
This is the largest hack of a centralized cryptocurrency exchange in history.
The attack took place in February 2025. The attackers compromised a third-party wallet software provider and used that foothold to drain about 401,000 ETH from the exchange's cold wallet, a loss of roughly $1.46–$1.5 billion at the time. The incident tops the list of the most high-profile hacks in crypto history and has taken the debate about the security of centralized platforms to a new level.
In our article, you will learn the details of the ByBit hack, the criminal group behind it, how hackers operate in the crypto market, the progress of the investigation, and why even the largest CEXs will remain vulnerable in 2025 despite their multi-million-dollar security budgets.
What happened?
On February 21, 2025, ByBit, the second-largest crypto exchange by trading volume after Binance, lost approximately $1.5 billion in a classic supply-chain attack. In the context of crypto exchange hacks, this is an attack through a third party to whom the exchange has entrusted part of its critical infrastructure, such as code, access, transaction signatures, or key storage. It is one of the most effective and “silent” ways to attack a well-protected CEX because the exchange typically trusts the supplier and does not check them as rigorously as its internal systems.
How did the hackers steal cryptocurrency from ByBit? The attackers compromised the JavaScript front end of an external multisig wallet provider; according to the investigation, this was the Safe{Wallet} service. The entry point was the workstation of a Safe{Wallet} developer, compromised through social engineering: a malicious Docker project delivered under the guise of a job offer. From that machine the attackers obtained credentials for the cloud environment that serves the Safe{Wallet} web interface and injected malicious JavaScript into it. The injected code was targeted: it only activated when a specific Safe address, ByBit's cold wallet, was loaded in the interface. ByBit's employees were therefore not hacked directly. They were working in a poisoned interface that displayed the transaction they intended to approve while silently altering the data that was sent to their signing keys. On February 21, when ByBit's signers approved a routine transfer from the cold wallet to a warm wallet, what they actually signed was a delegatecall that replaced the Safe's logic contract with attacker-controlled code. With the wallet's logic under their control, the attackers swept roughly 401,000 ETH to their own addresses within minutes, a loss of about $1.5 billion.
In short, the key weakness was not the multisig contract or ByBit's keys but the interface used to operate the multi-signature wallet holding ByBit's cold storage. It is also worth noting that the attack did not involve phishing ByBit staff. The signers were on the legitimate site of the external provider, Safe{Wallet}, which had already been compromised at the provider's end. Because the malicious JavaScript rewrote the transaction after the user clicked "Confirm", URL checks and conventional anti-phishing controls had nothing to catch. The social engineering happened one step upstream in the supply chain, against the workstation of a Safe{Wallet} developer, most likely through a fake job interview. The one control that could have caught the substitution was independent verification of what the hardware wallets were actually being asked to sign, rather than trusting the provider's rendering of the transaction.
Detection occurred almost immediately. Within minutes, ByBit detected unauthorized activity in its cold wallet and immediately raised the alarm, asking the industry for assistance in freezing the funds. An investigation into the largest cryptocurrency theft of 2025 began immediately after the losses were discovered. Within hours, the exchange had activated its internal forensic team and contacted external experts.
- FBI: On February 26, the bureau issued a public service announcement attributing the theft to North Korea, specifically the DPRK activity cluster it tracks as TraderTraitor, which is linked to the Lazarus Group. This was the first public attribution by a government authority. The FBI based it on a combination of intelligence, IP address and infrastructure analysis, and the attackers' tactics, techniques and procedures, together with data from partners including South Korean intelligence agencies showing ties to the North Korean regime. Cryptocurrency theft is estimated by some sources to account for up to half of North Korea's foreign currency earnings.
- Blockchain analytics: Chainalysis, TRM Labs, and Elliptic tracked the stolen funds on-chain. The public, immutable ledger made collecting evidence and following the money far easier than in a conventional intrusion. In a February 26 report, TRM Labs described the theft as the latest in a series of Lazarus attacks using the same laundering playbook: the funds were split into many smaller transfers, passed through mixers and cross-chain swaps, and moved toward exchanges in Asia. Address clustering linked roughly 30% of the funds (about $450 million) to wallets previously associated with Lazarus.
- Technical investigations: In March 2025, NCC Group published an in-depth analysis confirming the malicious JavaScript injection into the Safe{Wallet} UI that enabled the transaction substitution. Sygnia's forensic review found no compromise of ByBit's own infrastructure and traced the malicious code to the provider's hosting: the weaknesses were on the supplier side, including insufficiently protected storage behind a content delivery network (CDN) and the absence of any end-to-end verification between what the signer saw and what the signer's key actually signed. The approach of going through a trusted third party rather than the exchange's own perimeter mirrors earlier incidents such as 3Commas (2022) and DMM Bitcoin (2024).
As of November 2025, the investigation is ongoing. Less than 5% of the funds have been recovered, and about $200 million remains frozen at exchanges. ByBit is cooperating with the authorities, and improved monitoring is believed to have cost Lazarus part of its loot, but full recovery of the stolen funds remains unlikely.
Scale and Consequences

This is the only hack in CEX history involving such a significant amount. The next-largest loss connected to a centralized exchange was the October 2022 exploit of Binance's BNB Chain bridge (BSC Token Hub), in which about two million BNB, roughly $570 million, was drained; that was a bridge exploit rather than a breach of exchange custody, and it amounts to about a third of the ByBit loss.
Other examples of the largest crypto exchange hacks include:
- Coincheck: In January 2018, about $534 million in NEM was stolen from a hot wallet after employee workstations were infected through phishing emails.
- BitMart: In December 2021, approximately $196–$230 million was drained from hot wallets and sent to the Tornado Cash mixer.
- KuCoin: In September 2020, approximately $285 million worth of ETH, BTC, and other tokens was stolen after the exchange's hot wallet keys were compromised.
Market reaction
The ByBit hack had a noticeable, albeit short-lived, impact on the cryptocurrency market, resulting in volatility. BTC and altcoin prices declined. Bitcoin’s price fell approximately 3.07% that day, reaching around $95,000–$97,000. Ethereum (ETH), the primary target of the attack, fell by nearly 4%, reaching $2,700. Other altcoins experienced selling pressure amid increased market uncertainty and concerns about the security of centralized exchanges. However, the market stabilized relatively quickly after ByBit confirmed that it would cover client financial losses from its own funds. In response to the ByBit incident, other major cryptocurrency exchanges, such as Binance, OKX, and Coinbase, focused on cooperating with law enforcement and analytics firms to track the stolen assets and strengthen their security.
Traders and analysts reacted sharply. Market participants sounded the alarm, since any major centralized exchange could now be considered a risk zone. Some analysts suggested that, after such an incident, the market would need to reevaluate how assets are held on CEXs. The theft also raised questions about exchanges' ability to protect assets and the integrity of their internal operations when part of their infrastructure is outsourced.
The technical side of the hack

This attack exemplifies a trend that became prominent in 2024–2025. Instead of penetrating exchange systems directly, attackers increasingly target trusted third parties and exploit weaknesses in how CEXs interact with their providers.
- CEXs increasingly outsource critical components, such as signing front ends, MPC wallets, and oracles, to external providers for convenience and regulatory compliance.
- These providers (e.g., Fireblocks, Safe, Copper, Zodia, and Cobo) service dozens of major exchanges simultaneously, so hacks on one provider provide access to many.
- Typically, auditing and monitoring of external services is weaker than that of internal ones.
Fortunately, blockchain transparency allowed analysts to quickly pinpoint the withdrawal route. Using on-chain monitoring tools, analysts tracked several large flows sent through Tornado Cash, Orbiter, and lesser-known L2 bridges. Experts note that, unlike the attacks of 2018–2020, modern on-chain analysis mechanisms allow for the faster identification of anomalous routes. However, it remains extremely difficult to completely stop the “layering” of withdrawals through dozens of intermediate addresses. Thus, the question of where the stolen ByBit funds disappeared remains partially unanswered for both users and analytics companies tracking asset movements across dozens of networks.
ByBit’s Response
ByBit swiftly formed an internal crisis committee and enlisted the help of external digital forensics teams that had previously worked on cases involving Mt. Gox, Euler Finance, and CoinEx. Meanwhile, ByBit sent requests to over 20 centralized platforms, asking them to monitor addresses associated with asset withdrawals.
ByBit kept user balances whole. In its first statement after the hack it confirmed reserves of over $20 billion, told users their funds were safe, and kept withdrawals open in full. ByBit went on to process over 350,000 withdrawal requests in 24 hours; users withdrew nearly $5 billion in assets, a record daily volume for the industry.
Following the attack, ByBit conducted internal and external audits, leading to the implementation of over 50 new security measures, including hardened cold-storage procedures, tighter information-security controls, and revised procedures for interacting with third-party services. ByBit is presenting these post-incident measures to the market as a baseline that other major centralized services can adopt.
Crypto Exchange Security in 2025
Despite overall progress, the security of cryptocurrency exchanges remains vulnerable in 2025 due to systemic factors.
- The main problem is the high level of centralization of internal processes. Even the largest exchanges continue to use a single access infrastructure for their internal APIs, monitoring systems, and service accounts. This creates a single “weak link” that can be exploited through phishing attacks or configuration errors.
- Second, the growing complexity of the infrastructure is a concern. Exchanges support dozens of Layer 1 and Layer 2 networks, as well as bridges, cross-chain routes, and custodial services. Each new integration adds attack surface. Chainalysis' reports on crypto market cyberattacks in 2025 highlight this factor.
In 2025, we observed exchanges moving from passive protection to active security models. Key measures include:
- MPC (multi-party computation) custody. Key shares are distributed across several parties so that no single compromised secret is enough to sign. The ByBit case shows the limit of this: every signer was shown the same spoofed transaction, so distributing the key helps only if each signer also independently verifies the transaction data on the signing device rather than in a shared web UI.
- Behavioral analytics based on machine learning. Major exchanges already use this to flag withdrawal anomalies (unusual amounts, destinations, or call types) before a transaction is confirmed.
- HSMs (hardware security modules). Keys are generated and used inside the module and never leave it; the host requests a signature and never has direct access to the key.
- Zero-trust models for internal teams. Exchanges are reducing the number of employees with direct access to withdrawal systems.
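A pre-confirmation withdrawal screen of the kind the behavioral-analytics point describes, as an added example that is not the article's or any exchange's code. Instead of a trained model it uses an explainable statistical baseline (a robust z-score on amount against the wallet's own recent history, plus a destination allowlist and a check on the call type), so that a transaction like the ByBit drain is held for review before it ever reaches the signers. The log lines, wallet names and addresses are constructed sample data.

```python
# Added example, not the article's or any exchange's code. An explainable
# statistical baseline rather than a trained ML model: each proposed withdrawal
# is scored against its wallet's recent history (robust z-score on amount using
# median and MAD), a destination allowlist and the call type; anything that
# trips a rule is held for manual review before the signers see it.
# All log lines below are constructed sample data.
import json
from statistics import median

# Constructed history: routine cold-to-warm transfers approved over recent weeks.
HISTORY_LOG = """
{"tx_id": "h1", "wallet": "cold-eth-1", "to": "0x2222", "amount_eth": 1200, "operation": "call"}
{"tx_id": "h2", "wallet": "cold-eth-1", "to": "0x2222", "amount_eth": 1500, "operation": "call"}
{"tx_id": "h3", "wallet": "cold-eth-1", "to": "0x2222", "amount_eth": 1350, "operation": "call"}
{"tx_id": "h4", "wallet": "cold-eth-1", "to": "0x2222", "amount_eth": 1800, "operation": "call"}
{"tx_id": "h5", "wallet": "cold-eth-1", "to": "0x2222", "amount_eth": 1420, "operation": "call"}
{"tx_id": "h6", "wallet": "cold-eth-1", "to": "0x2222", "amount_eth": 1600, "operation": "call"}
{"tx_id": "h7", "wallet": "cold-eth-1", "to": "0x2222", "amount_eth": 1300, "operation": "call"}
{"tx_id": "h8", "wallet": "cold-eth-1", "to": "0x2222", "amount_eth": 1700, "operation": "call"}
"""
# Constructed queue: one routine transfer and one that looks like the ByBit drain.
PROPOSED_LOG = """
{"tx_id": "p1", "wallet": "cold-eth-1", "to": "0x2222", "amount_eth": 1550, "operation": "call"}
{"tx_id": "p2", "wallet": "cold-eth-1", "to": "0x3333", "amount_eth": 401000, "operation": "delegatecall"}
"""
# Known-good destinations per wallet (a cold wallet should only feed the warm wallet).
ALLOWLIST = {"cold-eth-1": {"0x2222"}}


def parse_log(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def robust_z(value: float, samples: list) -> float:
    """Median/MAD z-score: a single huge outlier cannot drag the baseline along."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples) or 1.0  # flat history: avoid divide-by-zero
    return 0.6745 * (value - med) / mad


def screen(tx: dict, history: list, allowlist: dict, z_threshold: float = 5.0) -> dict:
    """Return a hold decision with the reasons an analyst needs to act on it."""
    reasons = []
    amounts = [h["amount_eth"] for h in history if h["wallet"] == tx["wallet"]]
    if tx["operation"] != "call":
        reasons.append(f"operation={tx['operation']}: a cold wallet should never delegatecall")
    if tx["to"] not in allowlist.get(tx["wallet"], set()):
        reasons.append(f"destination {tx['to']} is not on the allowlist")
    if len(amounts) >= 5:
        z = robust_z(tx["amount_eth"], amounts)
        if z > z_threshold:
            reasons.append(f"amount {tx['amount_eth']} ETH is {z:.0f} robust sigmas above baseline")
    else:
        reasons.append("insufficient history for this wallet; manual review required")
    return {"tx_id": tx["tx_id"], "hold": bool(reasons), "reasons": reasons}


def run_screen(history_text: str = HISTORY_LOG, proposed_text: str = PROPOSED_LOG) -> list:
    history = parse_log(history_text)
    return [screen(tx, history, ALLOWLIST) for tx in parse_log(proposed_text)]


if __name__ == "__main__":
    for result in run_screen():
        print(result)
```

The delegatecall rule on its own would have held the ByBit transaction, since a cold-storage Safe has no business executing foreign code; the amount and destination rules are there for the cases where the attacker keeps the call type ordinary. The decision is computed from the transaction that will actually be signed, not from what a front end renders, so it has to run on the exchange's side of the signing flow rather than inside the provider's UI.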
FAQ: Frequently Asked Questions
- How did hackers steal $1.5 billion?
The attackers compromised a multisig signing provider, Safe{Wallet}, rather than ByBit itself. They gained a foothold on a Safe{Wallet} developer's machine through a malicious Docker project, used it to inject poisoned JavaScript into the web interface ByBit's signers used, and altered a routine transaction at signing time. As a result, a routine internal transfer turned into a transfer of about 401,000 ETH to the attackers' wallets.
- Who is investigating the ByBit attack?
This issue requires inter-exchange and intergovernmental cooperation. Independent forensic teams, analytical companies, and law enforcement agencies are investigating the largest exchange hack to date.
- Are users being refunded their lost funds?
No. Client balances were not affected: ByBit covered the loss from its own reserves and processed all customer withdrawal requests in full. The question of recovering the stolen funds concerns the exchange's own assets, not customer compensation.
</gr_replreplace>
<gr_replace lines="54-55" cat="clarify" orig="- Use two-factor">
- Use two-factor authentication (an authenticator app or hardware security key rather than SMS) and unique passwords generated by a password manager.
- Keep only a limited amount of funds on centralized exchanges, set withdrawal limits, and enable withdrawal address allowlisting where the exchange offers it.
- What can you do to protect your assets?
If you’re unsure what to do if a crypto exchange is hacked, the answer is simple: Take preventive measures to protect your funds. How can you protect your funds on a crypto exchange amid high levels of hacker activity? Security lessons learned from the ByBit theft boil down to simple, basic rules:
- Store most of your assets in personal cold wallets.
- Use two-factor authentication and unique passwords generated by password managers.
- Keep only a limited amount of funds on centralized exchanges and set withdrawal limits.
Conclusion
The $1.5 billion hack of the ByBit crypto exchange should serve as a wake-up call for the entire crypto market. The scale of the losses and the sophistication of the attackers demonstrate that even the largest centralized platforms are vulnerable. This case has heightened awareness of CEX infrastructure, the role of internal controls, and the need for immediate responses to anomalous transactions.
Thank you for your attention. Invest safely and profitably!
AnyExchange is an exchanger where you can convert cryptocurrency at the best rates and make secure money transfers worldwide.