On February 21, 2025, Bybit, a major cryptocurrency exchange based in Dubai, suffered one of the largest hacks in crypto history. Hackers successfully stole approximately $1.4 billion to $1.5 billion worth of digital currency, primarily Ethereum (ETH) and MegaETH (mETH).
How the Hack Happened
The attackers exploited Bybit’s Ethereum cold wallet, a secure offline storage system designed to protect funds. The breach occurred due to vulnerabilities in Bybit’s multi-signature authentication process, which typically requires multiple approvals for transactions.
Investigations suggest that the hackers employed a sophisticated attack involving a fake user interface. Bybit’s security team was tricked into signing off on what appeared to be a legitimate transaction, unknowingly granting the hackers access to the cold wallet. Once inside, they transferred 401,347 ETH to an unknown address. The stolen funds were then moved through decentralized exchanges and privacy-enhancing protocols, making recovery extremely difficult.
Discovery and Immediate Response
Blockchain security analyst ZachXBT was among the first to detect the hack, urging users to blacklist the hacker-controlled addresses. Bybit’s co-founder and CEO, Ben Zhou, acknowledged the breach and assured users that other cold wallets remained secure.
Bybit did not halt withdrawals, emphasizing that the exchange was still solvent and able to cover the losses through internal funds and bridge loans covering 80 percent of the stolen ETH. The exchange immediately partnered with cybersecurity firms and law enforcement agencies to investigate and trace the stolen assets.
Who Was Behind the Attack?
Emerging analysis from Arkham Intelligence suggests that the Lazarus Group, North Korea’s state-sponsored cybercriminal unit, may have orchestrated the attack. This group has a history of targeting cryptocurrency exchanges using advanced hacking techniques.
The Bybit hack highlights critical vulnerabilities in blind signing, a practice where users approve transactions without fully understanding them. Preventing similar breaches requires adopting more secure and transparent transaction authorization systems.
How Porto by Anchorage Digital Prevents Blind Signing Risks
Bybit’s failure stemmed from multi-signature security loopholes and manipulated UI approvals. A more secure approach, as demonstrated by Porto, Anchorage Digital’s self-custody wallet, eliminates blind signing by displaying clear, human-readable transaction details on secure devices like iPhones with secure enclaves.
Here is how Porto protects against attacks like this:
Transparent transactions ensure users see exactly what they are approving, preventing fake UI exploits.
Zero-trust security requires every transaction to be reviewed and confirmed on a trusted device, preventing unauthorized approvals.
Advanced transaction protection integrates tools like WalletConnect, Blockaid, and TRM Labs to detect risky transactions and flag malicious actors.
Institutional oversight applies human risk reviews and customizable policies to high-value transactions, preventing unauthorized access and fraudulent withdrawals.
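The "transparent transactions" point above can be sketched in a few lines. This is an added example, not code from Porto, Anchorage Digital or Bybit: the signing side decodes the exact bytes it is asked to sign and compares them with what the requesting UI displays. The ERC-20 transfer/approve encoding is used as an assumed sample payload, and all addresses and function names in the sketch are constructed for illustration.

```python
# Added illustration: the signing device decodes the bytes it will sign and
# compares them with what the requesting UI claims. Addresses are constructed.
KNOWN_SELECTORS = {
    "a9059cbb": "transfer",  # ERC-20 transfer(address,uint256)
    "095ea7b3": "approve",   # ERC-20 approve(address,uint256)
}
UNKNOWN = {"function": "UNKNOWN", "recipient": None, "amount": None}

def build_calldata(selector, recipient, amount):
    """Encode selector + two 32-byte ABI words (address, uint256)."""
    return "0x" + selector + recipient[2:].rjust(64, "0") + format(amount, "064x")

def decode_calldata(data_hex):
    """Turn raw calldata into human-readable fields, or UNKNOWN."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    name = KNOWN_SELECTORS.get(raw[:4].hex())
    # Reject unknown functions, wrong lengths and non-zero address padding.
    if name is None or len(raw) != 68 or any(raw[4:16]):
        return dict(UNKNOWN)
    return {
        "function": name,
        "recipient": "0x" + raw[16:36].hex(),      # low 20 bytes of word 1
        "amount": int.from_bytes(raw[36:68], "big"),
    }

def review(ui_claim, data_hex):
    """Return reasons to refuse signing; an empty list means claim == bytes."""
    decoded = decode_calldata(data_hex)
    if decoded["function"] == "UNKNOWN":
        return ["calldata cannot be decoded: refuse to blind sign"]
    claim = dict(ui_claim, recipient=ui_claim["recipient"].lower())
    return [
        f"{field}: UI shows {claim[field]!r}, signed bytes say {decoded[field]!r}"
        for field in ("function", "recipient", "amount")
        if claim[field] != decoded[field]
    ]

TREASURY = "0x" + "11" * 20   # constructed: the destination the UI displays
OTHER = "0x" + "ee" * 20      # constructed: a different destination in the bytes
CLAIM = {"function": "transfer", "recipient": TREASURY, "amount": 1000}

if __name__ == "__main__":
    for dest in (TREASURY, OTHER):
        print(dest, review(CLAIM, build_calldata("a9059cbb", dest, 1000)))
```

The check only has value when it runs on a device the requesting interface cannot influence, which is the role the article assigns to the trusted signing device.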
Bybit’s compromise underscores the urgent need for better security standards in the crypto industry. Platforms that prioritize secure and transparent signing processes and zero-trust models can help prevent similar attacks, ensuring user funds remain safe.
This attack reignited discussions about the security of digital asset platforms. While Bybit assured users that funds were covered, the incident raised concerns about hidden regulatory risks, solvency transparency, and cybersecurity gaps in major exchanges.
To move forward, the industry must prioritize stronger security infrastructure, transparent transaction flows, and institutional-grade risk management. As crypto adoption grows, blind signing and opaque security models must be replaced with systems designed to withstand sophisticated attacks like the one Bybit faced.
Security is not just about reacting to breaches. It is about preventing them before they happen.