- In February 2025, the crypto world was rocked by the Bybit hack, one of the largest security breaches in history, resulting in the loss of $1.5 billion in Ethereum.
- This incident has raised serious questions about the adequacy of existing security measures in cryptocurrency exchanges and third-party providers.
- According to the forensic investigation, “Bybit’s core systems were not breached; instead, attackers exploited a vulnerability in Safe{Wallet}, the third-party wallet service used for transaction processing.”
The Bybit hack has revealed critical vulnerabilities in crypto exchanges, leading to a $1.5B loss and prompting urgent calls for improved security measures.
What was the Bybit hack 2025?
The Bybit hack was a highly coordinated attack that resulted in $1.5 billion in Ethereum (ETH) being drained from the platform. Investigations suggest that hackers exploited a single-signing transaction vulnerability, allowing them to bypass wallet security and execute unauthorized withdrawals.
THE BYBIT HACK WAS THE LARGEST FINANCIAL HEIST IN HISTORY
Bybit sustained losses of $1.4 billion at the time of the hack, 21st February 2025. The closest competitor is the theft from the Central Bank of Iraq, which lost $1 billion on 18th March 2003.
— Arkham (@arkham) February 24, 2025
How did the Bybit hack happen?
Blockchain security firms analyzing the Bybit hack have pointed to a flaw in the wallet signing process, which may have been the key entry point for attackers. Here’s how it might have played out:
- A transaction signing exploit: attackers took advantage of a single-signing transaction vulnerability, which allowed them to authorize multiple withdrawals with a single approval.
- Cold wallet compromise followed, raising concerns about deeper security loopholes.
- Additionally, phishing and social engineering attacks may have helped gain internal credentials.
E110: Bybit’s Hack EMERGENCY EPISODE: How @Bybit_Official survived the biggest Crypto Theft of all time!
I sat down with @benbybit, the CoFounder & CEO of Bybit, just 72 hours after the largest heist ever in history affected his company.
Ben opens up on what exactly happened…
— MR SHIFT 🦁 (@KevinWSHPod) February 26, 2025
What is a single-signing transaction vulnerability?
This vulnerability allows a single transaction approval to be reused or manipulated, leading to unauthorized withdrawals. Here’s how it breaks down:
- Smart contract signing flaw – When funds are moved from a cold wallet to a hot wallet, the system generates an approval signature to verify the transaction.
- Attackers intercepted this signature and triggered multiple unauthorized transactions.
- Since the system treated these as approved transactions, the funds could be drained without immediate alerts.
Think of it as signing a blank check; the hackers did exactly that by intercepting a valid signature and draining Bybit’s funds.
Were there other security loopholes?
While the single-signing transaction flaw appears to be the main exploit, phishing attacks and delayed detection contributed to the vulnerability. The breach was first spotted by ZachXBT, who noticed excessive fund outflows on February 21.
What caused the Bybit hack of 2025?
Finally, it was determined that a breach in Safe{Wallet}, a third-party service used for transaction verification, enabled the hack.
Bybit Hack Forensics Report
Here are preliminary reports from @sygnia_labs and @Verichains
Check out the full report: here
— Ben Zhou (@benbybit) February 26, 2025
What is Safe{Wallet}?
Safe{Wallet} is a smart contract-based wallet service that ensures secure transactions using multi-signature approvals. However, a security flaw led to JavaScript exploits that compromised its integrity.
Hackers embedded malicious code into the Safe{Wallet} service running on AWS, allowing them to modify transaction details unnoticed.
How did the attack happen?
During a typical ETH cold wallet transfer, the compromised Safe{Wallet} script altered transaction details just as they were being authorized.
Bybit’s authorized wallets approved what they thought was a secure transfer while the malicious script redirected funds to the hacker’s destination.
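One defence against the scenario above, as an added example that is not part of the original article or of Safe{Wallet}'s code: before signing, compare the transfer the operators planned with the payload actually offered for signing, obtained independently of the wallet web interface. The field names follow the Safe multisig transaction structure; the function names and sample values are assumptions made for illustration.

```javascript
// Added example: field-by-field check of a Safe transaction before signing.
// INTENDED / TAMPERED are constructed sample data, not values from the incident.
const ADDRESS_FIELDS = ['to', 'gasToken', 'refundReceiver'];
const NUMERIC_FIELDS = ['value', 'operation', 'safeTxGas', 'baseGas', 'gasPrice', 'nonce'];
const ALL_FIELDS = [...ADDRESS_FIELDS, ...NUMERIC_FIELDS, 'data'];

// Canonical form, so case or hex-vs-decimal differences do not raise false alarms.
function normalize(field, raw) {
  if (raw === undefined || raw === null) throw new Error('missing');
  const s = String(raw).trim();
  if (ADDRESS_FIELDS.includes(field)) {
    if (!/^0x[0-9a-fA-F]{40}$/.test(s)) throw new Error('malformed address');
    return s.toLowerCase();
  }
  if (NUMERIC_FIELDS.includes(field)) {
    if (!/^(0x[0-9a-fA-F]+|[0-9]+)$/.test(s)) throw new Error('malformed number');
    return BigInt(s).toString(10);
  }
  if (!/^0x([0-9a-fA-F]{2})*$/.test(s)) throw new Error('malformed hex data');
  return s.toLowerCase();
}

// Compares the transfer the operators planned with the payload offered for
// signing. Fails closed: a missing or malformed field counts as a mismatch.
function checkBeforeSigning(intended, presented) {
  const mismatches = [];
  for (const field of ALL_FIELDS) {
    try {
      const want = normalize(field, intended[field]);
      const got = normalize(field, presented[field]);
      if (want !== got) mismatches.push({ field, want, got });
    } catch (err) {
      mismatches.push({ field, error: err.message });
    }
  }
  return { ok: mismatches.length === 0, mismatches };
}

const ZERO = '0x' + '00'.repeat(20);
const INTENDED = { to: '0x' + 'aa'.repeat(20), value: '1000000000000000000',
  data: '0x', operation: 0, safeTxGas: 0, baseGas: 0, gasPrice: 0,
  gasToken: ZERO, refundReceiver: ZERO, nonce: 71 };
// Same transfer, but with the destination swapped, as the article describes.
const TAMPERED = { ...INTENDED, to: '0x' + 'bb'.repeat(20) };

console.log(checkBeforeSigning(INTENDED, TAMPERED));
```

Run the check on a device that does not load the wallet's web front end, so a compromised script cannot alter both sides of the comparison.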
Why this matters for crypto security
This hack emphasizes that vulnerabilities can arise not from direct attacks but from third-party integrations. Transactions must undergo continuous audits, ensuring that dependencies do not weaken exchange security.
How much has been recovered?
As of late February 2025, approximately $42.8 million of the stolen assets have been secured or frozen. The recovery is facilitated through coordinated efforts across different exchanges and blockchain forensics.
- Ethereum (ETH): 34 ETH (≈$97,000) was intercepted.
- Bitcoin (BTC): $37,000 was blocked after being bridged cross-chain.
- Stablecoins (USDT/USDC): Tether froze 181,000 USDT linked to the stolen funds.
What does the Bybit hack change for crypto?
The Bybit hack demonstrates a pressing need for enhanced security across all cryptocurrency exchanges. Stronger protocols and collaborative efforts are essential to mitigate the risks posed by increasingly sophisticated cyber threats.
Frequently asked questions
Was Bybit itself hacked, or was it a third-party vulnerability?
Bybit wasn’t directly hacked; instead, the attackers exploited vulnerabilities in the third-party service, Safe{Wallet}.
How much of the stolen crypto has been recovered so far?
As of late February 2025, about $42.8 million has been frozen or recovered.
What’s Bybit doing to prevent future attacks like this?
Bybit has implemented tighter security measures and launched initiatives like LazarusBounty.com, which aims to track stolen funds.