When Bybit disclosed on February 21, 2025 that approximately $1.4 billion in ETH had been stolen from its cold wallet infrastructure, the announcement sent shockwaves through the industry. Thirteen months later, the exchange has completed what may be the most ambitious user reimbursement programme in crypto history — paying back every affected user in full. The full story of Bybit's recovery is a case study in crisis management, institutional resilience, and the improving infrastructure of the exchange industry. For an updated assessment of Bybit's current platform, see the Bybit review.
The Hack: How It Happened
The attack exploited Bybit's use of Safe (formerly Gnosis Safe) multi-signature wallets for cold storage. Attackers — subsequently attributed to North Korea's Lazarus Group by the FBI and multiple blockchain forensics firms — compromised the signing devices of three of five required signers through a sophisticated social engineering campaign. The malicious transactions appeared legitimate in the signing interface but contained hidden payload instructions that redirected funds to attacker-controlled addresses.
The attack bypassed standard multi-signature security because the compromise occurred at the device level, not the smart contract level. All five signers used the same interface software, which had been secretly modified by the attackers — meaning even careful humans reviewing the transaction would have seen a legitimate-looking approval request while the underlying transaction was malicious.
The Bybit hack accelerated industry-wide reassessment of multi-signature custodial architectures. Within weeks, several major exchanges including Coinbase and Kraken published security disclosures detailing their own cold wallet procedures and differences from Bybit's setup.
The Recovery Timeline: 13 Months From Crisis to Closure
Bybit's recovery unfolded in five distinct phases. In the first 72 hours, the exchange halted withdrawals temporarily, secured a $400M emergency bridge loan from institutional lenders, and began paying reimbursements to users with balances under $10,000 — covering approximately 85% of affected accounts by user count but only 20% by value.
Over the following three months, Bybit raised $250 million in a private placement led by existing investors and new strategic backers, sold non-core business assets, and worked with blockchain analytics firms Chainalysis and TRM Labs to trace the stolen ETH. On-chain tracking identified approximately 32,000 ETH (about $112M) converted through mixers and bridges, of which 11,200 ETH ($39M) was frozen at exchanges that responded to law enforcement requests. The frozen funds were returned to Bybit through legal processes over the subsequent six months.
- Total stolen: ~400,000 ETH ($1.4B at time of hack)
- Recovered via exchange freezes: ~11,200 ETH ($39M)
- Funded via own reserves: ~$400M
- Raised from investors: ~$250M
- Bridge loans repaid: ~$710M (over 12 months)
- Final reimbursement completion: March 2026
Security Architecture After the Hack
Bybit's post-hack security overhaul is among the most comprehensive in exchange history. The core change was replacing Safe multisig with a custom Hardware Security Module (HSM) architecture developed in partnership with Thales — the same vendor used by major tier-1 banks for signing financial transactions. Each HSM is a tamper-resistant physical device that signs transactions in an air-gapped environment, making remote software compromise impossible.
Additional changes include: mandatory video-verified co-signing for any transaction above $1M, real-time cold wallet monitoring with anomaly alerts, quarterly penetration testing by three independent firms, and a $50M bug bounty programme for responsible disclosure of vulnerabilities. The exchange's new CISO joined from JPMorgan's cybersecurity division, bringing traditional finance security governance standards to the role.
Proof of Reserves audits are now published monthly using Merkle tree verification and independently attested by a top-four accounting firm — a level of transparency that exceeds most exchange peers. All proof-of-reserve reports are publicly accessible and include liability-side attestations, not just asset snapshots.
User Trust Recovery and Platform Metrics
Despite the severity of the hack, Bybit's user base proved resilient. Withdrawals during the hack totalled approximately $5.6 billion in the week following disclosure — significant, but less than 15% of total assets under custody. The controlled withdrawal management, clear communication, and rapid partial reimbursements maintained confidence among the majority of users.
By Q4 2025, Bybit's assets under custody had recovered to pre-hack levels. By Q1 2026, the platform reported record daily active users for the first time since the incident, aided partly by competitive fee promotions and partly by the completion of reimbursements demonstrating institutional credibility. Derivatives volume has also recovered, with Bybit maintaining its position as the third-largest CEX perpetuals platform globally behind Binance and OKX.
For traders evaluating Bybit in light of its security track record and recovery, the detailed Bybit review covers current fees, security architecture, and a comparison with other major platforms at the exchange ratings hub.




