Is Bybit safe? An honest look
Updated July 2026 · Affiliate Code Research
Any site sharing a referral code has a reason to call the exchange safe, so instead of adjectives this review sticks to checkable facts — including the biggest one: in February 2025 Bybit suffered the largest crypto theft in history. What matters is what happened next, and whether users were made whole.
The honest verdict: Bybit is one of the largest, most established exchanges in crypto, it survived a record hack without any customer losing funds, and it's now MiCA-regulated in the EU — but it carries the same custodial and regulatory risks as any centralized exchange, which this guide spells out.
Key takeaways
- In Feb 2025 attackers stole ~$1.4–1.5B in ETH — the largest crypto hack ever — via a compromised third-party (Safe{Wallet}) signing interface, not a breach of Bybit's own code.
- No customer lost funds: Bybit kept withdrawals open, covered the loss, and restored reserves within days.
- A Hacken proof-of-reserves audit confirmed Bybit held over 100% of customer assets after the hack.
- Bybit is the #2 crypto exchange by volume, founded 2018, led by CEO Ben Zhou, headquartered in Dubai.
- Real risks remain: it's custodial (KYC-gated), US-blocked, and EEA access is being restricted under MiCA — plus the usual leverage and market risk.
The February 2025 hack — what actually happened
On 21 February 2025, roughly 401,000 ETH — about $1.4–1.5 billion — was stolen from a Bybit Ethereum cold wallet, making it the largest cryptocurrency theft on record. The FBI and multiple blockchain-forensics firms attributed it to North Korea's Lazarus Group.
Crucially, it was not a break of Bybit's own systems. The attackers compromised a developer's workstation at Safe{Wallet}, the third-party multisig interface Bybit used, and injected malicious code into the signing UI. Bybit's signers were shown a legitimate-looking transaction while actually approving one that redirected the funds. It was a supply-chain attack on the tooling around the wallet, not a crack of Bybit's matching engine or user accounts.
Did users lose money? No.
This is the part that matters for whether Bybit is safe to use today. Despite the scale of the theft, no customer lost funds. Bybit kept withdrawals open through the crisis — reportedly processing hundreds of thousands of withdrawal requests within hours — and covered the shortfall using its own reserves plus a bridge loan and emergency ETH purchases from partners including Galaxy Digital, FalconX and Wintermute.
Within roughly 72 hours Bybit had replenished its ETH reserves, and an independent proof-of-reserves audit by Hacken confirmed the exchange held more than 100% of customer assets across BTC, ETH, SOL, USDT and USDC. In other words, the company absorbed a billion-dollar loss and stayed fully backed. That's the strongest evidence of solvency an exchange can offer short of never being hacked at all.
Regulation, reserves and track record
Bybit was founded in 2018 by Ben Zhou and is headquartered in Dubai. By 2025–2026 it's consistently the #2 crypto exchange by trading volume behind Binance, serving 70 million-plus registered users.
On the regulatory side, its EU entity (Bybit EU GmbH) holds a MiCA / CASP licence from Austria's Financial Market Authority as of May 2025 — a meaningful compliance milestone. Bybit also publishes regular proof-of-reserves attestations so users can independently check that customer assets are backed. It's worth noting the flip side: Bybit is blocked in the US, ceased UK operations in 2021, and has faced fines in some jurisdictions — it is not a US-regulated venue.
The risks that remain — read this part
Surviving one hack well doesn't make an exchange risk-free. The real risks of using Bybit, in rough order of practical importance:
- Custodial risk — Bybit holds your funds. Proof-of-reserves and the 2025 recovery are reassuring, but 'not your keys, not your coins' still applies; consider self-custody for long-term holdings.
- Leverage risk — derivatives up to 100× mean a small adverse move can liquidate you. Most retail losses come from liquidation, not hacks.
- Regulatory/access risk — Bybit is US-blocked, and EEA residents are being moved to the spot-only bybit.eu under MiCA, losing global-platform features.
- KYC and data — identity verification is mandatory, so you're trusting Bybit with personal documents.
- Market risk — crypto is volatile; a referral bonus doesn't offset the risk of the assets you buy.
Does using a referral code change any of this?
No. A referral code (WEB3 or MICA) is just metadata attached to your account at sign-up that makes you eligible for welcome rewards. It gives no one access to your account, changes nothing about custody or security, and can't be used against you. Your safety profile on Bybit is identical with or without a code.
Overall read: Bybit is a credible, established, now-MiCA-regulated exchange that handled a worst-case event about as well as possible — but it's still a custodial platform with real risks. Use strong security (2FA, withdrawal address whitelist), don't over-leverage, and keep long-term holdings you can't afford to lose in self-custody.
Sources
Sign up on Bybit with the code for your region
WEB3 on bybit.com (global) · MICA on bybit.eu (EU/EEA). Free, applied at sign-up.
For traders outside the EEA — the full global Bybit platform.
For traders in the EEA — Bybit's MiCA-regulated European platform.