The ByBit Crypto Hack Is the Biggest in the World. How did it Happen?

February 28, 2025

Author: Nicole Buckler

The ByBit hack was huge in terms of sheer monetary value. Here is a breakdown of how it unfurled.

The recent security breach at Bybit has sent shockwaves through the cryptocurrency world, marking what is being called one of the largest digital asset thefts in history. CoinJar is not affected by this incident. Here’s a breakdown of what we know and what may have happened.

What Happened at ByBit

Bybit, a major cryptocurrency exchange, experienced a significant security breach resulting in the theft of a massive amount of

, ByBit reported that approximately $1.5 billion worth of digital assets were compromised.

How the attack unfolded

Based on ByBit’s investigation so far, here is a simplified explanation:

1. Compromised developer computer

A computer belonging to developers at Safe Global (often referred to as Safe{Wallet}) was hacked.

Safe Global is a provider of cryptocurrency wallets, and it is important to note that CoinJar does not use Safe Global for its crypto storage.

2. Malicious code inserted on AWS

The attackers gained access to Safe’s Amazon Web Services (AWS) S3 bucket, where key files were stored. They injected malicious JavaScript code into these files.

3. Supply chain attack trigger

This harmful code was specifically designed to alter transaction details during the signing process. It was triggered if a transaction originated from ByBit’s contract address.

4. Swift cover-up

Two minutes after executing each malicious transaction, the attackers replaced the compromised code in the S3 bucket with clean versions, erasing direct evidence of the tampering.

5. Impact on ByBit

When users tried to move funds via Safe’s service, the malicious script silently modified the transaction details during approval, affecting only those transactions associated with ByBit. 

This underscores that the attack started with Safe’s storage environment, rather than ByBit’s infrastructure.
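
One way a defender could catch the tampering described in steps 2 and 4, shown as an added example that is not code from ByBit, Safe or the original article: pin a digest of each JavaScript file at release time, and keep every digest later observed in storage so that a restored clean copy does not hide an earlier change. The file path, file contents and timestamps are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Subresource-Integrity-style digest of a file body: "sha384-<base64>".
function sriDigest(body) {
  return 'sha384-' + createHash('sha384').update(body).digest('base64');
}

// Pin the digest of every artifact at release time, stored outside the bucket.
function buildManifest(files) {
  return Object.fromEntries(
    Object.entries(files).map(([path, body]) => [path, sriDigest(body)]));
}

// Record what storage serves now. Append only when a digest changes,
// so a later "clean" upload cannot erase an earlier observation.
function observe(history, served, at) {
  for (const [path, body] of Object.entries(served)) {
    const digest = sriDigest(body);
    const seen = history[path] || (history[path] = []);
    if (seen.length === 0 || seen[seen.length - 1].digest !== digest) {
      seen.push({ at, digest });
    }
  }
  return history;
}

// Report every observation that does not match the pinned digest,
// including paths that were never part of the release.
function audit(manifest, history) {
  const findings = [];
  for (const [path, seen] of Object.entries(history)) {
    for (const { at, digest } of seen) {
      if (manifest[path] !== digest) {
        findings.push({ path, at, issue: path in manifest ? 'modified' : 'unexpected' });
      }
    }
  }
  return findings;
}

// Constructed sample: a release, a tampered copy, then the clean copy restored.
const release = { 'static/app.js': 'function sign(tx) { return wallet.sign(tx); }' };
const tampered = { 'static/app.js': release['static/app.js'] + '\n/* injected */' };
const manifest = buildManifest(release);
const history = {};
observe(history, release, '2025-01-01T00:00:00Z');
observe(history, tampered, '2025-01-01T00:10:00Z');
observe(history, release, '2025-01-01T00:12:00Z');
console.log(audit(manifest, history));
```

The audit still reports the tampered observation after the clean file is back, which is the property that matters when the change is reverted quickly.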

What commentators are saying

A number of commentators have pointed out that, in hindsight, certain security measures appear to have been inadequate. They raise a few points.

ByBit’s security checks

Commentators say that even though the attackers used a sophisticated supply chain approach, ByBit’s internal processes should have caught discrepancies in the transaction instructions. 

In particular, when moving large sums (over $1 billion) exchanges typically verify transaction details on a separate, air-gapped machine (a completely isolated computer).

Human vulnerabilities in complex attacks

While some aspects of this hack may appear “basic,” the broader supply chain tactic was sophisticated, using compromised third-party code that would not have been easy to detect in real time. It seems any system can be vulnerable when attackers gain access through indirect avenues.

Missed double-checks

According to industry best practices, large transfers should be verified more than once, especially if initiated by an external service. Some commentators believe ByBit could have implemented stronger fail-safes to confirm transaction details independently of Safe’s code.

ByBit’s response

ByBit’s CEO, Ben Zhou, has pledged to reimburse affected users, reassuring customers that their losses will be covered.

ByBit is reportedly working on securing bridge loans to cover losses, while emphasising its commitment to transparent communication with the community.

ByBit has partnered with blockchain forensic companies to track the stolen funds. Its prompt and open response has been relatively well-received, helping maintain some degree of market confidence despite the severity of the incident.

Conclusion: A lesson on sophisticated supply chain attacks

The ByBit hack, while a devastating blow to the exchange and its users, is a stark reminder of the ever-evolving threats in both traditional and decentralised finance. 

Although commentators have criticised ByBit for procedural lapses (such as a lack of transaction-verification methods), this breach also reveals the complexity of supply chain attacks. They often only become clear after the damage is done, because attackers exploit trust relationships with third parties and cover their tracks swiftly.

ByBit’s quick and transparent response, along with its pledge to reimburse users, has helped mitigate the immediate fallout. While some suggest that only a state-sponsored attacker could pull off such a large-scale theft, the exact identity of the perpetrators remains unknown. 

What is certain is that criminals continue to refine their methods, and vigilance remains crucial.

The finance industry, whether in the traditional space or the crypto realm, must accept the reality of increasingly sophisticated cyber threats.

