Bybit explicitly bans US residents from its platform, including all California users. Creating or using a Bybit account from California violates the platform's Terms of Service. You will have zero legal recourse under US or California law if funds are lost or access is denied. Do not use Bybit. See our recommended alternatives below.
Executive Summary
Bybit is one of the largest cryptocurrency derivatives and spot exchanges in the world by trading volume, consistently ranking among the top five globally. Founded in 2018 and headquartered in Dubai, UAE, the platform serves tens of millions of users across more than 160 countries. It is known for its advanced perpetual futures trading, deep liquidity, and a polished trading terminal that rivals any professional platform.
For California residents, however, none of that matters. Bybit does not accept US residents. The platform enforces geo-blocking and IP detection to prevent American users from registering or trading. Attempting to access Bybit via a VPN or proxy is a direct violation of its Terms of Service and, depending on the method used, may raise additional legal concerns under US financial regulations. There is no gray area here: if you live in California, Bybit is not a legal or safe option for you.
This review covers Bybit's global platform in detail — its fee structure, security history (including the catastrophic February 2025 hack), and technical capabilities — so you can understand what you are missing and why the legal alternatives available to California residents are worth your attention instead.
Regulatory Compliance for California Residents
Bybit holds no US financial licenses. It is not registered with FinCEN as a Money Services Business, holds no BitLicense from the New York Department of Financial Services, and has made no application for a California DFAL (Digital Financial Assets Law) license. The platform does not comply with US Bank Secrecy Act requirements, does not file Suspicious Activity Reports, and does not perform OFAC screening to the standard required of US-facing exchanges.
In 2023, Bybit issued explicit notices to US users requiring them to close accounts and withdraw funds. The company has since implemented IP-based and document-based blocking that prevents US residents from completing KYC. Attempting to circumvent these restrictions using a VPN to establish a Bybit account constitutes wire fraud exposure and a ToS violation simultaneously — meaning that if your account is suspended or your funds are frozen, you have no legal standing to pursue recovery under US consumer protection law, CFPB jurisdiction, or California's Department of Financial Protection and Innovation (DFPI) oversight.
The DFPI has not taken action against Bybit specifically, but this is only because the platform does not operate in California at all. Any California resident who loses funds on Bybit has no regulator to complain to and no court with clear jurisdiction to adjudicate their claim against a Dubai-registered entity that was never supposed to serve them.
In February 2025, Bybit suffered the largest cryptocurrency exchange hack in history. North Korea's Lazarus Group stole approximately $1.46 billion in Ethereum from Bybit's cold storage. The attack exploited a sophisticated manipulation of the Safe{Wallet} multi-signature wallet interface — attackers compromised the front-end signing environment used by Bybit's operations team, causing signatories to unknowingly approve a malicious transaction that drained the cold wallet. Bybit responded quickly, sourced emergency funds through bridge loans and institutional partners, and compensated affected users. However, the event permanently altered the risk calculus for any institution or individual considering Bybit — and underscored why California users should only hold assets on regulated, insured domestic exchanges.
Security Infrastructure
Prior to February 2025, Bybit was widely regarded as having industry-leading security. The platform used Multi-Party Computation (MPC) cold storage, meaning that private keys were never held in a single location and required threshold signatures from geographically distributed key shards before any withdrawal could be authorized. Bybit maintained a proof-of-reserves system and published regular attestations from third-party auditors confirming that user assets were fully backed.
The February 2025 Lazarus Group hack exposed the limits of even sophisticated MPC architectures when the attack vector is the human interface layer rather than the cryptographic layer. Lazarus operatives compromised the Safe{Wallet} web application used by Bybit's operations team to interact with their Gnosis Safe multi-sig cold wallet. By poisoning the JavaScript served to Bybit's signing terminals, attackers caused the legitimate key holders to see a normal-looking transaction while actually signing a malicious payload that transferred ownership of the entire cold wallet to an attacker-controlled address. The theft totaled approximately 401,000 ETH — worth roughly $1.46 billion at the time — making it the largest single theft in the history of cryptocurrency.
Bybit's response was swift by industry standards. The CEO Ben Zhou communicated transparently within hours. The exchange secured $400 million in emergency bridge loans from institutional partners, obtained additional ETH through OTC purchases and exchange borrowing, and maintained 1:1 solvency within days. All affected users were compensated. Bybit also published a detailed post-mortem and partnered with blockchain analytics firms to trace and freeze stolen assets, resulting in some recovery.
Nevertheless, the hack demonstrated that no offshore exchange — regardless of its technical reputation — is immune to nation-state-level attacks. For California users considering overseas platforms: domestic regulated exchanges like Coinbase carry FDIC-insured USD balances, mandatory proof-of-reserves audits under DFAL, and clear legal recourse if security failures occur.
Fee Microstructure
Bybit's fees are competitive globally, particularly for derivatives traders. The table below compares global rates for context — note that Bybit's rates are academic for California residents who cannot legally use the platform.
| Exchange | Spot Maker | Spot Taker | Perp Maker | Perp Taker | CA Available? |
|---|---|---|---|---|---|
| Bybit | 0.10% | 0.10% | 0.02% | 0.055% | No |
| Binance.US | 0.10% | 0.10% | N/A | N/A | Limited |
| CEX.IO | 0.10% | 0.25% | N/A | N/A | Yes |
| Kraken | 0.16% | 0.26% | 0.02% | 0.05% | Yes |
| Coinbase Advanced | 0.06% | 0.18% | N/A | N/A | Yes |
Bybit's perpetuals fees — 0.02% maker / 0.055% taker — are among the lowest in the derivatives market globally. Its spot fees are standard at 0.10% both ways, with volume-based tiering available for institutional accounts. The platform also runs a native BIT token discount scheme. Again, these rates are purely informational for California readers: you cannot access them legally.
Asset Depth and Liquidity
Globally, Bybit consistently ranks in the top three to five exchanges by 24-hour spot and derivatives volume. As of 2026, the platform lists over 500 spot trading pairs and supports hundreds of perpetual futures contracts with tight spreads and deep order books. BTC/USDT and ETH/USDT order books on Bybit regularly show millions of dollars of depth within 0.1% of the mid-price, making it suitable for institutional-sized trades with minimal slippage.
The platform's matching engine processes millions of orders per second with sub-millisecond latency, and the derivatives book in particular benefits from market-maker agreements with major algorithmic trading firms. For altcoin trading, Bybit offers early listings of new tokens and a robust launchpad program that gives users access to token sales before open market listing. Liquidity in long-tail altcoin pairs varies, as it does on all major exchanges.
For comparison, Coinbase Advanced and Kraken — both fully compliant with California law — offer deep liquidity in the top 50–100 assets. CEX.IO covers 200+ pairs with strong USD on/off-ramp infrastructure. While these platforms may not match Bybit's raw altcoin breadth globally, they offer the legal protections and regulatory standing that offshore platforms cannot.
Platform UX and API
Bybit's trading terminal is considered one of the most polished in the industry. The web interface supports customizable chart layouts, multi-order types (limit, market, conditional, TP/SL), and an integrated TradingView charting suite. The mobile application mirrors the full feature set of the desktop experience with minimal compromise.
Advanced features include a grid trading bot, an AI-assisted DCA bot, and a spot-margin lending interface. Bybit's API ecosystem is extensive: the platform supports both REST and WebSocket APIs, offers a FIX API for institutional clients requiring ultra-low-latency order routing, and provides comprehensive Python and JavaScript SDKs with active community documentation.
The platform also runs Bybit Earn, a yield-generation product suite covering flexible savings, fixed-term staking, and liquidity mining. These features, while compelling for global users, are inaccessible to California residents and are noted here only for completeness.
Customer Support
Bybit offers 24/7 live chat support for verified global users, a comprehensive help center, and a responsive social media support presence. Response times for live chat are generally fast by industry standards. However, none of this is relevant for California residents: if you somehow access Bybit in violation of its ToS and encounter a problem — account freeze, withdrawal block, or a dispute — you have no support escalation path with US consumer protection implications. Bybit's support team is not bound by CFPB requirements or California's DFPI complaint resolution procedures. Your dispute would be governed, if at all, by the terms of a platform that told you not to be there in the first place.
Global Strengths
- Top 5 exchange by global volume
- 500+ spot and derivatives markets
- Industry-leading 0.02% perpetuals maker fee
- Sub-millisecond matching engine
- FIX API for institutional trading
- Grid and DCA trading bots
- Compensated users fully after 2025 hack
Critical Drawbacks
- Explicitly banned for US and California residents
- No US licenses or regulatory compliance
- Suffered $1.46B hack — largest in crypto history
- VPN access = ToS violation, zero legal recourse
- No DFPI oversight, no CFPB protection
- Dubai-registered — difficult to pursue legally
- No FDIC insurance on USD balances
Verdict: Not Recommended for California Residents
Bybit is a technically impressive exchange with world-class derivatives infrastructure and genuine global liquidity. If you lived outside the United States, it might be a compelling choice. But you do not. You live in California — a jurisdiction where Bybit is explicitly banned, unregulated, and unprotected.
The February 2025 Lazarus Group hack, which resulted in $1.46 billion in ETH being stolen from Bybit's cold storage, is not merely a historical footnote. It is a present-day reminder that even the most sophisticated offshore platforms operate in a fundamentally different risk environment than domestically regulated exchanges. Bybit compensated its users after the hack, but they were not required to — and next time, under different circumstances, they may not.
California residents have strong alternatives. CEX.IO is fully licensed under California's DFAL framework, carries 200+ assets, and has a strong institutional track record. Kraken is a San Francisco-founded exchange with deep liquidity and regulatory standing across all 50 states. Coinbase remains the most regulated and FDIC-insured option for USD balances. Use one of these — not Bybit.