On February 21, 2025, Bybit—one of the crypto industry’s most trusted exchanges—suffered a major security breach that shook the digital asset world. This wasn’t just another hack; it was a wake-up call.

Traders suffered sudden losses, security teams scrambled to respond, and users began questioning their asset safety.
Founded in 2018 by Ben Zhou, Bybit was known for its user-friendly platform and strong security measures. Yet the breach exposed a harsh reality: even well-defended platforms remain vulnerable to advanced attacks.
The incident sent shockwaves through the crypto community, underscoring that no system is fully secure.
So, How Did the Bybit Hackers Pull It Off?
Let’s break it down step by step.
Step 1: Infiltrating a Developer’s Computer
The breach began with a single compromised device. Hackers infiltrated a Bybit developer’s computer, likely through a deceptive Docker container disguised as a legitimate project.
According to Mandiant, the method resembled past Lazarus Group attacks—using social engineering to trick developers into installing malware. In this case, the hackers created a convincing scenario, gained access through the corrupted container, and quietly established a backdoor into the system.
Step 2: Breaching the AWS Codebase
Once inside the developer’s machine, the hackers quickly accessed Bybit’s AWS code repository on February 5. While their attempt to register an MFA device failed, they adapted.
Over 12 days, they quietly observed AWS activity, learning how authentication worked. They exploited temporary session tokens—valid for 12 hours—and used a VPN to mask their presence. Instead of forcing access, they blended in seamlessly, operating undetected.
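The behaviours described above (a failed MFA enrollment, temporary session credentials used from a masked location, the same session appearing from more than one network) all leave traces in CloudTrail. The following is an added example, not code from the article or from Bybit or Safe, of detection logic run over a few constructed CloudTrail-style records. The corporate network prefix, user names and access key IDs are invented placeholders; the `ASIA` prefix for temporary credentials, and the `EnableMFADevice`/`CreateVirtualMFADevice` event names, are real AWS conventions.

```javascript
// Added example: defender-side detection over constructed CloudTrail-style events.
// Assumed corporate egress prefix (placeholder); real deployments would load this from config.
const CORP_NETWORKS = ["198.51.100."];
// IAM events that enrol a new MFA device.
const MFA_ENROLLMENT_EVENTS = new Set(["CreateVirtualMFADevice", "EnableMFADevice"]);

// Constructed sample records in the shape of CloudTrail events (not real logs).
const SAMPLE_EVENTS = [
  { eventTime: "2025-02-05T09:14:02Z", eventName: "EnableMFADevice", errorCode: "AccessDenied",
    sourceIPAddress: "203.0.113.40",
    userIdentity: { userName: "dev-alice", accessKeyId: "ASIAEXAMPLEKEY00001" } },
  { eventTime: "2025-02-05T09:20:31Z", eventName: "GetObject", sourceIPAddress: "198.51.100.12",
    userIdentity: { userName: "dev-alice", accessKeyId: "ASIAEXAMPLEKEY00001" } },
  { eventTime: "2025-02-05T13:45:10Z", eventName: "PutObject", sourceIPAddress: "203.0.113.40",
    userIdentity: { userName: "dev-alice", accessKeyId: "ASIAEXAMPLEKEY00001" } },
  { eventTime: "2025-02-06T08:00:00Z", eventName: "ListBuckets", sourceIPAddress: "198.51.100.12",
    userIdentity: { userName: "dev-bob", accessKeyId: "ASIAEXAMPLEKEY00002" } },
];

function isCorporateIp(ip) {
  return CORP_NETWORKS.some((prefix) => ip.startsWith(prefix));
}

// Returns a list of findings; each finding names the rule that fired and the event context.
function analyzeEvents(events) {
  const findings = [];
  const seenIpsByKey = new Map(); // accessKeyId -> Set of source IPs seen for that session

  for (const ev of events) {
    const key = ev.userIdentity && ev.userIdentity.accessKeyId;
    const user = ev.userIdentity && ev.userIdentity.userName;

    // Rule 1: a failed attempt to enrol a new MFA device.
    if (MFA_ENROLLMENT_EVENTS.has(ev.eventName) && ev.errorCode) {
      findings.push({ rule: "mfa-enrollment-failed", user, ip: ev.sourceIPAddress, time: ev.eventTime });
    }

    // Rule 2: temporary credentials (ASIA prefix) used from outside corporate ranges.
    if (key && key.startsWith("ASIA") && !isCorporateIp(ev.sourceIPAddress)) {
      findings.push({ rule: "temp-creds-external-ip", user, ip: ev.sourceIPAddress, time: ev.eventTime });
    }

    // Rule 3: one temporary key active from more than one source IP during its lifetime.
    if (key) {
      const ips = seenIpsByKey.get(key) || new Set();
      if (ips.size > 0 && !ips.has(ev.sourceIPAddress)) {
        findings.push({ rule: "session-ip-change", user, ip: ev.sourceIPAddress,
                        time: ev.eventTime, previousIps: [...ips] });
      }
      ips.add(ev.sourceIPAddress);
      seenIpsByKey.set(key, ips);
    }
  }
  return findings;
}

console.log(analyzeEvents(SAMPLE_EVENTS));
```

Rule 2 alone is weak against the VPN use the article mentions: if the attacker's egress lands inside an allowed range, it never fires. Rule 1 (the failed MFA enrollment) and Rule 3 (the same session token used from two networks within its 12-hour lifetime) do not depend on the source address being recognisably foreign, which is why the three are combined.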
Step 3: Planting the Malicious Code
By February 17, attackers injected malicious code into Bybit’s AWS repository, targeting the SAFE UI used for transaction management. For four days, users unknowingly interacted with the compromised system.
The breach was narrowly focused on Bybit’s wallet addresses, aiding its concealment. Investigators suspect social engineering or a supply chain vulnerability was used to plant JavaScript that monitored and altered transactions in real time.
Step 4: Tampering With the Interface
Inside the UI, the attackers made subtle changes to disguise their activity. Transactions appeared normal to Bybit’s security team, but malicious code was quietly altering key details.
Using a hidden `delegatecall`, the hackers manipulated approvals so that staff unknowingly authorized transfers to attacker-controlled wallets—believing they were routine moves to Bybit’s hot wallet.
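The defence against a UI that shows one transaction while handing the signer another is to vet the payload that is actually about to be signed against the intent the operator approved, and against a fixed policy. The following added example is not code from the article, Bybit or Safe. It uses the field names of the Safe contract's `execTransaction` (`to`, `value`, `data`, `operation`, where `0` is a regular call and `1` is a delegatecall); the allowlist, the value limit, the addresses and the sample transactions are constructed placeholders.

```javascript
// Added example: pre-signing guard that compares the transaction shown to the operator with
// the payload handed to the signer, and enforces a fixed policy on the payload itself.
const OPERATION_CALL = 0;
const OPERATION_DELEGATECALL = 1;

// Placeholder addresses for the sample (not real wallets or contracts).
const HOT_WALLET = "0x1111111111111111111111111111111111111111";
const OTHER_CONTRACT = "0x2222222222222222222222222222222222222222";

// Assumed signing policy for a cold-to-hot transfer workflow.
const POLICY = {
  allowedRecipients: new Set([HOT_WALLET.toLowerCase()]),
  maxValueWei: 100n * 10n ** 18n,   // 100 ETH per signature (assumed limit)
  allowDelegateCall: false,
};

// Canonical form so that case, missing data and string/number values compare equal.
function normalizeTx(tx) {
  return {
    to: String(tx.to).toLowerCase(),
    value: BigInt(tx.value),
    data: String(tx.data || "0x").toLowerCase(),
    operation: Number(tx.operation ?? OPERATION_CALL),
  };
}

// Returns { ok, reasons }; ok is true only when nothing in the payload deviates from what was
// displayed and the payload itself satisfies the policy.
function vetTransaction(displayed, toSign, policy = POLICY) {
  const shown = normalizeTx(displayed);
  const payload = normalizeTx(toSign);
  const reasons = [];

  for (const field of ["to", "value", "data", "operation"]) {
    if (shown[field] !== payload[field]) reasons.push(`ui-payload-mismatch:${field}`);
  }
  if (payload.operation === OPERATION_DELEGATECALL && !policy.allowDelegateCall) {
    reasons.push("delegatecall-not-allowed");
  }
  if (!policy.allowedRecipients.has(payload.to)) reasons.push("recipient-not-allowlisted");
  if (payload.value > policy.maxValueWei) reasons.push("value-exceeds-limit");

  return { ok: reasons.length === 0, reasons };
}

// Constructed sample: the operator is shown a routine 10 ETH top-up of the hot wallet...
const SHOWN = { to: HOT_WALLET, value: "10000000000000000000", data: "0x", operation: OPERATION_CALL };
// ...while the payload passed to the signer is a delegatecall to a different contract.
const SWAPPED = { to: OTHER_CONTRACT, value: "0", data: "0xdeadbeef", operation: OPERATION_DELEGATECALL };

console.log(vetTransaction(SHOWN, SHOWN));
console.log(vetTransaction(SHOWN, SWAPPED));
```

The comparison is only meaningful if `displayed` comes from somewhere the tampered page cannot influence, for example a transaction builder on a separate host or the fields read back from a hardware signer's own screen. The policy checks (no delegatecall, allowlisted recipient, value cap) hold regardless of where the intent came from, which is why they are applied to the payload rather than to what the UI claims.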
Step 5: The Heist Goes Live
Once the hackers gained control of Bybit’s cold wallet, they quickly executed a series of withdrawals, spreading funds across unknown wallets. The attack bypassed Bybit’s strong on-chain defenses by exploiting off-chain weaknesses like human error and software flaws.
The stolen assets were rapidly swapped into other crypto assets and dispersed using chain hopping, making them nearly impossible to trace.
Bybit’s Response
In the aftermath, Bybit acted swiftly—publicly confirming the breach, promising full user reimbursement, and launching broader recovery efforts to regain trust.
Here’s what followed:
1. Lockdown and Reinforcement
Once the intrusion was detected, Bybit’s security team took the compromised cold wallet offline and halted unauthorized withdrawals. With support from blockchain analysts and law enforcement, a full investigation began. Partnering with SAFE, Bybit overhauled its multi-sig wallet system and added stricter manual checks for large transfers.
2. Asset Protection and Liquidity Support
Despite the $1.5 billion loss, Bybit quickly reassured users that funds remained fully backed and withdrawals stayed open. Within 72 hours, they secured 447,000 ETH through loans and support from partners like Binance, Bitget, and Galaxy Digital. To avoid market disruption, Bybit avoided buying ETH on the open market, using targeted liquidity injections to rebuild reserves responsibly.
Their swift, strategic response helped limit damage and set a new standard for crypto crisis management.
3. Transparent Communication
Transparency was key to Bybit’s recovery. Within 30 minutes of the breach, CEO Ben Zhou held a live Q&A to address user concerns. The exchange then provided daily updates on the investigation, fund recovery, and security improvements. By February 24, just three days later, Bybit completed a full proof-of-reserves audit, publicly confirming its financial stability.
4. Aggressive Asset Recovery
Bybit refused to treat the stolen funds as a total loss. Instead, it launched a coordinated effort with other major exchanges, stablecoin issuers, and blockchain forensic specialists to trace, freeze, and recover the stolen assets.
To amplify these efforts, Bybit introduced a high-stakes bounty program, offering 10% of any recovered funds—equivalent to a potential $140 million payout—to anyone who could help bring back the stolen crypto.
The Aftermath: A New Benchmark in Crisis Response
Thanks to swift action, transparent leadership, and a solid financial footing, Bybit was able to avoid a panic-driven exodus of users. The platform’s proactive handling of the breach not only stabilized operations but also set a new benchmark for how exchanges should respond when things go wrong.
Though the attack marked one of the most serious threats to Bybit’s credibility, its recovery strategy proved resilient—and may ultimately strengthen its position in the crypto landscape.