The ByBit Hack — Full Timeline of February 21, 2025

A minute-by-minute walkthrough of the largest crypto exchange theft in history, from the Safe{Wallet} supply-chain compromise at 14:30 UTC through the FBI's formal Lazarus Group attribution five days later.

Published: February 22, 2025 · Last reviewed: April 23, 2026 · Author: Dan Navarro

What happened, in one paragraph

On Friday, February 21, 2025, at approximately 14:30 UTC, attackers — later identified by the FBI as TraderTraitor, a sub-unit of North Korea's Lazarus Group — executed a supply-chain compromise of Safe{Wallet}, the third-party multi-signature wallet interface ByBit used for cold storage operations. By manipulating the signing UI presented to ByBit's authorized signers during what looked like a routine internal transfer, the attackers caused those signers to approve a transaction that drained approximately 401,000 ETH (~$1.5 billion at the time) to attacker-controlled addresses. ByBit CEO Ben Zhou went live on X within hours to confirm the breach and pledge that all withdrawals would be honored. On-chain investigator ZachXBT had published the first traced addresses before the end of the day. ByBit honored every withdrawal request over the following 48 hours using its own reserves plus emergency bridge loans from industry partners. The FBI issued its formal attribution on February 26, 2025.

Minute-by-minute timeline

Feb 21, 2025 — ~14:30 UTC

Attack executes

Routine ETH cold-wallet transfer initiated on ByBit's end. Safe{Wallet} UI, compromised upstream, presents a transaction that appears legitimate to ByBit's multi-sig signers. Signers approve. Approximately 401,000 ETH moves to attacker-controlled addresses.

Feb 21, 2025 — within minutes

On-chain detection

Unusual outflow from a known ByBit cold wallet is flagged by on-chain monitoring services and by ZachXBT almost simultaneously. Initial Twitter/X posts speculate that ByBit has been hacked; ByBit has not yet confirmed.

Feb 21, 2025 — within ~30 minutes

ByBit internal response begins

ByBit identifies the unauthorized transfer, isolates the affected signing environment, and begins drafting an external disclosure. Withdrawal processing continues throughout — no freeze is imposed.

Feb 21, 2025 — within hours

CEO Ben Zhou goes live on X

Ben Zhou confirms the hack publicly, describes the attack vector at a high level, and pledges that all client funds are safe and all withdrawals will be honored. The transparency and speed of this disclosure — within hours, from the CEO level — is widely noted as unprecedented in crypto crisis-response history.

Feb 21, 2025 — same evening

ZachXBT publishes first on-chain trace

ZachXBT publishes the first public thread tracing the stolen ETH to Lazarus Group-linked wallet clusters, based on transaction patterns consistent with the 2022 Ronin Bridge attack and several other confirmed North Korean thefts. The attribution is probabilistic at this point but strongly supported.

Feb 21–22, 2025

All withdrawals processed

Surge of withdrawal requests overnight. ByBit processes every single one without freezes, gates, or delays — drawing on its own reserves plus emergency bridge loans from industry partners (including reported on-chain assistance from competing exchanges). No user loses access to funds. No withdrawal is reversed.

Feb 22–25, 2025

Investigation broadens

Independent blockchain-analytics firms (Elliptic, TRM Labs, Chainalysis) publish their own attribution analyses, all converging on Lazarus Group. Several cooperating exchanges begin freezing flagged addresses. ByBit launches preliminary bounty outreach to analytics firms.

Feb 26, 2025

FBI attribution: TraderTraitor / Lazarus Group

The FBI Internet Crime Complaint Center (IC3) publishes a formal advisory attributing the hack to TraderTraitor, a sub-unit of North Korea's Lazarus Group, naming specific wallet addresses and asking the industry to block listed deposits. ByBit announces a $140M bounty program for recovery assistance.

March 2025

Security overhaul announced

ByBit announces a full security overhaul: new cold-wallet architecture, enhanced multi-signature protocols, Safe{Wallet} integration suspended pending independent review, a dedicated internal security team, and a program of rolling third-party audits.

April 2025

Proof of Reserves goes live

ByBit publishes real-time, Merkle-tree-verifiable Proof of Reserves showing 1:1 asset backing across all major assets. Hacken and other third-party auditors verify. Trading volume has already begun to recover.

Why this matters

The Feb 21, 2025 ByBit hack is the first time a centralized crypto exchange has lost more than a billion dollars in a single event and kept operating without user losses. Every prior exchange of comparable scale that has been hacked — Mt. Gox, FTX (fraud rather than hack, but similar scale), Celsius, QuadrigaCX — has collapsed, frozen withdrawals, or entered bankruptcy. ByBit's decision to honor every withdrawal in the first 48 hours, using its own balance sheet plus emergency bridge loans, is the variable that defines the post-hack outcome. See the crisis-response analysis for the full breakdown of why.
