On February 21, 2025, ByBit lost $1.5 billion in ETH to North Korea's Lazarus Group — the largest crypto theft ever recorded. What happened next rewrote the playbook on crisis response.
Every major milestone from the moment the breach was detected to ByBit's ongoing recovery.
Attackers compromise ByBit's Safe{Wallet} cold wallet interface, manipulating a routine ETH transfer. Approximately 401,000 ETH (~$1.5B) is drained to attacker-controlled addresses in a sophisticated supply-chain attack targeting the signing UI.
ByBit CEO Ben Zhou addresses the community on X within hours of the breach, confirming what happened, explaining the attack vector, and pledging that all client funds are safe and will be honored. Radical transparency from the start.
Despite a surge in withdrawal requests, ByBit processes every single one. No withdrawal freezes, no gates, no delays. ByBit uses its own reserves and emergency bridge loans from industry partners to cover the shortfall immediately.
The FBI formally attributes the hack to TraderTraitor, a sub-unit of North Korea's Lazarus Group. On-chain investigator ZachXBT had already traced the funds within hours of the attack. ByBit launches a $140M bounty program for recovery assistance.
ByBit announces a comprehensive security overhaul: new cold wallet architecture, enhanced multi-signature protocols, third-party security audits, and a new dedicated internal security team. Safe{Wallet} integration suspended pending independent review.
ByBit publishes real-time Proof of Reserves showing 1:1 asset backing across all major assets. Third-party auditors verify the reserves. Trading volumes begin recovering strongly as user confidence returns to the platform.
ByBit's trading volumes recover to approximately 92% of pre-hack levels. New user registrations exceed pre-hack rates in several markets. The exchange is widely cited as a model for post-breach crisis management in the crypto industry.
On-chain investigators continue tracking the stolen ETH as Lazarus Group attempts to launder through mixers and cross-chain bridges. International law enforcement coordination is ongoing. Several exchanges have frozen flagged addresses.
When the largest crypto hack in history hit, ByBit's response set a new standard for the industry. Here's what they did right.
Despite losing $1.5B, ByBit processed every single withdrawal request without freezing funds or imposing limits. They used their own reserves and emergency bridge financing to cover the gap immediately — no user lost a cent.
CEO Ben Zhou went live within hours of the breach, explaining exactly what happened, what was being done, and what users could expect. Regular updates followed. No spin, no delay, no corporate silence — just facts.
ByBit launched one of the largest bounty programs in crypto history — offering up to $140M for information leading to recovery of stolen funds. Coordinated with on-chain investigators and law enforcement globally.
New cold wallet architecture, enhanced multi-signature protocols, third-party security audits, and a dedicated internal security team. The Safe{Wallet} integration was suspended and independently reviewed before any reinstatement.
ByBit published real-time, third-party verified Proof of Reserves demonstrating 1:1 asset backing across all major assets. Ongoing transparency commitment with regular independent audits and public reporting.
ByBit coordinated with other exchanges, on-chain investigators including ZachXBT, and international law enforcement to track and freeze stolen funds. Shared intelligence with the broader crypto security community.
Compare ByBit's response to Mt. Gox (collapsed, users lost everything), FTX (fraud, executives arrested), or Celsius (froze withdrawals, filed bankruptcy). ByBit did the opposite at every step: immediate transparency, full user protection, and a credible path to recovery. The crypto industry now has a new benchmark for how exchanges should handle a breach.
ByBit's post-hack security infrastructure is more robust than before the breach. Here's what's been implemented.
Completely rebuilt cold storage with air-gapped signing, hardware security modules (HSMs), and isolated signing environments that prevent the interface manipulation used in the Feb 2025 attack.
Upgraded multi-sig with independent key holders, mandatory transaction verification across multiple secure channels, and time-locked large transfers with additional confirmation layers.
Ongoing independent security audits by leading blockchain security firms. All smart contract integrations and wallet interfaces now require external security review before deployment.
The Feb 2025 attack exploited a third-party wallet interface. ByBit now maintains strict supply chain security protocols, including cryptographic code verification for all third-party integrations.
ByBit maintains real-time, third-party verified Proof of Reserves. All major assets are backed 1:1 or above. Updated continuously and independently audited.
The latest on ByBit's recovery, Lazarus Group tracking, and platform developments. Updated regularly.
Four months after the $1.5B hack, ByBit's derivatives and spot trading volumes have recovered to approximately 92% of pre-February levels, with new user registrations exceeding pre-hack rates in key markets.
ZachXBT and other on-chain investigators continue tracking the stolen ETH as North Korea's Lazarus Group attempts to launder funds through mixers, cross-chain bridges, and OTC desks. Several exchanges have frozen flagged addresses.
ByBit publishes the results of its comprehensive third-party security audit, confirming the new cold wallet architecture and multi-sig protocols meet or exceed industry standards. Proof of Reserves goes live with real-time verification.
ByBit's unprecedented $140M bounty program for recovery of stolen funds has attracted submissions from blockchain analytics firms worldwide. We break down the program structure, eligibility, and progress to date.
The FBI issues a formal attribution linking the ByBit hack to TraderTraitor, a sub-unit of North Korea's Lazarus Group. The attribution confirms earlier on-chain analysis and triggers international law enforcement coordination.
Within hours of the breach, ByBit CEO Ben Zhou went live to address the community directly. We analyze his statement, the transparency it demonstrated, and why it set ByBit apart from every previous exchange hack response.
History shows most hacked exchanges collapse. ByBit is the exception — and the data proves it.
Exchange Hack Comparison
| Exchange | Amount | User Outcome | Status |
|---|---|---|---|
| Mt. Gox | 850K BTC | Partial BTC repaid (decade later) | Collapsed / Rehab |
| FTX | ~$8B | Funds frozen | Bankrupt / Fraud |
| Celsius | ~$1.2B | Withdrawals frozen | Bankrupt |
| Bitfinex | $72M | Partial recovery | Survived |
| ByBit ✓ | $1.5B ETH | 100% honored | Recovering |
ByBit survived the largest hack in crypto history, honored every withdrawal, and came back stronger. That's a track record no other exchange can match.
⚠️ Crypto trading involves significant risk. Only trade what you can afford to lose. Affiliate links may earn this site a commission.