A case study post-hack

‍

The hack amidst a broader macroeconomic de-risking

On Feb 21, 2025, Bybit, the world's second-largest cryptocurrency exchange by trading volume, suffered a major security incident that involved an exploit of one of its Ethereum cold wallets. In this report, we’ll provide a guided explanation of the immediate market impact of the security incident and subsequent recovery. Our analysis is primarily focused on the return of spot liquidity on Bybit’s exchange through technical improvements, such as RPI orders. Additionally, we’ll utilize trade volume, bid-ask spreads and order book depth metrics against data from other exchanges to show that normal trading activity on Bybit has resumed with a sharp turnaround following the hack. Much of this data is provided exclusively to Block Scholes by Bybit’s data analytics team, and is reported as presented.

However, the sell-off that followed the hack was not unique to crypto, as Bybit’s $1.5B security exploit was followed by a significant de-risking across crypto assets. Rather, global risk-on

assets experienced a sell-off in late February and into March. While this sell-off deepened following the event, its start predated it through a raft of macro events: the launch of DeepSeek’s LLM, an executive order announcing 25% tariffs on Canadian and Mexican imports and then a directive for reciprocal tariffs.

Since then, US president Donald Trump’s continually shifting and protectionist trade policy has dominated risk appetite, with BTC’s price falling more than 20% from its inauguration high.

While a security breach of this magnitude on one of the largest crypto exchanges undoubtedly contributed to the crypto sentiment, Bybit’s hack also aligned with other crypto-specific drivers, as a 90% decline in the value of Trump family meme coins and a similar crash in the LIBRA token (linked to the President of Argentina, Javier Milei) helped sour sentiment. As Figure 1 above confirms, BTC’s sell-off cannot be attributed exclusively to the hack, and began before it. We also find that, relative to previous major crypto hacks, BTC’s spot price has subsequently dropped further, which too reflects some broader macro uncertainties.

Spot trading volumes 

Spot trading volume — the total dollar value of tokens that change hands over any period — is a rough proxy of the liquidity available to a trader. The more tokens exchanged, the less likely it is that a trader’s order will meaningfully move the market price, and the more likely it is that the trader is able to trade in greater size. This metric can help us identify whether there was a material shift in market sentiment following the hack.

‍

On the date it occurred, there was a notable spike in the hourly trade volume of all USDT spot pairs away from the mean. However, that spike was short-lived, and didn’t materialize into a prolonged period of higher market activity. Additionally, it was also not the largest jump up in trade volumes so far this year: on Feb 1, 2025, crypto markets turned red as the US president signed an executive order to implement tariffs on China, Mexico and Canada. That period marked significantly higher hourly trade volumes than after the Bybit hack.

‍

In general, as highlighted by the charts below, both Bitcoin and altcoin trading volumes have recovered somewhat from the immediate drop in activity in the days that followed the hack. However, neither has fully returned to the more exuberant levels of trading that marked the beginning of the year, which can partly be explained by lower trading activity across crypto markets, as opposed to a Bybit-specific factor.

‍

As the chart above shows, the daily spot trading volume across the top 20 centralized exchanges (CEXs) has been markedly lower since mid-February, and is far below the highs seen in late January.

‍

‍

Relative to the fall in trade volumes across crypto asset spot markets, Bybit’s drop was less severe, and its share has been regrowing since the hack.

‍

Bid-ask spread remains tight

A good way to assess market conditions is by examining the bid-ask spread, which measures the difference between the lowest ask price (sell side) and the highest bid price (buy side). A tighter spread generally indicates higher liquidity and lower execution risk, as orders are filled quicker with less price slippage.

‍

The chart below breaks down the bid-ask spreads across several USDT spot pairs. It’s evident that among the selected tokens, meme coins such as PEPE and TRUMP exhibited the highest spreads. This is to be expected, as such markets typically have lower liquidity unless driven by news events that temporarily increase trading activity. Their order book depth data displays similar patterns. For example, among PEPE, TRUMP, SOL and XRP, we see a period of elevated spreads in the last week of February 2025, followed by a brief return of liquidity starting Mar 3, 2025.

‍

The dotted line marks the Bybit hack on Feb 21, 2025. However, only PEPE and TRUMP experienced a noticeable change in order book depth, and that with a delayed response. Major markets BTC and ETH both exhibited the lowest spreads, virtually unchanged following the hack. BTC’s spread in particular was negligible across the entire period shown in the graph below. This is expected, given that BTC is one of the most actively traded cryptocurrencies, with the deepest order books and highest liquidity. Its high volume of participants and trading activity contributes to consistently tight bid-ask spreads, enabling efficient price discovery and minimal transaction costs.

‍

ETHUSDT’s market showed slight fluctuations in its spread, although it remained low, staying below 0.001% throughout the entire period. Notably, the incident indicated by the dotted line appears to have had no distinguishable impact on ETH's spread. In fact, the spread narrowed to its lowest levels for the month in the week following the event.

‍

Dogecoin (DOGE) was a clear standout — unlike the other meme coins considered (although we note that DOGE is a top 10 cryptocurrency with a market cap exceeding $23B), it exhibited a much tighter spread that ranged between 0.001% and 0.003% for most of the past month. On average, this spread was comparable to those of SOL and XRP, which actually displayed slightly wider spreads during most of the post-event period.

‍

Order book depth: How much liquidity is available within 10 basis points of the mid-price?

While bid-ask spread alone tells us much about the available liquidity in a market, it cannot be used as a standalone metric to assess market and trading conditions. This is because some assets may exhibit tight spreads, yet have low depth, leading to market slippage and execution risk. In such cases, larger trades can significantly move the market by wiping out multiple levels of the order book, causing traders to receive worse prices for larger orders.

‍

Below, we examine the volume of orders within 5 and 10 basis points (bps) of the mid-price. Given that one basis point is equivalent to 0.01%, a 5 bps move away from a mid-price of $90K would be $45 in each direction, and 10 bps would be $90. A high volume of buy or sell orders at prices within these levels indicates that a trader can execute a trade of higher volume without incurring significant slippage in execution price. The charts below measure the size of all orders within these distances from the mid-price on the median timestamp on each day.

Immediately after the hacking incident, indicated by the dotted line on each chart, around $4M of order book depth was removed from BTCUSDT’s order book. The proportional distance from the mid-price between 0–5 bps and 5–10 bps remained at similar levels before and after the drop. Ethereum’s USDT order book shows a similar pattern, but with a greater impact. Immediately after the incident, liquidity at these depth levels fell nearly threefold, from $5M to under $2M. Additionally, the proportion of order book depth within the 5 bps distance from the midpoint declined even further than that, within 5–10 bps.

However, the recovery of both Bitcoin and Ethereum’s order book depth was remarkably swift, returning to similar levels within a week. This can be attributed to Bybit’s introduction of the Retail Price Improvement (RPI) order.

Liquidity enhancement: Impact of RPI orders

On Feb 17, 2025, Bybit introduced Retail Price Improvement (RPI) orders, a specialized liquidity tool aimed at enhancing liquidity exclusively for retail traders. RPI orders function as a unique subset of maker orders, placed by institutional liquidity providers or designated market makers, that are accessible exclusively by retail traders who are executing trades manually via Bybit’s user interface (UI).

RPI orders are designed to exclude institutional and algorithmic traders from matching with this liquidity through API channels. However, both standard (non-RPI) and RPI orders are made available to retail traders — specifically, those taking liquidity from prices on-screen via Bybit’s website UI.

As a result, the distinct advantage of RPI orders for on-screen liquidity takers lies in the super set of matchable orders compared to those for API liquidity takers. The result is a strictly deeper pool of liquidity, greater depth of order books and tighter bid-ask spreads available to those manually taking liquidity on-screen. While both kinds of orders are visible within public order book data, RPI orders cannot be distinguished from standard orders within the order book with explicit labels. Instead, their impact lies in their overall depth and pricing efficiency.

The RPI Order type went live on Bybit on Feb 20, 2025, just days before the hacking incident, and quickly gained popularity throughout the month. It acted as a positive counterbalance to the reduced non-RPI order book depth following the event. 

In the larger market-cap markets seen below — including BTC, ETH, SOL and DOG — RPI orders account for a significant proportion of all orders. These are the same markets we saw above with markedly lower bid-ask spreads. Across these markets, RPI orders are primarily concentrated at the 5–10 bps level, positioning up to 30% of the order book depth within 10 bps and thus enhancing liquidity. This is in contrast to the slightly lower, yet still meaningful, share of RPI orders positioned within 5 bps of the mid-price. 

‍

‍

Among these larger markets, XRP is an exception, with significantly higher RPI order participation. By the end of March, RPI orders accounted for over 50% of the order book depth at 5–10 bps from the mid-price, and around 30% within 5 bps. This new order type has substantially increased order depth, leading to greater liquidity for retail trading and, as a result, more favorable market conditions.

In comparison, the TRUMPUSDT market shown below is a smaller market, and has a lower proportion of RPI orders within the 10 bps range. 

PEPE also has a reduced RPI participation within the 10 bps range, and the majority of the liquidity comes from RPI orders in this range. 

3-stall liquidity

Below, we show the impact of the introduction of RPI orders on the order books from a different perspective: 3-stall liquidity. This refers to the three levels on either side of the order book (bids and asks). Through this lens, we can see how significant the proportion of RPI orders are, and the growth in adoption of these orders since their introduction on Feb 20, 2025. Standard non-RPI orders subsequently make up only a fraction of orders across all markets. For the retail trader, this translates to an immediate boost in liquidity. 

‍

‍

‍

Trading activity & volume

Bybit's market share as a proportion of the top 20 exchanges reached highs of nearly 15% in Q3 2024. This growth has been steady over the years, solidifying Bybit’s position as a top 10 CEX. With many factors influencing an exchange’s spot volume proportion over a given period — such as organic growth, overall crypto sentiment and regional rollouts or restrictions — we can observe that Bybit’s share of spot volume has varied over the past 12 months, attributable to natural fluctuations.

‍

Bybit’s sharp decline in proportional spot volume at the end of February 2025 — coinciding with the hack — stands out with an almost instantaneous drop, from approximately 11% to around 4%. This can be attributed to the targeted attack on Bybit’s cold wallet and reflects the exchange sentiment immediately afterward. However, this initial drop during the first week was the lowest point observed, and Bybit’s share has since begun to recover.

‍

Since this initial decline, Bybit has steadily regained market share as it works to repair sentiment and as volumes return to the exchange. The proportional share has increased to approximately 6–7%, representing a 3-point rise from the 4% low. This marks a strong and stable recovery in Bybit’s spot market and trading volumes, a factor that may also enhance the overall user trading experience.

‍

Breaking down trade volumes by instrument reveals an informative picture. In the immediate aftermath of the hacking event, the proportion of BTC traded dropped to below 20%, a stark contrast to the nearly 50% dominance observed prior. In isolation, this appears to represent a significant drop in Bybit’s volume, given that Bitcoin typically accounts for a large share of the platform’s trading activity. However, within a broader context, BTC trading volume as a proportion tends to remain range-bound, fluctuating between lows of approximately 20% and highs of 50%. Since the incident, these lows have occasionally dipped even further, reaching a six-month low of around 15% on Mar 22, 2025.

‍

‍

Surprisingly, despite the targeted nature of the ETH-related attack, the proportion of trading volume allocated to ETH has remained relatively stable both before and after the incident. There are moments when ETH’s share of volume is slimmer, such as in mid-January 2025, which are comparable to levels seen in March 2025.

‍

The most significant change in trading behavior has occurred in the Other category, which includes altcoins and meme coins spot pairs traded against USDT. This segment has gained a notable share of overall volume. Prior to the incident, the percentage of volume ranged between 20–30%. However, afterward this range increased significantly, with proportions reaching lows of 30% and peaking at nearly 60% on Mar 22, 2025, the same day BTC dominance hit its lowest point. Since these altcoins are often characterized by smaller market caps, trading them on larger CEXs such as Bybit offers improved liquidity in otherwise limited markets.

Conclusion

Despite occurring against a backdrop of macroeconomic uncertainty and a broad risk-off shift in global markets, the Bybit hack on Feb 21, 2025 marked a clear inflection point for the exchange’s spot liquidity and trading sentiment. While the hack triggered a sharp but brief disruption in volumes and order book depth — particularly in the BTC and ETH markets — bid-ask spreads across major tokens remained largely intact.

This resilience was reinforced by the broader trend of macro de-risking that began prior to the event, suggesting the market’s reaction wasn’t purely event-driven. Volumes fell in the days following the hack, but this mirrored a broader dip across CEXs.

Aided by the timely rollout of Retail Price Improvement (RPI) orders, Bybit stabilized liquidity conditions and began to rebuild its share of overall crypto spot trading. Bybit-supplied data show that the adoption of RPI orders has been especially impactful across high-volume markets, such as BTC, ETH and DOGE, offering retail traders deeper liquidity and narrower spreads while also encouraging participation post-incident. Metrics such as 3-stall liquidity and order book depth within 10 bps indicate a consistent recovery, particularly in larger-cap markets (where RPI participation is strongest), and Bybit’s spot market share among the top 20 CEXs has rebounded by three percentage points from its post-hack low.