Bybit Hack 2025 Explained: A Guide to What Went Wrong

BE[IN]CRYPTO
27 Feb

The Bybit hack has sent shockwaves through the crypto space in 2025. The $1.5 billion security breach is now one of the biggest crypto exchange hacks in history. Hackers exploited a wallet vulnerability, draining Ethereum (ETH) and leaving traders asking what went wrong. So, could this have been prevented? And most importantly, are customer funds safe? Let’s break down exactly what happened, how Bybit has responded, and what this means for the crypto market moving forward.

KEY TAKEAWAYS

• The 2025 Bybit hack exploited transaction signing flaws, leading to a $1.5B loss.
• Hackers used cross-chain bridges and mixers to launder stolen funds.
• Third-party security flaws, like Safe{Wallet}’s AWS breach, can compromise exchanges.

In this guide:
  • What was the Bybit hack 2025?
  • How did the Bybit hack happen?
  • What caused the Bybit hack of 2025?
  • Who was behind the Bybit hack of 2025?
  • What was Bybit’s response?
  • How much has been recovered?
  • What does the Bybit hack change for crypto?
  • Frequently asked questions

            What was the Bybit hack 2025?

            The Bybit hack was a highly coordinated attack that resulted in $1.5 billion in Ethereum (ETH) being drained from the platform. Investigations suggest that hackers exploited a single-signing transaction vulnerability, allowing them to bypass wallet security and execute unauthorized withdrawals.

THE BYBIT HACK WAS THE LARGEST FINANCIAL HEIST IN HISTORY. Bybit sustained losses of $1.4 Billion at the time of the hack, 21st Feb 2025. The closest competitor is the theft from the Central Bank of Iraq, which lost $1 Billion on 18th March 2003. pic.twitter.com/OzAcWFUXPL

            — Arkham (@arkham) February 24, 2025

            How did the Bybit hack happen?

            Blockchain security firms analyzing the Bybit hack have pointed to a flaw in the wallet signing process, which may have been the key entry point for attackers. Here’s how it might have played out:

• A transaction signing exploit started it all: attackers took advantage of a single-signing transaction vulnerability, which allowed them to authorize multiple withdrawals using one “single” approval.
• A cold wallet compromise followed. Unlike most crypto hacks, which target hot wallets, this attack appears to have affected Bybit’s cold storage, raising concerns about deeper security loopholes.
• All of this was paired with phishing and social engineering. The attackers may have gained access to internal credentials through phishing scams targeting Bybit employees. All of that, however, was part of the early hypothesis; Bybit has since identified the primary cause (more on that later).

E110: Bybit's Hack EMERGENCY EPISODE: How @Bybit_Official survived the biggest Crypto Theft of all time! I sat down with @benbybit, the CoFounder & CEO of Bybit, just 72 hours after the largest heist ever in history affected his company. Ben opens up on what exactly happened… pic.twitter.com/FvuCZb3I6f

            — MR SHIFT 🦁 (@KevinWSHPod) February 26, 2025

            What is a single-signing transaction vulnerability?

            At its core, this vulnerability allows a single transaction approval to be reused or manipulated, leading to unauthorized withdrawals. Let us try to understand it in parts:

            • Smart contract signing flaw – When funds are moved from a cold wallet to a hot wallet, the system generates an approval signature to verify the transaction.
            • Exploiting the approval process – Attackers intercepted this signature and used it to trigger multiple unauthorized transactions.
            • Draining funds in seconds – Since the system treated these as approved transactions, the attackers could move Ethereum (ETH) out of Bybit’s reserves without triggering immediate alarms.

            Imagine signing a blank check for a trusted friend. But instead of withdrawing the agreed amount, they photocopy your signature and cash out your entire bank account. That’s what happened here; the hackers intercepted a valid signature and reused it to drain Bybit’s funds.

            Were there other security loopholes?

While the single-signing transaction flaw appears to be the main exploit, other potential issues include phishing attacks, smart contract vulnerabilities, and, of course, the delayed detection of the attack.

            Did you know? The Bybit hack 2025 was first detected by on-chain investigator ZachXBT, who observed significant fund outflows from Bybit’s platform on Feb. 21, 2025. Shortly thereafter, blockchain security firms SlowMist and PeckShield confirmed the breach, noting that Bybit was experiencing unprecedented fund withdrawals.

Those were the initial findings; since then, new information has surfaced about the root cause of the 2025 Bybit hack.

            What caused the Bybit hack of 2025?

Contrary to initial fears of an internal security failure, forensic investigations have pointed to a breach in Safe{Wallet}, a third-party wallet infrastructure that Bybit used for multi-signature transactions.

Bybit Hack Forensics Report. As promised, here are the preliminary reports of the hack conducted by @sygnia_labs and @Verichains. Screenshotted the conclusion and here is the link to the full report: https://t.co/3hcqkXLN5U pic.twitter.com/tlZK2B3jIW

            — Ben Zhou (@benbybit) February 26, 2025

            What is Safe{Wallet}?

Think of Safe{Wallet} as a smart contract-powered vault designed to keep transactions secure using multi-signature approvals. Its web front end, the JavaScript that builds transactions and presents them for signing, is hosted in AWS S3 and loaded from the cloud. Sounds efficient, right? Well, that’s also where things went south.

            Hackers found a way to inject malicious JavaScript into Safe{Wallet}’s AWS S3 bucket, silently tweaking transactions in real time. So, while Bybit’s core security wasn’t technically “hacked,” the tool it used for approving and executing transactions was manipulated. Basically, Bybit signed off on transfers, but the hackers rewrote the final destination without anyone noticing.

TLDR: one SAFE dev had control over the frontend. That dev was hacked and then the attacker inserted malicious code into Safe frontend with the devs credentials. The malicious code was designed to hack specifically Bybit's wallet, they were waiting for the big fish. ALL companies… https://t.co/DfzI6gmOrf

            — pablito.eth 🦇🔊 ♢ (@PabloSabbatella) February 26, 2025

            How did the attack happen?

During a routine ETH transfer from a cold wallet to a warm wallet, the malicious script embedded in Safe{Wallet}’s JavaScript modified the transaction details as the transfer was being signed.

            Imagine paying at a store where the cashier quietly swaps out the payment terminal, redirecting your money elsewhere while making it seem like the transaction was legitimate.

            That’s exactly what happened here — Bybit’s signers approved the transaction, believing it was secure, but the modified Safe{Wallet} script quietly changed the recipient address to the attacker’s.

            Bybit hack reports: X

            Real-time transaction hijacking

            The JavaScript injection was designed to trigger only when transactions originated from specific addresses — Bybit’s cold wallet contract and another unknown address (likely a test address used by the attackers). This meant:

            • If a normal user interacted with Safe{Wallet}, nothing suspicious happened.
            • When Bybit processed a high-value transfer, the script altered the destination wallet just before execution.

            Because the transaction was still cryptographically signed by Bybit’s authorized wallets, there was no immediate red flag; it looked completely legitimate on the blockchain.
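The defensive lesson of this section is that the signature was valid but the thing being signed was not what the signers thought it was. The following is an added illustration of an independent pre-signing check, written for this guide; it is not Bybit’s or Safe{Wallet}’s code. The signer records the intent of the transfer out of band (for example from the operations ticket) and compares it field by field against the payload the wallet front end hands over for signing, so a swapped recipient shows up as a discrepancy before any signature is produced. All addresses are constructed placeholders, and the `SafeTx` fields mirror the general shape of a Safe-style multi-sig transaction rather than any specific payload from the incident.

```python
"""Independent pre-signing check for a multi-sig transfer (added example).

The signer records the *intent* of a transfer out of band and compares it
field by field against the payload the wallet front end presents for
signing. A front end that swaps the recipient then produces a visible
discrepancy even though the signature it would obtain is perfectly valid.
All addresses below are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed allowlist: the only destinations treasury funds may move to
# (in practice the exchange's own warm/hot wallets), kept outside the front end.
KNOWN_WARM_WALLETS = {
    "0x" + "ab" * 20,
    "0x" + "cd" * 20,
}


@dataclass(frozen=True)
class SafeTx:
    """The fields a Safe-style multi-sig signer actually commits to."""
    to: str
    value_wei: int
    data: str = "0x"     # calldata; "0x" means a plain native-token transfer
    operation: int = 0   # 0 = CALL, 1 = DELEGATECALL
    nonce: int = 0


def norm_addr(addr: str) -> str:
    """Lower-case the hex so checksum casing cannot disguise a mismatch."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42
            and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"malformed address: {addr!r}")
    return a


def verify_before_signing(intent: SafeTx, proposed: SafeTx,
                          allowlist=KNOWN_WARM_WALLETS) -> list:
    """Return the discrepancies between the recorded intent and the payload.

    An empty list means the payload matches what the operator meant to sign;
    anything else should stop the signing ceremony."""
    problems = []
    want_to, got_to = norm_addr(intent.to), norm_addr(proposed.to)
    if want_to != got_to:
        problems.append(f"recipient changed: expected {intent.to}, got {proposed.to}")
    if got_to not in {norm_addr(a) for a in allowlist}:
        problems.append(f"recipient {proposed.to} is not an allowlisted destination")
    if intent.value_wei != proposed.value_wei:
        problems.append(f"value changed: expected {intent.value_wei}, got {proposed.value_wei}")
    if intent.data.lower() != proposed.data.lower():
        problems.append("calldata differs from the recorded intent")
    if intent.operation != proposed.operation:
        problems.append(f"operation changed: expected {intent.operation}, got {proposed.operation}")
    if intent.nonce != proposed.nonce:
        problems.append(f"nonce changed: expected {intent.nonce}, got {proposed.nonce}")
    return problems


# Constructed scenario: move 1 ETH from cold storage to warm wallet #1.
INTENT = SafeTx(to="0x" + "ab" * 20, value_wei=10**18, nonce=42)

# What an honest front end presents: same address, checksum-style casing.
HONEST_PAYLOAD = SafeTx(to="0x" + "AB" * 20, value_wei=10**18, nonce=42)

# What a tampered front end presents: same value and nonce, different
# recipient (constructed placeholder for an attacker-controlled address).
TAMPERED_PAYLOAD = SafeTx(to="0x" + "9" * 40, value_wei=10**18, nonce=42)

if __name__ == "__main__":
    print("honest  :", verify_before_signing(INTENT, HONEST_PAYLOAD) or "OK to sign")
    print("tampered:", verify_before_signing(INTENT, TAMPERED_PAYLOAD))
```

The design point is that the intent and the allowlist live somewhere the front end cannot touch, so the comparison stays meaningful even when the UI is the component that has been compromised; the check is in addition to, not instead of, reading the transaction on the hardware wallet’s own display.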

            Not a typical exchange hack

            Most crypto exchange hacks like Mt. Gox (2014) or Coincheck (2018) involved private key leaks or direct breaches of exchange wallets. Those are like burglars breaking into a bank vault.

            The Bybit hack 2025, however, was different; it was an infrastructure-level attack. Instead of stealing private keys, the hackers manipulated the transaction signing process itself, meaning:

            • Bybit’s actual wallet security was not breached.
            • The hack exploited a tool used in signing transactions instead of the storage of assets themselves.

Bybit hack is the largest: X

            Why this matters for crypto security

            This hack exposes a serious security flaw; even if an exchange locks down its own systems, third-party integrations can become weak points.

Safe{Wallet} wasn’t built to be a hacker’s playground, but its dependence on JavaScript files served from AWS S3 turned out to be the weak link. No one expected attackers to slip malicious code in at the infrastructure level, but they did, quietly rewriting transactions right before execution.

            This whole mess is a wake-up call: crypto platforms can’t just trust third-party tools without constant security audits, independent transaction checks, and tighter multi-signature protections. If hackers can hijack the signing process itself, even the best wallet security means nothing.

            Even in a multi-sig setup, as this hack proves, if the signers are unknowingly approving fraudulent transactions, security measures become futile.

            Who was behind the Bybit hack of 2025?

            The Bybit hack 2025 has been attributed to the notorious Lazarus Group, a North Korean state-sponsored hacking collective infamous for orchestrating some of the largest cryptocurrency heists in history. This group has been linked to multiple high-profile cybercrimes, including the recent Phemex hack, where approximately $85 million was stolen. 

            JUST IN: 🇺🇸🇰🇵 FBI confirms North Korea is responsible for the $1.5 billion Bybit crypto hack. pic.twitter.com/64kxdBTN4Q

            — Watcher.Guru (@WatcherGuru) February 27, 2025

How did they pull it off?

            Lazarus Group didn’t just hack and grab. Instead, they executed a surgical strike on Bybit’s transaction approval process. By sneaking into the Safe{Wallet} system, they silently rerouted funds during legitimate transfers. 

            The result? 401,000 ETH vanished before anyone could blink, a $1.5 billion disaster.

            BREAKING: FBI SAYS NORTH KOREA RESPONSIBLE FOR $1.5 BILLION @Bybit_Official HACK – "ENCOURAGES PRIVATE SECTOR ENTITIES… TO BLOCK TRANSACTIONS WITH OR DERIVED FROM ADDRESSES TRADERTRAITOR ACTORS ARE USING TO LAUNDER THE STOLEN ASSETS" pic.twitter.com/d8syGKPguv

            — DEGEN NEWS (@DegenerateNews) February 27, 2025

            How the hackers cleaned the money

            Stealing crypto is easy. Spending it without getting caught is the real challenge. Lazarus followed their usual laundering playbook:

• Centralized mixers
• Cross-chain bridges
• Obscure exchanges
• Funneling funds through low-KYC platforms that don’t ask too many questions

            Same old tricks, just with a bigger bag this time. Want a deep dive? Check this breakdown:

@zachxbt revealed that #Lazarus Group transferred 5K ETH from the #BybitHack Hack to a new address and began laundering funds via eXch (a centralized mixer) and bridging funds to Bitcoin via Chainflip. Well, some quick info about how the entire thing might be working👇 Step 1… pic.twitter.com/0PaR7Yze3z

            — charlie0.eth (@A_B_boying) February 22, 2025

The Bybit hack 2025 wasn’t just a simple Ethereum theft; it was a sophisticated heist involving multiple assets beyond regular ETH. The attackers stole 401,347 ETH (~$1.4 billion), 90,376 stETH (Lido’s staked Ethereum), cmETH and mETH tokens (liquid-staked ETH from Mantle and other protocols), and $100,000 USDT (later frozen by Tether).

            This mix of assets made laundering trickier, as staked assets can’t be easily liquidated without detection. This forced the attackers to rely on bridges, mixers, and centralized exchanges — a move that made them more traceable.

            What was Bybit’s response?

            Bybit acted swiftly after the breach, implementing a multi-layered response plan.

            Immediate actions

            • Funds were secured & 1:1 asset backing assurance was given to the users.
            • There was a security overhaul led by the strengthening of multi-sig wallets, monitoring tools, and API security.
            • The exchange launched a 10% recovery bounty for white-hat hackers, amounting to $140mn+.
            • Bybit froze orders & initiated fund tracking with partners like Chainalysis, Arkham, and more. 

            LazarusBounty.com – A new weapon against crypto crime

            In a groundbreaking move, Bybit launched LazarusBounty.com, an industry-first bounty aggregator targeting North Korea’s Lazarus Group.

            What makes it different?

            • Bounty hunters can earn instantly 
            • Exchanges & mixers are incentivized to act 
            • Good vs. bad actor rankings
            • Live wallet data for investigators

            How could LazarusBounty improve?

            Our suggestions to tighten this service include:

            1. Introducing a “Hot Wallet Defense” network

            Right now, LazarusBounty is reactive, tracking stolen funds after the fact. Bybit could pivot to proactively securing exchanges’ hot wallets before an attack happens.

            This could be done via a decentralized honeypot system, where exchanges integrate real-time tracking scripts that flag suspicious transactions before they settle on-chain.

            2. Involve regulators with real-time alerts

            Bybit could add a regulatory dashboard, notifying law enforcement agencies immediately when Lazarus-linked funds move.

            The current issue is that exchanges often freeze assets too late. A direct link to Interpol, OFAC, or FATF could speed up action.

            3. Open bounties on wallet movements

            Right now, the bounty is tied to fund freezes. But what if bounty hunters could track and claim specific wallets? Bybit could allow users to “claim” a wallet; if it moves, they receive a reward for tracking the laundering path.

            4. Public blacklist API for exchanges

            Exchanges don’t always act fast because they lack real-time wallet tracking. Solution? A live API that instantly updates high-risk wallets, forcing exchanges to act before funds disappear into mixers.

            How much has been recovered?

            As of late February 2025, $42.8 million of the stolen assets from the Bybit hack 2025 have been frozen or recovered. Read on for the complete breakdown:

            • Ethereum (ETH): 34 ETH (≈$97,000) was intercepted and frozen by ChangeNOW, stopping the attackers from moving it further.
            • Bitcoin (BTC): 0.38755 BTC (≈$37,000) was blocked on the Avalanche network after hackers bridged it cross-chain.
            • Stablecoins (USDT/USDC): Tether froze 181,000 USDT, while FixedFloat locked down $120,000 in mixed USDT and USDC linked to the stolen funds.
            • Staked Ethereum derivatives: 15,000 ETH was successfully recovered by mETH Protocol before the attackers could withdraw it. This move prevented further liquidation of liquid-staked assets.

            In addition, ongoing blockchain forensics work has identified over 11,000 wallet addresses linked to the laundering of stolen funds, ensuring that exchanges and protocols can blacklist and freeze suspicious activity in real time.

            How were the stolen funds tracked and frozen?

            The recovery of these assets has been made possible through a multi-layered, global effort, combining:

            • Exchange freezes: Platforms like FixedFloat, ChangeNOW, Bitget, and THORChain have identified and frozen deposits linked to the stolen funds.
            • Stablecoin issuer blacklisting: Tether and Circle flagged and froze accounts holding stolen USDT and USDC, preventing the hackers from using these assets.
            • Blockchain intelligence tracking: Forensic teams, including Elliptic, Arkham, Chainalysis, and TRM Labs, have mapped out how the attackers moved their funds, helping exchanges block transactions before they could be cashed out.
            • Bounty programs & community participation: Bybit’s LazarusBounty.com has incentivized independent investigators to track stolen funds, offering 5% bounties for successful freezes and up to 10% for fund recoveries.

Even though a complete recovery remains unlikely, the combination of exchange coordination, real-time analytics, and bounty-driven investigations might prove effective, mostly in limiting the hackers’ ability to cash out their stolen assets.
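The forensic tracking described above, and the “public blacklist API” suggested earlier, both rest on the same operation: starting from the addresses known to hold the stolen funds, walk the transfer graph forward to label every address that received funds derived from them, then have exchanges consult that list before crediting a deposit. The following is an added example written for this guide, not code from Bybit, Chainalysis, Arkham, Elliptic, TRM Labs or any other firm named above. It generalizes the hop-by-hop tracing to an arbitrary transfer log: the address labels, transfers and amounts are constructed toy data standing in for real 20-byte addresses, and the freeze behaviour (taint is not propagated beyond an address where funds were frozen) is a design choice of this example.

```python
"""Tracing stolen funds through hops and screening deposits (added example).

Given a seed set of addresses known to hold stolen funds and a transfer log,
walk the transfer graph breadth-first to label every address that received
funds derived from the seeds, with its hop distance and tainted inflow. An
exchange can then hold, rather than credit, a deposit from a labelled sender.
All addresses, transfers and amounts below are constructed toy data.
"""
from collections import deque

# Constructed transfer log: (sender, recipient, amount). Labels stand in for
# real addresses; a real tool would read these from chain data.
TRANSFERS = [
    ("exploit_wallet", "split_1", 10_000),
    ("exploit_wallet", "split_2", 10_000),
    ("split_1", "bridge_deposit", 10_000),        # bridged to another chain
    ("split_2", "mixer_in", 9_000),               # sent into a mixing service
    ("split_2", "exchange_frozen", 1_000),        # landed at an exchange that froze it
    ("exchange_frozen", "innocent_user", 1_000),  # unrelated payout; must not inherit taint
    ("mixer_in", "cashout_1", 9_000),
    ("unrelated_a", "unrelated_b", 50),
]
SEEDS = {"exploit_wallet"}     # addresses known to hold the stolen funds
FROZEN = {"exchange_frozen"}   # taint stops at a freeze: the funds cannot move on


def trace_taint(seeds, transfers, stop_at=frozenset()):
    """Breadth-first walk from the seeds along transfer edges.

    Returns (hops, inflow): hops[addr] is the shortest hop distance from a
    seed; inflow[addr] is the total amount addr received from tainted senders.
    Addresses in stop_at are labelled, but their outgoing transfers are ignored
    so that a freeze (or an omnibus wallet) does not taint the rest of the world.
    """
    adjacency = {}
    for src, dst, amount in transfers:
        adjacency.setdefault(src, []).append((dst, amount))
    hops = {s: 0 for s in seeds}
    inflow = {}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if addr in stop_at:
            continue
        for dst, amount in adjacency.get(addr, []):
            inflow[dst] = inflow.get(dst, 0) + amount
            if dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    return hops, inflow


def screen_deposit(sender, hops, max_hops=3):
    """Decision an exchange can apply before crediting a deposit from sender."""
    if sender in hops and hops[sender] <= max_hops:
        return "HOLD"   # park the deposit for review / possible freeze
    return "CREDIT"


if __name__ == "__main__":
    hops, inflow = trace_taint(SEEDS, TRANSFERS, stop_at=FROZEN)
    for addr in sorted(hops, key=hops.get):
        print(f"{addr:16} hop={hops[addr]} tainted_inflow={inflow.get(addr, 0)}")
    for sender in ("cashout_1", "innocent_user", "unrelated_b"):
        print(sender, "->", screen_deposit(sender, hops))
```

Two choices matter in practice: the hop cutoff (`max_hops`) bounds how far a label spreads from the source, and the stop set prevents a single frozen or omnibus address from marking every downstream user as suspicious. Real tracing additionally weights by amount and time, but the propagation shown here is the core of the address lists that exchanges consume.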

            What does the Bybit hack change for crypto?

            The Bybit hack of 2025 has proven that even multi-signature wallets and cold storage aren’t safe from infrastructure breaches. As hackers get more creative, exchanges must harden security, audit integrations, and implement real-time fraud detection. The idea is not to trust but “to verify.”

            The future of crypto exchanges depends on proactive defense, industry-wide collaboration, and smarter fund recovery strategies to counteract increasingly sophisticated cyber threats.

            Frequently asked questions

            Was Bybit itself hacked, or was it a third-party vulnerability?

            Not exactly. Bybit’s core systems weren’t directly breached, but the attackers exploited Safe{Wallet}’s AWS S3 bucket, which Bybit used for transaction signing. This allowed them to manipulate multi-signature transactions and redirect funds without raising alarms.

            How much of the stolen crypto has been recovered so far?

As of late February 2025, about $42.8 million has been frozen or recovered through exchange freezes, stablecoin blacklisting, and forensic tracking. While that’s only a fraction of the $1.4 billion stolen, the chase is still on, and more funds could be locked down soon.

            How did the hackers launder the stolen funds?

            They used a mix of cross-chain bridges, mixing services, and decentralized swaps to obfuscate their transactions. They also relied on centralized exchanges that don’t enforce strict KYC policies, making it harder for investigators to track the money trail.

            What’s Bybit doing to prevent future attacks like this?

            Bybit has tightened security, launched LazarusBounty.com to track stolen funds, and is working with blockchain forensics firms and exchanges to freeze illicit transactions in real time. They’ve also revamped their third-party security audits to prevent similar vulnerabilities.
