Technology News Nigeria

How did Bybit hack 2025 happen: the full story


On February 21, 2025, the crypto world was rocked by a disturbing event: the Bybit hack. It wasn’t just another security breach; it was a wake-up call. 

Crypto traders and investors woke up to staggering losses, while cybersecurity experts raced against the clock to piece together how it all unfolded. The incident didn’t just shake Bybit; it sent shockwaves through the global cryptocurrency community, leaving everyone questioning the safety of their digital assets.

If you’re here, you’ve probably already heard the headlines. But let’s dig deeper. 

How did the Bybit hack actually happen? What vulnerabilities did the attackers exploit, and more importantly, how can we prevent something like this from happening again? What does this mean for the future of crypto security?

In this article, I’ll walk you through the full timeline of the attack, uncover the technical weaknesses that made it possible, and explore the aftermath. By the end, you’ll have a clear understanding of what went wrong and what needs to change to keep your crypto safe in the future. 

TL;DR: Key takeaways from this article

  • Hackers infiltrated Bybit’s cold wallet system on February 21, 2025, stealing nearly $1.5 billion in Ethereum. This cybertheft marked the largest exchange breach in history.
  • Investigators traced the attack to North Korea’s Lazarus Group, which leveraged sophisticated transaction manipulation and laundering tactics to move the stolen funds.
  • The attack exposed major flaws in crypto exchange security, reigniting debates over whether decentralized platforms offer a safer alternative to centralized exchanges like Bybit.
  • Bybit moved quickly to contain the damage, securing emergency liquidity, reinforcing security protocols, and maintaining full solvency to prevent a mass user exodus.
  • The hack sent shockwaves through the market, causing Ethereum to plunge 24%, Bitcoin to dip below $90,000, and regulators to ramp up scrutiny on crypto exchange security.

Background: Bybit and its role in the crypto ecosystem

Bybit, founded in 2018 by Singapore-based businessman Ben Zhou, has long been a heavyweight in the cryptocurrency space. It’s known for its sleek, user-friendly platform and cutting-edge trading tools. 

From seasoned traders to users who are just dipping their toes into crypto, Bybit’s intuitive design and robust features made it a go-to choice for millions. Beyond its ease of use, the exchange built a reputation for prioritizing security, or so everyone thought.

Before the 2025 hack, Bybit had implemented what many considered industry-standard safeguards: two-factor authentication (2FA) to protect user accounts and cold wallet storage to keep the majority of funds offline and out of reach from hackers. These measures, combined with its rapid growth and global user base, positioned Bybit as a trusted player in the crypto space.

But the 2025 breach shattered that illusion. It revealed that even the most established exchanges, with seemingly solid security protocols, are vulnerable to sophisticated attacks. Bybit’s role as a major liquidity provider and trading hub meant that the fallout from the hack didn’t just affect its users; it sent ripples across the entire crypto ecosystem.


This incident serves as a stark reminder: no platform, no matter how reputable, is invincible. It also raises critical questions about whether “standard” security measures are enough in an era where cybercriminals are becoming increasingly advanced. 

What exactly happened? 

It began like just another routine day at Bybit until it turned into a nightmare.

A routine transfer from the exchange’s Ethereum cold wallet triggered an unexpected alert. At first, it seemed like a minor glitch, but within minutes, the situation spiraled out of control. Millions of dollars in cryptocurrency began disappearing before the team’s eyes. 

By the time they could react, about $1.5 billion worth of Ether had been drained in one of the largest crypto heists ever recorded. This wasn’t some random act of cybercrime. It was a meticulously planned operation that laid bare critical vulnerabilities in even the most secure trading platforms. 

The attackers exploited flaws in Bybit’s transaction approval processes, manipulated smart contract logic, and targeted weaknesses in its off-chain infrastructure. These weren’t amateur moves; this was a highly sophisticated attack perpetrated by professionals.

The fallout was immediate and chaotic. Bitcoin (BTC) and Ethereum (ETH) prices nosedived, with ETH dropping by 24% and BTC falling below $90,000. Panic spread like wildfire among investors, and regulators worldwide turned their attention to the glaring security gaps in the crypto industry.

As investigators dug deeper, they traced the attack back to North Korea’s infamous Lazarus Group, a state-backed cybercrime syndicate known for its brazen attacks on financial institutions. This wasn’t their first rodeo, and it certainly won’t be their last.

So, how did the hackers pull it off?

Let’s break it down in simple terms. 

Five days after the attack, investigators confirmed that the hackers had compromised a developer working on SAFE Wallet. This gave them access to alter the wallet’s user interface (UI) source code (the part of the software customers interact with). 

Importantly, SAFE clarified that the wallet’s smart contract (the core program running the wallet) was never breached. The attack was focused solely on the UI.

To get to the bottom of things, SAFE brought in Mandiant, a top-tier cybersecurity firm owned by Google Cloud. Together, they pieced together how the hackers pulled off the heist and outlined steps to tighten security. 

Here’s how it happened:

Step 1: They hacked the developer’s machine

The first step was gaining access to a developer’s computer. While the exact details are a bit fuzzy (the malware was removed, leaving some gaps in the investigation), Mandiant believes the hackers used a clever trick. 

They likely lured the developer into downloading a malicious Docker container (a type of software package) disguised as something harmless, like a project related to stocks. This wasn’t a random act. The Lazarus Group, the hackers behind the attack, are known for using social engineering, manipulating people into giving up access. 

In a similar recent hack, they convinced a developer to download a Docker container by pretending to need technical help. Once the container was installed, it gave the hackers a backdoor into the developer’s workstation, allowing them to sneak in undetected.

In short, the hackers didn’t need to break through firewalls or crack complex codes. They simply tricked a human into opening the door for them. It’s a reminder that even the most advanced security systems can be undone by a single moment of human error.

Step 2: They got into the AWS code repository

After compromising the developer’s machine on February 4, the hackers first accessed Bybit’s Amazon Web Services (AWS) code repository on February 5. 

AWS typically requires multiple layers of authentication to make unauthorized access difficult, so the attackers tried to add their own Multi-Factor Authentication (MFA) device to maintain access. Fortunately, this attempt failed.

Undeterred, the hackers adapted. They spent the next 12 days quietly monitoring the AWS environment, analyzing how authentication and access tokens were used. AWS generates temporary session tokens that developers use to access web servers and commit code, but they expire after 12 hours. 

The attackers hijacked these temporary tokens, using a virtual private network (VPN) to mask their activity. This allowed them to bypass standard security controls.

Step 3: They injected the malicious code

On February 17, the hackers injected malicious code into the AWS repository for the SAFE user interface (UI). For four days, users unknowingly interacted with the compromised UI. However, the code was specifically designed to target Bybit’s wallet address, meaning other users were unaffected.

The attackers likely gained access to the SAFE UI through a supply chain attack or further social engineering. They inserted a malicious JavaScript payload capable of detecting and altering outgoing transactions in real time.

Step 4: They compromised the SAFE UI

Once inside the UI, the hackers modified transaction details before they were displayed, so the UI showed Bybit’s security team what appeared to be legitimate transactions. The hackers had secretly embedded a delegatecall instruction (a command that allows one contract to execute code from another), manipulating transaction approvals without raising alarms. 

When authorized personnel signed off on the transaction, they unknowingly handed control of the cold wallet to the hackers. Instead of sending funds to Bybit’s hot wallet as intended, the transactions were redirected to wallets controlled by the attackers.

Step 5: They executed the unauthorized transfer

With control of the cold wallet, the attackers initiated multiple rapid withdrawals to various unidentified addresses. Despite Bybit’s stringent on-chain security measures, the off-chain vulnerabilities proved to be their downfall.

In the aftermath of the hack, the stolen funds were quickly converted into Bitcoin and other cryptocurrencies, then dispersed across numerous blockchain addresses—a tactic known as chain hopping. This made it incredibly difficult to trace and recover the stolen assets.
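The five steps above hinge on signers approving a raw payload that differed from what the tampered UI displayed. As an added example (not Bybit’s or Safe’s own code), here is an independent pre-signing check in JavaScript that reads the EIP-712 `SafeTx` typed data a wallet is actually asked to sign, compares it with the transfer the operator intended, and refuses anything that uses delegatecall, carries calldata, or changes the recipient or amount; the addresses, amounts and policy cap are constructed placeholders.

```javascript
// Added example (not Bybit's or Safe's code): an independent pre-signing check
// for a Safe multisig transaction. It reads the raw EIP-712 "SafeTx" typed data
// the wallet is asked to sign and compares it with the transfer the operator
// believes they are approving, so a tampered UI cannot swap in a delegatecall
// or a different recipient without the mismatch being caught.
const OPERATION_CALL = 0;         // ordinary call; what a plain ETH transfer uses
const OPERATION_DELEGATECALL = 1; // runs foreign code in the Safe's own context

// Constructed policy for a routine cold-wallet to hot-wallet transfer.
// Addresses and the cap are placeholders, not Bybit's real values.
const TRANSFER_POLICY = {
  allowedRecipients: new Set(["0x1111111111111111111111111111111111111111"]),
  maxValueWei: 10n ** 21n, // hypothetical cap of 1,000 ETH per transaction
};

function normalizeAddress(addr) {
  return String(addr || "").toLowerCase();
}

// `intended` is the transfer the operator expects (recipient, amount);
// `typedData` is the payload the wallet presents for signature.
// Returns { approve: boolean, findings: string[] }.
function reviewSafeTx(typedData, intended, policy = TRANSFER_POLICY) {
  const findings = [];
  const msg = (typedData && typedData.message) || {};
  if (!typedData || typedData.primaryType !== "SafeTx") {
    findings.push("unexpected primaryType; expected SafeTx");
  }
  const to = normalizeAddress(msg.to);
  const value = BigInt(msg.value ?? 0);
  const data = String(msg.data ?? "0x").toLowerCase();
  const operation = Number(msg.operation ?? OPERATION_CALL);

  // A plain transfer never needs delegatecall; its presence is the red flag.
  if (operation === OPERATION_DELEGATECALL) {
    findings.push("operation is DELEGATECALL; plain transfers must use CALL");
  } else if (operation !== OPERATION_CALL) {
    findings.push(`unknown operation value ${operation}`);
  }
  // The raw payload must match what the UI claims to be sending.
  if (to !== normalizeAddress(intended.to)) {
    findings.push(`recipient mismatch: UI shows ${intended.to}, payload has ${msg.to}`);
  }
  if (value !== BigInt(intended.valueWei)) {
    findings.push(`value mismatch: UI shows ${intended.valueWei} wei, payload has ${value} wei`);
  }
  if (data !== "0x" && data !== "") {
    findings.push(`plain ETH transfer must carry empty calldata, got ${data.slice(0, 10)}...`);
  }
  // Policy checks that do not depend on anything the UI displays.
  if (!policy.allowedRecipients.has(to)) {
    findings.push(`recipient ${to} is not on the allowlist`);
  }
  if (value > policy.maxValueWei) {
    findings.push(`value ${value} wei exceeds the per-transaction cap`);
  }
  return { approve: findings.length === 0, findings };
}

// Constructed samples: both are shown in the UI as the same 500 ETH transfer.
const intendedTransfer = {
  to: "0x1111111111111111111111111111111111111111",
  valueWei: "500000000000000000000",
};

function benignPayload() {
  return { primaryType: "SafeTx", message: { to: intendedTransfer.to,
    value: intendedTransfer.valueWei, data: "0x", operation: OPERATION_CALL, nonce: 42 } };
}

// What a tampered UI could submit while still displaying the benign transfer.
function tamperedPayload() {
  return { primaryType: "SafeTx", message: { to: "0x2222222222222222222222222222222222222222",
    value: "0", data: "0xa9059cbb00000000000000000000000000000000", operation: OPERATION_DELEGATECALL, nonce: 42 } };
}

function reviewBenign() { return reviewSafeTx(benignPayload(), intendedTransfer); }
function reviewTampered() { return reviewSafeTx(tamperedPayload(), intendedTransfer); }

console.log(reviewBenign(), reviewTampered());
```

Run on a second device that never loads the web UI, this kind of check is the manual verification step for high-value transactions that the article later recommends.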

Tools and methods used by the hackers

1. Phishing attacks

The hackers used social engineering tactics, specifically phishing attacks, to trick Bybit employees into revealing their login credentials. By posing as trusted entities or creating fake scenarios, they lured unsuspecting staff into handing over sensitive information. This gave them the initial foothold they needed to infiltrate Bybit’s systems.

2. API key exploits

Once inside, the attackers exploited stolen API keys to bypass two-factor authentication (2FA). API keys are like digital passports that allow systems to communicate with each other. By compromising these keys, the hackers gained unauthorized access to critical parts of Bybit’s infrastructure, effectively sidestepping one of the most common security measures.

3. Withdrawal batching

To avoid triggering alarms, the hackers siphoned off funds in multiple small transactions — a technique known as withdrawal batching. Instead of making one large, noticeable transfer, they broke the stolen amount into smaller chunks, making it harder for automated monitoring systems to detect suspicious activity.

Who was responsible for the Bybit Hack?

In the aftermath of the February 2025 Bybit hack, investigators quickly zeroed in on North Korea’s state-sponsored hacking collective, the Lazarus Group. The U.S. Federal Bureau of Investigation (FBI) publicly confirmed their involvement, marking this as the largest cryptocurrency heist attributed to the group to date.

The FBI’s analysis revealed that the stolen assets were converted into Bitcoin and other cryptocurrencies, then dispersed across numerous blockchain addresses. This tactic, known as chain hopping, is a hallmark of the Lazarus Group’s operations. By spreading the funds across multiple wallets and blockchains, they obscure the origins of the stolen assets, making it easier to launder and eventually convert them into fiat currency.

Lazarus group’s history of crypto cyberattacks

The Lazarus Group, also referred to as TraderTraitor, has a long and notorious history of cybercrimes, particularly targeting financial institutions and cryptocurrency platforms. Their operations are widely believed to fund North Korea’s nuclear and missile programs. 

Here are some of their most notable attacks:

1. Ronin Network Hack (2022):

The group breached the Ronin Network, the blockchain platform behind the popular NFT-based game Axie Infinity, stealing approximately $615 million in cryptocurrency. This remains one of the largest crypto heists in history.

2. Horizon Bridge Attack (2022):

Lazarus was implicated in the theft of $100 million from the Horizon blockchain bridge, showcasing their focus on exploiting vulnerabilities in cross-chain platforms.

3. Atomic Wallet Breach (2023):

The group was linked to the theft of over $100 million from users of the Atomic Wallet service. They employed sophisticated techniques to compromise user assets, further cementing their reputation as a formidable cyber threat.

Why does the Lazarus Group target crypto?

Cryptocurrency platforms are a prime target for the Lazarus Group due to the relative anonymity and global reach of digital assets. By stealing and laundering crypto, they can bypass traditional financial systems and sanctions, funneling funds directly into their coffers.

The Bybit hack is just the latest in a string of high-profile attacks by the group, underscoring the need for heightened security measures and international cooperation to combat state-sponsored cybercrime. As long as crypto remains a lucrative target, groups like Lazarus will continue to exploit vulnerabilities, making vigilance and innovation in cybersecurity more critical than ever.

Impact on users and the crypto market

Here’s how it affected users and the broader market:

Immediate consequences

  1. User losses: Millions of dollars in crypto assets were drained from user accounts, leaving many investors devastated. For some, it was a life-altering financial hit, although Bybit promised refunds. 
  2. Account security risks: Beyond the stolen funds, many users discovered their accounts had been compromised, raising fears about personal data and future vulnerabilities.
  3. Withdrawal suspensions: To contain the fallout, Bybit temporarily froze withdrawals, leaving users unable to access their remaining funds. This move, while necessary, added to the frustration and mistrust.

Broader market reactions

  1. Bitcoin and Ethereum price drops: The hack triggered panic selling, causing Bitcoin to drop over 5% to a three-and-a-half-month low, trading below $90,000 for the first time since November. Ethereum also saw a sharp decline, losing 24% of its value in the days following the breach.
  2. Investor confidence shaken: The sheer scale of the breach eroded trust in cryptocurrency exchanges. Many investors began questioning the safety of their assets, leading to a noticeable decline in trading volumes.
  3. Shift toward regulated platforms: In the wake of the hack, there was a growing trend of users migrating to more secure or heavily regulated platforms, seeking better protection for their investments.

Regulatory fallout

The hack didn’t just rattle users and traders; it also caught the attention of regulators worldwide. Governments and financial watchdogs intensified their scrutiny of cryptocurrency exchanges, calling for stricter security measures and stronger oversight.

Forbes noted that the hack could reduce consumer confidence in crypto and raise further questions by policymakers who are anti-digital assets. Other news outlets have reported that the incident sparked renewed discussions about tightening regulations and enforcing industry-wide protections.

Bybit response and recovery efforts

In the wake of the February 2025 hack, Bybit moved swiftly to address the crisis and reassure its users. 

First, the exchange issued a public statement acknowledging the breach and vowed to fully compensate affected users, a critical step in rebuilding trust. But Bybit didn’t stop there. 

Here are the other things they did:

1. Security

The moment the breach was detected, Bybit’s security team sprang into action. They isolated the compromised cold wallet and halted unauthorized transactions within minutes. To understand the full scope of the attack, they launched a forensic investigation, collaborating with blockchain analytics firms and law enforcement agencies. 

Then, Bybit partnered with SAFE, its wallet provider, to overhaul its multisignature (multisig) security protocols and prevent future exploits. They also introduced stricter manual verification measures for high-value transactions, ensuring an additional layer of oversight.

2. Refund and reserve

Despite the staggering $1.5 billion loss, Bybit moved quickly to reassure users that their assets were safe. The exchange emphasized that all customer funds were 1:1 backed and kept withdrawals open to maintain trust.

Within 72 hours, Bybit secured emergency liquidity, raising 447,000 ETH through loans and contributions from industry partners like Binance, Bitget, and Galaxy Digital. Notably, Bybit avoided buying ETH on the open market to prevent price manipulation, opting instead for strategic fund injections to fully restore reserves.

3. Open communication

Transparency was key to Bybit’s recovery strategy. CEO Ben Zhou addressed users within 30 minutes of the breach, hosting a live-streamed Q&A session to answer questions and provide updates. 

Daily communications kept users informed about fund recovery progress and ongoing security upgrades. By February 24, barely three days later, Bybit completed a full proof-of-reserves (PoR) audit, publicly confirming its solvency and reassuring users that the exchange remained financially stable.

4. Fund recovery efforts

Bybit didn’t just sit back and accept the loss. They collaborated with other exchanges, stablecoin issuers, and forensic teams to track and freeze stolen funds. To incentivize tips, they launched a bounty program offering 10% of recovered assets, a staggering $140 million reward for information leading to the return of stolen funds.

The outcome

Bybit’s rapid response, financial stability, and transparent communication helped prevent mass withdrawals and restore user trust. While the hack was a significant setback, the exchange’s handling of the crisis positioned it for long-term recovery and set a new standard for how crypto platforms should respond to security breaches.

Lessons learned and preventative measures

While the Bybit hack was a devastating event, it also revealed some silver linings and critical lessons for the crypto industry. 

Here’s what we can take away from the incident:

Strengths highlighted by the hack

1. Rapid response and damage control: Bybit’s ability to manage one of the largest cyberattacks in crypto history without compromising customer assets demonstrated its financial resilience and operational preparedness. This set a benchmark for how exchanges should handle crises.

2. Increased focus on security: The hack underscored the importance of robust security measures. In its aftermath, many exchanges began reviewing and upgrading their systems to prevent similar attacks, signaling a collective push toward stronger safeguards.

3. Regulation and investor protection: The incident is likely to accelerate the adoption of stricter regulations and security requirements for crypto exchanges. While regulation can be a double-edged sword, it has the potential to create a safer environment for investors and foster greater market stability.

Notes for other crypto exchanges

To avoid falling victim to similar attacks, exchanges should take the following steps:

1. Implement stricter API security protocols: Ensure that API keys are encrypted, regularly rotated, and access is restricted to authorized personnel only.

2. Require multi-layer authentication for withdrawals: Add additional layers of verification, such as hardware-based authentication or manual approval for high-value transactions.

3. Conduct regular third-party security audits: Partner with reputable cybersecurity firms to perform routine audits and stress tests, identifying vulnerabilities before attackers can exploit them.

Best practices for users

As a crypto investor, your security is just as important as the exchange’s. 

Here’s how you can protect yourself:

1. Enable Multi-Factor Authentication (MFA): Always use MFA to add an extra layer of security to your accounts.

2. Avoid storing large sums on exchanges; use cold wallets: Keep the majority of your funds in cold wallets (offline storage) to minimize exposure to potential hacks.

3. Stay vigilant against phishing scams: Be cautious of suspicious emails, links, or messages that ask for personal information or credentials. Always verify the source before taking any action.

Other major crypto-related cyberattacks since 2008

The Bybit hack is just one chapter in a long history of cryptocurrency thefts. Since Bitcoin’s inception in 2008, the industry has faced numerous high-profile cyberattacks. 

Here are some of the most significant:

1. Poly Network (August 2021)

Hackers stole around $610 million from Poly Network, a platform enabling peer-to-peer token transactions. Surprisingly, the attackers returned nearly all the stolen funds shortly after the heist.

This attack highlighted vulnerabilities in the decentralized finance (DeFi) sector, where users lend, borrow, and save digital tokens without traditional intermediaries like banks. It served as a stark reminder that DeFi platforms, while innovative, are not immune to exploitation.

2. Coincheck (January 2018)

Tokyo-based exchange Coincheck lost $530 million in cryptocurrency after hackers targeted one of its “hot wallets” (a digital storage connected to the internet). The theft drew global attention to the security practices of crypto exchanges. South Korea’s intelligence agency suggested that North Korean hackers, likely the Lazarus Group, were behind the attack.

3. Mt. Gox (2011–2014)

One of the earliest and most infamous crypto hacks, Mt. Gox, a Tokyo-based exchange that once handled 80% of the world’s Bitcoin trade, lost nearly $500 million worth of Bitcoin over several years. The hack led to Mt. Gox’s bankruptcy in 2014, leaving 24,000 customers unable to access their funds. 

4. Wormhole (February 2022)

DeFi platform Wormhole was hit by a $320 million heist, with attackers stealing 120,000 digital tokens tied to Ethereum. The crypto arm of Jump Trading, which had acquired Wormhole’s developer, stepped in to replace the stolen funds and restore user confidence. This attack highlighted the risks associated with cross-chain bridges, which allow users to transfer assets between blockchains. 

Conclusion

The 2025 Bybit hack was a watershed moment for the cryptocurrency industry. It exposed critical vulnerabilities in even the most secure platforms, underscored the sophistication of state-sponsored hacking groups like the Lazarus Group, and highlighted the urgent need for stronger security measures and regulatory oversight. 

While Bybit’s swift response and transparency helped mitigate the damage, the incident serves as a stark reminder that the crypto ecosystem remains a prime target for cybercriminals. 

For exchanges, the hack is a call to action to prioritize security innovation, conduct regular audits, and collaborate with industry peers to share threat intelligence. For users, it’s a reminder to take personal responsibility for safeguarding assets by using multi-factor authentication and cold wallets, and by staying vigilant against phishing scams.

As the industry evolves, the lessons learned from the Bybit hack will shape the future of crypto security. By embracing transparency, adopting best practices, and fostering global cooperation, the crypto community can build a safer, more resilient ecosystem for everyone.

FAQs about the 2025 Bybit hack

What exactly happened during the Bybit hack?

On February 21, 2025, hackers exploited vulnerabilities in Bybit’s cold wallet infrastructure, stealing around $1.5 billion in Ethereum. The attack was attributed to North Korea’s Lazarus Group.

How did the hackers gain access?

The attackers compromised a developer’s machine, altered the user interface (UI) code, and manipulated transaction approvals to redirect funds to their wallets.

Were user funds affected during the Bybit hack?

Bybit assured users that all customer assets were 1:1 backed and fully compensated. No user funds were lost due to the exchange’s emergency liquidity measures.

What steps did Bybit take after the hack?

Bybit isolated the compromised wallet, launched a forensic investigation, secured emergency liquidity, and implemented stricter security measures, including mandatory hardware authentication and AI-powered fraud detection.

How did the Bybit hack impact the crypto market?

The hack caused Ethereum’s price to drop by 24% and Bitcoin to fall below $90,000. It also led to increased regulatory scrutiny and a decline in investor confidence.

Who was behind the Bybit attack?

The U.S. Federal Bureau of Investigation (FBI) attributed the hack to North Korea’s Lazarus Group, a state-sponsored hacking collective known for targeting financial institutions.

What does the Bybit hack mean for the future of crypto security?

The hack highlights the need for stronger security protocols, proactive threat detection, and global cooperation to prevent similar breaches. It also underscores the importance of regulatory oversight to protect investors and ensure market stability.

