The Bybit Hack: What It Means for Your Exchange Holdings
On February 21, 2025, the Bybit hack became the largest cryptocurrency theft on record — approximately $1.5 billion in ETH and other assets drained from the exchange in a single targeted operation (FBI/IC3, 2025). The FBI attributed the attack to North Korea's Lazarus Group within five days. No user assets were lost; Bybit covered the shortfall from its own reserves. But the mechanics of the attack reveal a custody risk that applies to any exchange setup, regardless of the platform's size or security reputation.
How the Attackers Got In Without Touching Bybit Directly
The breach didn't start at Bybit. It started at Safe{Wallet}, a third-party multi-signature platform Bybit used to manage its cold wallet. In early February 2025, attackers compromised a Safe{Wallet} developer's macOS workstation through social engineering, then stole AWS session tokens — bypassing multi-factor authentication entirely. Using those credentials, they injected malicious JavaScript into the Safe{Wallet} web interface, which was stored in an AWS S3 bucket and served directly to Bybit's authorised signers (NCC Group, 2025).
The injected code was designed to activate only on Bybit's specific cold wallet transactions. When Bybit's signers reviewed an internal transfer on February 21, the malicious code quietly swapped the destination address for an attacker-controlled wallet. From the signers' perspective, everything looked normal. They approved what appeared to be a routine transfer, and 401,347 ETH left the exchange.
This is a blind-signing attack: the person approving the transaction cannot see what they are actually signing because the display layer has been tampered with. The signers followed their normal workflow; the deception happened in the software layer between them and the transaction data.
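One defensive check against the display-layer tampering described above, as an added example that is not code from Bybit, Safe{Wallet} or the original article: compare the payload that is about to be signed with the intent recorded out-of-band. It assumes the payload is read from a source independent of the web interface and uses Safe-style field names (`to`, `value`, `data`, `operation`); it also goes slightly beyond the address swap in the text by checking the operation type and calldata. All addresses and amounts are constructed.

```python
# Added example: verify a payload awaiting signature against the intended transfer.
# The dict layout, helper names and every sample value below are assumptions.

CALL = 0  # Safe operation types: 0 = call, 1 = delegatecall


def normalise(addr: str) -> str:
    """Lower-case a hex address so checksum casing does not affect comparison."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(a, 16)  # raises ValueError on non-hex characters
    return a


def check_signing_request(intent: dict, payload: dict, allowlist: set) -> list:
    """Return every discrepancy found; an empty list means the payload matches."""
    problems = []
    to = normalise(payload["to"])
    if to != normalise(intent["to"]):
        problems.append("destination differs from intended address")
    if to not in {normalise(a) for a in allowlist}:
        problems.append("destination is not on the approved list")
    if int(payload["value"]) != int(intent["value"]):
        problems.append("value differs from intended amount")
    if int(payload.get("operation", CALL)) != CALL:
        problems.append("operation is not a plain call")
    want = (intent.get("data") or "0x").lower()
    got = (payload.get("data") or "0x").lower()
    if got != want:
        problems.append("calldata differs from intended calldata")
    return problems


# Constructed sample data: an internal transfer to an approved wallet.
APPROVED = "0x" + "11" * 20
OTHER = "0x" + "ee" * 20
ALLOWLIST = {APPROVED}
INTENT = {"to": APPROVED, "value": 1000, "data": "0x"}
MATCHING = {"to": APPROVED.upper().replace("0X", "0x"), "value": "1000",
            "data": "0x", "operation": 0}
TAMPERED = {"to": OTHER, "value": "1000", "data": "0x01", "operation": 1}

if __name__ == "__main__":
    print(check_signing_request(INTENT, MATCHING, ALLOWLIST))
    for problem in check_signing_request(INTENT, TAMPERED, ALLOWLIST):
        print("BLOCK:", problem)
```

The check only helps if the payload comes from somewhere the compromised interface cannot rewrite, such as the signing device's own display or a separately built tool.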
What Exchange Custody Actually Means for Holders
When you hold assets on an exchange, you hold a claim on that exchange's balance sheet — not the assets themselves. The exchange controls the private keys; you hold an IOU. That arrangement works when the exchange is solvent and secure. The Bybit incident illustrates both what that model can absorb and where it breaks down.
On the upside: Bybit remained solvent. CEO Ben Zhou confirmed all client assets remained 1:1 backed, and the exchange covered the full loss from its own reserves. Users who held assets on Bybit at the time of the attack lost nothing.
On the downside: that outcome depended entirely on Bybit's capital and its leadership's decisions. A smaller exchange facing the same attack would be unlikely to have reserves to cover it. That distinction matters when you're deciding how much to hold on any single platform.
Concentration in a single exchange amplifies this exposure. If most of your holdings sit with one custodian, a single event — hack, insolvency, regulatory freeze — affects your entire position. The Bybit incident demonstrates the scale this risk can reach, but the underlying dynamic is the same for any exchange holder.
What to Check in Your Own Setup
The most direct way to reduce exchange custody risk is to move long-term holdings into self-custody. Hardware wallets give you direct control over your keys — no third-party web interface, no cloud dependency, no IOU. The three proven setup configurations article walks through how to balance self-custody with the convenience of exchange access based on your total holdings.
For assets you need quick access to, keeping a working balance on an exchange is reasonable. The question is whether that balance is proportionate to your total holdings.
A few things to check in your current setup:
- How much sits on a single exchange? Above 50% of your total holdings is a concentration gap worth addressing.
- Do you have any self-custody at all? Even a basic hardware wallet changes your exposure materially.
- Are you spread across multiple exchanges? Using two or three reputable platforms reduces the impact of any single incident.
You can map your current setup and see how it scores for concentration and custody risk at Asset Alert.