Bybit Hack 1-Year Later: Can You Finally Deduct Your Stolen Crypto? (2026 Tax Guide)
A year ago today — February 21, 2025 — North Korea's Lazarus Group executed the largest cryptocurrency heist in history. In a single afternoon, approximately $1.5 billion in Ethereum vanished from Bybit's cold storage wallets. By the time Bybit CEO Ben Zhou confirmed the breach on X, the stolen ETH was already being laundered through mixers and peer-to-peer vendors across three continents.
Last week, a client walked into my office with a Bybit account statement, a police report, and a question I have heard from dozens of investors over the past twelve months: "I lost everything. Can I at least get a tax deduction?"
The answer in 2025 was complicated. The answer in 2026 is still complicated — but for different reasons. On July 4, 2025, President Trump signed the One Big Beautiful Bill Act (OBBBA), which permanently changed the rules for casualty and theft loss deductions. Some doors that were about to reopen under the TCJA sunset slammed shut again. But one critical door stayed wide open — and most crypto investors do not know it exists.
This guide breaks down exactly what changed, who qualifies for a deduction, which IRS form to use, and the evidence you need to survive an audit. Whether you lost crypto in the Bybit hack, a DeFi exploit, a rug pull, or a phishing attack, the framework is the same.
Table of Contents
- Quick Facts: Bybit Hack by the Numbers
- What OBBBA Changed — and What It Didn't
- 3 Deduction Paths for Stolen or Worthless Crypto
- Bybit Victims: Your 6-Step Tax Action Plan
- IRS CCM 202511015: What the IRS Actually Said
- Evidence Checklist: 7 Documents You Must Have
- What You Cannot Deduct (Don't Make These Mistakes)
- Software Comparison: Theft & Loss Tracking
- FAQ
- Related Guides
Quick Facts: Bybit Hack by the Numbers
Bybit Hack — February 21, 2025
| Metric | Detail |
|---|---|
| Amount Stolen | ≈ $1.5 billion in ETH (Elliptic) |
| Attacker | Lazarus Group (North Korea) — confirmed by FBI |
| Recovery Status | 88.87% traceable; ≈ 28% "gone dark" via mixers (CoinDesk) |
| Exchange Response | Reserves replenished within 72 hours via emergency loans + whale deposits (CNBC) |
| 2025 Total Crypto Theft | $3.4 billion — Bybit alone was 44% of total (Chainalysis) |
| Relevant Tax Law | IRC §165(c)(2), Form 4684 Section B, OBBBA §165(h) |
| IRS Guidance | CCM 202511015 (March 2025) |
What OBBBA Changed — and What It Didn't
To understand who can deduct stolen crypto in 2026, you need to understand the legal timeline. From 2018 through 2025, the Tax Cuts and Jobs Act (TCJA) restricted personal casualty and theft loss deductions to losses arising from federally declared disasters only. Crypto theft did not qualify — period. Many investors expected this restriction to expire on December 31, 2025, reopening the door for all theft losses.
That did not happen. The One Big Beautiful Bill Act, signed into law on July 4, 2025, made the personal casualty and theft loss limitation permanent. Starting with tax years beginning after December 31, 2025, personal casualty losses are deductible only if they result from a federally or state-declared disaster. OBBBA expanded the definition to include state-declared disasters, but the core restriction remains.
Here is the critical exception that most articles miss: theft losses from transactions entered into for profit were never restricted by the TCJA or OBBBA. They remain fully deductible under IRC §165(c)(2). If you bought cryptocurrency as an investment — which covers the vast majority of retail holders — your theft loss is deductible regardless of whether a disaster was declared. The 2025 Form 4684 instructions explicitly confirm this: "Theft losses incurred in a transaction entered into for profit may still be deductible."
| Loss Type | 2018–2025 (TCJA) | 2026+ (OBBBA) | Deductible? |
|---|---|---|---|
| Personal theft (romance scam, personal phishing) | Non-deductible (unless federal disaster) | Non-deductible (unless federal/state disaster) | NO |
| Profit-motivated theft (exchange hack, investment scam) | Deductible under §165(c)(2) | Deductible under §165(c)(2) | YES |
| Business theft (trade or business) | Deductible under §165(c)(1) | Deductible under §165(c)(1) | YES |
| Worthless/abandoned crypto (investment) | Miscellaneous itemized — suspended | Abandonment via Form 4797 if proven worthless | YES (if proven) |
3 Deduction Paths for Stolen or Worthless Crypto
Not all crypto losses follow the same tax path. The IRS treats stolen crypto, sold-at-a-loss crypto, and worthless crypto under three entirely different code sections with different forms, different caps, and different outcomes. Choosing the wrong path means either leaving money on the table or triggering an audit.
Path 1: Theft Loss — Form 4684, Section B
This is the primary path for Bybit hack victims, exchange hack victims, and investors who lost crypto to fraud schemes where a profit motive existed. Under IRC §165(c)(2), your theft loss deduction equals your adjusted cost basis in the stolen assets minus any reimbursement received or expected. The loss is classified as an ordinary loss — not a capital loss — which means there is no $3,000 annual cap against ordinary income. If you lost $50,000 in cost basis, you deduct $50,000 in the year of discovery (the year you determine no recovery is possible).
You report the loss on Form 4684, Section B (Business and Income-Producing Property), Part I. The deductible amount flows to Schedule A, line 16 as "Other itemized deductions." This means you must itemize your deductions to benefit — if the standard deduction exceeds your total itemized deductions, the theft loss effectively provides no tax benefit.
Path 2: Capital Loss — Form 8949 + Schedule D
If you still have access to your crypto but it has crashed in value, you cannot claim a theft loss. Instead, you must actually sell or exchange the asset to generate a capital loss. This is the standard tax-loss harvesting path that applies to market downturns like the current Bitcoin decline below $67,000. You sell the depreciated crypto, report the loss on Form 8949, and the totals flow to Schedule D. Capital losses offset capital gains dollar-for-dollar, with up to $3,000 per year deductible against ordinary income. Unused losses carry forward indefinitely.
This path is also available for stolen crypto if you want to avoid the complexity of the theft loss path. For example, if a small amount of crypto was stolen and the itemization requirement of Form 4684 does not benefit you, you could instead sell a negligible claim or token for $0 on an exchange that still supports it, and report the result as a capital loss on Form 8949. However, this converts what would be an unlimited ordinary loss into a capped capital loss — so the math only favors this approach for small amounts.
Path 3: Abandonment — Form 4797, Line 10
This path applies to crypto that is completely worthless — rug-pulled tokens, coins on abandoned blockchains, or assets permanently locked in wallets with lost private keys. Under Reg. 1.165-2, you can claim an abandonment loss if all four conditions are met: you invested with profit motive, the crypto lost its value, it is non-depreciable property, and you permanently discarded it (such as sending tokens to a burn address). The loss is reported on Form 4797, line 10 as an ordinary loss — no $3,000 cap.
The critical requirement is complete worthlessness. If the token still trades on any exchange — even at $0.0001 — it is not worthless in the eyes of the IRS. You must document that zero market value exists and that you took an affirmative act of abandonment.
| Factor | Theft Loss (4684) | Capital Loss (8949) | Abandonment (4797) |
|---|---|---|---|
| Trigger | Criminal taking of property | Sale or exchange at a loss | Complete worthlessness + affirmative discard |
| Loss Type | Ordinary | Capital | Ordinary |
| Annual Cap vs. Ordinary Income | None | $3,000 | None |
| Deduction = | Adjusted basis − recovery | Proceeds − adjusted basis | Adjusted basis (full) |
| Requires Itemization? | Yes (Sch. A) | No (Sch. D) | No (Form 4797 → Sch. 1) |
| Requires Proof of Crime? | Yes | No | No |
| Requires Proof of Worthlessness? | No | No | Yes |
| Best For | Exchange hacks, scams | Market losses, small thefts | Rug pulls, lost keys, dead chains |
Bybit Victims: Your 6-Step Tax Action Plan
If you had assets on Bybit at the time of the February 21, 2025 hack, this section applies directly to you. Even if Bybit replenished its reserves and your account balance was restored, the tax treatment depends on what actually happened to your specific holdings.
IRS CCM 202511015: What the IRS Actually Said
In March 2025, the IRS Office of Chief Counsel issued Chief Counsel Advice Memorandum 202511015, analyzing five fact patterns involving crypto theft and scam losses. While Chief Counsel Advice is not binding legal authority (unlike Revenue Rulings or Treasury Regulations), it signals the IRS's likely audit position and is the closest thing to official guidance we have for crypto theft losses.
What qualified as deductible theft loss:
Three of the five fact patterns involved "pig butchering" investment scams — schemes where the taxpayer believed they were investing in a legitimate cryptocurrency platform promising returns. The IRS concluded these qualified as theft losses under IRC §165(c)(2) because all three conditions were met: the scammers committed criminal fraud under state law, the taxpayers transferred funds with profit motive (not personal reasons), and the losses were fixed with no reasonable prospect of recovery. This is directly analogous to exchange hack losses where an investor held crypto for investment returns.
What did NOT qualify:
Two patterns involved personal scams — a romance scheme and a kidnapping extortion scheme. The IRS ruled these did not qualify under the profit-motivated exception because the taxpayers were not engaged in profit-seeking activity when they sent the funds. Under OBBBA, these personal theft losses remain permanently non-deductible (unless connected to a declared disaster, which a scam is not).
What this means for Bybit victims:
If you held crypto on Bybit as an investment — which covers virtually all retail users on the platform — your loss falls squarely into the deductible category confirmed by CCM 202511015. The Lazarus Group committed criminal fraud, you held the assets for profit, and recovery prospects are minimal. The memo reinforces that the profit-motive exception under §165(c)(2) remains fully intact under OBBBA.
Evidence Checklist: 7 Documents You Must Have
The burden of proof lies entirely with the taxpayer. Without contemporaneous documentation, the IRS will deny your theft loss claim at examination. For the Bybit hack specifically, here is the minimum evidence you need:
| # | Document | Why It Matters | Where to Get It |
|---|---|---|---|
| 1 | Police report or FBI IC3 filing | Proves criminal activity occurred under state/federal law | ic3.gov + local police |
| 2 | Blockchain transaction hashes | Proves your specific assets were transferred without authorization | Etherscan — search your wallet address |
| 3 | Exchange correspondence & freezing notices | Confirms the exchange acknowledged the breach and your affected status | Bybit support emails, in-app notifications, official announcements |
| 4 | Original purchase records (cost basis) | Establishes the deductible amount — IRS assumes $0 basis if you can't prove it | Purchase exchange (Coinbase, Kraken, etc.), bank statements, transfer records |
| 5 | Communication logs with platform | Documents your recovery attempts and the platform's response | Email, chat transcripts, support ticket history |
| 6 | Legal opinion letter (if loss > $100K) | Provides professional analysis that your claim qualifies under §165(c)(2) | Crypto-experienced tax attorney |
| 7 | Form 4684 Section B (completed) | The actual IRS form reporting the loss | IRS.gov Form 4684 |
What You Cannot Deduct (Don't Make These Mistakes)
Understanding what is not deductible is as important as knowing what is. Filing an improper deduction for crypto losses does not just result in a denied claim — it can trigger penalties up to 75% of the underpayment if the IRS classifies it as fraud. Here are the most common mistakes:
Mistake 1: Deducting unrealized losses on crypto you still hold
If your portfolio dropped from $100,000 to $20,000 but you did not sell, you have no deductible loss. The IRS requires a realization event — a sale, exchange, abandonment, or theft. Holding a depreciated asset is not a tax event. You must sell to generate a capital loss or prove worthlessness for an abandonment loss.
Mistake 2: Claiming personal theft losses in 2026
If you sent crypto to a romance scammer, fell for a fake giveaway, or were phished while holding tokens for personal use (not investment), the loss is permanently non-deductible under OBBBA's §165(h) unless connected to a declared disaster. No amount of documentation changes this — the law requires profit motive.
Mistake 3: Double-dipping on reimbursed losses
If Bybit restored your account balance after the hack, your loss has been reimbursed. You cannot claim a theft loss for assets that were replaced. The deduction is reduced dollar-for-dollar by any reimbursement received or reasonably expected. If you deduct the loss and later receive reimbursement, you must include the recovery in income in the year received.
Mistake 4: Claiming worthlessness too early
With abandonment losses returning for crypto, some investors rush to claim tokens as worthless when they still trade — even at fractions of a cent. The IRS strictly interprets "worthless" as zero residual market value. If even one exchange lists the token with a bid price, it is not worthless. Wait until no market exists, or sell the token for $0.01 and take the capital loss instead.
Mistake 5: Using the Ponzi safe harbor for exchange hacks
Rev. Proc. 2009-20 provides a streamlined deduction method for Ponzi scheme victims, but it requires the scheme's operator to be formally charged by indictment. The Bybit hack was a state-sponsored cyberattack, not a Ponzi scheme. Using the wrong safe harbor will result in a rejected filing. Use the standard theft loss rules under §165(c)(2) instead.
Software Comparison: Theft & Loss Tracking
Tracking stolen or worthless crypto for tax purposes requires software that can handle non-standard dispositions — not just sales and trades. Here is how the major crypto tax platforms compare for theft and loss scenarios, which is particularly relevant for Bybit hack victims needing to generate Form 4684 or classify assets as stolen within their portfolio tracking:
| Feature | CoinLedger | Koinly | CoinTracker |
|---|---|---|---|
| Mark asset as "Stolen" | Yes — manual tag | Yes — "Lost/Stolen" label | Yes — custom classification |
| Mark asset as "Lost" (keys) | Yes | Yes | Yes |
| Mark asset as "Worthless" | Manual (set proceeds to $0) | Yes — send to null address | Manual (edit proceeds to $0) |
| Auto-generates Form 4684 | No — manual filing | No — manual filing | No — manual filing |
| Generates Form 8949 | Yes | Yes | Yes |
| Bybit integration | Yes (API + CSV) | Yes (API + CSV) | Yes (API + CSV) |
| Cost basis tracking across exchanges | Yes — universal, per-wallet, specific ID | Yes — FIFO, LIFO, HIFO, ACB | Yes — FIFO, LIFO, HIFO, spec ID |
| Pricing (basic tier) | From $49/year | From $49/year | From $59/year |
