Bybit recovers 7% of market share after a $1.4B hack by Lazarus Group, regaining investor confidence with new security measures and boosted liquidity.
Bybit, one of the world’s largest crypto exchanges, has bounced back to its pre-hack performance. Recent data shows the exchange has regained its 7% market share after what CEO Ben Zhou called the worst hack in history earlier this year.
Bybit Recovers After February’s Security Breach
In February 2025, Bybit’s Ethereum cold wallet was hacked. Hackers managed to steal over $1.4 billion worth of digital assets. The funds included staked Ether (stETH) and Mantle Staked ETH (mETH).
The breach raised serious concerns about the vulnerability of centralized exchanges, even those with advanced security protocols.
Following the hack, Bybit’s share of the crypto spot market dropped sharply to around 4%. Despite the initial fall, a recent report from analytics company Block Scholes shows that the world’s second-largest cryptocurrency exchange is gradually reclaiming its market position.
As of April 9, the exchange’s market share stood at about 7%, matching its position before the exploit. Data from CoinMarketCap pegs the average Bybit liquidity score at 713, with a $4.29 billion volume in 24 hours. This volume compares with Binance’s $26.79 billion.
The recovery is linked to renewed positive sentiment among market participants and a rebound in trading volumes.
After the breach, Bybit partnered with Zodia Custody to boost its security. The move is expected to improve liquidity options for retail users and may have played a key role in restoring investor confidence.
Analysts pointed out that the decline in market activity coincided with crypto investors scaling back due to broader macroeconomic concerns. This de-risking behavior had started even before the hack.
This suggests that not all of Bybit’s initial market decline directly resulted from the incident.
Lazarus Group Indicted, Most Funds Traced
Further investigations by the United States Federal Bureau of Investigation (FBI) confirmed that North Korean Lazarus Group hackers were behind the theft.
Prominent blockchain firms, including Arkham Intelligence, tracked the attackers as they laundered the stolen funds using THORChain, a decentralized cross-chain protocol. The hackers took 10 days to launder the money through various transactions.
Still, their efforts were insufficient, as blockchain analysis revealed that nearly 89% of the stolen assets remained traceable. Some security experts noted that the incident is proof of the growing effectiveness of tracking tools, even when hackers attempt to hide behind decentralized privacy networks.
Eric Jardine, a cybercrime researcher at Chainalysis, observed a significant drop in North Korea’s hacking activity after July 1, 2024. He linked this decline to a resource shift following a summit between Russia and North Korea, which may have led to the reassignment of personnel to support military efforts in Ukraine.
Analysts believe this development gave the Lazarus Group time to regroup and plan the Bybit attack.
next