

The analytics disclosure is important here. Elliptic labelled the attacker's addresses in their software to help prevent the stolen funds from being cashed out through any other exchanges. Coordinating with analytics firms on what gets disclosed and when gives you narrative control over the attribution story. If Lazarus Group is the attacker, you want that attribution coming through a credible third-party source simultaneously with your own statement, not hours later as a contradicting headline.

This also matters for regulatory purposes. An exchange that is transparently cooperating with analytics firms and proactively sharing intelligence reads very differently to regulators than one that only discloses under pressure.

The Proof-of-Reserves Narrative: Its Own Layer

This deserves special treatment because it is the fulcrum of the entire trust dynamic.

Many exchanges have collapsed due to financial mismanagement. PoR audits ensure an exchange holds enough assets to cover liabilities, providing verifiable proof of solvency.

In a hack scenario, the community's first fear is not just "were funds stolen" but "can this exchange cover what was stolen." The answer to that question, delivered credibly and quickly, is what determines whether you face a bank run or a controlled outflow.

Bybit announced it had conducted a fresh audit and restored its reserve to a 1:1 ratio within 72 hours. "Bybit fully backs all customer assets entrusted to our platform, maintaining a dynamic ratio of over 1:1," said Ben Zhou.

The key phrase in that sequence is "conducted a fresh audit." Not "we believe we are solvent." Not "management estimates." A fresh, independent, third-party audit. That distinction is the difference between a statement and a proof.

If you do not have an existing PoR relationship, your immediate post-hack audit will look reactive. It will still help, but it will not carry the same weight as a series of audits published before anything went wrong. Unlike exchanges that implement PoR after facing issues, Bybit integrated it proactively, strengthening user trust and market stability.

The communication sequence around PoR should follow this structure: first, assert solvency with specifics. Second, name the auditor and timeline. Third, link to the verifiable on-chain data. Fourth, repeat at every subsequent update until the audit is published.

What Bybit Did Right (and What Most Exchanges Would Get Wrong)

The Bybit response was not perfect. The technical breach itself was severe. But on the communications layer, several things went well that most exchanges would not replicate.

Bybit's immediate and public sharing of investigation details and establishment of advisory councils provided clear reassurances for users. Bybit's openness about the breach helped prevent panic and speculation among participants.

The CEO went on a live AMA with Crypto Town Hall within hours, answering questions in real time. That is a level of accessibility most comms teams would advise against, and it was exactly right for the moment. In Web3, founders who go quiet during a crisis are assumed to be hiding something. Founders who show up, even with incomplete information, demonstrate accountability.

Most exchanges would fail on at least one of these points: they would wait too long for the first statement, issue corporate-speak instead of plain language, not have analytics partners engaged within the first hour, and have no PoR infrastructure to point to.

The ones that get it right will not just survive the hack. Like Bybit, they may come out with their reputation strengthened. Far from destroying trust, this crisis demonstrated Bybit's maturity and Ben Zhou's leadership in a sector still often perceived as risky.

The Comms Checklist: First Six Hours

Minutes 0-30:
- Internal war room active; comms lead present
- Analytics partner (Chainalysis/TRM/Elliptic) notified with attacker addresses
- Holding statement drafted and in legal review

Minutes 30-60:
- First public statement live on X, blog, and status page
- Solvency and withdrawal status addressed explicitly
- CEO or designated spokesperson named as single voice

Hours 1-2:
- Freeze request packages sent to major exchanges
- Stablecoin issuer notifications (Tether, Circle) sent
- TRM Beacon or Chainalysis CIR formally engaged

Hours 2-4:
- MiCA NCA notification initiated (EU operations)
- SEC materiality determination documented (US-listed entities)
- FinCEN SAR timeline confirmed with legal
- PoR auditor contacted for emergency audit engagement

Hours 4-5:
- Updated customer communication published with preliminary scope
- Withdrawal status and support channels explicitly stated
- Next update time committed publicly

Hours 5-6:
- Embargoed media briefings to tier-1 crypto journalists
- Analytics attribution coordinated for simultaneous disclosure
- Regulatory notification documentation confirmed and filed
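To make the compliance calendar from the regulator section and the checklist above concrete, here is an added Python example (not code from the original post or from Bybit) that turns the six-hour checkpoints into a tracker and computes the Item 1.05 Form 8-K deadline from the materiality determination rather than from detection. The detection time is the Bybit timestamp from the article; the materiality-determination time is a constructed value, and holiday handling is deliberately omitted (an assumption a real calendar must fix).

```python
from datetime import datetime, timedelta, timezone

# Six-hour comms checkpoints from the playbook, as offsets from detection.
CHECKPOINTS = [
    (timedelta(minutes=30), "first public statement live on X, blog, status page"),
    (timedelta(hours=2), "freeze packages and stablecoin issuer notices sent"),
    (timedelta(hours=4), "regulator notifications initiated, materiality documented"),
    (timedelta(hours=5), "updated customer communication with preliminary scope"),
    (timedelta(hours=6), "embargoed media briefings and attribution coordinated"),
]


def add_business_days(start, days):
    """Advance start by the given number of weekdays (Mon-Fri).
    Assumption: no holiday calendar; a real tracker must add one."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def sec_8k_deadline(materiality_determined_at):
    """Item 1.05 Form 8-K: four business days from the materiality
    determination, not from detection."""
    return add_business_days(materiality_determined_at, 4)


def comms_schedule(detected_at):
    """Absolute due time for each checkpoint."""
    return [(detected_at + offset, label) for offset, label in CHECKPOINTS]


def overdue_items(detected_at, now, done):
    """Checkpoints already due whose label is not in the completed set."""
    return [label for due, label in comms_schedule(detected_at)
            if now >= due and label not in done]


if __name__ == "__main__":
    # Bybit detection time from the article; materiality time is constructed.
    detected = datetime(2025, 2, 21, 14, 13, tzinfo=timezone.utc)
    materiality = datetime(2025, 2, 24, 9, 0, tzinfo=timezone.utc)
    for due, label in comms_schedule(detected):
        print(due.strftime("%Y-%m-%d %H:%M UTC"), label)
    print("8-K deadline from materiality:", sec_8k_deadline(materiality))
    print("8-K deadline if wrongly counted from detection:", sec_8k_deadline(detected))
    done = {CHECKPOINTS[0][1]}
    now = detected + timedelta(hours=2, minutes=7)
    print("overdue at T+2h07m:", overdue_items(detected, now, done))
```

Run it with different materiality times to see how a weekend between detection and determination moves the filing deadline.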

The six-hour window does not determine whether you recover the funds. It determines whether you recover the trust. And in a sector where trust is the only durable product, that is the more important outcome to optimize for.

The exchanges that will define the next chapter of this industry are not the ones that never get hacked. They are the ones that respond like they prepared for it.
