Bybit says AI-driven risk system intercepted $300M in risky withdrawals in Q4 2025


Bybit said an AI-powered monitoring system blocked more than $300 million in suspected fraudulent withdrawals in Q4 2025, while flagging roughly $500 million in suspicious transactions overall. The company is positioning this as a shift from “detect after the fact” to “stop it before funds leave,” which is the difference between incident response and loss prevention. It also fits the broader direction exchanges are moving toward: real-time controls that act like a risk engine, not just a reporting dashboard.

Bybit described the program as a combined machine-learning and human-review operation aimed at interrupting flows to addresses linked to impersonation scams, mixers, and cross-chain bridges before withdrawals complete. That framing matters because it treats scam prevention as an execution-layer problem, not just a compliance-policy problem.

How the control system is designed to intervene

Bybit says the architecture runs as a three-tier risk framework that applies escalating actions based on anomaly scores and contextual signals. Low-risk alerts trigger automated checks and address blacklisting, medium-risk cases prompt real-time user verification, and high-risk detections lead to immediate withdrawal blocks and enforced cooling-off periods. This is the core design choice: intervene proportionally rather than blanket-freezing everything, so the system can act fast without turning the platform unusable for legitimate users.

The exchange also reported it identified 350 high-risk addresses and said around 8,000 users were protected from potential loss during the period. These numbers are useful as directional signals, but they don’t, on their own, prove effectiveness without error-rate visibility.

What the models look at and why human review still matters

Bybit said the detection layer combines behavioral pattern analysis with anomaly detection calibrated to catch large or unusual transfers, new recipient addresses, and withdrawals that route through mixers or cross-chain bridges. In practice, those are the common “breakpoints” where scams and laundering attempts become visible: sudden changes in behavior, unfamiliar destinations, and high-risk routing patterns.
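A sketch of how the reported signals could feed the three-tier escalation, as an added example that is not Bybit's code and not part of the announcement. The weights, thresholds, address labels and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed labels standing in for an external intelligence feed (assumption).
LABELLED = {"addr_mixer_1": "mixer", "addr_bridge_1": "bridge"}
# Illustrative weights and tier thresholds in points (assumptions, not Bybit's values).
W_AMOUNT, W_NEW_DEST, W_LABELLED = 40, 20, 50
MEDIUM, HIGH = 40, 70

@dataclass
class Withdrawal:
    dest: str
    amount: float

def amount_zscore(amount, history):
    """Standard deviations by which amount exceeds the user's past withdrawals."""
    if len(history) < 2:
        return 0.0  # too little history to call anything unusual
    sd = pstdev(history) or 1.0  # flat history: avoid division by zero
    return (amount - mean(history)) / sd

def score(w, history, known_dests):
    """Return (points, signals) for one withdrawal request."""
    points, signals = 0, []
    if amount_zscore(w.amount, history) > 3:
        points += W_AMOUNT
        signals.append("unusual_amount")
    if w.dest not in known_dests:
        points += W_NEW_DEST
        signals.append("new_recipient")
    if w.dest in LABELLED:
        points += W_LABELLED
        signals.append(LABELLED[w.dest])
    return points, signals

def triage(w, history, known_dests):
    """Map the score to the proportional action for its tier."""
    points, signals = score(w, history, known_dests)
    if points >= HIGH:
        action = "block_and_cooling_off"
    elif points >= MEDIUM:
        action = "verify_user"
    elif points > 0:
        action = "automated_checks"
    else:
        action = "allow"
    return action, signals
```

Returning the contributing signals alongside the action gives a human reviewer the reason for each escalation, which is also what an appeal or audit process would need.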

The company says in-house models are supported by a dedicated risk control team and supplemented with external intelligence feeds from TRM Labs, Elliptic, and Chainalysis. That hybrid approach is important because pure automation tends to struggle at the edges—complex laundering paths and borderline legitimate behavior often look similar until you add context. Human adjudication and third-party intel help reduce the risk of both missed fraud and unnecessary user friction.

Bybit also contextualized the Q4 numbers against industry estimates of $17 billion in scam and fraud losses in 2025 and referenced its own February 2025 security incident, presenting this as a strategic response to both market-wide pressure and its internal risk history. The narrative is essentially: threat levels are rising, so the control surface has to move closer to the moment of execution.

The trade-off: asset safety versus user friction

Even if the system is working as intended, it creates a real operational tension. The stricter the intervention rules, the more you reduce fraud outflows—but the more you risk false positives that frustrate legitimate users and increase support burden. Bybit’s “automated triage + human escalation” design tries to balance that, but the company did not provide detailed false-positive rates or case-level outcomes in the announcement.

That missing detail is the key diligence gap for institutions and regulators. Blocked value and flagged value are only half the story; error rates, appeal outcomes, and resolution time are what determine whether controls are both effective and sustainable. If exchanges begin standardizing on AI-led withdrawal controls, disclosure quality will become a competitive and supervisory differentiator.

Regulators and counterparties will increasingly expect not just that controls exist, but that detection performance and error-handling processes are measurable, auditable, and consistently applied. Over time, the exchanges that can prove both strong prevention and manageable friction will set the benchmark for “institutional-grade” platform operations.
