Bybit’s $1.4 Billion Hack: Laundered in 10 Days, 77% Still Traceable

North Korea’s Lazarus Group Accused of Orchestrating the Attack
Bybit suffered the largest cryptocurrency hack in history on February 21, 2025, with over $1.4 billion in Ethereum (ETH) and other ERC-20 tokens stolen from the centralized exchange. Blockchain security analysts, including Arkham Intelligence, have attributed the attack to North Korea’s notorious state-backed hacking group, Lazarus.
Within just 10 days, the hackers managed to launder the entirety of the stolen funds, leveraging decentralized protocols to obscure their trail. The scale of the operation, the laundering efficiency, and the devastating market impact have raised critical concerns about DeFi security and the increasing sophistication of state-sponsored cybercrime.
Blockchain analysis firm Lookonchain confirmed that 499,000 ETH, valued at approximately $1.04 billion at the time of the hack, was funneled through THORChain, a decentralized cross-chain swap platform that allowed the attackers to convert stolen ETH into other assets. THORChain became the primary laundering tool, facilitating 72% of the converted funds, amounting to roughly 361,255 ETH.
Additional laundering was conducted through eXch, which processed 16% (79,655 ETH) of the stolen assets and refused to cooperate with investigators, and OKX’s Web3 wallet, which handled 8% (40,233 ETH). By the end of the laundering process, 83% of the stolen ETH had been converted into Bitcoin and distributed across nearly 7,000 wallets, making recovery efforts increasingly difficult.
Investigators tracking the stolen funds reported that 77% of the assets remain traceable, though only 3% have been successfully frozen by authorities and exchanges. The remaining 20% (approximately 79,655 ETH) has completely disappeared and is untraceable.
Bybit’s CEO, Ben Zhou, confirmed on March 4, 2025, that $280 million of the stolen funds had already “gone dark,” making them irretrievable. Despite the magnitude of the loss, Bybit replaced the entire $1.4 billion in stolen ETH within three days of the attack, ensuring that user funds remained unaffected.

The laundering operation provided THORChain with an unprecedented surge in transaction volume, drawing widespread criticism from the crypto community. In the days following the hack, the platform generated $5.5 million in transaction fees and facilitated a staggering $5.4 billion in total swap volume. The protocol recorded its highest single-day trading volume, surpassing $1 billion in swaps in just 24 hours.
However, THORChain’s decision not to block stolen funds led to backlash, with a core developer resigning in protest. Crypto analyst Yogi openly criticized the platform, stating that it had effectively enabled North Korea to launder $605 million, highlighting the ongoing debate over DeFi’s role in financial crime.
Bybit has launched an aggressive bounty program, offering up to $140 million for information leading to fund recovery. So far, the exchange has paid out $2.17 million to 11 bounty hunters, including prominent blockchain investigator ZachXBT. The rapid laundering process has also drawn attention from analytics firms such as Nansen and Arkham Intelligence.
Nansen reported that the hackers had fully drained their wallets within 10 days, reducing their balance from $1.4 billion to just $1,429. Arkham observed the attackers executing transactions with military-like precision, moving funds at a rate of two to three transactions per minute in controlled 45-minute cycles, followed by 15-minute breaks. Analysts speculate that Lazarus may have either automated the process or assigned lower-level operatives to carry out manual transactions.
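
The work/break rhythm Arkham describes can be checked mechanically against the outgoing-transaction timestamps of a wallet cluster. The sketch below is an added example, not code from Arkham, Nansen or Bybit; the tolerance windows, function names and sample timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Burst:
    start: int        # first transaction timestamp (UNIX seconds)
    end: int          # last transaction timestamp
    count: int        # transactions inside the burst
    pause_after: int  # seconds until the next burst; 0 for the final burst

    @property
    def minutes(self) -> float:
        return (self.end - self.start) / 60

    @property
    def rate(self) -> float:  # transactions per minute
        return self.count / max(self.minutes, 1.0)

def split_bursts(timestamps, min_gap=300):
    """Group timestamps into bursts separated by gaps of >= min_gap seconds."""
    ts = sorted(timestamps)
    if not ts:
        return []
    bursts, start, prev, count = [], ts[0], ts[0], 1
    for t in ts[1:]:
        if t - prev >= min_gap:
            bursts.append(Burst(start, prev, count, t - prev))
            start, count = t, 0
        count += 1
        prev = t
    bursts.append(Burst(start, prev, count, 0))
    return bursts

def matches_cadence(bursts, active=(40, 50), pause=(10, 20),
                    rate=(2.0, 3.0), min_cycles=3):
    """True if >= min_cycles bursts fit the reported rhythm (assumed tolerances)."""
    hits = [b for b in bursts
            if active[0] <= b.minutes <= active[1]
            and rate[0] <= b.rate <= rate[1]
            and (b.pause_after == 0
                 or pause[0] <= b.pause_after / 60 <= pause[1])]
    return len(hits) >= min_cycles

# Constructed sample data, not real chain data.
T0 = 1_740_000_000
SAMPLE_CYCLED = [T0 + c * 3600 + k * 24 for c in range(4) for k in range(113)]
SAMPLE_STEADY = [T0 + k * 24 for k in range(600)]  # same rate, no breaks
```

A cluster that sends at the same rate without the regular breaks, like the steady sample, does not match, which is what separates this cadence from an ordinary high-volume hot wallet.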

Ethereum’s price took a major hit during the laundering period, dropping 13% from $2,526 to $2,030 as the mass liquidation of stolen ETH created downward pressure on the market. This attack has reignited debates about DeFi governance and whether decentralized protocols should implement compliance measures such as address blacklisting to prevent large-scale money laundering.

Some industry leaders argue that DeFi’s permissionless nature is a core principle that should remain untouched, while others advocate for security enhancements to prevent similar incidents. Michael Pearl, VP of Cyvers, suggested implementing off-chain transaction validation as a potential solution, claiming it could prevent 99% of crypto hacks and scams.
Bybit’s record-breaking hack has underscored the vulnerabilities of centralized exchanges and the challenges of tracking stolen funds in the DeFi ecosystem. As investigators continue their efforts to trace and recover assets, the incident raises fundamental questions about the balance between financial privacy and security in the evolving crypto landscape.
This article has been refined and enhanced by ChatGPT.