Crypto Assets exchange security alert: In-depth analysis of the $1.5 billion Bybit theft incident

Beginner | 2/22/2025, 4:29:55 AM
This article provides a detailed compilation and analysis of several security incidents involving centralized crypto asset exchanges throughout history. From the Mt. Gox incident in 2014 to the Bybit theft in 2025, hackers have repeatedly stolen assets from exchanges through means such as hot wallet vulnerabilities, improper key management, and smart contract bugs, resulting in significant losses. These incidents demonstrate that crypto exchanges face complex security threats and must continuously innovate security technologies, strengthen measures such as cold wallet protection, smart contract audits, and multi-signature mechanisms. Additionally, cooperation and transparency within the industry are crucial, as demonstrated by Gate.io's enhancement of asset security through high reserve ratios and zero-knowledge proof technology. In the future, exchanges need to adopt more cutting-edge technologies such as artificial intelligence and blockchain analysis to enhance their security capabilities.

Overview

This is a compilation and analysis of security incidents at some of the historically famous centralized exchanges for crypto assets. Each event includes attack details, stolen assets and fund flow, as well as official responses and subsequent handling results.

1. Mt. Gox Incident (2014)

Attack Details and Hacker Tactics Analysis

Mt. Gox was once one of the largest Bitcoin exchanges, but in 2014, a security vulnerability led to a large amount of Bitcoin being stolen. Hackers exploited a security flaw in the exchange’s hot wallets, gradually transferring assets through multiple small transactions. The attack lasted for several years until the exchange declared bankruptcy in 2014. Insufficient security measures and the lack of cold wallet storage and multi-signature technology left the assets exposed to risk for an extended period.

Stolen Assets and Fund Flows

Approximately 850,000 bitcoins were stolen, worth about $450 million at the time. The flow of funds is unclear, and some of the stolen bitcoins have been traced to multiple wallet addresses, but most of the assets have not been recovered to this day.

Official response and follow-up processing results

Mt. Gox announced bankruptcy and ceased operations. The Japanese court initiated civil rehabilitation proceedings, freezing user assets. Some users have recovered partial losses through legal means, but most assets remain unrecovered. The incident has sparked widespread concern in the industry about the security of exchanges.

2. Bitfinex Incident (2016)

Attack Details and Hacker Tactics Analysis

In August 2016, Bitfinex was hacked, and the hackers exploited a vulnerability in the exchange’s multi-signature wallet. The hackers used social engineering to obtain the keys of internal personnel of the exchange, and then transferred assets by forging transaction signatures. The attack resulted in about 119,756 bitcoins being stolen, valued at approximately $72 million at the time.

Stolen Assets and Fund Flow

Assets have been transferred to multiple Bitcoin wallet addresses, with some funds traced to the dark web market. Bitfinex has tracked some of the stolen assets through blockchain analysis and cooperation, but most of the funds have not been recovered.

Official response and follow-up handling results

Bitfinex announced the freezing of all user assets and initiated a snapshot of user assets. The exchange is collaborating with a blockchain analysis company to track stolen assets. Bitfinex compensated user losses by issuing tokens (BFX) and gradually repurchasing them. The incident prompted the exchange to enhance security measures, including the introduction of cold wallets and multi-signature technology.

3. Coincheck Incident (2018)

Attack details and hacker tactics analysis

In January 2018, the Japanese exchange Coincheck was hacked, and the hackers exploited a vulnerability in the exchange’s hot wallet. The hackers used an SQL injection attack to obtain internal keys and directly accessed the exchange’s hot wallet. The attack resulted in approximately 523 million NEM coins being stolen, valued at around 530 million dollars at the time.

Stolen assets and fund flow

Assets have been transferred to an unknown wallet address, and some funds have been traced to multiple exchanges. Due to the transparency of NEM coin transactions, some stolen assets have been frozen, but most of the funds have not yet been recovered.

Official response and follow-up processing results

Coincheck announced the freezing of all user assets and is cooperating with the police to track the stolen assets. The exchange compensated users approximately 46.3 billion yen (about 420 million U.S. dollars). Coincheck was required by the Japanese Financial Services Agency to enhance security measures and was eventually acquired by Monex Group. The incident triggered strict regulations on crypto asset exchanges in Japan.

4. Binance Incident (2019)

Attack details and hacker tactics analysis

In May 2019, Binance was hacked, and the hacker exploited a vulnerability in the exchange’s API key. The hacker obtained some users’ API keys through phishing attacks and used automated scripts to transfer assets. The attack resulted in about 7000 bitcoins being stolen, worth approximately $40 million at the time.

Stolen Assets and Fund Flows

Assets have been transferred to multiple Bitcoin wallet addresses, and some funds have been traced to other exchanges. Binance has tracked some of the stolen assets through blockchain analysis and cooperation, and has frozen the related addresses.

Official response and follow-up processing results

Binance announced the freezing of all user assets and initiated a user asset snapshot. The exchange compensated users’ losses with its own funds and did not let users bear any losses. Binance has strengthened security measures, including the introduction of cold wallets and multi-signature technology, and cooperated with global law enforcement agencies to track hackers. After the incident, Binance established the ‘Secure Asset Fund for Users’ (SAFU) to address potential security events in the future.

5. KuCoin Incident (2020)

Attack details and hacker tactics analysis

In September 2020, KuCoin was hacked, and the hackers exploited a vulnerability in the exchange’s hot wallet keys. The hackers used social engineering tactics to obtain the keys of internal personnel at the exchange and gained direct access to the hot wallet. The attack resulted in approximately $150 million in crypto assets being stolen, including Bitcoin, Ethereum, and ERC-20 tokens.

Stolen Assets and Fund Flow

Assets have been transferred to multiple wallet addresses, and some funds have been traced to other exchanges. KuCoin has tracked some of the stolen assets through blockchain analysis and cooperation, and frozen the related addresses.

Official response and follow-up processing results

KuCoin announced the freezing of all user assets and initiated a user asset snapshot. The exchange compensated users for losses through its own funds and insurance funds, without letting users bear any losses. KuCoin has strengthened security measures, including the introduction of cold wallets and multi-signature technology, and has collaborated with global law enforcement agencies to track hackers. Following the incident, KuCoin established a ‘User Protection Fund’ to address potential security incidents in the future.

6. Bybit Theft Incident (2025)

On February 21, 2025, the crypto asset exchange Bybit suffered a serious security incident, resulting in the theft of assets from its Ethereum (ETH) multi-signature cold wallet. The direct loss from this incident exceeded $1.5 billion, as hackers used sophisticated attack methods to tamper with the smart contract logic of the cold wallet and steal a large amount of crypto assets.

Attack details and hacker tactics analysis

Based on the analysis of the incident, hackers gained access to Bybit’s multi-signature cold wallet system through sophisticated means. By exploiting vulnerabilities in the front-end UI, the attackers successfully tricked the signers of the multi-signature wallet into signing malicious content in a fake interface, thus taking control of the cold wallet. Specifically, by tampering with the smart contract logic, the attackers made the signers see the correct transaction address, but the actual signed content transferred the funds to an address controlled by the hackers.
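The gap described above, between what signers are shown and what they actually sign, is what an independent pre-signing check is meant to close. The following is an added example, not code from Bybit or any wallet vendor: it decodes the raw payload itself instead of trusting the interface and refuses on any mismatch. It assumes the payload is a standard ERC-20 `transfer(address,uint256)` call; `DisplayedIntent`, the allowlist and the sample addresses are hypothetical and constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Function selector of the standard ERC-20 transfer(address,uint256) call.
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")

# Constructed sample addresses (not real wallets).
TREASURY = "0x" + "11" * 20
UNKNOWN = "0x" + "22" * 20


@dataclass(frozen=True)
class DisplayedIntent:
    """What the signing interface claims the transaction does (hypothetical)."""
    recipient: str  # 0x-prefixed 20-byte address
    amount: int     # token base units


def build_transfer_calldata(recipient: str, amount: int) -> bytes:
    """Encode transfer(recipient, amount); used here only to build sample input."""
    addr = bytes.fromhex(recipient[2:])
    return ERC20_TRANSFER_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_erc20_transfer(calldata: bytes) -> tuple[str, int]:
    """Decode transfer calldata; raise ValueError for anything that is not one."""
    if len(calldata) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(calldata)}")
    if calldata[:4] != ERC20_TRANSFER_SELECTOR:
        raise ValueError(f"unexpected function selector {calldata[:4].hex()}")
    addr_word, amount_word = calldata[4:36], calldata[36:68]
    if addr_word[:12] != bytes(12):
        raise ValueError("address word has non-zero padding")
    return "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big")


def check_before_signing(intent: DisplayedIntent, calldata: bytes,
                         allowlist: set[str]) -> list[str]:
    """Return reasons to refuse to sign; an empty list means the check passed."""
    try:
        recipient, amount = decode_erc20_transfer(calldata)
    except ValueError as exc:
        # Fail closed: anything the verifier cannot fully decode is not signed.
        return [f"payload is not a plain transfer: {exc}"]
    problems = []
    if recipient != intent.recipient.lower():
        problems.append(f"recipient mismatch: shown {intent.recipient}, payload {recipient}")
    if amount != intent.amount:
        problems.append(f"amount mismatch: shown {intent.amount}, payload {amount}")
    if recipient not in {a.lower() for a in allowlist}:
        problems.append(f"recipient {recipient} is not on the withdrawal allowlist")
    return problems


if __name__ == "__main__":
    shown = DisplayedIntent(recipient=TREASURY, amount=10**18)
    honest = build_transfer_calldata(TREASURY, 10**18)
    swapped = build_transfer_calldata(UNKNOWN, 10**18)  # interface still shows TREASURY
    for label, payload in (("honest", honest), ("swapped", swapped)):
        print(label, check_before_signing(shown, payload, {TREASURY}) or "OK to sign")
```

The check only helps if it runs on a device and code path separate from the interface that produced the displayed values.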

Stolen assets and fund flows

According to on-chain data analysis, the stolen assets include:

  • 401,347 ETH, about 11.2 billion US dollars;
  • 90,376 stETH, about 2.53 billion US dollars;
  • 15,000 cmETH, about $44.13 million;
  • 8,000 mETH, about 23 million US dollars.

The above prices are calculated based on the prices at the time of the theft on the evening of February 21. The funds were transferred to multiple addresses by the hacker, and stETH and mETH were exchanged for ETH through decentralized exchanges (DEX) for further fund laundering. To avoid tracking, the hacker dispersed the ETH to 49 addresses on the same day, with each address transferring approximately 10,000 ETH.
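The same-day dispersal into many similar-sized transfers described above is a pattern that monitoring can flag. The following is an added example, not part of the original article or any vendor's tooling: a heuristic that groups transfers by sender and day and alerts when many distinct recipients receive near-equal amounts. The record layout, thresholds and all sample transfers are constructed assumptions.

```python
from collections import defaultdict
from statistics import median


def find_even_fanout(transfers, min_recipients=10, tolerance=0.05):
    """Flag (day, sender) pairs that pay near-equal amounts to many recipients.

    transfers: iterable of (day, sender, recipient, amount_eth) tuples.
    min_recipients / tolerance: assumed thresholds, tune to the monitored flow.
    """
    # (day, sender) -> {recipient: total amount received that day}
    groups = defaultdict(lambda: defaultdict(float))
    for day, sender, recipient, amount in transfers:
        groups[(day, sender)][recipient] += amount

    alerts = []
    for (day, sender), per_recipient in groups.items():
        if len(per_recipient) < min_recipients:
            continue
        mid = median(per_recipient.values())
        if mid <= 0:
            continue
        # Recipients whose total is within `tolerance` of the median payout.
        near = {r: a for r, a in per_recipient.items()
                if abs(a - mid) <= tolerance * mid}
        if len(near) >= min_recipients:
            alerts.append({
                "day": day,
                "sender": sender,
                "recipients": len(near),
                "median_eth": mid,
                "total_eth": sum(near.values()),
            })
    return alerts


def sample_transfers():
    """Constructed records: one even fan-out and one ordinary payout wallet."""
    rows = []
    for i in range(49):
        # 49 recipients, each receiving roughly 10,000 ETH on the same day.
        rows.append(("2025-02-21", "SRC-A", f"DST-{i:02d}", 10_000 + (i % 3)))
        # A normal withdrawal wallet: many recipients, widely varying amounts.
        rows.append(("2025-02-21", "HOT-B", f"USER-{i:02d}", 0.5 * (i + 1) ** 2))
    return rows


if __name__ == "__main__":
    for alert in find_even_fanout(sample_transfers()):
        print(alert)
```

Recipients flagged this way are candidates for the address blacklisting and tag-library updates described in the response section, not proof of laundering on their own.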

Bybit Official Response and Industry Reaction

After the incident, Bybit co-founder and CEO Ben Zhou confirmed the attack on the X platform and emphasized that other wallets on the platform were not affected and that user withdrawal services were normal. He stated that even if the stolen funds cannot be recovered, Bybit still has the ability to pay and can withstand this loss. On-chain analyst ZachXBT and others called on major exchanges to blacklist the hacker’s address to prevent further movement of stolen funds. In addition, security company Beosin quickly added the relevant address to its KYT tag library and issued alerts.

7. Summary

These events demonstrate the importance of security for crypto asset exchanges. Hackers often exploit vulnerabilities in hot wallets, improper key management, or smart contract bugs in exchanges. The flow of stolen assets is often difficult to trace, but through blockchain analysis and cooperation with law enforcement agencies, some funds can be frozen or recovered. Exchanges typically compensate user losses through insurance funds or their own funds, and strengthen security measures to prevent future incidents.

Take Gate.io as an example: it has always attached great importance to the security of user funds and has taken a series of innovative measures to ensure the security of platform assets. In January 2025, Gate.io released its latest reserve data, with total reserves of up to 10.328 billion US dollars and a reserve ratio of 128.58%, far exceeding the industry standard of 100%. Among these reserves, Gate.io holds over 20,000 BTC and 257,000 ETH, with reserve ratios of 123.06% and 112.04% respectively. In addition, Gate.io has introduced zero-knowledge proof (zk-SNARK) technology, further enhancing the platform’s transparency and privacy protection capabilities and allowing users to verify the adequacy of platform assets without revealing any transaction details.

The Bybit theft incident once again reminds the crypto assets industry that exchanges are facing increasingly complex security threats. With the development of the industry, exchanges must continuously innovate security technologies and strengthen the protection of user assets. In addition to basic cold wallet protection, smart contract audits, and multi-signature mechanisms, exchanges should also introduce more cutting-edge technologies such as artificial intelligence and blockchain analysis to enhance security capabilities. The innovation of security technologies in the crypto assets industry will be a key factor in determining the long-term competitiveness of exchanges.

This event also reflects the unity and cooperation of the cryptocurrency industry in the face of challenges. Exchanges such as Gate.io contacted Bybit immediately after receiving the news and provided technical or financial support, creating a good competitive environment in adversity.

Author: Addie
Reviewer(s): Wayne
* The information is not intended to be and does not constitute financial advice or any other recommendation of any sort offered or endorsed by Gate.io.
* This article may not be reproduced, transmitted or copied without referencing Gate.io. Contravention is an infringement of Copyright Act and may be subject to legal action.
