The Bybit Hack: $1.5 Billion Stolen and What It Means for Exchange Security
In February 2025, hackers stole approximately $1.5 billion from Bybit, a Dubai-based cryptocurrency exchange. It was the largest single exchange hack in crypto history, surpassing every previous incident including Mt. Gox, Ronin Bridge, and Poly Network.
The attack demonstrated that even major, well-funded exchanges remain vulnerable to sophisticated state-sponsored intrusion. For traders, it reinforced a core lesson: exchange custody is always a risk position, not a safe harbor.
What Happened
The attack targeted Bybit’s Ethereum cold wallet infrastructure during a routine transfer process. The hackers exploited a vulnerability in the signing workflow to redirect funds during what appeared to be a standard internal operation.
Key details:
- approximately $1.5 billion in Ethereum and related tokens was drained
- the attack exploited the transaction signing process, not a smart contract flaw
- funds were rapidly dispersed across multiple wallets and mixing services
- blockchain analysts traced the operation to the Lazarus Group, a North Korean state-sponsored hacking unit
The speed and precision of the attack indicated extensive pre-planning and deep knowledge of Bybit’s operational procedures.
The North Korean Connection
The Bybit hack was attributed to North Korea’s Lazarus Group, which has become the most prolific state-sponsored crypto theft operation in the world.
In 2025 alone, North Korean hackers stole $2.02 billion in cryptocurrency, a 51% increase year-over-year. Their cumulative total now exceeds $6.75 billion.
These operations fund the North Korean government’s weapons programs, making crypto exchange security a matter of international security policy, not just individual platform risk.
The Lazarus Group’s methodology includes:
- long-term infiltration of target organizations
- social engineering of employees through fake job offers and compromised communication channels
- exploitation of multi-signature and custody transfer workflows
- rapid laundering through mixers, bridges, and chain-hopping
How Bybit Responded
Bybit’s response included:
- public disclosure within hours of the incident
- coordination with blockchain analytics firms to trace stolen funds
- maintaining withdrawal operations for users (a critical trust signal)
- working with law enforcement and international agencies
The fact that Bybit continued to process user withdrawals distinguished this incident from historical failures like Mt. Gox and FTX, where user funds became inaccessible during crisis periods.
However, the core damage was done: $1.5 billion was stolen, and recovery of the majority of those funds remains uncertain.
What This Means for Traders
1. Exchange Custody Does Not Equal Cold Storage Safety
Many traders assume that funds held on a major exchange are “safe enough.” The Bybit hack shows that even cold wallet infrastructure can be compromised when the signing and transfer processes around it are vulnerable.
Cold storage is only as secure as:
- the people who manage the signing keys
- the operational procedures for moving funds
- the security of the systems used in the approval chain
- the ability to detect anomalies during routine operations
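The "detect anomalies during routine operations" point is where a signing workflow is most often defended. The following is an added example, not code from the article, from Bybit, or from any custody product: an independent check that each signer can run against the raw payload it is asked to sign, comparing it with the transfer the operations team actually approved and with a destination allowlist and per-transfer ceiling. The payload layout, addresses, amounts, allowlist and ceiling are constructed assumptions; the only real constant is the standard ERC-20 transfer(address,uint256) selector.

```python
"""Independent pre-signing check for a custody transfer (constructed example).

Each signer runs this against the raw payload it is asked to sign and against the
transfer request that operations actually approved. Any mismatch is an anomaly and
the signer refuses. Addresses, amounts and the allowlist below are made up.
"""
from dataclasses import dataclass

ERC20_TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")


@dataclass(frozen=True)
class TransferIntent:
    chain_id: int
    token: str        # "ETH" for the native asset, else the ERC-20 contract address
    to: str           # recipient the operators approved
    amount_wei: int   # amount in the token's smallest unit


def norm(addr: str) -> str:
    """Lowercase hex so comparisons ignore checksum casing."""
    return addr.lower()


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) from transfer(address,uint256) calldata, else None."""
    hexdata = data[2:] if data.startswith("0x") else data
    if len(hexdata) != 8 + 64 + 64 or hexdata[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    to = "0x" + hexdata[8 + 24: 8 + 64]   # the address is the low 20 bytes of word 1
    amount = int(hexdata[8 + 64:], 16)
    return norm(to), amount


def verify_before_signing(payload: dict, approved: TransferIntent,
                          allowlist: set, max_amount_wei: int) -> list:
    """Compare what we are asked to sign with what was approved; return anomalies."""
    problems = []
    if payload.get("chainId") != approved.chain_id:
        problems.append("chain id differs from approved request")
    if approved.token == "ETH":
        actual_to = norm(payload.get("to", ""))
        actual_amount = int(payload.get("value", 0))
        if payload.get("data", "0x") not in ("", "0x"):
            problems.append("native transfer carries unexpected calldata")
    else:
        if norm(payload.get("to", "")) != norm(approved.token):
            problems.append("call target is not the approved token contract")
        if int(payload.get("value", 0)) != 0:
            problems.append("token transfer must not send native value")
        decoded = decode_erc20_transfer(payload.get("data", "0x"))
        if decoded is None:
            problems.append("calldata is not a plain ERC-20 transfer")
            return problems
        actual_to, actual_amount = decoded
    if actual_to != norm(approved.to):
        problems.append(f"recipient {actual_to} differs from approved {norm(approved.to)}")
    if actual_amount != approved.amount_wei:
        problems.append(f"amount {actual_amount} differs from approved {approved.amount_wei}")
    if actual_to not in {norm(a) for a in allowlist}:
        problems.append("recipient is not on the destination allowlist")
    if actual_amount > max_amount_wei:
        problems.append("amount exceeds single-transfer ceiling")
    return problems


def encode_erc20_transfer(to: str, amount: int) -> str:
    """Build transfer(address,uint256) calldata for the sample payloads below."""
    return "0x" + ERC20_TRANSFER_SELECTOR + norm(to)[2:].rjust(64, "0") + format(amount, "064x")


# Constructed sample: operations approved moving 1,000 units of a made-up ERC-20
# from the cold wallet to a known hot-wallet address.
TOKEN = "0x" + "11" * 20
HOT_WALLET = "0x" + "22" * 20
UNEXPECTED = "0x" + "33" * 20   # made-up address standing in for an unapproved destination
APPROVED = TransferIntent(chain_id=1, token=TOKEN, to=HOT_WALLET, amount_wei=1000 * 10**18)
ALLOWLIST = {HOT_WALLET}
CEILING = 5000 * 10**18

HONEST = {"chainId": 1, "to": TOKEN, "value": 0,
          "data": encode_erc20_transfer(HOT_WALLET, 1000 * 10**18)}
TAMPERED = {"chainId": 1, "to": TOKEN, "value": 0,
            "data": encode_erc20_transfer(UNEXPECTED, 1000 * 10**18)}
# A native-ETH approval whose payload carries calldata it should not have.
ETH_APPROVED = TransferIntent(chain_id=1, token="ETH", to=HOT_WALLET, amount_wei=5 * 10**18)
ETH_ODD = {"chainId": 1, "to": HOT_WALLET, "value": 5 * 10**18, "data": "0xdeadbeef"}

if __name__ == "__main__":
    print("honest:", verify_before_signing(HONEST, APPROVED, ALLOWLIST, CEILING))
    print("tampered:", verify_before_signing(TAMPERED, APPROVED, ALLOWLIST, CEILING))
    print("eth with calldata:", verify_before_signing(ETH_ODD, ETH_APPROVED, ALLOWLIST, CEILING))
```

The design point is that the check decodes the raw calldata rather than trusting whatever summary a signing interface displays; the approved intent and the allowlist live on the signer's side, so a compromised workstation or web front end cannot change both the payload and the reference it is compared against.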
2. Size Does Not Equal Security
Bybit was one of the top five global exchanges by volume. It had significant security investment and infrastructure. The attack succeeded anyway because state-sponsored adversaries operate with resources and patience that exceed normal threat models.
If a $1.5 billion attack can succeed against a top exchange, no platform is guaranteed safe.
3. Diversification Includes Custody
The same way traders diversify across assets and strategies, custody should be diversified:
- keep only active trading capital on exchanges
- use hardware wallets for longer-term holdings
- consider multiple exchanges if active trading requires centralized access
- maintain independent records of all balances and transfer history
4. Withdrawal Testing Remains Essential
Regularly withdraw small amounts from any exchange you use. This tests:
- the platform’s operational health
- whether your withdrawal process works without friction
- your own readiness to move funds if needed urgently
If withdrawal mechanics change unexpectedly, treat it as a signal to reduce exposure.
The Broader 2025 Security Picture
The Bybit hack was not an isolated event. In 2025, the cryptocurrency industry lost over $3.4 billion to hacks and exploits:
- State-sponsored actors accounted for the majority of total value stolen
- DeFi protocols continued to experience smart contract exploits and bridge vulnerabilities
- Social engineering became the primary initial access method, surpassing technical exploits
- Supply chain attacks targeted wallet software and infrastructure dependencies
Attacker capability is growing even as defensive practices improve, so the overall security environment is getting worse, not better.
Practical Security Controls for 2026
For Active Traders
- Enable all available security features: hardware 2FA, whitelisted withdrawal addresses, anti-phishing codes
- Use a dedicated email address for exchange accounts, separate from personal email
- Do not click links in emails or messages claiming to be from exchanges; navigate directly
- Review authorized sessions and API keys regularly
- Set up withdrawal address whitelisting with mandatory time delays
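Withdrawal address whitelisting with a mandatory delay is the one control in this list that has a simple, checkable mechanism. The model below is an added example, not code from the article or from any exchange: a newly added destination cannot receive withdrawals until a fixed delay has elapsed, so someone who gains account access cannot immediately redirect funds to an address of their choosing, and the account owner has a window in which to notice the unfamiliar address and revoke it. The delay length, timestamps and addresses are constructed.

```python
"""Withdrawal address allowlist with a mandatory activation delay (constructed example).

Models the control an exchange or custody system exposes to its users: a destination
added now becomes usable only after `activation_delay` seconds, revocation is immediate,
and every change is logged for review. Times are Unix seconds.
"""
from dataclasses import dataclass, field


@dataclass
class WithdrawalAllowlist:
    activation_delay: int                            # seconds a new address must wait
    entries: dict = field(default_factory=dict)      # address -> time it becomes usable
    audit_log: list = field(default_factory=list)    # (time, event, address) for review

    def add(self, address: str, now: int) -> int:
        """Register a destination; returns the time at which it becomes usable."""
        addr = address.lower()
        if addr in self.entries:
            return self.entries[addr]   # re-adding never shortens an existing wait
        self.entries[addr] = now + self.activation_delay
        self.audit_log.append((now, "add", addr))
        return self.entries[addr]

    def revoke(self, address: str, now: int) -> None:
        """Removal takes effect immediately: blocking is the safe direction."""
        addr = address.lower()
        if self.entries.pop(addr, None) is not None:
            self.audit_log.append((now, "revoke", addr))

    def pending(self, now: int) -> list:
        """Addresses added but not yet active: the ones the owner should review."""
        return sorted(a for a, t in self.entries.items() if t > now)

    def check_withdrawal(self, address: str, now: int) -> str:
        """Decide whether a withdrawal to `address` may proceed at time `now`."""
        addr = address.lower()
        active_at = self.entries.get(addr)
        if active_at is None:
            return "rejected: destination not on allowlist"
        if now < active_at:
            return f"rejected: destination activates in {active_at - now}s"
        return "allowed"


# Constructed sample values.
DELAY = 24 * 3600                # 24-hour activation delay
T0 = 1_700_000_000               # arbitrary reference timestamp
EXISTING = "0x" + "aa" * 20      # long-standing destination
NEW = "0x" + "bb" * 20           # address added during a session the owner did not start


def demo() -> dict:
    """Walk through the control's behaviour and return each decision."""
    wl = WithdrawalAllowlist(activation_delay=DELAY)
    wl.add(EXISTING, T0 - 30 * 24 * 3600)    # added a month ago, long since active
    wl.add(NEW, T0)                          # added just now
    out = {
        "existing_now": wl.check_withdrawal(EXISTING, T0),
        "new_after_1h": wl.check_withdrawal(NEW, T0 + 3600),
        "pending_at_1h": wl.pending(T0 + 3600),
        "readd_keeps_wait": wl.add(NEW, T0 + 3600) == T0 + DELAY,
    }
    wl.revoke(NEW, T0 + 7200)                # owner reviews pending entries and revokes
    out["new_after_delay_but_revoked"] = wl.check_withdrawal(NEW, T0 + DELAY)
    out["audit_log"] = list(wl.audit_log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two choices matter for the control to hold: adding an address a second time must not reset or shorten its wait, and revocation must take effect at once, because the cost of wrongly blocking a withdrawal is a delay while the cost of wrongly allowing one is the funds.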
For Longer-Term Holders
- Move assets to self-custody hardware wallets (Ledger, Trezor, or equivalent)
- Store seed phrases offline in multiple secure locations
- Never enter seed phrases digitally or store them in cloud services
- Consider multi-signature setups for large holdings
- Maintain a documented recovery procedure that a trusted person could execute
For Everyone
- Monitor official exchange communications during any security incident
- Do not rely on social media for security updates during crises
- Have a plan for rapid withdrawal if an incident is reported
- Accept that exchange custody always carries counterparty risk
Comparison with Previous Exchange Failures
| Incident | Year | Loss | User Access |
|---|---|---|---|
| Mt. Gox | 2014 | ~$470M | Halted, bankruptcy |
| QuadrigaCX | 2019 | ~$190M | Halted, insolvency |
| FTX | 2022 | ~$8B+ | Halted, bankruptcy |
| Bybit | 2025 | ~$1.5B | Maintained |
Bybit’s ability to maintain operations matters, but the fundamental vulnerability — centralized custody attracting sophisticated attackers — remains unchanged.
Final Takeaway
The Bybit hack proved that no exchange is too large or too secure to be compromised. State-sponsored hackers with unlimited patience and resources will continue targeting centralized crypto infrastructure.
For traders, the lesson is operational: treat every exchange as a temporary vehicle for active trading, not a permanent storage solution. Custody risk is real, measurable, and your responsibility to manage.
Self-custody for assets you are not actively trading is not paranoia. After Bybit, it is basic risk management.