Bybit is mostly a decision about trading workflow, not brand loyalty. If you want one account for spot, perpetuals, options, and related tools, it can make sense. If you want anonymous access, long-term storage, or a platform that removes exchange risk, it is the wrong tool. The February 2025 hack and recovery matter because they show both sides of Bybit clearly: real operational depth, and real custodial risk that still exists after the fix. This review is for readers deciding whether Bybit fits how they actually trade in 2026.
Exchange resilience is proven by breach recovery, not by security promises.
Key Takeaways
- Bybit is a trading venue first: the strongest use case is active spot and derivatives trading, not long-term coin storage.
- Costs look reasonable at the base tier: spot starts at 0.1%, derivatives at 0.02% maker / 0.055% taker, but funding, spread, and withdrawal costs still matter.
- The February 2025 hack is part of the review, not a footnote: Bybit covered the loss and upgraded its security stack, but that does not erase counterparty risk.
- Access is jurisdiction-sensitive: KYC is required, and product availability can differ by country, entity, and account status.
- Best fit: supported-jurisdiction traders who want one CEX account for spot plus derivatives. Poor fit: passive holders, restricted users, and anyone who wants self-custody-level control.
Check the boring parts before you fund the account: jurisdiction, KYC status, product access, withdrawal path, and whether you are about to use leverage you do not fully understand.
The operational danger is not just hacks. It is getting stuck between compliance checks, open positions, and coins you should have withdrawn earlier.
What Is Bybit?
Bybit is a centralized exchange built around active trading. It started in derivatives and still makes the most sense for users who want spot, perpetuals, options, and related trading tools under one login. It also offers copy trading, bots, P2P access, and earn-style products, but those extras should be treated as optional layers, not the reason to ignore the core custody risk of leaving funds on a CEX.
Bybit’s Unified Trading Account (UTA) is one of the main reasons traders choose it. Instead of moving funds between separate spot, futures, and options wallets, the account can pool collateral in one place. That is useful if you actively manage several positions. It is less useful if you just buy and hold a few coins, because the convenience is tied to margin efficiency, not to safer custody.
Bybit lists a large menu of products and trading pairs, but the decision value is simpler than the product catalog suggests. On big pairs, the exchange is built to serve active flow. On smaller altcoins, spreads, liquidity, and product access can look very different. European users may interact through Bybit EU under MiCAR-related licensing, while other users should verify which local entity, rules, and product set actually apply before funding the account.
The February 2025 Hack: What Happened
On February 21, 2025, North Korea’s Lazarus Group executed a supply chain attack against Bybit’s cold wallet infrastructure. The attackers compromised Safe Wallet’s frontend code, which altered transaction signing data during the multisig approval process. The signers saw legitimate-looking transactions on their screens but were actually approving transfers to attacker-controlled addresses. Approximately 400,000 ETH, worth $1.46 to $1.5 billion, was drained in a single session.
The attack did not exploit Bybit’s core infrastructure directly. It targeted the third-party interface used to display and approve multisig transactions. The vulnerability sat in the trust boundary between signing software and the humans reviewing it. What the signers saw on screen did not match what the blockchain received. This is the same class of problem that on-device verification on hardware wallets is designed to solve: the display layer and the signing layer were not independently verified.
Bybit’s response was unusually fast. The exchange said user withdrawals continued during the incident and that it sourced replacement ETH through OTC deals and bridge financing, replenishing the loss within 72 hours. No user losses were reported from the event itself. That recovery matters, but it should be read as evidence of operational backstop capacity, not as proof that exchange custody risk is solved.
The hack is the most important data point in evaluating Bybit today. It revealed a genuine weakness in multisig signing workflows, but the recovery demonstrated operational depth and capital reserves that most exchanges do not have. Both facts should carry weight when deciding whether to hold funds on an exchange.
Bybit Trading Features
Derivatives remain the reason most serious users look at Bybit. Perpetual futures are the center of the platform, and options are there for traders who already know why they need them. If your job is short-term execution, hedging, or managing leveraged exposure from one account, Bybit is built for that workflow. If your job is simply to buy BTC and withdraw it, much of the platform is extra complexity you do not need.
Copy trading is useful mainly for users who want exposure to someone else’s system without placing every trade by hand. That convenience comes with a blunt tradeoff: copied positions are still your risk. Drawdown, leverage, slippage, and liquidation do not become safer because another trader opened the position first. The same caution applies to bots and AI suggestions. They can reduce clicking, but they do not reduce the need to understand what happens when a trade goes wrong.
The interface can work for a beginner buying spot, but the platform feels more natural once you already understand order types, collateral, and liquidation math. Traders moving from other large CEX terminals will adjust quickly. Beginners can use it, but they should stay on spot first and treat the derivatives side as separate homework, not as a feature to test casually. For a direct platform comparison, see Binance vs Bybit 2026.


Bybit Fee Structure
Bybit uses a tiered fee structure based on 30-day trading volume and asset holdings:
- Spot trading: 0.1% maker and taker at base tier.
- Derivatives: 0.02% maker, 0.055% taker at base tier.
- Options: 0.02% maker and taker.
VIP tiers can reduce costs for larger traders, and maker-heavy flow may qualify for better pricing or rebates. That matters if you trade often. It matters far less for casual users, who usually lose more from spread, bad entries, funding, or overtrading than from a small headline fee difference. Promotional discounts and coupons change over time, so they should not be the main reason you choose an exchange.
For buyer intent, the key point is simple: Bybit’s spot pricing is normal for a large CEX, while its derivatives pricing is one reason active futures traders keep it on the shortlist. That does not make it automatically cheaper in practice. Real cost depends on how often you trade, whether you cross the spread, what funding does to your position, and whether your style fits the order book.
Perpetual futures also carry funding rates, which are separate from trading fees and can become the bigger cost if you hold positions through stressed markets. Withdrawal fees vary by asset and network conditions, and fiat rails can differ by region and payment method. Crypto deposits are generally free on the exchange side, but the more important question is operational: how easily can you get funds out when you want to reduce exchange exposure?
Security Architecture After the Breach
Following the February 2025 hack, Bybit said it implemented more than 50 security upgrades. The useful question for a buyer is not whether that sounds impressive. It is whether the changes reduce the specific failure that happened and whether you still understand the remaining exchange risk.
- Cold storage: the majority of user funds are stored in multisig cold wallets, with revised signing workflows that no longer depend on a single frontend interface for transaction verification.
- Trusted Execution Environments (TEE): sensitive operations run inside hardware-protected enclaves that isolate signing logic from the broader operating system, reducing the attack surface for frontend compromises.
- Threshold Signature Schemes (TSS): distributed signing that splits key material across multiple parties so that no single compromised device can authorize a transaction alone.
- Real-time AI monitoring: anomaly detection on high-value transactions designed to flag unusual patterns before funds leave the platform.
- User-level protections: mandatory 2FA, anti-phishing codes, address whitelisting, session monitoring, and one-click account freeze.
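The signing failure described in the hack section and the revised cold-storage workflow in the list above both come down to checking the bytes that will be signed on a path that does not share the frontend. The following is an added example, not Bybit's or Safe's code: the payload layout, field names, addresses, and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical payload layout for this sketch: canonical JSON with these fields.
FIELDS = ("to", "value_wei", "data", "nonce")

def canonical_bytes(tx: dict) -> bytes:
    """Serialize exactly the signed fields, in one fixed encoding."""
    body = {k: tx[k] for k in FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def digest(tx: dict) -> str:
    # SHA-256 stands in for the chain's real signing hash (assumption).
    return hashlib.sha256(canonical_bytes(tx)).hexdigest()

def verify_before_signing(raw: bytes, intent: dict, allowlist: set) -> list:
    """Decode the bytes that will be signed without using the frontend's
    view, and return the reasons to refuse (an empty list means sign)."""
    try:
        tx = json.loads(raw)
    except ValueError:
        return ["payload is not decodable"]
    if not isinstance(tx, dict) or set(tx) != set(FIELDS):
        return ["payload does not have exactly the expected fields"]
    problems = []
    # Re-encoding catches duplicate keys and other parser-dependent input.
    if raw != canonical_bytes(tx):
        problems.append("encoding is not canonical")
    for k in FIELDS:
        if tx[k] != intent[k]:
            problems.append(f"{k}: approved {intent[k]!r}, payload has {tx[k]!r}")
    if str(tx["to"]).lower() not in allowlist:
        problems.append("recipient not on allowlist")
    return problems

# Constructed sample data: placeholder addresses, not real wallets.
WARM = "0x" + "11" * 20
OTHER = "0x" + "99" * 20
ALLOWLIST = {WARM}
INTENT = {"to": WARM, "value_wei": 5 * 10**18, "data": "0x", "nonce": 42}
HONEST = canonical_bytes(INTENT)
ALTERED = canonical_bytes({**INTENT, "to": OTHER, "data": "0xabcdef"})

if __name__ == "__main__":
    for name, raw in (("honest", HONEST), ("altered", ALTERED)):
        print(name, verify_before_signing(raw, INTENT, ALLOWLIST) or "OK to sign")
    print("digest to compare on the signing device:", digest(INTENT))
```

The check only helps if it runs on a machine and code path separate from the interface that displays the transaction, and if the digest it prints is compared with the one shown on the signing device.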
Bybit also publishes Proof of Reserves materials and account-verification tools for major assets. The exact assurance level can change depending on the report, methodology, and whether outside reviewers are involved, so users should check the current documentation directly. Even a well-presented reserves report does not turn a CEX into a trustless system. For users who care about exchange custody risk, proof of reserves is a positive transparency signal, not a reason to treat long-term balances on Bybit as safe by default.
Regulation and Geographic Restrictions
Bybit operates through regulated entities in some jurisdictions, including Bybit EU in Europe and a licensed presence in the UAE. The practical point for users is that policy, product set, and legal protections can differ depending on which Bybit entity serves your account. KYC verification is a core part of account access, not an optional extra.
Regional availability can change, and product access can differ even inside supported regions. Bybit has been restricted in the United States, United Kingdom, Canada, Singapore, mainland China, and other jurisdictions, and users should confirm the current rules directly before depositing. Trying to work around restrictions with a VPN is an account-control risk, not a clever setup. Exchanges can request renewed verification, restrict products, or freeze access when compliance checks fail.
For users inside a regulated Bybit entity, the framework around segregation, disclosures, and dispute handling may be stronger than it is for offshore users. That still does not make the account equivalent to self-custody or to a bank deposit. For users outside those regulated lanes, the practical fallback is thinner. Before funding the account in size, know which entity holds your account, what products you can actually access, and what your withdrawal options look like if policy changes later.
Security on a centralized exchange is not just about cold wallets and audits. It is also about whether your account stays usable when jurisdiction, verification, or compliance rules change.
If you need guaranteed control over timing and withdrawal, keep less on the exchange and move faster to self-custody.
Who Should Use Bybit (and Who Should Not)
Use it if: you want a centralized venue for active spot and derivatives trading, you understand leverage, and you are prepared to withdraw after the trade window ends.
Skip it if: you need self-custody-level control, you are in a restricted jurisdiction, or you are still learning basics and might drift into leverage before you understand liquidation.
Bybit is a strong fit for:
- Active spot and derivatives traders who want one account for execution, collateral sharing, and switching between products without moving funds around internally.
- Experienced futures users who already understand funding, liquidation levels, and why low headline fees do not matter if the position model is sloppy.
- Self-directed traders who want a full CEX terminal and will use Bybit as a venue, not as a long-term storage layer.
- Copy-trading-curious users with a small-risk mindset who understand that following another trader does not outsource the downside.
Bybit is not the right choice for:
- US, UK, or Canadian users who cannot legally access the platform. VPN workarounds create real account-freeze risk.
- Passive holders who plan to leave meaningful balances on the exchange. No CEX is a substitute for self-custody once the trade is done.
- Beginners unfamiliar with leverage who have not yet learned how margin calls, liquidation prices, and funding rates work. Starting with leveraged derivatives before understanding these mechanics is an expensive shortcut.
- Users who care most about control and withdrawal certainty rather than product range. A centralized exchange always sits between you and your coins until you withdraw.
Bybit Review Verdict: Is It Worth Using in 2026?
Bybit is worth using in 2026 if your main job is active trading on a centralized venue and you are in a supported jurisdiction. That is the core answer. The strongest case for it is not that it is perfect. It is that it combines a broad trading stack, decent fee economics for active users, and a workflow that suits people who move between spot and derivatives often.
The 2025 hack still matters. It proved Bybit could absorb a major operational shock and keep users whole. It also proved that even a large exchange with serious infrastructure can fail at a critical trust boundary. That is why this review lands in the middle, not at either extreme. Bybit looks credible as a trading venue. It does not get promoted here as a place to park coins and forget them.
If you trade derivatives actively and operate from a supported jurisdiction, Bybit is reasonable to consider. If you are mainly buying spot, testing copy trading out of curiosity, or holding for months, be stricter. Keep size smaller, watch withdrawal and compliance realities, and move funds off the platform when the job is done. The history of exchange failures and the limits of keeping crypto on an exchange do not disappear because one exchange handled a crisis well.
Frequently Asked Questions
Is Bybit safe after the 2025 hack?
Bybit says it implemented more than 50 security upgrades after the February 2025 breach, including revised multisig workflows and stronger signing controls. It also restored the loss quickly without passing it to users. That makes the platform look more resilient than it did before the hack, but it does not remove future exchange risk. If you are holding for the long term, self-custody is still the safer default than leaving funds on any exchange.
What are Bybit’s fees?
Base tier pricing is 0.1% for spot trading, 0.02% maker and 0.055% taker for derivatives, and 0.02% for options. VIP tiers can reduce those rates, but your real cost also depends on spread, funding, and how often you trade. Promotional discounts come and go, so they should not be treated as a permanent edge.
Can I use Bybit in the US?
Not for most users. Bybit has been restricted in the United States and several other jurisdictions, and users should confirm the current policy directly before opening or funding an account. Using a VPN to bypass restrictions adds real account-freeze and compliance risk.
Is Bybit good for beginners?
Only in a limited sense. Bybit can work for a beginner who stays on spot and keeps size small, but the platform is built around more advanced trading behavior. Beginners who are not comfortable with leverage, margin calls, and funding rates should treat the derivatives side as off-limits until they understand how liquidation works.
Does Bybit have proof of reserves?
Yes. Bybit publishes Proof of Reserves materials for major assets and offers account-verification tools. That improves transparency, but it is not the same as eliminating counterparty risk or giving users a full live audit of liabilities. Treat it as one useful signal, and check the current methodology rather than assuming every report provides the same level of assurance.



