Bybit Recovers Market Share to 7% After $1.4B Hack

Bybit Recovers Market Share to 7% Following $1.4B Exploit

Bybit has made a strong recovery following the catastrophic $1.4 billion hack it suffered in February 2025, regaining its market share to over 7%, according to a new report by crypto analytics firm Block Scholes. The comeback marks a return to pre-hack levels and highlights the platform’s resilience amid a broader trend of macroeconomic de-risking across the crypto sector.

The unprecedented attack on February 21 shook the entire crypto industry, becoming the largest exploit in its history. The hackers targeted various assets including liquid-staked Ether (stETH), Mantle Staked ETH (mETH), and other tokens held on the centralized exchange. In the days immediately following the breach, Bybit’s market share dropped to a post-hack low of 4%.

However, data from Block Scholes shows that the platform has since steadily recovered. “Since this initial decline, Bybit has steadily regained market share as it works to repair sentiment and as volumes return to the exchange,” the April 9 report stated. This recovery suggests that traders are regaining trust in the platform, largely due to Bybit’s enhanced security protocols and improved liquidity options for retail users.

Bybit’s spot volume market share as a proportion of the market share of the top 20 CEXs. Source: Block Scholes

Interestingly, analysts note that Bybit’s volume drop wasn’t solely due to the hack. The exploit occurred during a period of wider macro de-risking, which had already begun affecting trading volumes across exchanges before the breach.

According to Cointelegraph, it took the attackers just 10 days to launder the stolen funds through the decentralized cross-chain protocol THORChain. Despite this, blockchain forensics firms were able to trace 89% of the stolen assets, offering a glimmer of hope for recovery.

Security firms, including Arkham Intelligence, have pointed the finger at North Korea’s Lazarus Group as the likely perpetrators of the attack. Their suspicions stem from recognizable laundering tactics and patterns of behavior. Notably, there had been a lull in Lazarus-linked activity after July 1, 2024 — a period coinciding with a reallocation of North Korean military and cyber resources, allegedly to support Russia in its war in Ukraine.

Source: Ben Zhou

Eric Jardine, cybercrime research lead at Chainalysis, noted that the timing of the Bybit hack aligns with this strategic shift:

“So, we speculated in the report that there might have been additional things unseen in terms of resources reallocation from the DPRK, and then you roll forward into early February, and you have the Bybit hack.”

Despite Bybit’s robust infrastructure, the incident underscores the ongoing threat centralized exchanges face from increasingly sophisticated cybercriminal groups. Analysts have drawn comparisons between the Bybit breach and other recent attacks, including the $230 million WazirX exploit and the $58 million Radiant Capital hack, pointing to a concerning trend of coordinated, high-level threats.

North Korean hacking activity before and after July 1. Source: Chainalysis

Bybit’s ability to bounce back highlights not only the platform’s operational agility but also the crypto community’s willingness to return — as long as trust is restored and risk is mitigated.