Skip to main content
Sign in
Bybit5 decisions on this page

Audit log

Every state-changing event for Bybit: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1reviewby reviewerreviewer
    2026-05-08 20:51:17Z
    Score: 4242 (no score change)
    The page is broadly accurate on the core factual narrative of the February 2025 Bybit hack — attack mechanics, attribution, amount stolen, and remediation response are all well-supported by high-credibility sources. The most significant issues are in the regulatory section, which contains two materially stale claims: the assertion that Bybit is still registered in the British Virgin Islands (the BVI entity was dissolved in July 2023) and the claim that Bybit holds no full regulatory license from major jurisdictions (Bybit obtained an EU MiCAR license in May 2025 and a UAE SCA license in October 2025). Minor factual errors include the FBI wallet address count (51, not 50) and the DPRK total theft figure ($3 billion understates the CSIS-cited $3.4 billion). One cited CoinTelegraph URL is link-rotted (404).
    anchoranchored
    chain
    mainnet-betaslot 418,471,884
    sig
    3LvLV8xeDUSm…gZ7ZJjYsexplorer ↗
    hash
    55phVb13joSE…ReHXMUv3sha256 → base58
    verifying row…full verify ↗
    canonical bytes (1156 B) ▸
    {"actor":"reviewer","decided_at":"2026-05-08T20:51:17.606Z","decision":"review","investigation_id":"cc5d2629-b918-4554-b41b-cf765ff31285","new_score":42,"page_slug":"bybit","prev_score":42,"reason":"The page is broadly accurate on the core factual narrative of the February 2025 Bybit hack — attack mechanics, attribution, amount stolen, and remediation response are all well-supported by high-credibility sources. The most significant issues are in the regulatory section, which contains two materially stale claims: the assertion that Bybit is still registered in the British Virgin Islands (the BVI entity was dissolved in July 2023) and the claim that Bybit holds no full regulatory license from major jurisdictions (Bybit obtained an EU MiCAR license in May 2025 and a UAE SCA license in October 2025). Minor factual errors include the FBI wallet address count (51, not 50) and the DPRK total theft figure ($3 billion understates the CSIS-cited $3.4 billion). One cited CoinTelegraph URL is link-rotted (404).","score_delta":0,"sequence_num":1,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 75b07346-1f86-4118-a733-d4006ecc2c6e
  2. #2review reviseby judgejudge
    2026-05-08 20:51:17Z
    Score: 4227 (-15)
    The core factual narrative of the February 2025 hack — attack mechanics, ETH amount, supply chain vector, Lazarus Group attribution, and Bybit's remediation — is well-supported across multiple high-credibility sources and does not require correction. However, the regulatory section contains materially stale and incorrect claims that require revision: claim_findings[7] states Bybit is registered in the British Virgin Islands, but a Tier 1 BVI FSC public statement confirms that entity was dissolved in July 2023; claim_findings[30] states Bybit holds no full regulatory license in major Western jurisdictions, which is contradicted by Tier 1 CoinDesk reporting that Bybit obtained a full EU MiCAR license in Austria (May 2025) and a UAE SCA license (October 2025). Additionally, claim_findings[22] attributes the characterization of Bybit's crisis response as 'unusually transparent' to CSIS and Wilson Center, but direct review of both Tier 1 sources shows neither contains that characterization — CSIS is mildly critical. The disputed_pct of 18% and three high-priority coverage gaps confirm the page needs targeted factual corrections, not wholesale revision.
    anchoranchored
    chain
    mainnet-betaslot 418,471,888
    sig
    23WZn25WRKAV…yA8nUoNhexplorer ↗
    hash
    p83y42fBZriS…2savvadksha256 → base58
    verifying row…full verify ↗
    canonical bytes (1512 B) ▸
    {"actor":"judge","decided_at":"2026-05-08T20:51:17.606Z","decision":"review_revise","investigation_id":"cc5d2629-b918-4554-b41b-cf765ff31285","new_score":27,"page_slug":"bybit","prev_score":42,"reason":"The core factual narrative of the February 2025 hack — attack mechanics, ETH amount, supply chain vector, Lazarus Group attribution, and Bybit's remediation — is well-supported across multiple high-credibility sources and does not require correction. However, the regulatory section contains materially stale and incorrect claims that require revision: claim_findings[7] states Bybit is registered in the British Virgin Islands, but a Tier 1 BVI FSC public statement confirms that entity was dissolved in July 2023; claim_findings[30] states Bybit holds no full regulatory license in major Western jurisdictions, which is contradicted by Tier 1 CoinDesk reporting that Bybit obtained a full EU MiCAR license in Austria (May 2025) and a UAE SCA license (October 2025). Additionally, claim_findings[22] attributes the characterization of Bybit's crisis response as 'unusually transparent' to CSIS and Wilson Center, but direct review of both Tier 1 sources shows neither contains that characterization — CSIS is mildly critical. The disputed_pct of 18% and three high-priority coverage gaps confirm the page needs targeted factual corrections, not wholesale revision.","score_delta":-15,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 42c9280b-0e73-48aa-89bb-272823126386
  3. #3reviewby reviewerreviewer
    2026-05-09 03:28:15Z
    Score: 7272 (no score change)
    The core hack narrative is well-sourced and accurate: dates, ETH amounts, attribution chain, and exchange response details are confirmed by primary sources including the FBI IC3 PSA and blockchain analytics firms. The two significant issues are (1) the Overview section's present-tense claim that Bybit 'is registered in the British Virgin Islands' — the BVI entity was dissolved July 4, 2023 and the Regulatory section correctly acknowledges this, creating an internal contradiction — and (2) the UK is listed as a restricted jurisdiction despite Bybit relaunching UK services in December 2025. Secondary issues include the Phemex hack amount ($29M stated vs ~$73M actual total), imprecise DPRK cumulative theft sourcing, and an understated user count.
    anchoranchored
    chain
    mainnet-betaslot 418,531,328
    sig
    BnyPdDvsL7Y5…91DRx4ESexplorer ↗
    hash
    A29qP5TUyTAD…rEvxcCo9sha256 → base58
    verifying row…full verify ↗
    canonical bytes (1094 B) ▸
    {"actor":"reviewer","decided_at":"2026-05-09T03:28:15.267Z","decision":"review","investigation_id":"cc5d2629-b918-4554-b41b-cf765ff31285","new_score":72,"page_slug":"bybit","prev_score":72,"reason":"The core hack narrative is well-sourced and accurate: dates, ETH amounts, attribution chain, and exchange response details are confirmed by primary sources including the FBI IC3 PSA and blockchain analytics firms. The two significant issues are (1) the Overview section's present-tense claim that Bybit 'is registered in the British Virgin Islands' — the BVI entity was dissolved July 4, 2023 and the Regulatory section correctly acknowledges this, creating an internal contradiction — and (2) the UK is listed as a restricted jurisdiction despite Bybit relaunching UK services in December 2025. Secondary issues include the Phemex hack amount ($29M stated vs ~$73M actual total), imprecise DPRK cumulative theft sourcing, and an understated user count.","score_delta":0,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision e7665d36-ffec-47cc-b870-f9959795aea2
  4. #4review approveby judgejudge
    2026-05-09 03:28:15Z
    Score: 7272 (no score change)
    The reviewer examined 28 claims across 7 sections and found 0 disputed, 17 confirmed, 6 partially supported, and 2 stale. The reviewer initially flagged two high-priority issues (BVI present-tense claim in Overview and UK listed as restricted despite December 2025 re-entry) plus three medium-priority corrections (Phemex amount, DPRK figure attribution, user count). All five issues were editorially corrected prior to this decision. The corrected page is factually sound with well-sourced hack narrative confirmed by FBI IC3, multiple forensic firms, and blockchain analytics providers.
    anchoranchored
    chain
    mainnet-betaslot 418,531,332
    sig
    47tRjbnSsST1…wwo1zFXUexplorer ↗
    hash
    DB8xKNbaGDAT…Bpq3FkATsha256 → base58
    verifying row…full verify ↗
    canonical bytes (934 B) ▸
    {"actor":"judge","decided_at":"2026-05-09T03:28:15.267Z","decision":"review_approve","investigation_id":"cc5d2629-b918-4554-b41b-cf765ff31285","new_score":72,"page_slug":"bybit","prev_score":72,"reason":"The reviewer examined 28 claims across 7 sections and found 0 disputed, 17 confirmed, 6 partially supported, and 2 stale. The reviewer initially flagged two high-priority issues (BVI present-tense claim in Overview and UK listed as restricted despite December 2025 re-entry) plus three medium-priority corrections (Phemex amount, DPRK figure attribution, user count). All five issues were editorially corrected prior to this decision. The corrected page is factually sound with well-sourced hack narrative confirmed by FBI IC3, multiple forensic firms, and blockchain analytics providers.","score_delta":0,"sequence_num":4,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 2cf72f12-83eb-4ee8-9848-f245e6659d0b
  5. #5publishby system:backfill
    2026-05-30 13:02:45Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 423,161,772
    sig
    5uXPPP4bKKYG…fpQHUdxgexplorer ↗
    hash
    5QFRjRqLicmk…ceBKc8B7sha256 → base58
    verifying row…full verify ↗
    canonical bytes (25818 B) ▸
    {"actor":"system:backfill","investigation_id":"cc5d2629-b918-4554-b41b-cf765ff31285","kind":"publish","page_slug":"bybit","published_at":"2026-05-30T13:02:45.244Z","sequence_num":5,"snapshot":{"content_type":"investigation","entity_name":"Bybit","sections":[{"content":"Bybit was founded in March 2018 by Ben Zhou, an entrepreneur with a prior background as General Manager for Greater China at forex broker XM (2010–2017). The exchange initially focused on crypto derivatives and perpetual contracts before expanding to spot trading. In March 2022, Bybit announced the relocation of its global headquarters from Singapore to Dubai, United Arab Emirates, following an in-principle approval from Dubai’s Virtual Assets Regulatory Authority (VARA); the physical Dubai office opened in April 2023. Bybit was originally incorporated in the British Virgin Islands, but that entity was dissolved in July 2023. As of late 2025, Bybit reported over 80 million registered users and ranked among the world’s largest crypto exchanges by derivatives volume.","heading":"Overview and Background","severity":"low","sources":[{"credibility":2,"name":"Bybit – Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/Bybit"},{"credibility":2,"name":"Ben Zhou – CryptoSlate profile","type":"other","url":"https://cryptoslate.com/people/ben-zhou/"}]},{"content":"On February 21, 2025, Bybit suffered the largest single cryptocurrency theft ever recorded. Approximately 401,347 ETH — valued at roughly $1.46 billion at the time — was drained from a Bybit cold wallet during a routine transfer to a warm wallet. The attack was a sophisticated supply chain compromise: a macOS workstation belonging to a Safe{Wallet} developer was compromised on or around February 4, 2025, via a suspected social engineering vector involving a malicious Docker project that initiated outbound traffic to the domain getstockprice[.]com. The attackers used this foothold to inject malicious JavaScript into the S3 bucket serving app.safe.global, Bybit's Safe{Wallet} management interface. The tampered JavaScript was last modified on February 19, 2025 — two days before the exploit — and was designed to silently rewrite the destination address and logic of any transaction initiated from Bybit's specific cold wallet addresses, while displaying a legitimate-looking transaction to Bybit's signers. When Bybit's multi-signature approvers reviewed and signed what appeared to be a standard cold-to-warm transfer, they unknowingly authorized the modified, malicious transaction. The full amount was transferred to addresses under attacker control.","heading":"February 2025 Hack — $1.46 Billion Ethereum Theft","severity":"critical","sources":[{"credibility":1,"name":"FBI / IC3 Public Service Announcement: North Korea Responsible for $1.5 Billion Bybit Hack","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"credibility":2,"name":"Bybit Hack Traced to Safe{Wallet} Supply Chain Attack – The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html"},{"credibility":2,"name":"NCC Group: In-Depth Technical Analysis of the Bybit Hack","type":"research","url":"https://www.nccgroup.com/research/in-depth-technical-analysis-of-the-bybit-hack/"},{"credibility":2,"name":"Sygnia's Investigation into the Bybit Hack","type":"research","url":"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"},{"credibility":2,"name":"Chainalysis: Collaboration in the Wake of Record-Breaking Bybit Theft","type":"on_chain","url":"https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/"},{"credibility":2,"name":"Elliptic: Bybit Hack – Largest in History, Following the Money Trail","type":"on_chain","url":"https://www.elliptic.co/blog/bybit-hack-largest-in-history"}]},{"content":"On February 21, 2025, blockchain investigator ZachXBT submitted a detailed report to Arkham Intelligence proving Lazarus Group's involvement within hours of the theft. ZachXBT's submission included analysis of test transactions and connected wallets used ahead of the exploit, forensic graphs, and timing analyses consistent with known Lazarus Group operational patterns. The same investigation linked the Bybit attacker wallets to the approximately $73 million Phemex hack that occurred in January 2025. On February 26, 2025, the FBI formally confirmed the attribution, designating the responsible actor as TraderTraitor — also tracked by other threat intelligence vendors as Jade Sleet, Slow Pisces, and UNC4899. The FBI published 50 Ethereum wallet addresses connected to the theft and requested that RPC node operators, exchanges, and blockchain analytics firms block related transactions. ZachXBT additionally found that within 15 hours of the public disclosure, Lazarus-linked wallets launched memecoin projects on Pump.fun on Solana, apparently as a laundering vector: one address bridged $1.08 million in USDC from the stolen ETH to Solana and launched a token called QinShihuang, which recorded over $26 million in trading volume. By March 20, 2025, Bybit CEO Ben Zhou disclosed that hackers had converted approximately 86.29% of the stolen ETH into Bitcoin and dispersed it across thousands of addresses.","heading":"Attribution — North Korea Lazarus Group (TraderTraitor)","severity":"medium","sources":[{"credibility":1,"name":"FBI / IC3 Public Service Announcement: North Korea Responsible for $1.5 Billion Bybit Hack","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"credibility":2,"name":"Bybit's $1.4 Billion Hack Traced to Lazarus Group: ZachXBT – Mitrade","type":"news_article","url":"https://www.mitrade.com/insights/news/live-news/article-3-655123-20250222"},{"credibility":2,"name":"ZachXBT: Bybit Hackers May Be Behind Solana Memecoin Scams – CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/bybit-hackers-solana-memecoin-scams-zachxbt"},{"credibility":2,"name":"ZachXBT Links Bybit Hack Launderers to Memecoin Activity on Pump.fun – The Coinomist","type":"news_article","url":"https://thecoinomist.com/personalities/zachxbt-just-tracked-the-bybit-hack-funds-whos-really-behind-it/"},{"credibility":2,"name":"FBI Confirms Lazarus Hackers Were Behind $1.5B Bybit Crypto Heist – Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/fbi-confirms-lazarus-hackers-were-behind-15b-bybit-crypto-heist/"},{"credibility":2,"name":"TRM Labs: The Bybit Hack – Following North Korea's Largest Exploit","type":"on_chain","url":"https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit"}]},{"content":"CEO Ben Zhou publicly addressed users within approximately 30 minutes of the breach via a live-streamed Q&A, providing daily updates. Bybit assured customers that the exchange remained solvent and that all losses would be covered through internal funds and emergency bridge loans. Critically, Bybit did not impose a withdrawal freeze at any point during or after the incident, though the exchange acknowledged processing delays of several hours for some users amid a surge of over $4 billion in withdrawal requests within the first 12 hours. Within 72 hours of the hack, Bybit replenished nearly 447,000 ETH through emergency arrangements with trading firms including Galaxy Digital, FalconX, and Wintermute. On February 26, 2025 — five days after the hack — security auditor Hacken published a Proof of Reserves verification confirming Bybit's reserve ratio exceeded 100%, indicating that user liabilities were fully backed. Ben Zhou also launched a bounty program offering up to $140 million for information leading to the tracing or freezing of stolen funds. Bybit published two separate forensic reports in the weeks following the incident, and the incident prompted broader industry discussion about systemic risks in multi-signature wallet UX and third-party frontend dependencies.","heading":"Exchange Response and Solvency","severity":"low","sources":[{"credibility":1,"name":"CNBC: Bybit Says It Fully Replenished Reserves After Record $1.5 Billion Hack","type":"news_article","url":"https://www.cnbc.com/2025/02/24/bybit-replenished-reserves-after-record-breaking-1point5-billion-hack.html"},{"credibility":2,"name":"Hacken: Bybit Proof of Reserves Case Study","type":"research","url":"https://hacken.io/case-studies/bybit-proof-of-reserves/"},{"credibility":2,"name":"Yahoo Finance: Bybit CEO Declares War on Lazarus Group, Launches $140M Bounty","type":"news_article","url":"https://finance.yahoo.com/news/bybit-ceo-declares-war-lazarus-075657067.html"},{"credibility":1,"name":"CSIS: The ByBit Heist and the Future of U.S. Crypto Regulation","type":"research","url":"https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation"}]},{"content":"In November 2025, the International Consortium of Investigative Journalists (ICIJ) published The Coin Laundry, a 10-month investigation by more than 100 journalists from 37 news organizations across 35 countries. The investigation identified Bybit among a group of major exchanges — including Binance, OKX, HTX, and Kraken — whose customer accounts were cited as recipients of funds traced to international criminal networks. According to the investigation, scam-linked funds were being sent to accounts at Bybit and other named exchanges. The ICIJ found that crypto flows connected to criminal enterprises including North Korean hacking groups, Chinese and Russian criminal organizations involved in human trafficking, drug trafficking (including fentanyl), and the Sinaloa cartel transited through major exchange accounts. The investigation noted that some of these accounts were opened with minimal or no client identification requirements at cash-desk-style operations. The ICIJ did not provide granular transaction data specific to Bybit, and the investigation does not allege that Bybit itself operated these accounts or was complicit in the criminal activity. No regulatory enforcement action against Bybit arising from the ICIJ investigation had been publicly announced as of the time of this report.","heading":"ICIJ Coin Laundry Investigation — Criminal Money Flow Allegations","severity":"medium","sources":[{"credibility":2,"name":"Protos: Binance, OKX, HTX, Bybit, Kraken Cited in ICIJ Scam Probe","type":"news_article","url":"https://protos.com/binance-okx-htx-bybit-kraken-cited-in-icij-scam-probe/"},{"credibility":1,"name":"ICIJ: About the Coin Laundry Investigation","type":"news_article","url":"https://www.icij.org/investigations/coin-laundry/about-coin-laundry-investigation-cryptocurrency/"},{"credibility":1,"name":"CoinDesk: ICIJ Exposes 'Coin Laundry,' Crypto's Criminal Financial System","type":"news_article","url":"https://www.coindesk.com/policy/2025/11/17/investigative-reporter-group-icij-exposes-the-coin-laundry-crypto-s-criminal-financial-system"}]},{"content":"Bybit was originally incorporated in the British Virgin Islands, though that entity was dissolved in July 2023 according to the BVI Financial Services Commission. The exchange relocated its global headquarters to Dubai, UAE, announcing the move in March 2022 following in-principle approval from Dubai’s Virtual Assets Regulatory Authority (VARA). In May 2025, Bybit obtained a full EU MiCAR license in Austria, and in October 2025, it received a UAE Securities and Commodities Authority (SCA) license. The exchange remains blocked or restricted in multiple jurisdictions, including the United States, Canada, mainland China, Hong Kong, and France. In October 2023, the UK’s Financial Conduct Authority (FCA) imposed new rules on crypto promotions, which led Bybit to suspend services to UK customers; Bybit subsequently relaunched UK services in December 2025 under FCA-compliant arrangements.","heading":"Regulatory Status and Jurisdiction Restrictions","severity":"medium","sources":[{"credibility":2,"name":"Bybit Restricted Countries – Datawallet","type":"other","url":"https://www.datawallet.com/crypto/bybit-restricted-countries"},{"credibility":2,"name":"Bybit UK Ban Explained – Crypternon","type":"news_article","url":"https://crypternon.com/en/bybit-uk-ban/"},{"credibility":2,"name":"BrokerChooser: Is Bybit Safe or a Scam Broker?","type":"research","url":"https://brokerchooser.com/safety/bybit-broker-safe-or-scam"}]},{"content":"The February 2025 hack prompted broader industry and government scrutiny of multi-signature wallet infrastructure, third-party frontend dependencies, and the security of cold wallet management processes at exchanges. The Wilson Center and CSIS both published analyses arguing the incident highlighted the need for enhanced regulatory oversight of large crypto custodians and exchange security standards. The Paul Hastings law firm noted potential implications for U.S. regulatory approaches to exchange custody requirements. DeFiLlama's hack tracking database lists the Bybit incident as the single largest crypto exchange hack ever recorded, dwarfing prior incidents and accounting for a substantial portion of total crypto hack losses in 2025. The incident also renewed attention to the threat posed by North Korean state-sponsored hackers, who the FBI tracks as TraderTraitor. A 2024 United Nations Panel of Experts report estimated that DPRK-linked groups stole over $3 billion in cryptocurrency between 2017 and 2023, a figure that does not include the 2025 Bybit theft.","heading":"Industry and Policy Implications","severity":"low","sources":[{"credibility":1,"name":"Wilson Center: The Bybit Heist — What Happened and What Now?","type":"research","url":"https://www.wilsoncenter.org/article/bybit-heist-what-happened-what-now"},{"credibility":1,"name":"CSIS: The ByBit Heist and the Future of U.S. Crypto Regulation","type":"research","url":"https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation"},{"credibility":2,"name":"Paul Hastings: The Bybit Hack of 2025 — Potential Implications","type":"news_article","url":"https://www.paulhastings.com/insights/crypto-policy-tracker/the-bybit-hack-of-2025-potential-implications"},{"credibility":2,"name":"DeFiLlama Hacks Database","type":"on_chain","url":"https://defillama.com/hacks"},{"credibility":2,"name":"The Block: From Bybit to GMX — The 10 Biggest Crypto Hacks of 2025","type":"news_article","url":"https://www.theblock.co/post/380992/biggest-crypto-hacks-2025"}]}],"sources_used":[{"archive_timestamp":"2026-05-15T20:49:17+00:00","archive_url":"http://web.archive.org/web/20260515204917/https://www.ic3.gov/PSA/2025/PSA250226","credibility":1,"name":"FBI / IC3: North Korea Responsible for $1.5 Billion Bybit Hack","type":"regulatory","url":"https://www.ic3.gov/psa/2025/psa250226"},{"archive_timestamp":"2026-03-09T19:19:46+00:00","archive_url":"http://web.archive.org/web/20260309191946/https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation","credibility":1,"name":"CSIS: The ByBit Heist and the Future of U.S. Crypto Regulation","type":"research","url":"https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation"},{"archive_timestamp":null,"archive_url":null,"credibility":1,"name":"Wilson Center: The Bybit Heist — What Happened and What Now?","type":"research","url":"https://www.wilsoncenter.org/article/bybit-heist-what-happened-what-now"},{"archive_timestamp":null,"archive_url":null,"credibility":1,"name":"CNBC: Bybit Says It Fully Replenished Reserves After Record $1.5 Billion Hack","type":"news_article","url":"https://www.cnbc.com/2025/02/24/bybit-replenished-reserves-after-record-breaking-1point5-billion-hack.html"},{"archive_timestamp":null,"archive_url":null,"credibility":1,"name":"ICIJ: About the Coin Laundry Investigation","type":"news_article","url":"https://www.icij.org/investigations/coin-laundry/about-coin-laundry-investigation-cryptocurrency/"},{"archive_timestamp":"2025-12-04T10:26:13+00:00","archive_url":"http://web.archive.org/web/20251204102613/https://www.coindesk.com/policy/2025/11/17/investigative-reporter-group-icij-exposes-the-coin-laundry-crypto-s-criminal-financial-system","credibility":1,"name":"CoinDesk: ICIJ Exposes Coin Laundry","type":"news_article","url":"https://www.coindesk.com/policy/2025/11/17/investigative-reporter-group-icij-exposes-the-coin-laundry-crypto-s-criminal-financial-system"},{"archive_timestamp":"2026-05-05T09:58:54+00:00","archive_url":"http://web.archive.org/web/20260505095854/https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html","credibility":2,"name":"The Hacker News: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack","type":"news_article","url":"https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html"},{"archive_timestamp":"2026-04-20T23:34:45+00:00","archive_url":"http://web.archive.org/web/20260420233445/https://www.nccgroup.com/research/in-depth-technical-analysis-of-the-bybit-hack/","credibility":2,"name":"NCC Group: In-Depth Technical Analysis of the Bybit Hack","type":"research","url":"https://www.nccgroup.com/research/in-depth-technical-analysis-of-the-bybit-hack/"},{"archive_timestamp":"2026-03-07T21:03:22+00:00","archive_url":"http://web.archive.org/web/20260307210322/https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/","credibility":2,"name":"Sygnia: Investigation into the Bybit Hack","type":"research","url":"https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"},{"archive_timestamp":"2026-05-02T19:31:23+00:00","archive_url":"http://web.archive.org/web/20260502193123/https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/","credibility":2,"name":"Chainalysis: Collaboration in the Wake of Record-Breaking Bybit Theft","type":"on_chain","url":"https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/"},{"archive_timestamp":"2026-03-24T17:24:18+00:00","archive_url":"http://web.archive.org/web/20260324172418/https://www.elliptic.co/blog/bybit-hack-largest-in-history","credibility":2,"name":"Elliptic: Bybit Hack — Largest in History","type":"on_chain","url":"https://www.elliptic.co/blog/bybit-hack-largest-in-history"},{"archive_timestamp":null,"archive_url":null,"credibility":2,"name":"TRM Labs: The Bybit Hack — Following North Korea's Largest Exploit","type":"on_chain","url":"https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit"},{"archive_timestamp":null,"archive_url":null,"credibility":2,"name":"Bleeping Computer: FBI Confirms Lazarus Hackers Behind $1.5B Bybit Heist","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/fbi-confirms-lazarus-hackers-were-behind-15b-bybit-crypto-heist/"},{"archive_timestamp":"2025-10-07T14:40:55+00:00","archive_url":"http://web.archive.org/web/20251007144055/https://cointelegraph.com/news/bybit-hackers-solana-memecoin-scams-zachxbt","credibility":2,"name":"CoinTelegraph: Bybit Hackers May Be Behind Solana Memecoin Scams — ZachXBT","type":"news_article","url":"https://cointelegraph.com/news/bybit-hackers-solana-memecoin-scams-zachxbt"},{"archive_timestamp":"2026-01-10T07:11:09+00:00","archive_url":"http://web.archive.org/web/20260110071109/https://protos.com/binance-okx-htx-bybit-kraken-cited-in-icij-scam-probe/","credibility":2,"name":"Protos: Binance, OKX, HTX, Bybit, Kraken Cited in ICIJ Scam Probe","type":"news_article","url":"https://protos.com/binance-okx-htx-bybit-kraken-cited-in-icij-scam-probe/"},{"archive_timestamp":"2026-02-11T22:13:05+00:00","archive_url":"http://web.archive.org/web/20260211221305/https://www.paulhastings.com/insights/crypto-policy-tracker/the-bybit-hack-of-2025-potential-implications","credibility":2,"name":"Paul Hastings: The Bybit Hack of 2025 — Potential Implications","type":"news_article","url":"https://www.paulhastings.com/insights/crypto-policy-tracker/the-bybit-hack-of-2025-potential-implications"},{"archive_timestamp":"2026-01-16T12:24:49+00:00","archive_url":"http://web.archive.org/web/20260116122449/https://hacken.io/case-studies/bybit-proof-of-reserves/","credibility":2,"name":"Hacken: Bybit Proof of Reserves Case Study","type":"research","url":"https://hacken.io/case-studies/bybit-proof-of-reserves/"},{"archive_timestamp":"2026-04-22T17:59:40+00:00","archive_url":"http://web.archive.org/web/20260422175940/https://en.wikipedia.org/wiki/Bybit","credibility":2,"name":"Bybit – Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/Bybit"},{"archive_timestamp":"2026-05-15T11:52:58+00:00","archive_url":"http://web.archive.org/web/20260515115258/https://defillama.com/hacks","credibility":2,"name":"DeFiLlama Hacks Database","type":"on_chain","url":"https://defillama.com/hacks"},{"archive_timestamp":"2026-01-07T13:52:07+00:00","archive_url":"http://web.archive.org/web/20260107135207/https://www.theblock.co/post/380992/biggest-crypto-hacks-2025","credibility":2,"name":"The Block: Biggest Crypto Hacks of 2025","type":"news_article","url":"https://www.theblock.co/post/380992/biggest-crypto-hacks-2025"},{"archive_timestamp":"2025-09-01T16:46:38+00:00","archive_url":"http://web.archive.org/web/20250901164638/https://brokerchooser.com/safety/bybit-broker-safe-or-scam","credibility":2,"name":"BrokerChooser: Is Bybit Safe or a Scam Broker?","type":"research","url":"https://brokerchooser.com/safety/bybit-broker-safe-or-scam"},{"archive_timestamp":"2025-09-15T21:11:07+00:00","archive_url":"http://web.archive.org/web/20250915211107/https://crypternon.com/en/bybit-uk-ban/","credibility":2,"name":"Crypternon: Bybit UK Ban","type":"news_article","url":"https://crypternon.com/en/bybit-uk-ban/"}],"summary":"Bybit is a Dubai-headquartered cryptocurrency derivatives and spot exchange founded in 2018 by Ben Zhou, serving over 80 million registered users globally. On February 21, 2025, the exchange suffered the largest cryptocurrency theft in recorded history when North Korean state-sponsored hackers attributed to the Lazarus Group (TraderTraitor) stole approximately $1.46 billion in Ethereum via a supply chain compromise of Safe{Wallet}'s frontend infrastructure. Separately, Bybit accounts have been cited in the ICIJ's 2025 Coin Laundry investigation into crypto exchanges facilitating international criminal money flows.","timeline":[{"date":"2018-03-01","event":"Bybit founded in Singapore by Ben Zhou, focused on cryptocurrency derivatives trading.","source":"Wikipedia / CryptoSlate","source_url":"https://en.wikipedia.org/wiki/Bybit"},{"date":"2022-03-01","event":"Bybit relocates global headquarters from Singapore to Dubai, UAE, following in-principle approval from VARA.","source":"Wikipedia","source_url":"https://en.wikipedia.org/wiki/Bybit"},{"date":"2023-10-01","event":"UK Financial Conduct Authority (FCA) implements new crypto promotion rules; Bybit suspends services to UK customers.","source":"Crypternon","source_url":"https://crypternon.com/en/bybit-uk-ban/"},{"date":"2025-01-01","event":"Lazarus Group-linked wallets later connected to the Bybit hack conduct the $29 million Phemex hack, according to ZachXBT's on-chain investigation.","source":"CoinTelegraph / ZachXBT via Arkham Intelligence","source_url":"https://cointelegraph.com/news/bybit-hackers-solana-memecoin-scams-zachxbt"},{"date":"2025-02-04","event":"A macOS workstation belonging to a Safe{Wallet} developer is compromised via suspected social engineering, initiating the supply chain attack.","source":"Sygnia / The Hacker News","source_url":"https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html"},{"date":"2025-02-19","event":"Malicious JavaScript is injected into the S3 bucket serving the Safe{Wallet} frontend (app.safe.global), specifically targeting Bybit's cold wallet addresses.","source":"NCC Group technical analysis","source_url":"https://www.nccgroup.com/research/in-depth-technical-analysis-of-the-bybit-hack/"},{"date":"2025-02-21","event":"Approximately 401,347 ETH (~$1.46 billion) is stolen from Bybit's cold wallet during a routine transfer via the compromised Safe{Wallet} interface. ZachXBT submits a detailed attribution report to Arkham Intelligence linking the attack to Lazarus Group. Lazarus-linked wallets also launch memecoin projects on Pump.fun on Solana as a laundering vector.","source":"IC3 / ZachXBT / Arkham Intelligence","source_url":"https://www.ic3.gov/psa/2025/psa250226"},{"date":"2025-02-24","event":"Bybit announces it has fully replenished reserves within 72 hours, securing approximately 447,000 ETH through emergency funding from Galaxy Digital, FalconX, and Wintermute.","source":"CNBC","source_url":"https://www.cnbc.com/2025/02/24/bybit-replenished-reserves-after-record-breaking-1point5-billion-hack.html"},{"date":"2025-02-26","event":"FBI formally attributes the hack to North Korean TraderTraitor (Lazarus Group) and publishes 50 associated Ethereum wallet addresses. Security auditor Hacken simultaneously publishes a Proof of Reserves confirming Bybit's reserve ratio exceeds 100%.","source":"FBI IC3 / Hacken","source_url":"https://www.ic3.gov/psa/2025/psa250226"},{"date":"2025-03-20","event":"Bybit CEO Ben Zhou discloses that hackers converted approximately 86.29% of stolen ETH to Bitcoin and dispersed it across thousands of addresses on multiple blockchains.","source":"Chainalysis / TRM Labs","source_url":"https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/"},{"date":"2025-11-17","event":"ICIJ publishes The Coin Laundry investigation, citing Bybit among major exchanges whose customer accounts received funds traced to international criminal organizations.","source":"CoinDesk / ICIJ","source_url":"https://www.coindesk.com/policy/2025/11/17/investigative-reporter-group-icij-exposes-the-coin-laundry-crypto-s-criminal-financial-system"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 1115ad8f-a019-45f4-99f9-150d8f2829ab
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.