Bybit recovers market share to 7% after $1.4B hack

Bybits market share rebounded to its pre-hack levels of over 7% despite a broader macro “de-risking” among cryptocurrency investors.

Bybits market share has rebounded to pre-hack levels following a $1.4 billion exploit in February, as the crypto exchange implements tighter security and improves liquidity options for retail traders.

The crypto industry was rocked by its largest hack in history on Feb. 21 when Bybit lost over $1.4 billion in liquid-staked Ether (stETH), Mantle Staked ETH (mETH) and other digital assets.

Despite the scale of the exploit, Bybit has steadily regained market share, according to an April 9 report by crypto analytics firm Block Scholes.

“Since this initial decline, Bybit has steadily regained market share as it works to repair sentiment and as volumes return to the exchange,” the report stated.

Block Scholes said Bybits proportional share rose from a post-hack low of 4% to about 7%, reflecting a strong and stable recovery in spot market activity and trading volumes.

Bybits spot volume market share as a proportion of the market share of the top 20 CEXs. Source: Block Scholes

The hack occurred amid a “broader trend of macro de-risking that began prior to the event,” which signals that Bybits initial decline in trading volume was not solely due to the exploit.

It took the Bybit hackers 10 days to launder all the stolen Bybit funds through the decentralized crosschain protocol THORChain, Cointelegraph reported on March 4.

Source: Ben Zhou

Despite efforts, 89% of the stolen $1.4 billion was traceable by blockchain analytics experts.

Lazarus Groups 2024 pause was repositioning for Bybit hack

Blockchain security firms, including Arkham Intelligence, have identified North Koreas Lazarus Group as the likely culprit behind the Bybit exploit, as the attackers have continued swapping the funds in an effort to render them untraceable.

Illicit activity tied to North Korean cyber actors declined after July 1, 2024, despite a surge in attacks earlier that year, according to blockchain analytics firm Chainalysis.

The slowdown in crypto hacks by North Korean agents had raised significant red flags, according to Eric Jardine, Chainalysis cybercrimes research Lead.

North Korean hacking activity before and after July 1. Source: Chainalysis

North Koreas slowdown “started when Russia and DPRK [North Korea] met for their summit that led to a reallocation of North Korean resources, including military personnel to the war in Ukraine,” Jardine told Cointelegraph during the Chainreaction show on March 26, adding:

“So, we speculated in the report that there might have been additional things unseen in terms of resources reallocation from the DPRK, and then you roll forward into early February, and you have the Bybit hack.”

— Cointelegraph (@Cointelegraph) March 26, 2025

The Bybit attack highlights that even centralized exchanges with strong security measures remain vulnerable to sophisticated cyberattacks, analysts said.

The attack shares similarities with the $230 million WazirX hack and the $58 million Radiant Capital hack, according to Meir Dolev, co-founder and chief technical officer at Cyvers.