Your Crypto Is Not Yours on a CEX: What the Bybit Hack Revealed About Custody Risk

On February 21, 2025, Bybit lost approximately 1.5 billion dollars in the largest cryptocurrency theft ever recorded. Unlike most exchange breaches you hear about, no user password was leaked and no individual account was targeted. The attackers went straight for the infrastructure holding funds on behalf of everyone.

For most traders, the coverage stopped at the headline. State-sponsored hackers, sophisticated malware, record-breaking losses. All true. But the deeper story is structural, and it applies to every active trader with funds sitting on a centralised exchange right now.

This article breaks down what actually happened, what it reveals about custody risk, and how non-custodial interfaces like velto change the equation for traders who want to stay in control of their assets.

What actually happened at Bybit

On the morning of February 21, Bybit initiated what appeared to be a routine transfer of Ethereum from a cold wallet to a warm wallet. This kind of transfer happens regularly at exchanges: it is operational, expected, and in this case, exactly what the attackers were waiting for.

To execute transfers of this size securely, Bybit used a multi-signature process through Safe, a third-party wallet platform. Multiple Bybit employees needed to review and sign the transaction before it could go through. The interface they saw showed a legitimate transfer with the correct destination address. What they were actually signing was different.

Weeks earlier, attackers linked to North Korea's Lazarus Group had compromised a developer's workstation at Safe, and using that access, they injected malicious JavaScript into the signing interface at the precise moment Bybit's transaction was being processed. While the UI looked normal, the underlying instructions were redirecting approximately 401,000 ETH to addresses controlled by the attackers.

Two minutes after the transaction was confirmed, the malicious code was removed. By the time anyone understood what had happened, the funds were already moving through a web of intermediary wallets.

The attackers never touched a single user's private key. They found a way into the infrastructure sitting between Bybit and its own funds, and that was enough.

The real story behind the numbers

The coverage after the hack focused almost entirely on the sophistication of the attack: state-sponsored actors, supply chain compromise, manipulated interfaces. All of that is accurate, but it framed the incident as an exceptional event rather than a structural one, and that framing can let a very important point slip by.

Bybit was holding 1.5 billion dollars of user funds at the moment of the attack, and that concentration of assets in a single entity is the basic operating model of every centralised exchange. Users deposit funds, the exchange holds them, and in return they get a liquid and accessible trading environment. The arrangement is convenient by design, and the trade-off that comes with it only becomes visible in moments like this one.

When an exchange holds your funds, everything standing between you and those assets becomes part of your risk profile, including their infrastructure, their third-party dependencies, and the operational choices of every platform they rely on to function.

The attackers did not need to find a flaw in Bybit's own systems. They found a weakness in a third-party wallet provider Bybit depended on, compromised a developer's machine weeks in advance, and waited for a routine transaction to make their move. The sophistication of the method made headlines, but the reason it was possible is the part worth sitting with. 

When someone else holds your funds, the risks they carry become yours.

Same issue, different exchange

To understand why this goes beyond one exchange or one attack, it helps to look at what has happened before. The history of centralised exchanges is punctuated by incidents that follow the same structural logic, even when the methods and circumstances are completely different.

Mt. Gox collapsed in 2014 after approximately 850,000 Bitcoin were lost through a combination of theft and mismanagement, wiping out users who had no warning and no recourse.

FTX imploded in 2022 when it emerged that user funds had been used to cover the losses of its sister trading firm, leaving customers unable to withdraw assets they believed were safely held on the platform. 

WazirX lost 235 million dollars in 2024 through an attack vector remarkably similar to Bybit's: a manipulated multisig interface that tricked signers into approving a malicious transaction.

The specific trigger varies. It can be a sophisticated state-sponsored attack, a fraudulent business model, a regulatory intervention, or simply an exchange facing liquidity pressure during a volatile market.

But the dynamic underneath stays the same: centralised custody creates a single point of control, and a single point of control creates a single point of failure. Every trader with funds on a CEX is exposed to that dynamic, regardless of how strong their exchange's security posture appears to be.

What self-custody actually changes

When your assets are in your own wallet, they are not part of anyone else's infrastructure. A hack targeting an exchange does not touch them. An insolvency does not freeze them. A regulatory intervention against a platform does not affect your ability to access or move them. Your exposure is limited to your own wallet and what you choose to do with it.

This is the structural shift self-custody creates. The attack surface shrinks from an entire exchange's operational stack to a single wallet that only you control.

In practice, this means trading looks different. Instead of depositing funds with a platform and trading from an account balance, you connect your wallet to an interface, build a transaction, and sign it. Your assets move only at the moment of execution, and only because you authorised it. Between trades, they sit in your wallet, untouched by any third party.

This is where non-custodial interfaces like Velto fit into the picture for active traders, connecting you to multiple DeFi protocols from one interface and giving you access to advanced order types, multi-chain trading workflows, and full fee visibility before you sign, without Velto ever taking custody of your funds.

The experience is designed to feel familiar to serious traders, while using a custody model that keeps your assets in your own wallet.

Is the self-custody trade-off worth it? 

Self-custody is a meaningful shift in how you relate to your assets, and it comes with responsibilities that are worth stating plainly before you commit to it.

The most significant one is key management, which essentially means that if you lose your seed phrase, your funds are gone. There is no support team to contact, no recovery process to initiate, and no exchange to file a claim with. The security of your wallet rests entirely with you, and that requires a level of diligence that goes beyond storing a screenshot in your photos app.

User error carries real weight too. A transaction sent to the wrong address, an approval signed without reading it carefully, an interaction with a contract that turned out to be malicious. In a self-custody setup, all of that lands with you, and being aware of it before you encounter it is part of the deal. On-chain actions are final, and the responsibility of getting them right sits with you as the person signing.

Gas fees are another point worth noting: they add a cost layer that does not exist on a CEX. Every on-chain transaction requires network fees that fluctuate with demand, and during busy periods those costs can affect the economics of smaller position sizes.

So if you are considering moving into self-custody, do it with a clear understanding of what you are taking on. The traders who manage it well are the ones who treat their seed phrase with the same seriousness they treat their trading capital, use interfaces that surface transaction details clearly before they confirm, and understand that the control they gain comes with the accountability that goes with it.

What to take away if you trade on a CEX today

The Bybit hack is not an argument for abandoning centralised exchanges entirely. For many traders, a CEX remains a practical and reasonable choice for certain types of activity, and that is a legitimate position to hold.

What it is an argument for is clarity about what you are agreeing to when you deposit funds with one. Your assets are held by a third party, and that third party carries risks you cannot fully control or monitor. Most of the time, that arrangement works without issue. But the history of crypto exchanges shows clearly that when it does not work, the consequences for users can be severe and sudden.

The practical takeaway is not necessarily to move everything on-chain overnight, but to be deliberate about where your funds sit and why. Which assets do you need on a CEX for liquidity or speed, and which could sit in your own wallet between trades? How much exposure are you comfortable carrying with any single platform? These are questions worth having answers to before an event like Bybit forces the conversation.

For traders who are ready to explore what trading on-chain actually looks like today, trying a non-custodial interface like velto can be a natural first step in that transition. One interface, multiple protocols, full custody throughout.

Disclaimer:

This article is for informational purposes only and does not constitute financial or investment advice. Trading digital assets, including through non-custodial interfaces, involves significant risk. Smart contract interactions are irreversible, and lost private keys cannot be recovered. Always do your own research before making any trading decisions.

FAQ

Did Bybit users lose their funds in the hack?

In this specific case, Bybit said customer assets remained fully backed and that losses would be covered through internal funds and emergency liquidity support, while withdrawals stayed open and the exchange said it remained solvent. That outcome reflected Bybit’s scale and financial position at the time of the attack, not a general protection users should assume. A smaller exchange facing a similar event might not have the resources to absorb a loss of that size, and crypto exchange history shows that user recovery is far from guaranteed when custodians fail.

Is a cold wallet on an exchange the same as a self-custody cold wallet?

The terminology is the same but the arrangement is fundamentally different. A cold wallet on an exchange is an offline wallet controlled by the exchange, used to store user funds away from internet-connected systems. You have no direct access to it and no control over the keys. A self-custody cold wallet is a hardware device you own and control, where the private keys never leave the device. In the Bybit hack, the targeted wallet was an exchange cold wallet. The funds stored there belonged to users, but the keys and the infrastructure surrounding them belonged to Bybit. That distinction is exactly what the article is about.

What is counterparty risk in crypto?

Counterparty risk is the risk that the other party in an arrangement fails to meet their obligations. In crypto, when you deposit funds with a centralised exchange, you are taking on counterparty risk. You are trusting the exchange to hold your assets securely, process your withdrawals, and remain solvent. If the exchange is hacked, freezes withdrawals, faces regulatory action, or becomes insolvent, your ability to access your funds depends entirely on how that situation resolves. Self-custody eliminates this specific risk because there is no third party holding your assets. The trade-off is that the responsibility of securing them transfers entirely to you.

Can a non-custodial interface be hacked the same way Bybit was?

The attack vector is different, which matters. The Bybit hack worked because the exchange held user funds, meaning a successful compromise of their infrastructure gave attackers direct access to those funds. With a non-custodial interface, the funds stay in your own wallet throughout. An attacker compromising the interface itself does not gain access to your assets, because the interface never holds them. The risk in a non-custodial setup sits elsewhere, primarily in what you sign. A compromised or malicious interface could attempt to trick you into signing a transaction that moves your funds. This is why transaction transparency before signing matters, and why using interfaces that surface what you are authorising clearly is an important part of trading on-chain safely.
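The divergence at the heart of the Bybit attack (the signers' screen showed one transfer while the bytes they signed carried another) and the "what you sign" point in this answer, as an added example that is not code from the article, from Velto or from Safe: a check that decodes the payload actually presented for signing and compares it field by field with the transfer the reviewer was shown. The byte layout is a constructed, simplified encoding rather than Ethereum's or Safe's real transaction format, and the addresses and amounts are sample values.

```javascript
// Added illustration, not code from the article, Velto or Safe. The layout below is a
// constructed, simplified transfer encoding (address || amount || length || calldata),
// not Ethereum's or Safe's real serialization. The point is the check itself: decode the
// bytes actually handed to the signer and compare them with the transfer that was displayed.

function encodeTransfer({ to, valueWei, data = '0x' }) {
  const addr = Buffer.from(to.slice(2), 'hex');                                       // 20 bytes
  const amount = Buffer.from(BigInt(valueWei).toString(16).padStart(64, '0'), 'hex'); // 32 bytes
  const calldata = Buffer.from(data.slice(2), 'hex');
  const len = Buffer.alloc(4);
  len.writeUInt32BE(calldata.length);
  return Buffer.concat([addr, amount, len, calldata]);
}

function decodeTransfer(buf) {
  if (buf.length < 56) throw new Error('payload too short');
  const len = buf.readUInt32BE(52);
  if (buf.length !== 56 + len) throw new Error('payload length mismatch');
  return {
    to: '0x' + buf.subarray(0, 20).toString('hex'),
    valueWei: BigInt('0x' + buf.subarray(20, 52).toString('hex')),
    data: '0x' + buf.subarray(56).toString('hex'),
  };
}

// "What you see is what you sign": returns every discrepancy between the transfer shown to
// the reviewer and the payload about to be signed. An empty list means proceed; anything
// else means refuse to sign, however normal the interface looks.
function verifyBeforeSigning(displayed, payloadBytes) {
  const actual = decodeTransfer(payloadBytes);
  const problems = [];
  if (actual.to.toLowerCase() !== displayed.to.toLowerCase())
    problems.push(`destination ${actual.to} differs from displayed ${displayed.to}`);
  if (actual.valueWei !== BigInt(displayed.valueWei))
    problems.push(`amount ${actual.valueWei} differs from displayed ${displayed.valueWei}`);
  if (actual.data !== '0x') // a plain ETH transfer carries no calldata; any at all is a red flag
    problems.push(`unexpected calldata ${actual.data}`);
  return problems;
}

// Constructed sample: the transfer the signers believe they are approving (hypothetical addresses).
const DISPLAYED = { to: '0x' + '11'.repeat(20), valueWei: 401000n * 10n ** 18n };
// What a clean interface hands to the signer.
const HONEST_PAYLOAD = encodeTransfer(DISPLAYED);
// Constructed payload standing in for what a tampered interface would hand over: same amount,
// different destination. The screen still shows DISPLAYED; only the bytes differ.
const DIVERGENT_PAYLOAD = encodeTransfer({ to: '0x' + '22'.repeat(20), valueWei: DISPLAYED.valueWei });

console.log(verifyBeforeSigning(DISPLAYED, HONEST_PAYLOAD));    // []
console.log(verifyBeforeSigning(DISPLAYED, DIVERGENT_PAYLOAD)); // one destination mismatch
```

In practice the "second channel" is a hardware wallet or an independently computed hash of the transaction, so the comparison does not rely on the same interface that produced the payload.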

Published on April 28, 2026