Bybit $1.4B Heist: How CeFi’s Largest Loss Happened
A detailed look at how poor key control and phishing led to Bybit's $1.4 billion loss and the structural upgrades that followed.

Bybit Exchange Hack: A Billion-Dollar Operations Breakdown
Operational Collapse in Motion
On February 21, 2025, Bybit suffered what is now the largest CeFi hack in crypto history—losing $1.4 billion across multiple chains. The heart of the breach wasn’t a smart contract bug or bridge flaw, but poor operational hygiene and key management inside the exchange’s wallet infrastructure.
Attackers spear-phished multiple DevOps engineers over weeks, gradually acquiring login control over wallets linked to the multisignature withdrawal system. Although Bybit used a 4-of-5 signing scheme, at least 3 of the private keys were accessed or phished, and the 4th was exposed in a recently leaked Git repository.
With threshold met, the attacker created legitimate-looking withdrawal bundles spread across ETH, BNB Chain, Arbitrum, and Solana. Internal systems didn’t flag anything because the operations were technically valid transactions—only later post-event analysis revealed the sequence of social engineering that had paved the way for catastrophic approvals.
Reconstructing Trust from Ruin
This incident reshaped how CeFi platforms think about multisig safety. The first major shift was Bybit's move from key-based multisig to MPC (Multi-Party Computation), using threshold cryptography so that no complete private key is ever assembled on a single machine. MPC nodes were split among isolated geo-locations with biometric and behavioral access constraints.
Second, Bybit introduced new flow protections: every large transaction now enters a time-defined pre-execution queue with multiple forms of approval—including automated AI-model checks on asset correlations, velocity, and operator behavior. No transaction gets processed instantly on admin keys alone.
All movement approvals now route through segment-specific teams—DevOps handles infrastructure; Finance handles thresholds; Security signs off final approval. No one person or team can approve any full movement. Additionally, all internal devices were rotated, hardened with YubiKey + VPN + MAC address verification, and email MFA was replaced with device-gated identity.
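The controls described in the two paragraphs above (a pre-execution queue for large transactions, role-separated sign-off, and velocity checks on top of the signature threshold) can be expressed as a small policy engine. The following is an added illustration, not Bybit's code or a description of its actual implementation; the thresholds, dwell time, velocity window, role names and sample transactions are all constructed assumptions. It shows why a withdrawal that satisfies a 4-of-5 key threshold is still held when approvals come from a single team, the queue dwell has not elapsed, or the outflow rate is abnormal.

```python
"""Withdrawal approval policy engine (illustrative example, constructed values)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REQUIRED_ROLES = {"devops", "finance", "security"}
SIGNATURE_THRESHOLD = 4                 # the 4-of-5 scheme described in the article
LARGE_TX_USD = 1_000_000                # assumed: above this the pre-execution queue applies
MIN_QUEUE_DWELL = timedelta(hours=4)    # assumed minimum time in the queue before execution
VELOCITY_WINDOW = timedelta(hours=24)   # assumed look-back window for outflow velocity
VELOCITY_LIMIT_USD = 50_000_000         # assumed maximum outflow per window


@dataclass
class Approval:
    operator: str      # who signed off
    role: str          # which team they signed for
    signed_at: datetime


@dataclass
class Withdrawal:
    tx_id: str
    chain: str
    amount_usd: float
    queued_at: datetime
    key_signatures: int                 # number of multisig keys that have signed
    approvals: list = field(default_factory=list)


def threshold_only_check(tx: Withdrawal) -> bool:
    """The pre-incident control: a transaction is valid once enough keys sign."""
    return tx.key_signatures >= SIGNATURE_THRESHOLD


def recent_outflow_usd(history, now: datetime) -> float:
    """Sum of executed withdrawals (executed_at, amount_usd) inside the velocity window."""
    return sum(amount for executed_at, amount in history
               if now - executed_at <= VELOCITY_WINDOW)


def evaluate(tx: Withdrawal, now: datetime, history) -> tuple:
    """Return ('approved', []) or ('held', [reasons]) for a queued withdrawal."""
    reasons = []
    if not threshold_only_check(tx):
        reasons.append("signature threshold not met")
    if tx.amount_usd >= LARGE_TX_USD:
        # Time-defined queue: a large movement cannot execute instantly.
        if now - tx.queued_at < MIN_QUEUE_DWELL:
            reasons.append("minimum queue dwell not elapsed")
        # Segregation of duties: one approval from each team.
        roles = {a.role for a in tx.approvals}
        missing = sorted(REQUIRED_ROLES - roles)
        if missing:
            reasons.append("missing approvals from: " + ", ".join(missing))
        # No single operator may cover more than one role.
        operators = [a.operator for a in tx.approvals]
        if len(set(operators)) != len(operators):
            reasons.append("one operator approved in more than one role")
        # Velocity: total outflow in the window, including this transaction.
        if recent_outflow_usd(history, now) + tx.amount_usd > VELOCITY_LIMIT_USD:
            reasons.append("outflow velocity limit exceeded")
    return ("approved" if not reasons else "held", reasons)


# Constructed sample data: two earlier withdrawals, one inside the 24h window.
NOW = datetime(2025, 2, 21, 12, 0)
HISTORY = [(NOW - timedelta(hours=2), 20_000_000.0),
           (NOW - timedelta(hours=30), 15_000_000.0)]

# A bundle that meets the key threshold but came only from the DevOps side,
# was queued minutes ago, and dwarfs normal outflow.
SUSPICIOUS_BUNDLE = Withdrawal(
    tx_id="tx-003", chain="ETH", amount_usd=400_000_000.0,
    queued_at=NOW - timedelta(minutes=5), key_signatures=4,
    approvals=[Approval("eng-a", "devops", NOW - timedelta(minutes=4)),
               Approval("eng-b", "devops", NOW - timedelta(minutes=3))])

# A routine large movement that has dwelled and carries all three sign-offs.
ROUTINE_TX = Withdrawal(
    tx_id="tx-004", chain="ETH", amount_usd=5_000_000.0,
    queued_at=NOW - timedelta(hours=6), key_signatures=4,
    approvals=[Approval("eng-a", "devops", NOW - timedelta(hours=5)),
               Approval("fin-a", "finance", NOW - timedelta(hours=5)),
               Approval("sec-a", "security", NOW - timedelta(hours=4, minutes=30))])

if __name__ == "__main__":
    for tx in (SUSPICIOUS_BUNDLE, ROUTINE_TX):
        print(tx.tx_id, "threshold-only:", threshold_only_check(tx), "policy:", evaluate(tx, NOW, HISTORY))
```

The point of the comparison is the first return value: `threshold_only_check` passes both transactions, while `evaluate` holds the suspicious bundle for three independent reasons, so a compromise of the signing keys alone is no longer enough to move funds.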
This hack showed the terrifying truth: even mature exchanges can crumble from phishing. Restoring architectural trust takes operational humility, public transparency, and turning every financial assumption into an auditable, enforced control.