On February 21, 2025, ByBit lost $1.5 billion in ETH to North Korea's Lazarus Group — the largest crypto theft ever recorded. What happened next rewrote the playbook on crisis response.
Every major milestone from the moment the breach was detected through ByBit's ongoing recovery programme.
Attackers compromise ByBit's Safe{Wallet} cold wallet interface, manipulating a routine ETH transfer. Approximately 401,000 ETH (~$1.5B) is drained to attacker-controlled addresses in a sophisticated supply-chain attack targeting the signing UI. Read the full timeline →
ByBit CEO Ben Zhou addresses the community on X within hours of the breach, confirming what happened, explaining the attack vector, and pledging that all client funds are safe and will be honored. Radical transparency from the start.
Despite a surge in withdrawal requests, ByBit processes every single one. No withdrawal freezes, no gates, no delays. ByBit uses its own reserves and emergency bridge loans from industry partners to cover the shortfall immediately.
The FBI formally attributes the hack to TraderTraitor, a sub-unit of North Korea's Lazarus Group. On-chain investigator ZachXBT had already traced the funds within hours of the attack. ByBit launches a $140M bounty program for recovery assistance.
ByBit announces a comprehensive security overhaul: new cold wallet architecture, enhanced multi-signature protocols, third-party security audits, and a new dedicated internal security team. Safe{Wallet} integration suspended pending independent review.
ByBit publishes real-time Proof of Reserves showing 1:1 asset backing across all major assets. Third-party auditors verify the reserves. Trading volumes begin recovering strongly as user confidence returns to the platform.
ByBit's trading volumes recover to approximately 92% of pre-hack levels. New user registrations exceed pre-hack rates in several markets. The exchange is widely cited as a model for post-breach crisis management in the crypto industry.
On-chain investigators continue tracking the stolen ETH as Lazarus Group attempts to launder through mixers and cross-chain bridges. International law enforcement coordination is ongoing. Several exchanges have frozen flagged addresses.
When the largest crypto hack in history hit, ByBit's response set a new standard for the industry. Here's what they did right. Full analysis →
Despite losing $1.5B, ByBit processed every single withdrawal request without freezing funds or imposing limits. They used their own reserves and emergency bridge financing to cover the gap immediately — no user lost a cent.
CEO Ben Zhou went live within hours of the breach, explaining exactly what happened, what was being done, and what users could expect. Regular updates followed. No spin, no delay, no corporate silence — just facts.
ByBit launched one of the largest bounty programs in crypto history — offering up to $140M for information leading to recovery of stolen funds. Coordinated with on-chain investigators and law enforcement globally.
New cold wallet architecture, enhanced multi-signature protocols, third-party security audits, and a dedicated internal security team. The Safe{Wallet} integration was suspended and independently reviewed before any reinstatement.
ByBit published real-time, third-party verified Proof of Reserves demonstrating 1:1 asset backing across all major assets. Ongoing transparency commitment with regular independent audits and public reporting.
ByBit coordinated with other exchanges, on-chain investigators including ZachXBT, and international law enforcement to track and freeze stolen funds. Shared intelligence with the broader crypto security community.
Compare ByBit's response to Mt. Gox (collapsed, users lost everything), FTX (fraud, executives arrested), or Celsius (froze withdrawals, filed bankruptcy). ByBit did the opposite at every step: immediate transparency, full user protection, and a credible path to recovery. The crypto industry now has a new benchmark for how exchanges should handle a breach.
ByBit's post-hack security infrastructure is materially stronger than before the breach. Here's what's been implemented and independently verified.
Completely rebuilt cold storage with air-gapped signing, hardware security modules (HSMs), and isolated signing environments that prevent the interface manipulation used in the Feb 2025 attack.
Upgraded multi-sig with independent key holders, mandatory transaction verification across multiple secure channels, and time-locked large transfers with additional confirmation layers.
Ongoing independent security audits by leading blockchain security firms. All smart contract integrations and wallet interfaces now require external security review before deployment.
The Feb 2025 attack exploited a third-party wallet interface. ByBit now maintains strict supply chain security protocols, including cryptographic code verification for all third-party integrations.
ByBit maintains real-time, third-party verified Proof of Reserves. All major assets are backed 1:1 or above. Updated continuously and independently audited.
View Live Proof of Reserves ↗The latest on ByBit's recovery, Lazarus Group tracking, and platform developments. Updated regularly.
Four months after the $1.5B hack, ByBit's derivatives and spot trading volumes have recovered to approximately 92% of pre-February levels, with new user registrations exceeding pre-hack rates in key markets.
ZachXBT and other on-chain investigators continue tracking the stolen ETH as North Korea's Lazarus Group attempts to launder funds through mixers, cross-chain bridges, and OTC desks. Several exchanges have frozen flagged addresses.
ByBit publishes the results of its comprehensive third-party security audit, confirming the new cold wallet architecture and multi-sig protocols meet or exceed industry standards. Proof of Reserves goes live with real-time verification.
ByBit's unprecedented $140M bounty program for recovery of stolen funds has attracted submissions from blockchain analytics firms worldwide. We break down the program structure, eligibility, and progress to date.
The FBI issues a formal attribution linking the ByBit hack to TraderTraitor, a sub-unit of North Korea's Lazarus Group. The attribution confirms earlier on-chain analysis and triggers international law enforcement coordination.
Within hours of the breach, ByBit CEO Ben Zhou went live to address the community directly. We analyze his statement, the transparency it demonstrated, and why it set ByBit apart from every previous exchange hack response.
Direct answers to the most common questions about the February 2025 breach and ByBit's recovery.
History shows most hacked exchanges collapse. ByBit is the exception — and the data proves it.
Exchange Hack Comparison
| Exchange | Amount | User Outcome | Status |
|---|---|---|---|
| Mt. Gox | 850K BTC | Partial BTC repaid (decade later) | Collapsed / Rehab |
| FTX | ~$8B | Funds frozen | Bankrupt/Fraud |
| Celsius | ~$1.2B | Withdrawals frozen | Bankrupt |
| Bitfinex | $72M | Partial recovery | Survived |
| ByBit ✓ | $1.5B ETH | 100% honored | Recovering |
ByBit survived the largest hack in crypto history, honored every withdrawal, and came back stronger. That's a track record no other exchange can match.
⚠️ Crypto trading involves significant risk. Only trade what you can afford to lose. Affiliate links may earn this site a commission.
ByBitHacked.com is an independent news hub with a single, narrow remit: track the February 2025 ByBit breach, its aftermath, and the exchange's recovery — accurately, transparently, and without corporate spin.
ByBitHacked.com is an independent news hub covering the February 21, 2025 ByBit hack, the ongoing Lazarus Group attribution and recovery effort, and ByBit's post-breach security posture. We publish a living timeline, a crisis-response analysis, a security-architecture breakdown, and weekly-updated news cards, with every factual claim traceable to a named public source.
This site is curated by Dan Navarro, an independent editor and domain investor. Dan also curates related crypto-security and markets coverage at blog.domainerdan.com. Editorial direction, source selection, and factual review are handled by a single human — no ghost "team" voice, no AI-generated opinion pieces.
Every non-trivial claim on this site is sourced from: (1) the FBI's public attribution statement (February 26, 2025); (2) ByBit's official post-incident disclosures and CEO Ben Zhou's live updates on X; (3) ZachXBT's on-chain forensic threads and wallet labelling; (4) Hacken and other third-party audit reports; and (5) mainstream crypto-press reporting from CoinDesk, The Block, Decrypt, and Cointelegraph. We do not republish private DMs, unverified insider claims, or anonymous tips.
ByBitHacked.com uses a ByBit affiliate link for the "Trade on ByBit" CTAs. If you click through and open an account, this site may earn a commission at no cost to you. We disclose this openly in the footer and on the CTA itself. The presence or absence of an affiliate arrangement does not influence editorial content — the site would still cover the hack and recovery the same way if the affiliate programme did not exist.
This site is not affiliated with ByBit Ltd, its executives, or any of its entities. We are not a ByBit PR channel, a customer-support surface, or an official communication of the exchange. For ByBit account issues, use ByBit's official help centre. This site does not provide financial, investment, legal, or tax advice — crypto trading involves substantial risk of loss and you should only trade what you can afford to lose.