Bybit

avoid.net/bybit · 72/100 · 95% conf.
anchored·3LvLV8…JjYs

Summary

Bybit is a Dubai-headquartered cryptocurrency derivatives and spot exchange founded in 2018 by Ben Zhou, serving over 80 million registered users globally. On February 21, 2025, the exchange suffered the largest cryptocurrency theft in recorded history when North Korean state-sponsored hackers attributed to the Lazarus Group (TraderTraitor) stole approximately $1.46 billion in Ethereum via a supply chain compromise of Safe{Wallet}'s frontend infrastructure. Separately, Bybit accounts have been cited in the ICIJ's 2025 Coin Laundry investigation into crypto exchanges facilitating international criminal money flows.

Decision log

On-chain audit

Editorial decisions, corrections, and updates are anchored on Solana.

Overview and Background

Bybit was founded in March 2018 by Ben Zhou, an entrepreneur with a prior background as General Manager for Greater China at forex broker XM (2010–2017). The exchange initially focused on crypto derivatives and perpetual contracts before expanding to spot trading. In March 2022, Bybit announced the relocation of its global headquarters from Singapore to Dubai, United Arab Emirates, following an in-principle approval from Dubai’s Virtual Assets Regulatory Authority (VARA); the physical Dubai office opened in April 2023. Bybit was originally incorporated in the British Virgin Islands, but that entity was dissolved in July 2023. As of late 2025, Bybit reported over 80 million registered users and ranked among the world’s largest crypto exchanges by derivatives volume.

February 2025 Hack — $1.46 Billion Ethereum Theft

On February 21, 2025, Bybit suffered the largest single cryptocurrency theft ever recorded. Approximately 401,347 ETH — valued at roughly $1.46 billion at the time — was drained from a Bybit cold wallet during a routine transfer to a warm wallet. The attack was a sophisticated supply chain compromise: a macOS workstation belonging to a Safe{Wallet} developer was compromised on or around February 4, 2025, via a suspected social engineering vector involving a malicious Docker project that initiated outbound traffic to the domain getstockprice[.]com. The attackers used this foothold to inject malicious JavaScript into the S3 bucket serving app.safe.global, Bybit's Safe{Wallet} management interface. The tampered JavaScript was last modified on February 19, 2025 — two days before the exploit — and was designed to silently rewrite the destination address and logic of any transaction initiated from Bybit's specific cold wallet addresses, while displaying a legitimate-looking transaction to Bybit's signers. When Bybit's multi-signature approvers reviewed and signed what appeared to be a standard cold-to-warm transfer, they unknowingly authorized the modified, malicious transaction. The full amount was transferred to addresses under attacker control.
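
The signing failure described above, shown from the defender's side as an added example (not code from Bybit, Safe{Wallet} or any cited report): an out-of-band check that compares the payload actually submitted for signature with the intended cold-to-warm transfer. It assumes the payload fields (`to`, `value`, `data`, `operation`) are read from the signing request itself rather than from the web page; all addresses and amounts are constructed placeholders.

```python
# Added example: out-of-band comparison of a Safe transaction payload with the
# transfer the signers intended. All addresses and amounts are constructed.
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1  # values of the Safe transaction `operation` field

@dataclass(frozen=True)
class SafeTx:
    to: str         # destination address
    value: int      # amount in wei
    data: str       # hex calldata, "0x" for a plain ETH transfer
    operation: int  # CALL or DELEGATECALL

def _norm(hexstr):
    # Addresses and calldata are compared case-insensitively.
    return hexstr.lower()

def check_payload(intended, presented, allowlist):
    """Return reasons to refuse signing; an empty list means the payload
    read from the signing request matches the intended transfer."""
    findings = []
    if _norm(presented.to) != _norm(intended.to):
        findings.append("destination differs from intended transfer")
    if _norm(presented.to) not in {_norm(a) for a in allowlist}:
        findings.append("destination not in warm-wallet allowlist")
    if presented.value != intended.value:
        findings.append("value differs from intended transfer")
    if presented.operation != CALL:
        findings.append("operation is not a plain call")
    if _norm(presented.data) != _norm(intended.data):
        findings.append("calldata differs from intended transfer")
    return findings

# Constructed placeholders (not addresses from the incident).
WARM_WALLET = "0x" + "ab" * 20
UNKNOWN_CONTRACT = "0x" + "cd" * 20
ALLOWLIST = {WARM_WALLET}

INTENDED = SafeTx(WARM_WALLET, 1_000 * 10**18, "0x", CALL)
# Constructed mismatch: the payload handed to the signer differs from the
# transfer the page renders (different target, call type and calldata).
TAMPERED = SafeTx(UNKNOWN_CONTRACT, 0, "0xdeadbeef", DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("clean", INTENDED), ("tampered", TAMPERED)):
        problems = check_payload(INTENDED, tx, ALLOWLIST)
        print(name, "-> OK to sign" if not problems else f"-> REFUSE: {problems}")
```

The check is only meaningful when it runs on a machine and code path that do not load the wallet frontend, so that a compromised web bundle cannot alter both the display and the verification.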

Attribution — North Korea Lazarus Group (TraderTraitor)

On February 21, 2025, blockchain investigator ZachXBT submitted a detailed report to Arkham Intelligence proving Lazarus Group's involvement within hours of the theft. ZachXBT's submission included analysis of test transactions and connected wallets used ahead of the exploit, forensic graphs, and timing analyses consistent with known Lazarus Group operational patterns. The same investigation linked the Bybit attacker wallets to the approximately $73 million Phemex hack that occurred in January 2025. On February 26, 2025, the FBI formally confirmed the attribution, designating the responsible actor as TraderTraitor — also tracked by other threat intelligence vendors as Jade Sleet, Slow Pisces, and UNC4899. The FBI published 50 Ethereum wallet addresses connected to the theft and requested that RPC node operators, exchanges, and blockchain analytics firms block related transactions. ZachXBT additionally found that within 15 hours of the public disclosure, Lazarus-linked wallets launched memecoin projects on Pump.fun on Solana, apparently as a laundering vector: one address bridged $1.08 million in USDC from the stolen ETH to Solana and launched a token called QinShihuang, which recorded over $26 million in trading volume. By March 20, 2025, Bybit CEO Ben Zhou disclosed that hackers had converted approximately 86.29% of the stolen ETH into Bitcoin and dispersed it across thousands of addresses.

Exchange Response and Solvency

CEO Ben Zhou publicly addressed users within approximately 30 minutes of the breach via a live-streamed Q&A, providing daily updates. Bybit assured customers that the exchange remained solvent and that all losses would be covered through internal funds and emergency bridge loans. Critically, Bybit did not impose a withdrawal freeze at any point during or after the incident, though the exchange acknowledged processing delays of several hours for some users amid a surge of over $4 billion in withdrawal requests within the first 12 hours. Within 72 hours of the hack, Bybit replenished nearly 447,000 ETH through emergency arrangements with trading firms including Galaxy Digital, FalconX, and Wintermute. On February 26, 2025 — five days after the hack — security auditor Hacken published a Proof of Reserves verification confirming Bybit's reserve ratio exceeded 100%, indicating that user liabilities were fully backed. Ben Zhou also launched a bounty program offering up to $140 million for information leading to the tracing or freezing of stolen funds. Bybit published two separate forensic reports in the weeks following the incident, and the incident prompted broader industry discussion about systemic risks in multi-signature wallet UX and third-party frontend dependencies.

ICIJ Coin Laundry Investigation — Criminal Money Flow Allegations

In November 2025, the International Consortium of Investigative Journalists (ICIJ) published The Coin Laundry, a 10-month investigation by more than 100 journalists from 37 news organizations across 35 countries. The investigation identified Bybit among a group of major exchanges — including Binance, OKX, HTX, and Kraken — whose customer accounts were cited as recipients of funds traced to international criminal networks. According to the investigation, scam-linked funds were being sent to accounts at Bybit and other named exchanges. The ICIJ found that crypto flows connected to criminal enterprises including North Korean hacking groups, Chinese and Russian criminal organizations involved in human trafficking, drug trafficking (including fentanyl), and the Sinaloa cartel transited through major exchange accounts. The investigation noted that some of these accounts were opened with minimal or no client identification requirements at cash-desk-style operations. The ICIJ did not provide granular transaction data specific to Bybit, and the investigation does not allege that Bybit itself operated these accounts or was complicit in the criminal activity. No regulatory enforcement action against Bybit arising from the ICIJ investigation had been publicly announced as of the time of this report.

Regulatory Status and Jurisdiction Restrictions

Bybit was originally incorporated in the British Virgin Islands, though that entity was dissolved in July 2023 according to the BVI Financial Services Commission. The exchange relocated its global headquarters to Dubai, UAE, announcing the move in March 2022 following in-principle approval from Dubai’s Virtual Assets Regulatory Authority (VARA). In May 2025, Bybit obtained a full EU MiCAR license in Austria, and in October 2025, it received a UAE Securities and Commodities Authority (SCA) license. The exchange remains blocked or restricted in multiple jurisdictions, including the United States, Canada, mainland China, Hong Kong, and France. In October 2023, the UK’s Financial Conduct Authority (FCA) imposed new rules on crypto promotions, which led Bybit to suspend services to UK customers; Bybit subsequently relaunched UK services in December 2025 under FCA-compliant arrangements.

Industry and Policy Implications

The February 2025 hack prompted broader industry and government scrutiny of multi-signature wallet infrastructure, third-party frontend dependencies, and the security of cold wallet management processes at exchanges. The Wilson Center and CSIS both published analyses arguing the incident highlighted the need for enhanced regulatory oversight of large crypto custodians and exchange security standards. The Paul Hastings law firm noted potential implications for U.S. regulatory approaches to exchange custody requirements. DeFiLlama's hack tracking database lists the Bybit incident as the single largest crypto exchange hack ever recorded, dwarfing prior incidents and accounting for a substantial portion of total crypto hack losses in 2025. The incident also renewed attention to the threat posed by North Korean state-sponsored hackers, whom the FBI tracks as TraderTraitor. A 2024 United Nations Panel of Experts report estimated that DPRK-linked groups stole over $3 billion in cryptocurrency between 2017 and 2023, a figure that does not include the 2025 Bybit theft.

Timeline

2018-03-01

Bybit founded in Singapore by Ben Zhou, focused on cryptocurrency derivatives trading.

Wikipedia / CryptoSlate

2022-03-01

Bybit relocates global headquarters from Singapore to Dubai, UAE, following in-principle approval from VARA.

Wikipedia

2023-10-01

UK Financial Conduct Authority (FCA) implements new crypto promotion rules; Bybit suspends services to UK customers.

Crypternon

2025-01-01

Lazarus Group-linked wallets later connected to the Bybit hack conduct the $29 million Phemex hack, according to ZachXBT's on-chain investigation.

CoinTelegraph / ZachXBT via Arkham Intelligence

2025-02-04

A macOS workstation belonging to a Safe{Wallet} developer is compromised via suspected social engineering, initiating the supply chain attack.

Sygnia / The Hacker News

2025-02-19

Malicious JavaScript is injected into the S3 bucket serving the Safe{Wallet} frontend (app.safe.global), specifically targeting Bybit's cold wallet addresses.

NCC Group technical analysis

2025-02-21

Approximately 401,347 ETH (~$1.46 billion) is stolen from Bybit's cold wallet during a routine transfer via the compromised Safe{Wallet} interface. ZachXBT submits a detailed attribution report to Arkham Intelligence linking the attack to Lazarus Group. Lazarus-linked wallets also launch memecoin projects on Pump.fun on Solana as a laundering vector.

IC3 / ZachXBT / Arkham Intelligence

2025-02-24

Bybit announces it has fully replenished reserves within 72 hours, securing approximately 447,000 ETH through emergency funding from Galaxy Digital, FalconX, and Wintermute.

CNBC

2025-02-26

FBI formally attributes the hack to North Korean TraderTraitor (Lazarus Group) and publishes 50 associated Ethereum wallet addresses. Security auditor Hacken simultaneously publishes a Proof of Reserves confirming Bybit's reserve ratio exceeds 100%.

FBI IC3 / Hacken

2025-03-20

Bybit CEO Ben Zhou discloses that hackers converted approximately 86.29% of stolen ETH to Bitcoin and dispersed it across thousands of addresses on multiple blockchains.

Chainalysis / TRM Labs

2025-11-17

ICIJ publishes The Coin Laundry investigation, citing Bybit among major exchanges whose customer accounts received funds traced to international criminal organizations.

CoinDesk / ICIJ

Research Gaps

2 open · agent-resolvable

Heuristic next-actions surfaced for researchers and worker agents. Resolving these strengthens the page's evidence base and trust score.

  • [high] No regulatory or sanctions cross-check. Run OFAC SDN, SEC EDGAR, and CFTC enforcement-action lookups for this entity.

  • [med] Unarchived sources. Cited sources are not Wayback-archived. Run the archiver to pin their content before they rot.

Provenance

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 5/4/2026, 2:54:10 AM

last updated: 5/9/2026, 3:28:15 AM

avoid.net — verified advice for a post-truth world