ByBit Hack FAQ
Twelve plain-language answers on the February 2025 ByBit hack — the largest crypto exchange theft in history — including what happened, who did it, whether users lost money, and whether ByBit is safe now.
What was the ByBit hack?
On February 21, 2025, ByBit suffered a $1.5 billion cryptocurrency theft — the largest single hack in crypto history. Attackers compromised the signing interface of a third-party wallet (Safe{Wallet}) used for a routine cold wallet transfer, causing ByBit's multi-signature signers to approve a transaction that drained approximately 401,000 ETH to attacker-controlled addresses.
How much was stolen in the ByBit hack?
Approximately 401,000 ETH was stolen, valued at roughly $1.5 billion at the time of the February 21, 2025 breach. This figure makes it the largest single cryptocurrency theft ever recorded, surpassing the 2022 Ronin Bridge hack ($625 million) and the 2021 Poly Network incident ($611 million).
Who hacked ByBit?
The FBI formally attributed the ByBit hack to TraderTraitor, a sub-unit of North Korea's Lazarus Group. On-chain investigator ZachXBT had already traced the funds to Lazarus-linked wallets within hours of the attack, based on transaction patterns consistent with previous North Korean state-sponsored crypto thefts.
When did the ByBit hack happen?
The ByBit hack occurred on February 21, 2025, at approximately 14:30 UTC. ByBit CEO Ben Zhou went live on X within hours to confirm the breach and pledge that all withdrawals would be honored. The FBI's formal attribution to Lazarus Group followed on February 26, 2025.
How did the hackers get in?
The attack was a supply-chain compromise of Safe{Wallet}, a third-party multi-signature wallet interface ByBit used for cold storage operations. The attackers manipulated the signing UI so that when ByBit's signers approved what appeared to be a routine internal transfer, they actually authorized a transaction that sent 401,000 ETH to attacker wallets. The underlying multi-sig cryptography was not broken — the interface presenting transactions to the signers was.
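One defensive check that follows from this, as an added example that is not part of the original FAQ and not ByBit's or Safe{Wallet}'s code: review the raw payload that reaches the signing device on a separate machine and compare it with the intended transfer, instead of trusting what the interface renders. The field names, placeholder addresses, allowlist, and the SHA-256-over-JSON digest (a stand-in for the wallet's real transaction hash) are all assumptions.

```python
import hashlib
import json

# Constructed policy for the example: the only address cold storage may send to.
ALLOWED_DESTINATIONS = {"0xWARM_WALLET_PLACEHOLDER"}

def signing_digest(tx: dict) -> str:
    """Digest over the fields that get signed. SHA-256 of canonical JSON is a
    stand-in for the wallet's real transaction hash (assumption)."""
    encoded = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def review_payload(intended: dict, raw_payload: bytes) -> list:
    """Run on a machine that does not share the signing UI's code path.
    Returns the reasons to refuse; an empty list means the payload matches."""
    payload = json.loads(raw_payload)
    findings = []
    if signing_digest(payload) != signing_digest(intended):
        # Digests differ, so list each field that does not match the intent.
        for field in sorted(set(intended) | set(payload)):
            if intended.get(field) != payload.get(field):
                findings.append(f"{field}: expected {intended.get(field)!r}, "
                                f"payload has {payload.get(field)!r}")
    if payload.get("to") not in ALLOWED_DESTINATIONS:
        findings.append("destination is not on the allowlist")
    return findings

# Constructed sample data: what the operations team meant to approve ...
INTENDED = {"to": "0xWARM_WALLET_PLACEHOLDER", "value_eth": 1000, "data": ""}
# ... and two raw payloads as they would reach the signing device.
HONEST_PAYLOAD = json.dumps(INTENDED).encode()
ALTERED_PAYLOAD = json.dumps(
    {"to": "0xUNKNOWN_PLACEHOLDER", "value_eth": 401000, "data": ""}
).encode()

if __name__ == "__main__":
    print(review_payload(INTENDED, HONEST_PAYLOAD))
    for reason in review_payload(INTENDED, ALTERED_PAYLOAD):
        print("REFUSE:", reason)
```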
Did ByBit users lose money?
No ByBit user lost funds as a result of the hack. ByBit honored 100% of withdrawal requests in the days following the breach, using a combination of its own reserves and emergency bridge loans from industry partners to cover the $1.5 billion shortfall. No withdrawal freezes, gates, or delays were imposed on customer accounts.
Is ByBit safe now?
ByBit completed a comprehensive security overhaul following the February 2025 hack, including a new cold wallet architecture with air-gapped signing, enhanced multi-signature protocols with independent key holders and time-locked large transfers, third-party security audits by firms including Hacken, and real-time Proof of Reserves showing 1:1 asset backing. No exchange is risk-free, but ByBit's current security posture is materially stronger than before the breach.
Has ByBit recovered the stolen funds?
A portion of the stolen funds has been frozen at cooperating exchanges and in on-chain traps, but the majority remains in Lazarus Group-controlled wallets and is being laundered through mixers, cross-chain bridges, and OTC desks. ByBit launched a $140 million bounty program for recovery assistance, and international law enforcement coordination is ongoing. Full recovery is unlikely based on historical outcomes of North Korean crypto thefts.
What is the $140M ByBit bounty?
ByBit launched one of the largest recovery bounty programs in crypto history, offering up to $140 million for actionable intelligence leading to the recovery of stolen funds. The program is coordinated with blockchain analytics firms, on-chain investigators, and law enforcement agencies. Payouts are tiered based on the amount of funds recovered or frozen as a direct result of the submitted intelligence.
How does ByBit's Proof of Reserves work?
ByBit publishes real-time Proof of Reserves using a Merkle tree methodology, allowing any user to cryptographically verify that their account balance is included in the exchange's published reserves. Third-party auditors (including Hacken) verify that the reserves shown on-chain match the liabilities to customers. Reserves are updated continuously and audited on a recurring schedule.
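How a user-side Merkle inclusion check works in general, as an added example that is not part of the original FAQ and not ByBit's implementation: the leaf encoding, SHA-256, the leaf/node prefix bytes, the promotion of an unpaired node, and the sample accounts are assumptions chosen for illustration.

```python
import hashlib
import hmac

def _h(prefix: bytes, data: bytes) -> bytes:
    # Separate prefixes keep a leaf from being reinterpreted as an inner node.
    return hashlib.sha256(prefix + data).digest()

def leaf_hash(account_id: str, balance: int) -> bytes:
    return _h(b"\x00", f"{account_id}:{balance}".encode())

def build_levels(leaves: list) -> list:
    """Exchange side: every tree level, from the leaves up to the root."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [_h(b"\x01", cur[i] + cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # unpaired node is promoted, not duplicated
        levels.append(nxt)
    return levels

def make_proof(levels: list, index: int) -> list:
    """Exchange side: sibling hashes a user needs, as (hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling on this level
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(account_id: str, balance: int, proof: list, root: bytes) -> bool:
    """User side: recompute the path from the user's own balance to the root."""
    node = leaf_hash(account_id, balance)
    for sibling, sibling_is_left in proof:
        node = _h(b"\x01", sibling + node) if sibling_is_left else _h(b"\x01", node + sibling)
    return hmac.compare_digest(node, root)

# Constructed sample liabilities (account id, balance in smallest units).
ACCOUNTS = [("acct-a", 500), ("acct-b", 1200), ("acct-c", 75), ("acct-d", 0), ("acct-e", 9000)]
LEVELS = build_levels([leaf_hash(a, b) for a, b in ACCOUNTS])
ROOT = LEVELS[-1][0]  # the value that would be published

if __name__ == "__main__":
    proof = make_proof(LEVELS, 4)
    print(verify_inclusion("acct-e", 9000, proof, ROOT))  # own balance
    print(verify_inclusion("acct-e", 8999, proof, ROOT))  # altered balance
```

A passing check shows only that the balance is counted under the published root; matching the reserves to those liabilities is the auditors' step described above.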
Why is ByBit still operating after such a big hack?
Unlike Mt. Gox, FTX, Celsius, or other collapsed exchanges, ByBit maintained solvency throughout the breach. The $1.5 billion loss was covered by existing reserves and emergency financing within hours. ByBit's decision to honor every withdrawal, communicate transparently from the CEO level, and publish verified Proof of Reserves preserved user confidence. Trading volumes recovered to approximately 92% of pre-hack levels within four months.
Should I use ByBit after the hack?
That decision depends on your own risk tolerance and due diligence. What's factually true: ByBit lost $1.5 billion and paid every user back in full, implemented a comprehensive security overhaul, now publishes verified Proof of Reserves, and has returned to near-normal trading volumes. Every centralized exchange carries platform risk — regulatory, operational, and security — and crypto trading involves substantial loss potential regardless of which platform you use.