Cryptocurrency exchange Bybit suffered a $1.4 billion hack in February 2025 that exposed structural weaknesses in custody systems long considered industry standards, such as cold storage and multisignature wallets.
At the time, the exploit was the largest known hack in crypto history, though that distinction was later eclipsed by findings that Chinese mining pool LuBian lost $3.5 billion in 2020.
“The [Bybit] hack showed that cold storage and multisig labels are meaningless if the approval flow, transaction visibility, or signer environment can be manipulated,” said Ishai Shoham, head of product at crypto infrastructure company Utila. “After Bybit, custody architecture became a first-order risk topic, not a back-office detail.”
The incident also prompted the Financial Action Task Force (FATF) to urge global regulators to address illicit finance risks in cryptocurrencies, while exchanges tightened transaction approval processes and raised the standard for how breaches are detected and handled.
Private key hacks are responsible for big losses for centralized services. Source: ChainalysisWhat is FATF and why does it matter?
The FATF is an intergovernmental body that sets standards on money laundering and terrorist financing. Its recommendations are not legally binding, but its members are expected to abide by its standards. For non-members that fall short, inclusion on the FATF gray list could limit access to aid and damage banking relationships.
In a June 2025 report, the FATF cited the Bybit hack as the largest crypto theft ever. It warned that crosschain activity, stablecoins and uneven global enforcement were amplifying illicit finance risks faster than existing controls could contain them.
FATF called on jurisdictions to tighten licensing and assess risks associated with overseas exchanges. Source: FATF“The case highlights persistent gaps in the Travel Rule and in enforcement. Once funds move into DeFi, it becomes difficult to prevent layering and money laundering, particularly as automation tools make these processes faster and easier,” Joshua Chu, asset recovery lawyer and co-chair of the Hong Kong Web3 Association, told Cointelegraph.
Related: From Sony to Bybit: How Lazarus Group became crypto’s supervillain
FATF urged jurisdictions to accelerate licensing, supervision and international coordination, framing the incident as evidence that weaknesses in custody and transaction oversight now pose systemic risks to the global financial system. Like the US Federal Bureau of Investigation and countless security experts, FATF linked the exploit to hackers tied to North Korea.
Blockchain sleuth ZachXBT was the first to officially link Lazarus Group to the Bybit hack. Source: Arkham“If you ask who the most influential person in crypto was in 2025, I would say Kim Jong Un. Despite the political attention on crypto legislation and standards alignment, what dominated the FATF report was the Bybit hack.”
Around the same time, Singapore tightened its licensing regime, ordering unlicensed crypto firms to either obtain permits or leave the market. While Singapore drew most of the headlines, regulators in countries such as Thailand and the Philippines were pursuing similar enforcement campaigns.
Custody security and laundering assumptions break down
The industry’s understanding of both custody security and illicit fund movement shifted following the Bybit hack.
Shoham said the breach made clear that the primary weaknesses were no longer cryptographic.
Related: Are you a freelancer? North Korean spies may be using you
“Once funds leave a compromised wallet, attackers can atomize and recompose value across chains faster than human response cycles,” he said.
The Bybit hack also reignited a long-running debate over crosschain infrastructure and the responsibilities of decentralized protocols. As stolen funds moved across chains, attention once again turned to routing networks such as THORChain and eXch, which have been used by attackers to swap assets without relying on centralized intermediaries.
THORChain volume spiked as Bybit hackers moved funds. Source: THORChain ExplorerSupporters of decentralized models argued that such protocols are neutral infrastructure, designed to operate without discretion or gatekeeping. Critics countered that their architecture makes them uniquely attractive for laundering large volumes of stolen assets, particularly when combined with automation and fragmented liquidity across chains.
Some swappers like eXch ended up shutting down not long after the hack.
Bybit sets new standards for crisis response
The Bybit hack crystallized a broader shift in how the industry approaches both custody and compliance. As crosschain movement accelerates and static controls fall short, exchanges and infrastructure providers are increasingly expected to apply governance at the level of transaction behavior rather than rely solely on address-based restrictions.
For Bybit, the $1.4 billion breach could have marked the beginning of a prolonged collapse. Given the exchange’s size, early fears centered on the possibility of an FTX-like contagion that could have triggered another industry-wide downturn just as markets were recovering.
Instead, the exchange’s response set a different precedent. CEO Ben Zhou appeared publicly throughout the incident, hosting livestreams to update users on recovery efforts. Rather than halting withdrawals, a common reflex during crises, Bybit kept them open and sourced Ether from partner exchanges to meet immediate customer demand.
That approach has since influenced how other platforms prepare for and respond to major breaches.
Withdrawal freezes are no longer the default response, and real-time communication has become a baseline expectation. Despite the scale of the hack, Bybit remains one of the largest exchanges globally and frequently ranks as the second-largest platform by daily trading volume.
Magazine: Big questions: Would Bitcoin survive a 10-year power outage?
Source: https://cointelegraph.com/news/bybit-hack-kim-jong-un-crypto-most-influential-2025?utm_source=rss_feed&utm_medium=feed&utm_campaign=rss_partner_inbound
