The $1.4B Bybit exchange hack, the largest in history, forces us to learn crucial lessons about the reliability of this platform and the security of the whole crypto industry.
Here, we will dive deeply into Bybit’s system security measures, as well as funds and customer protection, to better understand how one of the biggest crypto platforms with millions of users worldwide became a victim of a successful cyber attack.
Was Bybit Hacked?
First things first, let’s get a clear definition of “hack” and determine whether Bybit was hacked. A hack means that a system has a vulnerability, and bad actors discovered and exploited it before the security team could fix it.
Thus, from a purely technical standpoint, a system can be considered hacked if:
- A critical vulnerability in the target system is found, allowing attackers to gain control over the stored information, delete it, or steal it.
- The system is infected with malicious code that covertly executes harmful activities or blocks the availability of infrastructure, information, and other assets (servers, user accounts, and databases).
Let’s evaluate this from a technical perspective; the recent research from two cybersecurity firms, Verichains and Sygnia Labs, is particularly helpful here. Specifically, Verichains’ report clarifies that the issue was not on Bybit’s side but rather in the multi-signature wallet service Safe:
Proxy wallet management compromise
- At 14:13:35 UTC, an attacker initiates a transaction through SafeWallet.
- The transaction uses delegatecall to a GnosisSafe contract that trusts SafeWallet.
Spoofing the logic of the proxy contract
- A malicious contract executes consecutive delegate calls.
- The storage slot of the proxy implementation (control contract) is changed.
- The new code gives the attacker full control over the transaction.
Funds withdrawal
- The attacker signs transactions on behalf of the hot wallet.
- Funds are transferred to addresses controlled by the attacker.
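The chain above hinges on one EVM property: code reached through delegatecall runs against the calling contract’s storage, so a proxy that delegatecalls into unreviewed logic can have its own implementation slot rewritten. The toy model below (an added example, not code from the article, Bybit, or Safe; slot layout and opcode semantics are simplified, and every address is a constructed placeholder) reproduces that storage effect and shows the two signer-side checks a defender would want before approving a Safe transaction: a policy gate on the `operation` field, and a dry run that confirms the implementation slot is untouched.

```python
"""Toy model of EVM CALL vs DELEGATECALL storage semantics, plus the checks a
Safe signer should run before signing. Added example: not code from the article,
from Bybit, or from Safe; slot layout and opcode behaviour are simplified."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

CALL, DELEGATECALL = 0, 1       # Safe "operation" field values
MASTERCOPY_SLOT = 0             # Safe proxies keep the implementation address in slot 0

Storage = Dict[int, object]


@dataclass
class Contract:
    address: str
    code: Callable[[Storage, dict], None]   # runs against whatever storage it is handed
    storage: Storage = field(default_factory=dict)


def execute(caller: Contract, target: Contract, operation: int, calldata: dict) -> None:
    """CALL runs the target's code on the target's own storage. DELEGATECALL runs
    the target's code on the CALLER's storage, so every write lands in the caller."""
    if operation == CALL:
        target.code(target.storage, calldata)
    elif operation == DELEGATECALL:
        target.code(caller.storage, calldata)
    else:
        raise ValueError(f"unknown operation {operation}")


def proxy_code(storage: Storage, calldata: dict) -> None:
    """Stand-in for the proxy's forwarder; a real proxy delegatecalls slot 0 here."""


def slot_writer(storage: Storage, calldata: dict) -> None:
    """Any contract that writes one storage slot: harmless on its own storage,
    an implementation swap when delegatecalled by a proxy."""
    storage[calldata["slot"]] = calldata["value"]


def nonce_bump(storage: Storage, calldata: dict) -> None:
    """Benign target for a plain CALL; only touches its own slot 5."""
    storage[5] = storage.get(5, 0) + 1


def review_safe_tx(proxy: Contract, target: Contract, operation: int,
                   calldata: dict, delegate_allowlist: Set[str]) -> Tuple[bool, str]:
    """Signer-side checks that do not rely on what the signing UI displays."""
    # 1. Policy gate: delegatecall only to audited helpers (e.g. a MultiSend library).
    if operation == DELEGATECALL and target.address not in delegate_allowlist:
        return False, f"delegatecall to non-allowlisted target {target.address}"
    # 2. Dry run on copies of state: the implementation slot must be unchanged after.
    before = proxy.storage.get(MASTERCOPY_SLOT)
    sandbox = deepcopy(proxy)
    execute(sandbox, deepcopy(target), operation, calldata)
    after = sandbox.storage.get(MASTERCOPY_SLOT)
    if after != before:
        return False, f"implementation slot would change {before} -> {after}"
    return True, "ok"


def demo() -> dict:
    # Constructed addresses and values; none of these are real contracts.
    proxy = Contract("0xSAFE_PROXY", proxy_code, {MASTERCOPY_SLOT: "0xMASTERCOPY_V1"})
    token = Contract("0xTOKEN", nonce_bump)
    unknown = Contract("0xUNKNOWN_CONTRACT", slot_writer)
    helper = Contract("0xALLOWLISTED_HELPER", slot_writer)
    allowlist = {helper.address}
    swap = {"slot": MASTERCOPY_SLOT, "value": "0xUNREVIEWED_LOGIC"}

    results = {
        "plain_call": review_safe_tx(proxy, token, CALL, {}, allowlist),
        "delegatecall_unlisted": review_safe_tx(proxy, unknown, DELEGATECALL, swap, allowlist),
        "delegatecall_listed_but_rewrites": review_safe_tx(proxy, helper, DELEGATECALL, swap, allowlist),
        "proxy_slot_after_review": proxy.storage[MASTERCOPY_SLOT],
    }
    # What the chain would see if the same delegatecall were signed without these checks.
    unchecked = deepcopy(proxy)
    execute(unchecked, unknown, DELEGATECALL, swap)
    results["proxy_slot_if_unchecked"] = unchecked.storage[MASTERCOPY_SLOT]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the dry run is defence in depth: even a delegatecall target that passed the allowlist is rejected if simulating it moves the implementation slot, which is exactly the state change the report describes. In practice the same two checks belong on the hardware signer or an independent verification host, not only in the web UI that the signer is being asked to trust.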
Does This Mean That Bybit Was Not Hacked?
First, let’s answer another question: can a hack occur only for technical reasons? Not really. Today’s systems are mostly so complex that an attacker must develop a sophisticated attack combining technical vulnerabilities in the target system or its integrations with social engineering aimed at internal staff, vendors, and so on.
Therefore, dividing attack tactics and scenarios into technical and non-technical categories does not provide a clear-cut definition of whether this qualifies as a hack; assessing it based on the outcome is more accurate.
One of the classic and precise ways to evaluate this is the CIA triad, which states that a system should be designed to ensure that its information maintains three key principles: Confidentiality, Integrity, and Availability.
Confidentiality – Not Compromised Overall
- The attack did not leak user data, passwords, or access keys.
- The core infrastructure of Bybit (databases, user accounts) was not compromised.
- However, if the attacker gained access to the transaction signing mechanism, there is a potential risk of a multi-signature key leak, which could create long-term security concerns.
Integrity – Compromised, But Not in Bybit’s Infrastructure
- The compromise did not affect Bybit directly but rather the third-party service Safe (Gnosis Safe), which was used for signing hot wallet transactions.
- The attacker modified the implementation of a smart contract via delegatecall, allowing them to redirect assets to their own addresses.
- However, Bybit’s internal databases, user accounts, and trading infrastructure remained unchanged, meaning the integrity breach only impacted the asset management process and not the entire system.
Availability – Not Compromised Overall
- The platform’s operations and user access to assets were not disrupted.
- Deposits and withdrawals were temporarily suspended but were quickly restored.
- Trading operations continued without interruption.
After reviewing this situation from multiple perspectives, we can conclude that, strictly speaking, Bybit was not hacked, but it was subjected to a sophisticated and successful attack by the Lazarus Group, as discovered by ZachXBT. Although the investigation is still ongoing, the latest reports indicate that Bybit’s systems, infrastructure, and data were not compromised, further confirming my initial assumption.
Bybit Security Measures
Let’s use an analogy: suppose a criminal decides to rob a bank. If the bank lacks proper security, they can simply walk in, make threats, and leave with the stolen money. However, with many cameras and guards, the attacker will be forced to look for alternative ways to carry out the heist—otherwise, the risk would be too high.
This leads to a logical conclusion: since the attackers chose not to attack directly but instead carried out a more complex and costly operation, Bybit is evidently well protected against direct intrusions.
Let’s look at the specific security mechanisms and protective measures Bybit has in place, which forced the attackers to compromise intermediaries rather than the platform itself.
Asset Protection: Cold Wallets and Cryptographic Security
Bybit places significant emphasis on the secure storage of assets, and ironically, this was not enough to prevent the incident. Specifically, they store the majority of funds in cold wallets, withdrawing a portion every three weeks to facilitate user withdrawals and other platform operations. In this context, they implement a triple-layer security system:
Multi-Signature Authentication – Requiring multiple independent signatures for withdrawals from cold wallets, preventing unauthorized access.
Trusted Execution Environment (TEE) – A secure execution environment that protects critical operations from external attacks.
Threshold Signature Schemes (TSS) – Distributing signing authority among multiple independent participants to eliminate single points of failure.
However, as we now know, the third-party Multi-Signature Authentication service turned out to be one of the weak points. Yet, everything under Bybit’s direct control remained secure—otherwise, we would have seen all of the exchange’s funds stored in hot wallets, exposed to direct attacks, and putting not just some wallets but the entire platform at risk.
Real-Time Transaction Monitoring and Control
As part of its risk control system, Bybit continuously analyzes user activity and transactions.
User Behavior Analysis – The exchange detects and analyzes suspicious activities such as logins from new devices, abnormal transaction volumes, or IP address changes.
Automated Authentication Enhancement – If the system detects deviations from normal behavior, such as an attempt to withdraw large amounts of funds, the user will be required to undergo additional identity verification.
Notification and Logging System – Any changes to the account, login attempts, API key modifications, or large withdrawals are instantly recorded and reported to the user.
Such monitoring is crucial for protecting not only hot wallets but the platform’s overall operations and user accounts, reducing the risk of phishing and fraud. Unfortunately, these measures did not apply to the recent incident and could not have prevented it.
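The three controls listed above (behavior analysis, automatic step-up verification, and notification logging) fit naturally into one event pipeline. The following is an added example, not Bybit’s code: it learns a per-user baseline of devices, IPs, and typical withdrawal size, challenges deviations with a step-up decision, and marks which events must be pushed to the user. The thresholds, the event format, and the sample log are constructed for illustration.

```python
"""Toy behavioural-monitoring pipeline of the kind the section describes:
new-device / new-IP detection, abnormal withdrawal sizing, step-up decisions and
user notifications. Added example; not Bybit's code, thresholds are constructed."""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    ts: str
    user: str
    action: str       # login, withdraw, trade, api_key_create, ...
    device: str
    ip: str
    amount: float = 0.0


@dataclass
class Profile:
    """Per-user baseline learned only from activity that was allowed without challenge."""
    devices: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    withdrawals: List[float] = field(default_factory=list)


# Events that are always logged and pushed to the user, flagged or not.
NOTIFY_ACTIONS = {"login", "withdraw", "api_key_create", "api_key_update", "email_change"}
LARGE_VS_TYPICAL = 5.0        # withdrawal > 5x the user's median triggers step-up
ABSOLUTE_LARGE = 50_000.0     # or anything at/above this, regardless of history


def assess(ev: Event, profile: Profile) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up", reasons). A first-ever device/IP enrolls silently;
    after that, anything unseen counts as a deviation from normal behaviour."""
    reasons: List[str] = []
    if profile.devices and ev.device not in profile.devices:
        reasons.append("new device")
    if profile.ips and ev.ip not in profile.ips:
        reasons.append("new IP")
    if ev.action == "withdraw":
        typical = median(profile.withdrawals) if profile.withdrawals else 0.0
        if ev.amount >= ABSOLUTE_LARGE or (typical and ev.amount > LARGE_VS_TYPICAL * typical):
            reasons.append(f"abnormal withdrawal {ev.amount:.0f} vs typical {typical:.0f}")
    return ("step_up" if reasons else "allow"), reasons


def process(events: List[Event]) -> List[Dict[str, object]]:
    profiles: Dict[str, Profile] = {}
    decisions: List[Dict[str, object]] = []
    for ev in events:
        p = profiles.setdefault(ev.user, Profile())
        decision, reasons = assess(ev, p)
        decisions.append({"ts": ev.ts, "user": ev.user, "action": ev.action,
                          "decision": decision, "reasons": reasons,
                          "notify_user": ev.action in NOTIFY_ACTIONS})
        # Only unchallenged activity updates the baseline, so a challenged session
        # cannot teach the model that its device is "normal". (Enrolling a device
        # after a passed step-up check is a separate flow, not modelled here.)
        if decision == "allow":
            p.devices.add(ev.device)
            p.ips.add(ev.ip)
            if ev.action == "withdraw":
                p.withdrawals.append(ev.amount)
    return decisions


# Constructed sample activity log (IPs from documentation ranges).
SAMPLE_EVENTS = [
    Event("09:00", "alice", "login", "dev-A", "203.0.113.10"),
    Event("09:05", "alice", "withdraw", "dev-A", "203.0.113.10", 1000),
    Event("10:00", "alice", "withdraw", "dev-A", "203.0.113.10", 1200),
    Event("11:00", "alice", "withdraw", "dev-A", "203.0.113.10", 900),
    Event("23:40", "alice", "login", "dev-B", "198.51.100.7"),
    Event("23:42", "alice", "withdraw", "dev-B", "198.51.100.7", 40000),
    Event("08:00", "alice", "api_key_create", "dev-A", "203.0.113.10"),
    Event("08:01", "alice", "trade", "dev-A", "203.0.113.10", 250),
]


def run_sample() -> List[Dict[str, object]]:
    return process(SAMPLE_EVENTS)


if __name__ == "__main__":
    for d in run_sample():
        print(d["ts"], d["action"], d["decision"], d["reasons"], "notify" if d["notify_user"] else "")
```

Running the sample, the late-night login from an unseen device and IP is challenged, and the 40,000 withdrawal that follows is challenged again on three grounds because the challenged device was never enrolled; the API key creation from the known device is allowed but still generates a notification. The design choice worth noting is that the baseline learns only from unchallenged activity, which keeps an attacker from normalising their own device simply by generating traffic.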
Data Protection and User Privacy
Bybit utilizes a multi-layered data security system, preventing unauthorized access from both external attacks and internal threats.
End-to-End Encryption – User data is encrypted both in transit and at rest.
Hierarchical Data Classification – Sensitive information (such as KYC documents) is processed at different security levels.
Strict Access Control – Only authorized processes can interact with encrypted data, minimizing the risk of leaks.
This reduces the risk of internal compromise and makes access to personal data impossible without multi-layer authentication. It would also be a critical safeguard in a targeted attack, or if attackers had sought alternative ways to steal credentials, escalate privileges, and exfiltrate data or paralyze the system.
In such a case, they would have only obtained encrypted and unusable data and likely would not have had time to act, as the monitoring system would have detected the deviation from normal behavior.
Authentication and API Access Control
Bybit has implemented mandatory two-factor authentication (2FA) and additional measures to protect user accounts:
Login Security – Authentication includes CAPTCHAs, 2FA, and hardware authentication keys.
Flexible API Access Management – Users can restrict API access by IP address and set strict permissions for API keys.
Instant Notifications – Any account changes or API activity are immediately logged and reported to the user.
These measures protect both retail users and institutional clients, reducing the risk of account hijacking. However, they do not apply to administrator accounts authorized to perform critical tasks, such as those that could lead to the recent security incident.
Regulatory Compliance and Security Audits
Bybit claims to actively collaborate with industry regulators and independent auditors to comply with security standards.
PCI-DSS Service Provider Level 1 Certification – Ensuring the highest level of payment data protection.
Regular Proof of Reserves Audits – Verifying that all user funds are fully backed and stored 1:1, which, notably, was restored to normal at record speed after the recent incident.
Engagement with Regulators – Bybit participates in the development of security standards for centralized crypto exchanges.
Regarding Bug Bounty Programs and external threat protection, Bybit leverages active vulnerability detection programs in collaboration with the cybersecurity research community:
Bug Bounty Program – Rewarding researchers for discovering security vulnerabilities.
24/7 Security Teams – Ensuring round-the-clock incident response and continuous threat monitoring.
Conclusion
Bybit remains an exceptionally secure and resilient platform, implementing multi-layered security across multiple operational areas. However, this did not prevent the recent incident, which highlighted several persistent security gaps that probably affect everyone, such as third-party security risks and social engineering attacks.
So, is this hack about Bybit in the end? Opinions may differ, but if you ask me, I would frame it as follows:
Is Bybit to blame for the recent incident?
No. Bybit cannot control the security mechanisms and policies of the third-party providers that offer necessary services to the platform. By the opposite logic, to bake the perfect apple pie you would first have to invent the universe. That is why different teams focus on different solutions, enabling other companies to do the same.
Is Bybit responsible for the security incident?
Yes. The choice of third-party providers, the verification of their security, and the consideration of the human factor—which played a crucial role in the success of the attack—all fall under Bybit’s responsibility.
And it is worth noting that Bybit handled this responsibility well—even with the powerful support of partners and the consolidation of major crypto industry players around the issue, it does not diminish the scale, intensity, and, ultimately, the success of Bybit’s direct response to the problem.
Disclaimer: The information provided in this article is for informational and educational purposes only and does not constitute financial, investment, or trading advice. Any actions you take based on the information provided are solely at your own risk. We are not responsible for any financial losses, damages, or consequences resulting from your use of this content. Always conduct your own research and consult a qualified financial advisor before making any investment decisions.