The decentralized nature of cryptocurrency stands as the asset’s primary appeal. Being backed by blockchain technologies and distributed on a public ledger, cryptocurrency transactions bypass the traditional financial system. It ultimately makes Peer-to-Peer (P2P) transactions faster, cheaper, and more efficient.
However, its decentralized nature also causes a major drawdown. As it’s uncontrolled by any central authority, cryptocurrency is generally lawless. This lawless environment is a hotspot for cyberattacks.
This drawdown is evident in the growing cryptocurrency heist in the market. Two months into 2025, the world has seen another crypto heist as ByBit suffered a staggering $1.4 billion exploit on February 21, 2025.
In this TRU Insight, we’ll discuss everything you must know about the ByBit hack that resulted in USD1.4 billion lost. Read on to discover how the attack happened, the effort of ByBit to recover the stolen cryptos, and how this heist underpins the security concerns on cryptocurrency wallets.
The $1.4B ETH ByBit Hack in a Glance
What Happened
Just a week before the end of February 2025, ByBit—one of the biggest cryptocurrency wallets in the world—was exploited and lost a staggering estimate of USD 1.4 billion worth of Ethereum (ETH). This raises concerns about the security of even cold wallets, which are generally considered more secure than hot wallets.
What Do We Know
Two months into 2025, the cryptocurrency market witnessed another cyberattack under the crypto wallet ByBit. According to ZachXBT, the analytic group noticed a suspicious outflow of ETH assets from the ByBit wallet on February 21, 2025.
As it turns out, the suspicious outflow was the wallet exploitation itself. The hacker breached the multi-signature cold wallet and transferred all ETH coins (including stETH, cmETH, and mETH) to an unidentified address.
This event marks the largest cryptocurrency heist in history.
What Is ByBit?
ByBit is a Dubai-based cryptocurrency exchange founded by Ben Zhou in 2018. Since its launch, this cryptocurrency exchange has been one of the biggest exchanges in the cryptocurrency market.
ByBit, regulated in the British Virgin Islands, offers multi-asset crypto trading opportunities to its clients. Through ByBit, you can buy, sell, and hold crypto on the derivative or the spot market. And you don’t have to worry about the cryptocurrency selection because ByBit provides access to small-cap, mid-cap, and large-cap cryptos.
Notably, coins like Bitcoin (BTC), Ethereum (ETH), LINK (Chainlink), USDC, USDT, LUNA, SOL (Solana), and DOGE (DogeCoin).
Is It Easy to Withdraw Money on ByBit?
ByBit is registered and regulated as a crypto exchange in the British Virgin Islands.
As of the writing, this country has no set of regulations ruled out to oversee the operation of crypto businesses. This allows ByBit to operate its crypto exchange business without all the red tape and hassle of paperwork.
This includes a layered process of KnowYourCustomer (KYC) – a policy used to combat money laundering, financial crimes, and identity theft.
This withdrawal convenience was a selling point for ByBit, making investors and traders flock to the platform. If the user only needs to withdraw a maximum of 2 BTC daily, they don’t have to undergo KYC verification.
However, a KYC verification process is required if you wish to withdraw more than 2 BTC daily. You can increase your withdrawal daily limit to 50 to 100 BTC by submitting the necessary requirements.
What Happened to the ByBit Hack?
According to Ben Zhou, the CEO of ByBit, hackers breached ByBit’s multi-signature cold wallet by exploiting the system’s vulnerable single-signing transactions.
Ultimately, the hacker managed to move all of Bybit’s ETH assets by exploiting the approval process and using one single approval to verify the billion worth of unauthorized transfers.
But what caused the hacking? Several experts said the cyberattack was orchestrated with phishing and social engineering attacks. Bybit employees were targeted by phishing, which grants hackers access to the Bybit system, which allowed them to replicate a valid signature.
The hacker then used the replicated signature to initiate the suspicious USD 1.4 billion transaction.
What is more concerning is that the hacker targeted and ultimately exploited a cold wallet. As it’s considered the most secure crypto wallet, this hack raises concerns about the general safety of the cryptocurrency industry.
According to ZachXBT, the suspicious outflow of ETH from ByBit amounted to 401,347 ETH, 90,376 stETH, 15,000 cmETH, and 8,000 mETH. Accumulatively, this amount to ETH is valued at around USD 1.4 billion. This makes the 2025 ByBit hack the biggest cryptocurrency heist in history.
Investigations revealed that the North Korea-linked hacking group Lazarus Group was behind the attack – the same suspected hacker responsible with the $600 million Ronin Network exploit.
ByBit’sByBit’s 10% Recovery Efforts
Fortunately, the exchange promptly addressed the exploit and campaign recovery project to ensure that the stolen ETHs were restored to the wallet.
Despite the system’s exploitation, Ben Zhou announced on X (formerly known as Twitter) that the remaining cold wallets were safe and untouched. Additionally, to recover the lost ETHs, Bybit launched a recovery campaign by pledging 10% of recovered funds to ethical cyber and network security experts who assist in retrieving the stolen cryptocurrencies.
Three days after the cyberattack, the crypto wallet raised around 446,870 ETH (USD 1.23 billion) through ETH OTC purchases, loans, and whale deposits.
This means that ByBit is only 1.70 million shy of returning the exchange to 1:1 client assets.
Recovery Funds Source
The stolen ETHs were replenished back to the crypto wallet through the following sources:
- Private Deals: 157,660 ETH
- Crypto Exchanges: 109,033 ETH
- Institutional Investors & Lenders: 47,800 ETH
- Bitget Loan: 40,000 ETH
- Small Private Deals: 22,609 ETH
- Contribution from other investors
The Concern Cryptocurrency Security
This ByBit hack sent shockwaves through the crypto market, raising concerns about the security of even cold wallets, which are generally considered more secure than hot wallets.
However, the forensic analysts found the exploitation happened in the system of the third-party service, namely Safe{Wallet}. According to the forensic findings, hackers found a way to hijack Bybits’Bybits’ integrated Safe{Wallet}. This resulted in the injection of malicious JavaScript into the third-party approver to manipulate the transaction approval.
It’s the third-party integration that was hacked, not Bybit.
