Crypto Exchange Risk Calculator
Assess Your Exchange Risk
Based on the Bybit hack and industry insights, this tool helps you understand your risk exposure when holding crypto on exchanges. Follow the article's recommendations to make safer decisions.
Recommendations
Keep your assets in a hardware wallet for long-term storage. Use exchange wallets only for active trading.
Key Insights
Based on the Bybit hack and industry best practices:
- Exchanges are vulnerable to human error and supply chain attacks
- $10,000 is a recommended threshold for considering self-custody
- Never store long-term holdings on any exchange
- Hardware wallets provide the highest security for large holdings
When you hear the name Bybit, most people think of fast trades, high leverage, and deep liquidity. But in February 2025, that reputation took a brutal hit. Bybit became the target of the largest crypto heist in history: nearly $1.5 billion in Ether (about 401,000 ETH) stolen by North Korea’s Lazarus Group. That’s not a rumor. It’s a fact. And what happened after that breach tells you more about Bybit than any marketing page ever could.
What Happened During the Bybit Hack?
On February 21, 2025, attackers drained roughly $1.5 billion in ETH from Bybit’s Ethereum multisig wallet while funds were being moved from cold storage to a warm wallet for trading. This wasn’t a brute-force attack. It was surgical, and no private key was stolen. The attackers compromised the supply chain of the Safe{Wallet} web interface that Bybit’s signers used to approve transfers: a developer machine was breached, the cloud storage serving the interface was tampered with, and malicious code was injected into the front-end. Each signer saw a routine transfer on screen, while the transaction they actually signed replaced the wallet’s contract logic and handed control to the attackers. Multi-signature and cold storage did not have to be broken. The attackers only needed the people holding the keys to approve something that looked legitimate, and every required signer did. Chainalysis, and later the FBI, attributed the attack to North Korean state-sponsored actors. In 2024 alone, DPRK-linked groups stole $1.34 billion across 47 crypto incidents. The Bybit hack by itself exceeded that entire year’s total. That’s how big this was.
How Did Bybit Respond?
Most exchanges would have frozen withdrawals, gone silent, or collapsed under the pressure. Bybit didn’t. Within hours, they announced they would cover all losses from their own funds, and they kept withdrawals open through the rush that followed, processing every request. Within about three days they announced that client assets were once again fully backed, with the roughly $1.5 billion hole filled from reserves and short-term loans from industry partners. That’s not just good PR. That’s a massive financial commitment, and only an exchange with deep reserves and decisive leadership could pull it off. They also launched a bounty program offering 10% of any recovered funds to ethical hackers and other exchanges that help freeze or return stolen assets. So far, only about $43 million has been recovered. The rest? Still out there. A rollback of the Ethereum chain was floated and rejected: reverting finalized blocks would have meant unwinding every other transaction since, and a decentralized chain cannot do that for one victim. That’s the reality of crypto: once a transaction is on-chain, it’s permanent.
Bybit’s Security Setup Before the Hack
Before the breach, Bybit had one of the most advanced security architectures in the industry. They stored 95% of user funds in cold wallets: offline, air-gapped, and protected by hardware security modules. The remaining 5% in hot wallets for trading were guarded by:
- Multi-signature wallets requiring 3 out of 5 keys to approve transfers
- Threshold Signature Schemes (TSS) to eliminate single points of failure
- Trusted Execution Environments (TEE) to isolate sensitive operations
- End-to-end encryption for all user data
- Real-time behavior monitoring that flags unusual login patterns or withdrawal attempts
- Two-factor authentication (2FA) and hardware key support
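A "3 out of 5 keys" rule is easy to state but worth seeing concretely, including what it does not protect against. The block below is an added example, not Bybit's code and not a threshold signature scheme: it uses Shamir secret sharing, which has the same any-3-of-5 property (a real TSS goes further by producing signatures without ever reassembling the key in one place). The prime field and the demo secret are assumptions chosen for the example.

```python
"""3-of-5 threshold control, illustrated with Shamir secret sharing.

Added example: not Bybit's code, and not a threshold signature scheme (TSS).
Shamir sharing demonstrates the property a "3 out of 5 keys" policy relies on:
any 3 shares recover the secret, any 2 reveal nothing about it. A TSS keeps
the same threshold rule but signs without ever reassembling the key.
"""
import secrets

P = 2**127 - 1  # prime field (assumption for the example); secrets must be < P


def split_secret(secret: int, threshold: int, shares: int, rng=None) -> list:
    """Return `shares` points (x, f(x)) of a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    rand = rng or secrets.SystemRandom()  # CSPRNG by default
    coeffs = [secret] + [rand.randrange(1, P) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        y = 0
        for c in reversed(coeffs):  # Horner's rule mod P
            y = (y * x + c) % P
        return y

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares the
    result is just another field element, unrelated to the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def threshold_demo(secret: int, threshold: int = 3, shares: int = 5) -> dict:
    """Split, then try recovery with `threshold` shares and with one fewer."""
    pts = split_secret(secret, threshold, shares)
    return {
        "from_threshold": recover_secret(pts[:threshold]),
        "from_any_threshold": recover_secret(pts[-threshold:]),
        "from_one_fewer": recover_secret(pts[: threshold - 1]),
    }


if __name__ == "__main__":
    key = secrets.randbelow(P)
    out = threshold_demo(key)
    print("3 shares recover the key:", out["from_threshold"] == key)
    print("2 shares recover the key:", out["from_one_fewer"] == key)
```

The limit to keep in mind: a threshold scheme defends against one stolen or lost key. It does nothing when three honest key holders each approve the same forged transaction, which is exactly what happened to Bybit.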
The Real Problem: Human Error and Supply Chain Gaps
Security experts agree: the hack exposed flaws in operational security, not in cryptography. The attackers didn’t crack encryption. They didn’t brute-force keys. They got people to sign something they had not actually read. Specific weaknesses included:
- No independent verification of what each signer was approving: signers trusted the summary rendered by the web interface instead of checking the raw transaction data (destination, value, calldata, and call type) on their signing device
- No code signing or integrity checks on the front-end code the signers loaded, so a tampered build of the UI ran unnoticed
- Weak controls on cloud credentials: the attackers reached the AWS storage that served the interface through a compromised developer machine and hijacked session tokens
- No mandatory multi-party review for wallet permission changes
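The first item above comes down to one control: each signer must decode the raw transaction they are about to sign and compare it, independently of the web interface, with what they believe they are approving. The block below is an added example, not Bybit's or Safe's code; the addresses, the destination policy, the calldata and the UI summary are constructed. It flags the shape of transaction used against Bybit, a DELEGATECALL into an unknown contract disguised under calldata that looks like an ERC-20 transfer.

```python
"""Independent pre-signing check for a Safe-style multisig transaction.

Added example, not Bybit's or Safe's code. A signer must not trust the
summary a web UI renders; they must decode the raw fields that will actually
be signed and compare them against (a) what the UI shows and (b) a
destination policy. Addresses, amounts and the policy below are constructed.
"""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1

# 4-byte selector of ERC-20 transfer(address,uint256)
TRANSFER_SELECTOR = "a9059cbb"

# Constructed placeholder addresses (not real on-chain addresses).
WARM_WALLET = "0x" + "11" * 20
USDT_TOKEN = "0x" + "22" * 20
UNKNOWN_CONTRACT = "0x" + "ee" * 20

# Policy (assumption): where funds may go, and which token contracts may be called.
POLICY = {"destinations": {WARM_WALLET}, "token_contracts": {USDT_TOKEN}}


@dataclass
class SafeTx:
    """The raw fields that go into the payload a signer actually signs."""
    to: str
    value: int       # wei
    data: str        # hex calldata; "0x" for a plain ETH transfer
    operation: int   # 0 = CALL, 1 = DELEGATECALL
    nonce: int


def decode_intent(tx: SafeTx) -> dict:
    """What the transaction really does, derived from the raw fields only."""
    data = tx.data.lower()
    data = data[2:] if data.startswith("0x") else data
    if data == "":
        return {"asset": "eth", "to": tx.to.lower(), "amount": tx.value}
    if data[:8] == TRANSFER_SELECTOR and len(data) == 8 + 64 + 64:
        recipient = "0x" + data[8 + 24:8 + 64]   # low 20 bytes of the padded address word
        amount = int(data[8 + 64:8 + 128], 16)
        return {"asset": tx.to.lower(), "to": recipient, "amount": amount}
    return {"asset": "unknown", "to": tx.to.lower(), "amount": None}


def check_before_signing(tx: SafeTx, ui_summary: dict, expected_nonce: int) -> list:
    """Return findings; an empty list means the raw tx matches the UI and the policy."""
    findings = []
    intent = decode_intent(tx)
    allowed_targets = POLICY["destinations"] | POLICY["token_contracts"]

    # 1. A delegatecall runs the target's code with the wallet's own storage and
    #    balance, which is how a wallet's logic gets replaced. A transfer never needs it.
    if tx.operation == DELEGATECALL:
        findings.append("operation=DELEGATECALL: target code would run inside the wallet")
    elif tx.operation != CALL:
        findings.append(f"unknown operation {tx.operation}")

    # 2. The contract being called must be a known token or an approved destination.
    if tx.to.lower() not in allowed_targets:
        findings.append(f"to={tx.to} is not an approved destination or token contract")

    # 3. Funds must end up at an approved destination.
    if intent["to"] not in POLICY["destinations"]:
        findings.append(f"funds would go to {intent['to']}, not an approved destination")

    # 4. The decoded transaction must say the same thing the UI says.
    shown = {"asset": ui_summary["asset"].lower(), "to": ui_summary["to"].lower(),
             "amount": ui_summary["amount"]}
    if intent != shown:
        findings.append(f"UI shows {shown} but the payload decodes to {intent}")

    # 5. The nonce must be the next expected one; a stale proposal is a replay or a swap.
    if tx.nonce != expected_nonce:
        findings.append(f"nonce {tx.nonce} != expected {expected_nonce}")
    return findings


# Constructed samples: a routine cold-to-warm ETH transfer and the summary the UI shows...
LEGIT_TX = SafeTx(to=WARM_WALLET, value=30_000 * 10**18, data="0x", operation=CALL, nonce=42)
UI_SUMMARY = {"asset": "ETH", "to": WARM_WALLET, "amount": 30_000 * 10**18}

# ...and a swapped payload served by a tampered front-end under that same summary:
# a delegatecall into an unknown contract, with calldata that merely looks like a transfer.
SWAPPED_DATA = "0x" + TRANSFER_SELECTOR + "00" * 12 + "ee" * 20 + f"{1:064x}"
TAMPERED_TX = SafeTx(to=UNKNOWN_CONTRACT, value=0, data=SWAPPED_DATA,
                     operation=DELEGATECALL, nonce=42)

if __name__ == "__main__":
    print("legit findings:", check_before_signing(LEGIT_TX, UI_SUMMARY, 42))
    for finding in check_before_signing(TAMPERED_TX, UI_SUMMARY, 42):
        print("REFUSE:", finding)
```

This check has to run somewhere the web interface cannot influence: a hardened signing host, or the hardware wallet's own display. A complete version would also recompute the EIP-712 hash of these fields and refuse to sign unless the hash shown on the device matches; a signer who only sees a hash and cannot tie it to decoded fields is signing blind.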
Is Bybit Safe to Use Today?
As of October 2025, Bybit is still operating. It’s still one of the top 3 exchanges by volume. Trading is smooth. Fees are competitive. The app works. But safety? That’s a different question. They’ve made changes since the hack:
- Added mandatory dual approval for all withdrawal requests
- Deployed Subresource Integrity (SRI) to detect front-end tampering
- Implemented Cloud Security Posture Management (CSPM) to monitor cloud access keys in real time
- Required code reviews by at least two engineers before any wallet-related update
- Started publishing monthly security audits
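Subresource Integrity, the second item above, is a one-line defence to add and an easy one to misunderstand. The block below is an added example (not Bybit's code; the script bodies and the URL are constructed stand-ins): it generates the integrity value for a released script and shows the browser-side check rejecting a modified copy.

```python
"""Subresource Integrity (SRI) for a signing front-end.

Added example, not Bybit's code. It shows how to publish a script with an
integrity attribute and how the browser-side check detects a modified file.
The JavaScript bodies below are constructed stand-ins, not real wallet code.
"""
import base64
import hashlib

SUPPORTED = ("sha256", "sha384", "sha512")  # the only digests SRI accepts


def sri_value(content: bytes, algo: str = "sha384") -> str:
    """'sha384-<base64 digest>' for the exact bytes that will be served."""
    if algo not in SUPPORTED:
        raise ValueError(f"SRI only allows {SUPPORTED}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Tag to embed in the HTML that loads the script from another origin."""
    return (f'<script src="{src}" integrity="{sri_value(content)}" '
            f'crossorigin="anonymous"></script>')


def integrity_ok(content: bytes, integrity: str) -> bool:
    """Mirror of the browser check: accept if any listed token matches the bytes.
    Tokens with unsupported algorithms are ignored, as browsers ignore them."""
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in SUPPORTED and sri_value(content, algo) == token:
            return True
    return False


# Constructed sample: the script as released...
RELEASED_JS = b"export function renderTx(tx) { return `${tx.to}: ${tx.value}`; }\n"
# ...and the same file after an attacker appended code that rewrites what the
# signer sees (a stand-in for the kind of modification the article describes).
TAMPERED_JS = RELEASED_JS + b"renderTx = (tx) => `${EXPECTED_TO}: ${tx.value}`;\n"

INTEGRITY = sri_value(RELEASED_JS)
TAG = script_tag("https://cdn.example/app.js", RELEASED_JS)  # example URL

if __name__ == "__main__":
    print(TAG)
    print("released passes:", integrity_ok(RELEASED_JS, INTEGRITY))
    print("tampered passes:", integrity_ok(TAMPERED_JS, INTEGRITY))
```

The caveat: SRI only helps when the HTML carrying the integrity attribute is served from somewhere the attacker cannot also change. In the Bybit case the tampered JavaScript bundle was served from the same cloud storage as the page that loaded it, so an attacker who can rewrite the bundle can rewrite the tag as well. SRI pins third-party and CDN resources to a page you already trust; to cover the scenario in this article it has to be paired with pinning or signing that page itself, or with shipping the signing client as a verifiable desktop release. It also does nothing for inline scripts.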
Self-Custody: The Real Alternative
After the hack, many users asked: “Should I move my crypto to a hardware wallet?” The answer? Maybe. If you hold large amounts ($10,000 or more), self-custody is worth considering. Tools like Ledger, Trezor, or even a simple paper wallet give you full control. No exchange can freeze your funds. No hacker can drain your wallet unless they get your seed phrase or, as Bybit’s signers learned, trick you into signing a transaction that isn’t what your screen shows; read what the device itself displays before you confirm. But here’s the catch: self-custody puts all the responsibility on you. Lose your seed phrase? Gone forever. Fall for a phishing scam? Gone forever. Skip firmware updates? Exposed to known bugs. Most people aren’t ready for that. And that’s okay. But if you’re using Bybit or any centralized exchange, assume your assets are at risk. Treat your exchange account like a checking account, not a savings account.
What Does This Mean for the Crypto Industry?
The Bybit hack didn’t just hurt one company. It shook the entire crypto ecosystem. It proved that even the most advanced platforms can be taken down by simple human error. Regulators are now pushing for mandatory enterprise security standards for exchanges. Some U.S. lawmakers are calling for insurance requirements and third-party audits. Meanwhile, institutions are starting to adopt decentralized custody solutions, such as multi-sig wallets managed by legal entities or institutional key management platforms from firms like Fireblocks and Quant Network. These systems require multiple approvals, geographically distributed signers, and audit trails. They’re expensive. But for large holders, they’re the only way forward.
Final Verdict: Should You Use Bybit?
If you’re a casual trader who moves small amounts, uses stop-losses, and doesn’t hold long-term positions, Bybit is still a solid choice. The platform is fast, reliable, and has low fees. The UI is clean. The charting tools are powerful. But if you’re holding significant value, especially ETH or BTC, you need to ask yourself: Do I trust an exchange to protect my life savings? After $1.5 billion vanished in one day, the answer should be no. Use Bybit for trading. Not for storing. Keep your long-term holdings in cold storage. Use exchange wallets like you’d use a debit card, not a vault. Bybit survived the biggest heist in crypto history. That’s impressive. But survival doesn’t mean safety. It means they had the money to pay back the losses. That’s not a security feature. That’s a financial backup plan. The real lesson? In crypto, the only truly secure wallet is the one you control.
Was Bybit hacked in 2025?
Yes. On February 21, 2025, Bybit suffered a roughly $1.5 billion hack attributed to North Korea’s Lazarus Group. The attackers compromised the web interface Bybit’s signers used, so the approvers signed a transaction that was not the one shown on their screens, and ETH was drained from an Ethereum multisig wallet during a routine transfer. Despite the breach, Bybit compensated all affected users from company funds.
Is Bybit safe to use in 2025?
Bybit is still operational and has improved its security since the 2025 hack. They now require dual approvals for withdrawals, monitor cloud access keys, and enforce code reviews. However, no centralized exchange is immune to human error or supply chain attacks. Use Bybit for trading, not long-term storage.
How did the hackers steal $1.5 billion from Bybit?
The hackers compromised the supply chain of the wallet interface Bybit’s signers used, injected malicious code into its front-end, and got the signers to approve a transaction whose real contents differed from what the interface displayed. They exploited weak internal verification, not encryption flaws. This shows that even advanced security tools can fail if human workflows aren’t hardened.
Did Bybit lose money from the hack?
Bybit absorbed the loss; its users did not. Bybit covered the roughly $1.5 billion shortfall from its own reserves (plus short-term loans from industry partners in the first days), which demonstrated strong financial health and crisis management. Users received full compensation, and withdrawals were processed without delay.
Should I move my crypto from Bybit to a hardware wallet?
If you hold more than $10,000 in crypto long-term, yes. Hardware wallets like Ledger or Trezor give you full control. Exchanges can be hacked, frozen, or shut down. Self-custody shifts risk to you, but it also removes the risk of exchange failure. Use exchanges for trading only.
What’s the biggest risk when using Bybit?
The biggest risk is trusting a centralized platform with your assets. Even with top-tier security, human error, insider threats, and supply chain attacks can bypass all technical defenses. Never store large amounts on any exchange, regardless of its reputation.
Are there better alternatives to Bybit?
For trading, Binance, Kraken, and Coinbase offer similar features with stronger regulatory compliance. For custody, no exchange is safer than self-storage. If you want institutional-grade security, consider platforms like Fireblocks or Coinbase Custody, which use multi-sig and hardware security modules for enterprise clients.
Chris Houser
October 29, 2025 AT 08:10
Look, I’ve been in crypto since 2017, and I’ve seen exchanges rise and fall. Bybit didn’t get hacked because their tech was weak; it got hacked because people got tricked. That’s the real story. No amount of multi-sig or TSS fixes a tired dev who just wants to go home at 5 PM. The fix isn’t more encryption; it’s better processes. Mandatory dual approvals? That’s not fancy. That’s basic. And honestly? It should’ve been there from day one.
Don’t blame the blockchain. Blame the human workflow.
Still using Bybit? Fine. Just don’t sleep on your seed phrase.
Trade smart. Don’t trust blindly.
William Burns
October 30, 2025 AT 08:35
One must question the epistemological foundations of decentralized finance when even the most ostensibly robust institutional infrastructures are susceptible to social engineering. The very premise of centralized custody is ontologically flawed: a digital paradox wherein the architecture of security is predicated upon the fallibility of human cognition. One cannot, in good conscience, advocate for the continued use of such platforms when the ontological vulnerability of the human agent remains unmitigated. One might as well entrust one’s life savings to a child with a keychain.
It is not a hack. It is an inevitability.
Ashley Cecil
October 31, 2025 AT 03:35
It is deeply concerning that so many commenters are treating this incident as if it were a mere operational hiccup. The fact remains: Bybit failed to implement basic corporate governance protocols. No independent verification? No code-signing? No mandatory dual approvals? These are not oversights; they are negligence. And now, because the company had sufficient capital to cover losses, the public is being led to believe that this was somehow a ‘win.’
It was not. It was a near-collapse averted by financial muscle, not by competence. The regulatory bodies should be taking notes.
John E Owren
October 31, 2025 AT 23:38
Hey, I get it. You want to trade fast, you want low fees, you want pretty charts. But if you’re holding more than a few grand, you’re playing with fire. Bybit’s response was impressive, sure, but that’s like saying a house is safe because the owner paid to rebuild after it burned down.
The fire still happened.
And the next one? Might not come with a refund.
Just saying. No judgment. Just… maybe keep your long-term stuff offline?
Joseph Eckelkamp
November 1, 2025 AT 13:20
Oh, so now we’re impressed because a company with billions in reserves didn’t go bankrupt after losing $1.5 billion? Wow. Groundbreaking. The real story? They didn’t prevent it. They didn’t stop it. They just paid for it. And now they’re handing out stickers like it’s a charity gala.
Let me guess: next they’ll publish a ‘Security 2.0’ infographic with a smiling robot holding a shield and the tagline ‘We’ve Learned!’
Meanwhile, the Lazarus Group is probably sipping champagne on a yacht named ‘BybitBonus2025.’
And yes-I’m being sarcastic. You’re welcome.
Jennifer Rosada
November 2, 2025 AT 14:29
Let’s be clear: if you’re still using a centralized exchange for anything beyond small, short-term trades, you’re not being savvy; you’re being reckless. This isn’t speculation. This is financial irresponsibility. You wouldn’t leave your house keys under the mat, so why leave your crypto on an exchange?
And don’t give me the ‘But it’s convenient!’ excuse. Convenience is not a risk management strategy. It’s a trap.
Self-custody isn’t hard. It’s just uncomfortable. And discomfort is the price of safety.
adam pop
November 3, 2025 AT 13:13
Let me tell you something they don’t want you to know: this wasn’t North Korea. This was the U.S. government. They wanted to scare people into buying gold and moving to the mountains. Bybit was the sacrifice. The ‘hack’ was staged. The $1.5B? Fake. The ‘recovered’ $43M? A decoy. The real funds were moved to a private blockchain only the Fed can access. They’re setting up a digital dollar monopoly. You think they’d let a decentralized exchange thrive? Please.
They didn’t hack Bybit. They *used* Bybit.
Dimitri Breiner
November 4, 2025 AT 05:34
Look, I’ve worked with exchanges before. I’ve seen how the sausage gets made. The truth? This kind of breach happens way more often than anyone admits. Most exchanges just bury it. Bybit didn’t. They owned it. They paid. They fixed it. That’s leadership.
Yes, the system failed. But the response? That’s what matters. They didn’t vanish. They didn’t blame users. They didn’t disappear into a shell. They fixed the holes-and they’re publishing audits now. That’s rare.
Don’t worship them. But don’t throw them under the bus either. Use them wisely. That’s the real takeaway.
LeAnn Dolly-Powell
November 5, 2025 AT 07:46
💖 I just want to say thank you for writing this. It’s so hard to find honest, clear takes like this in crypto. So many people are scared or confused, and you laid it out like a friend explaining it over coffee.
Also, if you’re new and thinking about moving to a hardware wallet-DO IT. I got a Ledger last year after reading a post like this, and I sleep so much better now. No stress. No panic. Just me and my seed phrase. 🙌
You got this. And you’re not alone.
Anastasia Alamanou
November 6, 2025 AT 01:12
Let’s not romanticize the tech. The real innovation here isn’t TSS or TEE; it’s the cultural shift. The fact that Bybit is now publishing monthly audits? That’s a new standard. Most exchanges treat security like a checkbox. They’re treating it like a covenant.
And dual approvals? That’s not just a feature. It’s a mindset. It says: ‘We don’t trust anyone-not even ourselves.’
That’s the kind of humility that builds real resilience. And honestly? That’s more valuable than any algorithm.
Rohit Sreenath
November 7, 2025 AT 04:52
Everyone talks about tech. But no one talks about karma. You think you can cheat the system? You think you can be smart and still leave your money on an exchange? You are playing with fire. The blockchain remembers everything. Even if you win today, tomorrow you will lose. Always.
Self-custody is not hard. It is only hard for those who do not want to learn.
Stop blaming hackers. Blame yourself.
Sam Kessler
November 7, 2025 AT 16:34
Let’s be honest: Bybit’s entire business model is built on leverage and speed, not security. They’re a casino with a frontend. The fact they covered the loss proves they were always gambling with user funds. They didn’t have reserves; they had borrowed liquidity. And now they’re pretending they’re the hero.
Don’t be fooled. This isn’t integrity. It’s survival. And when the next crisis hits? They’ll be back to the same playbook.
Trust the code. Not the company.
Steve Roberts
November 7, 2025 AT 17:30
Wait, you’re telling me that after $1.5 billion vanished, the solution is to ‘use it for trading, not storage’? So… we’re supposed to keep doing the exact same thing, just… less of it?
That’s not a solution. That’s a cop-out.
If the system is this fragile, why are we still using it? Why aren’t we demanding real change? Why are we just adjusting our expectations instead of demanding better?
Because we’re lazy. And that’s the real problem.
John Dixon
November 9, 2025 AT 05:27
Oh, wow. Bybit ‘covered’ the loss. How noble. How selfless. How… suspicious. Let me guess: they used user deposits to pay themselves back? Or maybe they just inflated their token supply? Or perhaps they quietly sold their BTC holdings to cover it? You know, the usual ‘transparent’ exchange moves?
And now they’re ‘publishing audits’? Oh, so now we’re supposed to trust the same people who let a $1.5B heist happen because someone clicked ‘approve’? With a smile?
Right.
And I’m the Queen of England.
Brody Dixon
November 9, 2025 AT 16:42
I just wanted to say… I’ve been holding ETH on Bybit since 2023. I’m not a trader. I just believe in crypto. After the hack, I was terrified. But reading this breakdown helped me understand what actually happened. I’m moving half my holdings to a Ledger this week. Not because I don’t trust Bybit, but because I trust myself more.
Thanks for the clarity. It means a lot.
Mike Kimberly
November 11, 2025 AT 02:37
As someone who’s lived in five countries and worked with crypto teams across Asia, Europe, and North America, I can tell you this: the Bybit hack isn’t an American problem, or a Korean problem; it’s a global problem. The human element is universal. Whether you’re in Lagos, Bangalore, or Brooklyn, if you don’t have a culture of verification, you’re vulnerable.
What Bybit did right? They didn’t hide. They didn’t deflect. They didn’t say ‘it’s not our fault.’ They fixed it. And they’re being transparent now.
That’s not perfect. But in crypto? It’s rare. And it’s worth recognizing.
Don’t worship. Don’t fear. Just learn. And then act.
angela sastre
November 12, 2025 AT 14:14
Okay, real talk: I used to think hardware wallets were for nerds. Then I lost $200 to a phishing link. That was my wake-up call.
Now I keep my small stuff on Bybit to trade. My big stuff? Ledger. Simple. No drama.
And yes, I write down my seed phrase on paper. I keep it in a fireproof safe. I don’t take photos. I don’t email it. I don’t overthink it.
It’s not magic. It’s just discipline.
And honestly? That’s the real crypto skill.