The second-largest crypto exchange by volume says its internal controls caught a batch-transaction exploit modelled on the techniques that took down Mt. Gox, preventing what would have been one of the largest attempted thefts from a centralised venue.
Bybit said on 8 April that its risk control team had detected and neutralised a coordinated series of fake-deposit attacks across multiple blockchain networks, preventing would-be losses of more than 1 billion DOT. No user funds were credited and no customers were affected, according to the exchange. The figure is notional. It reflects the size of the deposit credits attackers tried to manufacture, not a confirmed haul, but the method behind the attempt is what matters. It is a modern revival of one of the oldest exchange exploits in crypto.
The technique hinges on batch transactions: bundles in which multiple transfers are submitted as a single operation. Some blockchain virtual machines allow a batch to be partially successful, with individual sub-transfers either completing or failing independently. Attackers crafted bundles in which small transfers succeeded and a large transfer deliberately failed, then tried to trick Bybit's deposit systems — which check overall transaction status rather than each atomic step — into crediting the entire batch as complete. The on-chain reality was that no tokens had actually moved into Bybit's custody. A naïve deposit processor would not have noticed.
This is the same class of exploit that drained Mt. Gox between 2011 and 2014. Transaction malleability on the early Bitcoin network let attackers rewrite transaction IDs after broadcast, so they could claim that withdrawals had failed when the underlying coins had in fact moved. Mt. Gox never saw the difference. Roughly 850,000 BTC disappeared, the exchange collapsed, and it is still, twelve years later, working through the last of its creditor repayments. Every centralised venue that has come after it inherits the lesson, in theory.
Bybit has particular reason to be cautious. It is still recovering from the February 2025 hack in which Lazarus Group attackers drained $1.4 billion, the largest single theft in crypto history. The breach was not at the deposit layer; it targeted a cold wallet interface during a manual signing flow. But it forced the exchange to rebuild almost every piece of its operational security from the ground up. CEO Ben Zhou subsequently wrote publicly about the structural reasons exchanges are exposed to this kind of attack, arguing that the industry had under-invested in defence-in-depth. The April detection suggests the rebuild is functioning — or at least that the deposit-side layer is.
What Bybit describes is a system that decomposes every inbound transaction into its atomic operations and validates each one independently, whether the attacker is using batch calls, relayed transactions, multi-instruction flows or ownership-manipulation tricks. That is a more expensive way to run a deposit processor than the naive approach. It is also the only way to reliably catch these exploits. Attackers only need to find one system that skips the check. Exchanges need to catch all of them, all the time, across every chain they list.
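The difference between the two approaches can be shown on a constructed batch receipt. This is an added example, not Bybit's code: the `Op` schema, the function names and the deposit address are assumptions, and it assumes a failed enclosing step reverts everything nested inside it.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed model of a batch receipt; field names are assumptions,
# not any chain's real schema.
@dataclass
class Op:
    kind: str                      # "transfer" or "batch"
    ok: bool                       # execution result of this step
    to: str = ""
    amount: Decimal = Decimal(0)
    children: list = field(default_factory=list)

def naive_credit(tx: Op, deposit_addr: str) -> Decimal:
    """Flawed: trusts the top-level status and sums every transfer listed."""
    if not tx.ok:
        return Decimal(0)
    def walk(op):
        if op.kind == "transfer":
            return op.amount if op.to == deposit_addr else Decimal(0)
        return sum((walk(c) for c in op.children), Decimal(0))
    return walk(tx)

def validated_credit(op: Op, deposit_addr: str, parent_ok: bool = True) -> Decimal:
    """Credits a transfer only if it and every enclosing step succeeded."""
    ok = parent_ok and op.ok
    if op.kind == "transfer":
        good = ok and op.to == deposit_addr and op.amount > 0
        return op.amount if good else Decimal(0)
    return sum((validated_credit(c, deposit_addr, ok) for c in op.children),
               Decimal(0))

# Constructed sample: two small transfers succeed, the large one fails,
# yet the outer batch still reports success.
EXCHANGE = "deposit-addr-placeholder"
SAMPLE = Op("batch", True, children=[
    Op("transfer", True, EXCHANGE, Decimal("0.1")),
    Op("transfer", True, EXCHANGE, Decimal("0.2")),
    Op("transfer", False, EXCHANGE, Decimal("1000000")),
])

if __name__ == "__main__":
    print("naive credit:    ", naive_credit(SAMPLE, EXCHANGE))
    print("validated credit:", validated_credit(SAMPLE, EXCHANGE))
```

In production the validated total would also be reconciled against the observed balance change at the deposit address before any credit is issued.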
The wider industry is watching because fake-deposit attacks scale. They do not require a smart contract bug or a social-engineering breakthrough. They exploit an architectural assumption that was reasonable in 2016 and has become dangerous now that every major chain supports complex transaction semantics. Solana's durable nonces turned out to be the opening attackers used to drain Drift Protocol of $285 million on 1 April. Batch calls on EVM chains are the next obvious vector, and account abstraction wallets that bundle user operations through 4337 relayers add yet another layer where a sloppy integration could be manipulated. Bybit's disclosure does not name the chains it caught the attacks on, which is probably deliberate. Other exchanges should assume they are exposed to the same technique regardless.
None of this guarantees the next attempt will be caught. Risk control is asymmetric: a single missed bundle could be catastrophic. Bybit disclosing a near-miss rather than burying it is a meaningful signal. In a sector where breaches still usually get disclosed via angry Twitter threads from affected users, an exchange walking through its defence rather than its apology is unusual, and at this point overdue.