Verdict: yes, with four risks to understand before depositing. In 2026, Bybit has a strong operational record since the February 2025 hot wallet exploit, the largest single-exchange security event on record. The platform absorbed a $1.5B loss without user fund impact and emerged with tightened compliance posture and operational hardening. It is a centralized custodial exchange and carries the standard CEX risk category on top of the platform-specific story. This is a focused safety review, not a feature breakdown. For full scoring see the Bybit review; for KYC detail see the Bybit review’s KYC section.
Not financial advice. Crypto trading is high risk. Custody on any centralized exchange is non-zero risk regardless of operating history. Derivatives products carry leverage risk that can wipe an account in minutes. Verify country availability before depositing. Read the risk disclaimer before scaling capital.
Short answer
In 2026, Bybit is operationally safer than most centralized crypto exchanges on three specific dimensions (incident-response track record, proof-of-reserves cadence, demonstrated recovery from the largest single-exchange exploit on record without user loss), and operationally riskier on two dimensions (less regulatory coverage than Binance, Kraken, or Coinbase; the February 2025 exploit is the freshest major security event in major-CEX recent memory). If you use Bybit as a trading platform and move material holdings to self-custody, the platform sits well within the normal CEX risk band. If you use it as long-term storage or expect US-licensed regulatory clarity, you will be uncomfortable.
Four risks to know, ordered by how often they actually bite users:
- Leverage liquidation on futures. The dominant cause of user fund loss on Bybit, by a wide margin.
- User-side security failures. Phished credentials, SIM swap, weak 2FA.
- Regulatory access change. Country added to restricted list, account transition friction.
- Hot wallet exploit recurrence. Possible but architecturally hardened post-February 2025.
What is not on this list: platform-level theft of balances, operator failure (FTX-category), withdrawal freezes. None of these have happened, and the architecture plus recent incident response makes the first two structurally difficult.
The February 2025 hack
This is the defining operational event in Bybit’s recent history. On February 21, 2025, attackers drained approximately $1.5 billion from one of Bybit’s ETH hot wallets, widely reported as the largest single-exchange exploit on record. Public attribution from chain-analytics firms (Elliptic, TRM Labs, Chainalysis) pointed to North Korean threat actor activity, specifically operations associated with Lazarus Group.
The post-mortem identified the attack vector as a sophisticated infrastructure compromise rather than a smart contract bug or fundamental architectural flaw. The attackers compromised an operational layer that gave them signing capability on a hot wallet authorized for large outbound transactions.
What happened next is the part that matters going forward. Within 24 hours, Bybit publicly acknowledged the incident, kept the platform operational with continued withdrawal availability, and announced that user balances would be made whole regardless of the loss. Within 7 days, the platform obtained bridge financing through a combination of insurance reserves, treasury liquidity, and direct loans from third-party partners, restoring wallet balance to a fully collateralized position against user liabilities. No user lost funds. The platform did not suspend withdrawals at any point during the incident response window.
Post-incident operational changes shipped through 2025-2026:
- Hot wallet limits materially tightened. Smaller fraction of total reserves in any single hot wallet.
- Multi-signature requirements expanded across operational withdrawal flows.
- Independent security audits commissioned and published.
- KYC tightened across the platform (covered in the KYC section below).
- Proof of reserves cadence increased, with Merkle-tree attestation published more frequently than the prior schedule.
Forward-looking risk assessment: Bybit demonstrated clean incident-response capability under one of the largest stress events in industry history. The same custodial-CEX risk shape applies as to any peer (Binance, OKX, KuCoin), but the operational track record on the most consequential event is now better-documented than for most. For long-term holdings the standard rule applies: keep on the platform only what is actively allocated to open positions or short-duration yield products; withdraw the rest to self-custody.
Custody and counterparty risk
Bybit is a centralized custodial exchange. Funds deposited to a Bybit address are held in Bybit’s hot and cold wallet infrastructure under platform control until you withdraw. This is the same model as Binance, Coinbase, Kraken, KuCoin, and every other CEX. The risk shape:
- Hot wallet compromise. Mitigated by smaller hot wallet allocations, cold storage majority, multi-sig. Realistic but at Bybit historically recovered without user loss (the February 2025 event).
- Cold wallet compromise. Extraordinary event. Has not happened on Bybit or in the peer set at scale. Defense rests on physical and operational security.
- Operator failure. FTX category. Has not happened on Bybit. The platform did not commingle user funds at the level FTX did. Proof of reserves is the public verification of the wall between user balances and corporate balance sheet.
- Withdrawal suspension under stress. Has not happened on Bybit, even during the February 2025 incident. Withdrawals continued throughout both the immediate aftermath and the recovery window.
The realistic forward-looking probability of a platform-level custody failure is low but not zero. This is the same statement that is true for any CEX. Standard mitigation applies: do not park position-style holdings on the platform; use it as a trading venue and active yield surface, not as cold storage.
Proof of reserves and the trust stack
Bybit publishes Merkle-tree proof of reserves on a regular cadence (monthly post-February 2025, previously quarterly), covering main wallet balances against total user liabilities. The methodology follows the shape most major centralized exchanges adopted in the 2022-2023 post-FTX trust reset cycle: snapshot user balances, compute Merkle root, publish a tree against which each user can independently verify their own balance.
What proof of reserves verifies:
- The exchange held at least X assets at the snapshot moment
- Total user liabilities on the platform sum to no more than X
What proof of reserves does not verify:
- Off-chain liabilities (loans, debts, future commitments)
- Encumbrances on wallet contents (collateral pledges, locks)
- Continuity between snapshots (a brief solvent moment for the snapshot does not prove ongoing solvency)
- Source of reserves (could be borrowed for the snapshot)
Treat the attestations as a meaningful but partial trust signal. Bybit’s specific implementation was independently audited by a third-party firm post-February 2025, partially mitigating the off-chain liability ambiguity that affects most peer implementations.
Regulatory risk
Bybit operates from Dubai with regional sub-entities across multiple jurisdictions. The platform does not hold a US license and does not serve US users. The regulatory shape:
- United States. Not served. Signup is geo-blocked from US IPs. Existing US accounts forcibly offboarded years ago.
- United Kingdom. Retail derivatives access restricted under FCA rules. Spot trading available with KYC.
- European Union. Available with country-by-country variations under MiCA. Several derivatives features restricted at retail tier.
- Canada. Restricted in Ontario, available in some provinces with restrictions.
- Russia. Available; one of the few major CEXs still accessible to Russian users in 2026 (covered in the Russia section below).
- Hong Kong, Japan, Taiwan, Thailand. Varying degrees of restrictions; check current availability before depositing.
Forward-looking regulatory risk: the geographic footprint will likely continue to narrow as MiCA compliance and similar regimes spread. A user whose country is marginal today may see access tighten without notice. The compliance posture has hardened materially in 2024-2026, especially after the February 2025 exploit accelerated investment in this area.
KYC posture in 2026
The February 2025 exploit accelerated KYC tightening across the platform. As of 2026, Bybit requires verification for essentially every account function beyond viewing.
| Tier | What it requires | What it unlocks |
|---|---|---|
| Unverified | Email or wallet only | Market viewing, leaderboards, no deposits |
| Lite verification | Name, country, date of birth, government ID upload | Spot trading, deposits, low withdrawal cap |
| Standard verification | Liveness selfie, address proof | Full spot and futures, copy trading, higher withdrawal cap |
| Pro verification | Source of funds, enhanced due diligence | OTC desk, institutional features, highest withdrawal limits |
The unverified tier is effectively read-only for new accounts in 2026. The email-only era of meaningful trading on Bybit ended in 2025. For practical purposes, assume Standard verification is required for any retail trading workflow.
For users in Russia
Context for Russian-speaking users specifically. Bybit in 2026 remains accessible to Russian users from a real IP in most cases. Unlike Binance, which exited Russia through the CommEX sale in 2023, and KuCoin, which shows a soft-block banner on some Russian IPs, Bybit traditionally accepts Russian users more easily. This is not a guarantee for tomorrow, but at publication time Bybit is one of the few major CEXs where a Russian trader can complete KYC and trade without significant friction.
Practical recommendations for a new account from Russia:
- Do not use VPN. Bybit detects commercial VPNs, and caught accounts go to withdrawal-only mode.
- Complete Standard verification immediately. Post-2025, the platform gates most functions until full verification.
- Deposit USDT via Tron. Cheapest route, minimal fees.
- Check futures access. Sometimes some derivative products are restricted for individual jurisdictions even after KYC.
- Do not park large amounts. Custody risk is the same as any CEX, plus geo-risk that regulatory policy for Russia could tighten without announcement.
For broader context on crypto exchange choice for Russian-speaking users see the Russia section in KuCoin vs Binance.
User-side security failures
This is the realistic largest source of user fund loss across all CEXs, not specific to Bybit. The pattern repeats:
- Phished credentials. Fake Bybit login domains, fake support chats on Telegram. User logs in, attacker captures the session, withdrawals follow.
- SIM swap on recovery phone. Attacker takes over the mobile number, intercepts SMS 2FA, resets the account.
- Weak 2FA. SMS 2FA is the weakest layer. Authenticator app 2FA is better. Hardware-key 2FA is the only option that is phishing-immune.
- Reused passwords. Credentials leaked in a prior breach, attacker tries on Bybit, gets in.
- Compromised email recovery. The email behind the account is the master credential. Loss of email control means loss of account.
None of these are Bybit failures; they are user-side failures affecting every exchange. Mitigations are the same:
- Use a dedicated email for crypto accounts locked down with hardware-key 2FA
- Use hardware-key 2FA on Bybit itself (not SMS)
- Never reuse passwords across crypto accounts
- Verify the URL before entering credentials; bookmark the real Bybit login
- Treat unsolicited “Bybit Support” DMs on Telegram or Discord as 100 percent scam
Leverage liquidation: the dominant risk vector
This deserves its own section because it kills more Bybit users than every other risk combined. Bybit’s strongest products are perpetual futures with up to 200x leverage on majors and options on BTC/ETH. The leverage ceiling is a feature for advanced users running specific strategies; it is a destruction mechanism for users without position-sizing discipline.
At 100x leverage on a perpetual, a 1 percent adverse price move liquidates the position. Volatility regimes that move 2-5 percent in a few minutes are common in crypto. The realistic outcome of “I will use small leverage” for inexperienced users is usually 5-10x escalating to 50-100x within weeks as initial wins build confidence. Then a single adverse move wipes the account.
This is not a Bybit-specific risk. It is a category risk for any platform offering high-leverage derivatives. Bybit is well-engineered, the liquidation engine works, the user experience is clean. The danger is that the platform makes high-leverage trading frictionless, and frictionless high-leverage trading is a wealth-destruction mechanism for most retail users.
Mitigation: if you trade futures, cap your leverage at 5x for majors and 3x for everything else. Use isolated margin so a single position cannot drag the full account. Set hard stop-losses before entering. Treat any session where you increase position size after a win as the moment of maximum danger.
How Bybit compares on safety
| Risk dimension | Bybit | Binance | Coinbase |
|---|---|---|---|
| Operator failure / custody collapse | None to date | None to date | None to date, US public company protections |
| Hot wallet incident history | Feb 2025 ($1.5B, recovered, no user loss) | 2019 ($40M, SAFU covered) | None |
| Regulatory status | Dubai-operated, no US license | Nov 2023 DOJ settlement, broad coverage | US-licensed, public company |
| Proof of reserves | Monthly Merkle-tree, third-party audit component | Merkle-tree published | Quarterly auditor reports |
| Insurance fund | Yes, expanded post-Feb 2025 | SAFU ~$1B | No explicit fund, balance sheet backed |
| Withdrawal suspension history | None | None | None |
| Max leverage offered | 200x on majors | 125x on majors | Spot only, no leverage |
All three platforms carry real risk. Risk shapes differ. Coinbase trades the highest regulatory clarity for lower product breadth and higher fees. Binance trades the broadest product surface for the largest regulatory event in recent record. Bybit trades the deepest derivatives surface (and the highest leverage ceiling) for the largest single-exchange exploit in recent record (recovered cleanly).
What kills Bybit users (and what doesn’t)
Things we have seen actually lose people money on Bybit:
- High-leverage futures positions during volatile windows
- Single-concentrated position with no stop-loss
- Phishing via fake Bybit Discord links and X DMs
- Email compromise on the address behind the account
- Locking funds in structured products without reading the payoff curves
- Country restriction surprises locking the official frontend before withdrawal
What does not kill Bybit users despite marketing fear:
- Platform-level theft. None since the February 2025 incident, and that one ended in full user recovery.
- Operator failure. Has not happened.
- Platform-level withdrawal suspension. Not in the record, including during the February 2025 incident.
- A repeat of the February 2025 hack in the same way. Architecture changes specifically targeted this vector.
Habits that prevent most of the above
- Treat the email behind the account as the master credential. Separate address, hardware-key 2FA, password manager.
- Use hardware-key 2FA on Bybit itself. Not SMS.
- Cap leverage at 5x for majors and 3x for everything else. Use isolated margin.
- Set hard stop-losses before entering any leveraged position. No exceptions.
- Withdraw to self-custody between trading sessions if the allocation is material. USDT in your wallet is safer than USDT on a CEX you log into rarely.
- Read the payoff curve before allocating to any structured product. “Yield enhanced” usually means “option payoff structure dressed up as savings.”
- Do not access Bybit from a blocked country via VPN. Detection works. Caught accounts go to withdrawal-only or freeze.
Verdict
In 2026, Bybit is safer than typical mid-tier centralized crypto exchanges on the dimensions that historically killed user funds (no operator failure, no custody theft of balances, no withdrawal suspension) and less forgiving on the dimensions where the user is responsible for their own safety (leverage discipline, key and email hygiene, derivatives product understanding). Used with discipline, it is a credible operational venue for active trading. Used carelessly, it offers no more safety net than any other CEX.
The February 2025 exploit was the largest single-exchange security event on record. The response demonstrated incident-response capability at a level few peers can claim. The recovery was complete, user funds were not lost, withdrawals never suspended. The forward-looking risk profile is comparable to Binance and ahead of smaller crypto-native exchanges, with the regulatory dimension being the dominant remaining uncertainty.
If you want a single decision rule: treat the platform as a trading venue, never as a custody venue. Hold on the platform only what is actively allocated to open positions or short-duration yield products. Withdraw the rest to self-custody. Cap leverage at 5x. Use hardware-key 2FA. The same rule applies to Binance, OKX, KuCoin and every other CEX; it is not a Bybit-specific warning, but the February 2025 exploit makes it especially relevant.
Open Bybit if the safety story fits your use case: Register on Bybit. See the affiliate disclosure for full detail.
Read next
- Bybit review. Full feature breakdown and scoring.
- Bybit vs Binance. Head-to-head on safety, fees, products.
- BingX vs Bybit. Adjacent comparison with security context.
- Is KuCoin safe. Sibling safety analysis on a different exchange.
- Methodology. How we evaluate platforms.
- Risk disclaimer.
Frequently asked questions
Was Bybit hacked?
Yes, once at major scale and recently. On February 21, 2025 attackers drained approximately $1.5 billion from one of Bybit's ETH hot wallets, the largest single-exchange exploit on record. Public attribution from chain-analytics firms (Elliptic, TRM Labs, Chainalysis) pointed to North Korean threat actor activity, specifically operations associated with Lazarus Group. Bybit absorbed the loss through its insurance fund, treasury liquidity, and direct loans from third-party partners. No user lost funds. Withdrawals remained operational at the platform level throughout the incident. Full reserve coverage was restored within 7 days.
Can Bybit take my money?
In principle yes, since Bybit is a centralized custodial exchange. Funds deposited to Bybit are held in its hot and cold wallet infrastructure under platform control until you withdraw. The platform survived two major stress events (the 2025 exploit and ongoing regulatory pressure across 2024-2026) without freezing user balances or suspending withdrawals at the platform level. Long-term holdings should still be moved to self-custody via a hardware wallet. Custody risk on any CEX is non-zero regardless of operating history.
What's the biggest real risk on Bybit?
Two things in order. First, the custody risk shape that applies to every centralized exchange: hot wallet exploits, operational reserve adequacy, regulatory pressure causing geographic restrictions. Bybit's incident-response record on the February 2025 event was textbook, but the underlying risk shape remains. Second, leverage risk on the derivatives products: futures liquidation can wipe an account in minutes. The platform's strongest products (perpetuals with up to 200x leverage, options) carry the most user-side risk. Operator failure has not happened, hack recovery worked, regulatory action did not freeze balances. What kills users is concentration in a single high-leverage position, not Bybit-level events.
Is Bybit safer than Binance or Coinbase?
Different histories, comparable forward-looking risk profile versus Binance; Coinbase is in a different bracket. Binance is larger and more regulated post-DOJ settlement. Bybit had the largest single-exchange exploit in history (Feb 2025) but recovered cleanly with no user loss. Coinbase is publicly listed in the US with disclosed financials and a different risk shape (regulatory and operational rather than unscrutinized exchange risk). For US users, the right answer is Coinbase or Kraken; Bybit does not serve US users at all. For non-US users, Bybit's raw operational safety is comparable to Binance and ahead of smaller exchanges, with the recent exploit response actually strengthening rather than weakening confidence in incident handling.
Is Bybit regulated?
Partially and unevenly. Bybit operates from Dubai with regional sub-entities across multiple jurisdictions. The platform does not hold a US license and does not serve US users. After the February 2025 exploit, Bybit accelerated compliance investments: mandatory KYC across essentially all account functions, tightened country availability, and expanded transaction monitoring. The platform retains less regulatory clarity than Coinbase or Kraken (US-licensed venues) but more than several smaller crypto-native exchanges. Regulatory pressure is the dominant forward-looking risk vector, not custody failure.
Does Bybit have proof of reserves?
Yes. Bybit publishes Merkle-tree proof of reserves on a regular cadence, covering main wallet balances against user liabilities. The methodology is the same as most major centralized exchanges adopted in the 2022-2023 post-FTX trust reset cycle. After the February 2025 exploit, Bybit increased the publication cadence and added independent third-party audit components. Proof of reserves verifies what the exchange holds at the snapshot moment; it does not verify off-chain liabilities or hidden encumbrances. Treat it as a meaningful but partial trust signal.
Should I hold large amounts on Bybit?
Not as long-term storage. Bybit works as a trading platform and yield product surface; both legitimate uses involve funds being on the platform during active use. For position-style holdings, withdraw to self-custody (hardware wallet for cold storage, software wallet for active DeFi). The general rule applies to every CEX: keep only what is actively allocated to open positions or short-duration yield products on the platform. The February 2025 incident, despite ending in full user recovery, is a reminder that custody risk is real and material.
What about the February 2025 hack specifically?
The defining recent event in Bybit's history. Attackers drained ~$1.5B from a single ETH hot wallet via what public post-mortems describe as a sophisticated infrastructure compromise. Lazarus Group attribution from multiple chain-analytics sources. Bybit response: public acknowledgment within hours, withdrawals continued operating, bridge financing within 7 days from insurance fund + treasury + third-party partner loans, full wallet rebalance to fully collateralized position against user liabilities. No user lost funds. Post-incident changes shipped through 2025-2026: tighter hot wallet limits, expanded multi-signature requirements, increased proof-of-reserves cadence, mandatory KYC tightening across the platform.