TLDR
- Bybit exchange suffered a $1.4 billion hack in February 2025, with North Korea’s Lazarus Group reportedly laundering all 499,000 ETH within 10 days
- THORChain was the primary platform used for laundering, processing $605 million in 24 hours and collecting $5.5 million in fees during the process
- 20% ($280 million) of stolen funds have “gone dark,” while 77% remain traceable and 3% have been frozen
- Hackers converted 83% of funds to Bitcoin, spreading it across 6,954 wallets
- Bybit launched Lazarusbounty.com and has paid $2.17 million to 11 bounty hunters for helping recover funds
The cryptocurrency exchange Bybit has confirmed that hackers stole $1.4 billion worth of digital assets in February 2025. The theft involved approximately 499,000 Ethereum tokens.
North Korea’s Lazarus Group reportedly orchestrated the attack. The group managed to launder the entire amount within just 10 days of the theft.
Bybit CEO Ben Zhou provided details about the current status of the stolen funds. According to Zhou, 77% of the assets remain traceable, while 20% have “gone dark” and become untraceable.
3.4.25 Executive Summary on Hacked Funds:
Total hacked funds of USD 1.4bn around 500k ETH, 77% are still traceable, 20% has gone dark, 3% have been frozen.
Breakdown:
– 83% (417,348 ETH, ~$1B) have been converted into BTC with 6,954 wallets (Average 1.71 btc each) . This and…— Ben Zhou (@benbybit) March 4, 2025
The hackers primarily used THORChain, a decentralized cross-chain liquidity protocol, to convert the stolen Ethereum to Bitcoin. THORChain processed $605 million in transactions during a single 24-hour period.
The platform collected $5.5 billion in transaction volume during the laundering process. THORChain earned $5.5 million in fees from these transactions.
Tracking The Billions
THORChain faced criticism from the cryptocurrency community for its role in the laundering operation. A core contributor named Pluto resigned after other validators rejected a proposal to halt Ethereum transactions.
The hackers converted 83% of the stolen funds into Bitcoin. They distributed these assets across 6,954 different cryptocurrency wallets.
THORChain processed 72% of the laundered funds, equivalent to $900 million. The remaining funds moved through other platforms.
About 16% of the assets became untraceable after passing through ExCH. The OKX Web3 Proxy handled another 8% of the stolen funds, worth approximately $100 million.
Investigators have managed to freeze 3% of the stolen assets. This amounts to roughly $42 million in recovered funds.
Bybit launched a website called Lazarusbounty.com to track the stolen funds. The platform offers rewards to exchanges that help recover the assets.
The exchange has paid $2.17 million in bounties to 11 different individuals or groups. Mantle, Paraswap, and ZachXBT rank among the top contributors to the recovery effort.
Blockchain analytics firm Elliptic identified more than 11,000 wallets connected to the Bybit hackers. This information helps track the movement of stolen funds.
Thx to the @elliptic team for putting up a real time bybit exploit data, really appreciate the effort and work put into helping us. https://t.co/bmFZJ0Hn3y
— Ben Zhou (@benbybit) February 26, 2025
Bybit hired Web3 security firm ZeroShadow for blockchain forensics on February 25. The company focuses on tracing and freezing the stolen assets.
Zhou stated that investigators could potentially recover $65 million in Ethereum with support from the OKX Wallet team. The next two weeks remain critical for freezing additional funds before potential cashouts.
