Online Trading Starts Here
EN /brokers/crypto/view/bybit/bybit-hack-2025/
AR Arabic
AZ Azerbaijan
CS Czech
DA Danish
DE Deutsche
EL Greek
EN English
ES Spanish
ET Estonian
FI Finnish
FR French
HE Hebrew
HI Hindi
HU Hungarian
HY Armenian
IND Indonesian
IT Italian
JA Japan
KK Kazakh
KM Khmer
KO Korean
MS Melayu
NB Norwegian
NL Dutch
PL Polish
PT Portuguese
RO Romanian
... Русский
SQ Albanian
SV Swedish
TG Tajik
TH Thai
TL Tagalog
TR Turkish
UA Ukrainian
UR Urdu
UZ Uzbek
VI Vietnamese
ZH Chinese
Menu
Advertiser Disclosure

The Bybit Hack Of 2025: Timeline, Analysis, And Lessons Learned

Aleksandra Chaikina
Written by:
Aleksandra Chaikina
Dan Blystone
Reviewed by:
Dan Blystone
Chinmay Soni
Fact-checked by:
Chinmay Soni
Updated:
December 23, 2025
flag
Bybit isn't available in US
Bybit REVIEW

Editorial Note: While we adhere to strict Editorial Integrity, this post may contain references to products from our partners. Here's an explanation for How We Make Money. None of the data and information on this webpage constitutes investment advice according to our Disclaimer.

The Bybit hack in February 2025 led to the theft of more than 401,000 ETH, worth about $1.5 billion, after attackers exploited a flaw in a third-party wallet. Investigators linked the attack to the Lazarus Group tied to North Korea, making it the largest crypto hack to date. Bybit has since rebuilt its security and restored platform stability.

In February 2025, a major breach at Bybit became one of the defining moments in crypto history. The scale of the breach and the speed of the attackers turned the crypto hack into a global discussion about custody, risk, and exchange infrastructure. This article explains how the Bybit hack unfolded from the first warning signs to the current recovery stage, reviews confirmed technical details, and highlights practical lessons for traders.

Timeline of the incident

Bybit Review
Go to broker
Your capital is at risk.

February 21, 2025: the breach

On February 21, the Bybit hack resulted in more than 401,000 ETH being taken from a cold-wallet system that relied on a third-party multisig tool. The stolen amount was valued at about $1.5 billion, making it the largest ETH hack on Bybit and one of the most severe losses ever recorded for a centralized exchange.

Bybit hack timelineBybit hack timeline

Reviews of the breach showed that the amount of this Bybit hack exceeded all previous single-exchange losses. The attackers used weaknesses in the transaction-signing flow of the Safe wallet system to change transfer destinations while keeping the approvals interface unchanged for internal signers.

Investigators later confirmed that injected code allowed the attackers to reroute approvals inside the multisignature sequence, letting them take control of the wallet during what appeared to be a routine transfer.

The hack highlighted the risks of relying on complex third-party custody tools and forced the industry to reassess cold-wallet infrastructure.

Bybit total assetsBybit total assets

Mid-February to March: laundering and attribution

After the breach, the laundering phase of the hack began quickly. Stolen ETH moved through dozens of wallets and anonymity services, with more than $75 million processed within the first hours.

Chainalysis chart showing the difficulty of money laundering during the Bybit hackChainalysis chart showing the difficulty of money laundering during the Bybit hack

Cross-chain bridges and mixers were used to split the flows and obscure the trail. The movement pattern mirrored past DPRK-linked operations, showing that the attack was planned rather than opportunistic.

As investigators mapped the movement, the pattern started to resemble tactics used in earlier operations linked to North Korea. This similarity raised the possibility that the Bybit hack in 2025 was not the work of independent criminals. Over the following weeks, analysts connected the activity to infrastructure long associated with the Lazarus Group, which strengthened the case that the Bybit crypto hack had a state-sponsored component.

Notable incidents attributed to the Lazarus GroupNotable incidents attributed to the Lazarus Group

The finding led to deeper reviews by U.S. and EU financial intelligence teams. For them, the Bybit hack became less about a single exchange breach and more about a geopolitical threat involving hostile cyber units.

April to present: aftermath and market response

In the weeks after the breach, the market reacted sharply. Traders pulled liquidity from several platforms, and volatility increased across major assets as the community tried to assess how the Bybit hack would influence broader confidence in centralized exchanges. Some analysts estimated that sector-wide valuations dropped noticeably during this period.

As more details emerged, security firms and regulators reviewed how the incident unfolded. Their reports focused on infrastructure weaknesses, third-party custody risks, and the scale of the amount stolen during the attack. These findings pushed regulators in the United States, Singapore, and parts of the EU to speed up discussions on new standards for exchange security and wallet oversight.

Inside the company, Bybit began a full evaluation of its storage systems and hired outside forensic teams to support the investigation. Bybit also expanded the recovery initiative by introducing a hack bounty program, offering rewards for information or technical support that could help trace or recover assets.

Bybit’s leadership later explained that the recovery process involved more than 30 external audits and a complete shift to reinforced wallet infrastructure. These steps were taken to restore confidence after the Bybit hack and to demonstrate that the platform had regained full operational stability.

Anatomy of the attack

  • Entry point. The attackers gained access by targeting a weakness in a third-party multisignature tool that supported Bybit’s cold-wallet setup. This flaw let them influence how transactions were generated and approved.

  • Execution. The group manipulated the signing interface so internal signers saw legitimate transaction details, while the actual destination was silently replaced. This technique explains how the Bybit hack progressed without immediate detection.

  • Fund obfuscation. After gaining control of the wallet, the attackers moved the assets through rapid chain swaps and multiple anonymity services. This method aligned with patterns seen in earlier incidents now linked to North Korea, reinforcing the attribution in later stages of the Bybit hack investigation.

Impact on investors and market trends

When news of the Bybit exchange hack spread, investor sentiment changed almost immediately. Retail users increased withdrawals, and institutions paused exposure while reassessing custodial risk.

The event pushed the market to reconsider how centralized platforms store assets and how vulnerable third-party tools can affect even well-known exchanges. Analysts noted that the wider reaction to the Bybit hack reflected deeper concerns about trust and operational resilience across the industry.

Bybit’s response: containment and transformation

  • Immediate containment. Bybit froze the compromised wallet as soon as the breach was detected and stopped all related transfers. External forensic teams were brought in to confirm how the Bybit hack unfolded and to trace early fund movements.

  • Forensic partners and tracing. Bybit worked with blockchain analysts and law-enforcement groups to track the stolen ETH. These efforts helped identify laundering routes and supported early freezing actions at cooperating exchanges.

  • Bounty and recovery program. To speed up tracking, Bybit launched a Bybit hack bounty offering up to 10% of recovered funds. This encouraged independent researchers to assist with wallet monitoring, attribution, and technical reporting.

  • Security overhaul. Over the following months, Bybit rebuilt key parts of its wallet infrastructure. This included moving signing processes into isolated environments, adding stricter code-review controls, auditing all third-party tools, and implementing real-time anomaly detection across transactions.

  • Operational upgrades. The exchange expanded its internal security team, introduced incident-simulation drills, and increased oversight across cold-wallet workflows. Multisig procedures were redesigned to eliminate the weaknesses exploited in the attack.

  • User protection. Bybit stated that users would not bear financial losses from the incident and coordinated reimbursement plans backed by reserves and recovery efforts.

  • Current posture. The platform now operates with hardened wallet architecture, independent audits, reinforced monitoring systems, and stronger transparency measures designed to maintain stability after the 2025 breach.

Regulatory and industry implications

The Bybit hack prompted regulators to reassess how centralized platforms manage custody and third-party dependencies. Agencies in the United States, Singapore, and the EU began reviewing tighter requirements for wallet audits, risk disclosures, and operational monitoring. The scale of the incident pushed policy groups to consider new rules for cold-wallet verification, software-supply-chain controls, and incident-response transparency.

Major exchanges also re-evaluated their own controls. Many initiated extra audits, strengthened multisig procedures, and published updated security statements to address concerns raised after the Bybit hack and similar high-impact breaches.

Lessons for traders

  • Understand custody models. Traders should check whether an exchange uses internal or third-party wallet tools and whether those systems are audited.

  • Review platform transparency. Exchanges that publish regular proof-of-reserves reports, security updates, and audit findings tend to offer clearer insight into actual risk.

  • Evaluate dependencies. The scale of the Bybit hack showed how vulnerabilities in external tools can affect even established platforms. Look for services that disclose their third-party integrations.

  • Adopt diversified practices. Keeping all assets on one platform increases exposure. Splitting assets across secure wallets and reputable exchanges reduces single-point failure.

If you're concerned about the security risks highlighted by the Bybit hack, it's a good idea to explore the best regulated crypto exchanges. These platforms offer enhanced protection and transparency, ensuring a safer environment for your trading activities. It's crucial to choose exchanges that prioritize strong security measures and provide clear, reliable information about their custodial practices.

Best regulated crypto exchanges
Kraken Coinbase Nebeus Crypto.com Nexo

Min. Deposit, $

10 10 5 1 No

Coins Supported

278 249 30 250 100

Spot Taker fee, %

0.4 0.5 Not available 0.5 0.04

Spot Maker Fee, %

0.25 0.5 Not available 0.25 0.07

Tier-1 regulation

Yes Yes Yes Yes Yes

TU overall score

8.7 8.46 7.84 7.24 7.13

Open an account

Go to broker
Your capital is at risk.
 Go to broker
Your capital is at risk.
 Go to broker
Your capital is at risk.
Go to broker
Your capital is at risk.
 Go to broker
Your capital is at risk.

Trust exchanges that prove resilience after a breach

Anastasiia Chabaniuk
Anastasiia Chabaniuk Educational Content Editor

Over the years, I have seen many exchanges fall into the same trap: they invest heavily in features and growth, but they underestimate how fragile their security foundation can be. The Bybit hack was a clear reminder that even a well-known platform can be exposed by a single weakness in a third-party tool. What matters most to me is not that a breach happened, but how an exchange responds when everything goes wrong.

Bybit reacted with urgency, brought in independent investigators, rebuilt its signing systems, and opened its infrastructure to deeper audits. That level of transparency is what separates mature platforms from those still playing catch-up. For traders, this is the lesson to hold onto: choose exchanges that do not hide their vulnerabilities, that disclose their dependencies, and that can demonstrate exactly how they improved after an incident. A company that has already been tested under maximum pressure often ends up far more secure than one that has never faced a real threat.

Conclusion

The events surrounding the Bybit hack offered one of the clearest examples of how a modern exchange breach unfolds from the first unnoticed weakness to the final stages of recovery. The incident exposed how a flaw in a third-party wallet system can escalate into a large-scale loss, but it also showed how quickly an exchange can rebuild when it commits to full transparency and structural reform.

Bybit’s audits, infrastructure changes, and public updates helped stabilize the platform, but the wider industry also learned from the failure. For traders, the 2025 breach remains a defining moment that pushed the entire market toward stronger custody standards, clearer disclosures, and more careful evaluation of how exchanges manage their most sensitive systems.

FAQs

How can traders confirm whether an exchange relies on third-party wallet tools?

Most exchanges list their custody partners in security disclosures or audit reports. If this information is missing, ask the support team directly. A transparent platform should clearly state which wallet providers or multisig systems it uses.

Did the Bybit breach affect trading engine performance or order execution?

The trading engine stayed operational. The incident affected a specific cold-wallet environment, not the live trading infrastructure. However, some temporary restrictions were applied to withdrawals and internal transfers during the investigation.

What long-term changes did the industry make after the 2025 breach?

Several exchanges adopted isolated signing environments, stricter code-review pipelines, and external incident-simulation drills. Some also introduced continuous monitoring for wallet-level anomalies, which became more common after the Bybit hack.

How can individual traders reduce dependence on exchange security alone?

Use hardware wallets for long-term holdings, enable strong multi-factor authentication, diversify storage across services, and avoid keeping unnecessary balances on exchanges. Personal security habits can significantly reduce exposure even during large-scale breaches.

Related Articles

Team that worked on the article

Aleksandra Chaikina
Aleksandra Chaikina
Author and financial analyst at Traders Union

Aleksandra Chaikina has been a contributor to Traders Union since 2021. With over 15 years of experience in copywriting and more than 5 years focused on financial content, she specializes in producing detailed guides, analytics, and comparative reviews across various sectors, including cryptocurrencies, Forex, investment strategies, and financial technologies.

Learn about our editorial policies
Dan Blystone
Dan Blystone
Senior English Editor

Dan Blystone began his trading career in 1998 as an arbitrage clerk on the floor of the Chicago Mercantile Exchange (CME). He later traded bond and Eurex futures at proprietary firms such as Altea Trading, gaining valuable experience in high-frequency trading and risk management.

Chinmay Soni
Chinmay Soni
Head of Fact-Checking Department

Chinmay Soni is a financial analyst with more than 5 years of experience in working with stocks, Forex, derivatives, and other assets. As a founder of a boutique research firm and an active researcher, he covers various industries and fields, providing insights backed by statistical data.

Table of Contents
Table of Contents
Who We Are
Business Solutions
For Users
TU News
Popular Sections
Disclosures
CONTACT US
Legal
We are in Social Media
© IAFT Ltd., 2010-2026 All rights to the website are owned by IAFT Ltd.,
Registration number - HE 336186
  • Risk disclosure:

    Information on the TradersUnion.com website is for informational purposes only and does not constitute any motive or suggestion to visitors to invest money. Moreover, we hereby warn you that trading on the Forex and CFD markets is always a high risk. According to the statistics, 75-89% of customers lose the funds invested and only 11-25% of traders earn a profit. Trading in futures and options carries substantial risk of loss and is not suitable for every investor.

    That is why you should only invest money that you are prepared — or can afford — to lose at such high risks. Tradersunion.com does not provide any financial services, including investment or financial advisory services. Also, the Traders Union is not a broker and does not get money for trading in the Forex or CFD markets. Our website only provides information on brokers and the markets and helps its users to select the best brokerage company based on detailed information and objective analysis of brokers.

  • Disclaimer:

    Traders Union (TradersUnion.com) shall not be liable for the consequences of trading decisions made by the Client and for the possible loss of his capital resulting from the use of this website and information published on it.

    Forex market, CFD and cryptocurrency trading involves high risks and is not suitable for everyone. Before investing money, you need to adequately assess the level of your expertise and be aware of the risks, particularly in the context of trading with leverage. The information on this website is not intended for distribution or use by any person in any country or jurisdiction, where such distribution or use would be in violation of the local law or regulation. Any payments by Traders Union (TradersUnion.com) to the users of our website shall be legally interpreted solely as an incentive on our part for the activity on the website in the form of a deduction of a part of the advertising income; they shall not be a subject of any claims of our users or our obligations, a subject of disputes, as well as cannot be considered in relation to the services provided to users by brokers, both in fact and in their completeness and volume. The administration of the website shall not be liable for the content of user comments and reviews about the companies and shall not verify whether the authors of the reviews are indeed real clients of a specific company. All reviews, both negative and positive are published on the website without verification of their reliability; only offensive reviews that call for violence or any kind of discrimination and also reviews published from one group of IP addresses are moderated and removed. The authors of the materials shall be fully liable for the accuracy, completeness and impartiality of any information in the articles and reviews, including in the context of their use or mention of any brand names or trademarks. All mentions of the names of companies and their brands in any materials on the website shall be made in the context of communication of socially important information to the people about their activities by independent journalists, who are the authors. All evaluations and indicators on the website express the subjective opinion of the authors of the reviews (articles) and shall not be viewed as accurate statements and be a subject of disputes and claims against Traders Union.

  • Disclosure of advertisers and revenues:

    All the services on the Tradersunion.com website are free for you to use. Our team spends thousands of hours per annum researching brokers and gathering information about them to help investors all over the world to choose reliable companies and to avoid fraudsters.

    Indeed, the curating, sourcing, and organization of this process requires substantial financial investment by Tradersunion.com, which the website earns in the form of advertising payments. There are two types of advertising services on the website — direct advertising or partner (broker) participation programs. However, no services purchased by our partners shall affect the recommendations on our website, or our opinions, or ratings. Our ratings are based on our objective rating criteria and methodology; and the results are always equally and fairly applied to each broker. The work of our content authors and research groups does not involve any interaction with our advertisers and they do not have access to data concerning the amount of advertising purchased. For over 10 years we consider our independence, absolute openness, and objectivity as our main priority. Please follow the links to each of our affiliated broker’s websites. This will help Tradersunion.com to continue to provide our services to you for free.

onepercentfortheplanet.org World Association of News Publishers https://gdpr.eu/ GDPR