On February 21, 2025, Bybit suffered the largest cryptocurrency heist in history.
A staggering $1.5 billion worth of Ethereum (ETH) and staked ETH (stETH) vanished in a highly sophisticated cyberattack.
This wasn’t just another routine exchange hack—it was a wake-up call. If a major exchange like Bybit can be breached, what does that mean for everyday crypto holders?
The reality is simple: no exchange is immune, and relying on centralized platforms for crypto storage carries inherent risks.
This incident reinforces the critical need for personal security measures, including self-custody, heightened transaction verification, and strict control over the devices used to access crypto wallets.
It also underscores the importance of choosing the right wallet provider.
What Happened?
The attack targeted Bybit’s multisignature cold wallet (the Safe wallet), a storage method typically considered among the most secure.
The hack was executed in two major parts. First, attackers exploited an Ethereum smart contract function that allowed a second smart contract’s code to be executed inside the first, effectively giving them control over the wallet’s transaction logic.
This allowed them to alter approvals and reroute funds.
Second, they faked the Safe wallet UI so that what the multisig wallet owners saw was not what was actually happening. The interface displayed correct transaction details while, in reality, funds were being siphoned away.
To execute the exploit, the attackers had likely installed malware on the multisig wallet owners’ devices, compromising their security at the device level.
This level of sophistication is only likely when targeting an exchange or a whale, but it underscores the need for security best practices at every layer of the tech stack you use for transacting in crypto.
When the dust settled, approximately 400,000 ETH and stETH were gone, making this the most significant theft in crypto history.
Who Did It?
Blockchain forensic experts quickly linked the attack to the Lazarus Group, a notorious North Korean hacking syndicate responsible for previous exchange breaches, including the $70 million Phemex hack in January 2025.
Bybit CEO Ben Zhou moved quickly to reassure users that the exchange remained solvent and could cover the losses. However, the breach triggered a massive surge in withdrawal requests, temporarily straining the platform.
To aid in recovery efforts, Bybit launched a $140 million bounty program, hoping to incentivize white-hat hackers and law enforcement to track down the stolen assets.
Meanwhile, investor confidence took a hit, and Ethereum’s price dropped by 4% in the aftermath of the attack.
How the Attack Was Executed
This was no ordinary hack. The attackers deployed a combination of technical exploits and social engineering tactics to breach Bybit’s defenses.
On the technical side, they manipulated the smart contract logic of Bybit’s multisig wallet. This allowed them to reroute transactions without raising immediate suspicion. They also leveraged the Safe Protocol’s execTransaction function, a known vulnerability that, when exploited, allows fraudulent transactions to appear legitimate.
But the real trick was in the user interface manipulation.
Bybit’s security custodians unknowingly approved the fraudulent transactions because the Safe wallet UI displayed the correct transfer details, masking the underlying malicious contract changes.
Behind the scenes, however, the smart contract had been altered, making it nearly impossible to detect the hack until it was too late.
Additionally, there are indications that phishing and credential theft played a role.
Attackers may have gained initial access through compromised employee credentials, giving them the foothold they needed to execute the exploit.
Lessons for Crypto Investors
The Bybit hack is a stark reminder that even the most secure-looking exchanges can be vulnerable. For investors, the key takeaway is this: don’t assume your funds are safe just because an exchange says so.
First and foremost, self-custody is king.
Exchanges are a big juicy target. They hold massive amounts of funds. And often a hack that exploits a single point of failure can give the thieves control of everybody’s assets.
If you’re serious about crypto security, storing assets on a hardware wallet like Ledger or Trezor is the best option. For larger holdings, consider using multisig solutions where YOU control approvals, not a third party.
Another critical lesson is to always verify transactions manually.
Use blockchain explorers to double-check transaction details before signing anything. If something looks off, take the time to investigate—it could save you from a costly mistake.
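For multisig signers, manual verification means decoding the raw calldata rather than trusting what the interface renders. The following Python sketch is an added example, not code from Bybit or Safe: it decodes a Safe execTransaction call and flags an operation value of 1 (delegatecall, which runs the target contract's code inside the wallet, as described under "What Happened?") or a target and amount that differ from what was displayed. The addresses, the allowlist parameter and the sample calldata are constructed for illustration.

```python
EXEC_TX_SELECTOR = "6a761202"  # execTransaction(address,uint256,bytes,uint8,...)
CALL, DELEGATECALL = 0, 1      # Safe Enum.Operation values
WARM_WALLET = "0x" + "11" * 20       # constructed: recipient the signer expects
UNKNOWN_CONTRACT = "0x" + "ee" * 20  # constructed: contract nobody reviewed

def decode_exec_transaction(calldata_hex: str) -> dict:
    """Extract the fields a signer should check from raw execTransaction calldata."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if raw[:4].hex() != EXEC_TX_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    body = raw[4:]
    if len(body) < 10 * 32:
        raise ValueError("calldata shorter than the ten-argument head")
    word = lambda i: int.from_bytes(body[32 * i:32 * i + 32], "big")
    offset = word(2)  # head slot 2 points at the dynamic `data` argument
    if offset + 32 > len(body):
        raise ValueError("data offset out of range")
    length = int.from_bytes(body[offset:offset + 32], "big")
    if offset + 32 + length > len(body):
        raise ValueError("data length out of range")
    return {"to": "0x" + body[12:32].hex(), "value": word(1),
            "operation": word(3), "data": body[offset + 32:offset + 32 + length]}

def review(calldata_hex, expected_to, expected_value, delegatecall_allowlist=()):
    """Return findings; an empty list means the calldata matches what was displayed."""
    tx = decode_exec_transaction(calldata_hex)
    allowed = {a.lower() for a in delegatecall_allowlist}
    findings = []
    if tx["operation"] == DELEGATECALL and tx["to"] not in allowed:
        findings.append("DELEGATECALL to non-allowlisted contract " + tx["to"])
    elif tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation %d" % tx["operation"])
    if tx["to"] != expected_to.lower():
        findings.append("target differs from the address shown to the signer")
    if tx["value"] != expected_value:
        findings.append("value differs from the amount shown to the signer")
    return findings

def build_sample(to, value, operation, data=b""):
    """Constructed input: ABI-encode an execTransaction call with empty signatures."""
    enc = lambda n: n.to_bytes(32, "big")
    padded = data + b"\x00" * (-len(data) % 32)
    head = [int(to, 16), value, 320, operation, 0, 0, 0, 0, 0, 352 + len(padded)]
    tail = enc(len(data)) + padded + enc(0)
    return "0x" + EXEC_TX_SELECTOR + (b"".join(map(enc, head)) + tail).hex()

if __name__ == "__main__":
    shown = (WARM_WALLET, 10**18)  # what the signing UI displayed
    print(review(build_sample(WARM_WALLET, 10**18, CALL), *shown))
    print(review(build_sample(UNKNOWN_CONTRACT, 0, DELEGATECALL, b"\xde\xad\xbe\xef"), *shown))
```

Run a check like this on a machine separate from the one that renders the signing interface, so a compromised UI cannot also tamper with the verification.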
Diversification is another essential safeguard.
Keeping all your assets in one place—especially on a centralized exchange—is asking for trouble. Spread holdings across multiple wallets and platforms, and include a mix of hot wallets, cold storage, and decentralized solutions to minimize risk.
Security hygiene is equally important.
Enable two-factor authentication (2FA) using a hardware security key rather than SMS, and consider using a dedicated machine for crypto transactions. Everyday browsing, email, and instant messaging increase exposure to phishing and malware attacks, making it crucial to separate crypto-related activities from general internet use.
Be hyper-vigilant about phishing scams—never click on unsolicited links or enter credentials on unknown sites.
If you’re moving significant sums, consider using air-gapped devices for added protection.
Additionally, using up-to-date antivirus, anti-malware, and anti-tracking software is crucial, as even a single compromised link in your security can lead to catastrophic losses.
What This Means for the Crypto Industry
This attack has raised serious questions about the effectiveness of multisig cold wallets as a security standard. If a platform as large as Bybit can fall victim to an exploit of this magnitude, are multisig wallets as secure as we thought?
It also highlights the need for greater security in UI design for crypto transactions.
Safe and other wallet providers, along with crypto security firms, must ensure that their interfaces cannot be easily manipulated to deceive users.
Furthermore, regulatory bodies are likely to increase scrutiny on centralized exchanges, leading to tighter security requirements and potential compliance hurdles.
Some argue that decentralized finance (DeFi) solutions may provide a safer alternative to centralized platforms. By reducing reliance on third-party custodians, users can regain greater control over their assets, mitigating the risks associated with exchange hacks.
The Bottom Line
The Bybit hack is a sobering reminder that security in crypto is never absolute.
Even the most advanced storage methods, including multisig cold wallets, can be compromised when paired with clever social engineering tactics.
The best defense is proactive security: self-custody, manual verification, diversification, and ensuring every layer of your tech stack—from wallet software to the device you use—is fortified against potential threats.
The price of security in crypto is vigilance. Don’t wait until the next billion-dollar hack to take control of your financial sovereignty.