Bybit disclosed details of a 2025 security programme that it says intercepted and recovered more than USD $300 million linked to suspected scam withdrawals in Q4 2025. During the same period, the exchange flagged USD $500 million in withdrawals and intervened in most of them. It also reported blocking more than 3 million credential-stuffing attempts across 2025.
The initiative centers on a Dynamic Risk-Based Protection System for withdrawals that sorts suspicious activity into three tiers and applies different interventions based on assessed risk. At the lowest tier, Early Warning, the exchange uses data-driven heuristics to identify patterns that may signal emerging risk, such as multiple withdrawals to a newly created wallet address. Responses include automated user surveys and blacklisting destinations it categorises as high risk.
The middle tier, Real-Time Alert, focuses on indicators such as compromised credentials and suspicious withdrawal destinations. Accounts can be flagged through credential-stuffing databases or links to addresses associated with suspect activity. In those cases, the exchange generates real-time alerts during the withdrawal process and prompts users to pause and reassess the transaction.
The highest tier, Immediate Blocking & Cooling-Off, blocks withdrawals in real time for wallet addresses linked to confirmed fraud schemes, including “pig butchering” investment scams. It also imposes a mandatory one-hour cooling-off period before funds can move, giving users additional time to verify the transaction.
Reported results include: Alongside the USD $300 million figure for Q4 2025, Bybit reported several other metrics for the year. It said more than 4,000 users were protected from potential losses and that 8,000 users were “shielded” from fraudulent withdrawals. It also reported identifying 350 high-risk investment fraud addresses using in-house AI detection methods, and labelling and tagging 950 suspicious addresses through a mix of automated and manual processes.
Bybit said it froze USD $4.32 million in assets across 335 fraud cases, linking the actions to cross-chain forensic investigations that track activity across multiple blockchains. Bybit attributed part of the programme to collaboration with external analytics firms and a centralised internal mechanism that aggregates intelligence, which it calls its Standardised Intelligence Hub. According to Bybit, the hub integrates risk-transaction identification inputs from blockchain analytics firms, including TRM, Elliptic and Chainalysis.
It said this supports real-time monitoring of cryptocurrency deposits and withdrawals. The exchange also described using cross-chain tracing across bridges and mixers. Bybit said it traces activity across these services to follow illicit fund movements.
Operationally, the approach reflects a wider shift in the crypto sector towards more automated, risk-scored controls around account access and withdrawals. Credential stuffing and social engineering remain recurring threats, often targeting exchanges and retail users during periods of heightened market activity. David Zong, Head of Group Risk Control at Bybit, said the exchange aimed to make risk controls more visible to users and more actionable across the industry.
“Our mission in 2025 was to transform risk control from a ‘silent shield’ into an active, intelligent guardian,” Zong said. “By integrating AI-driven on-chain monitoring with real-time intelligence from industry partners like TRM, Elliptic and Chainalysis, we not only protect Bybit users, but also help map the DNA of fraudulent networks. We are sharing these standardized monitoring clues across the ecosystem because a safer industry for one is a safer industry for all.”
Bybit also framed the programme against rising expectations for stronger controls as digital asset use grows in markets such as India. Exchanges face increasing scrutiny over how they detect compromised accounts, stop scam-related outflows and coordinate with external intelligence providers. Bybit said it will continue enhancing its AI-based detection models and expanding partnerships with global intelligence networks.
Leave a Reply