North Korean Hackers Converted 84% of Stolen Bybit ETH to Bitcoin

TLDR

  • $1.4 billion was stolen from Bybit in February by North Korea’s Lazarus Group
  • 68.6% of stolen funds remain traceable, 27.6% have “gone dark,” and 3.8% have been frozen
  • Hackers used the Wasabi mixer and converted 84% of stolen ETH to Bitcoin via THORChain
  • Stolen funds were distributed across thousands of wallets through multiple cross-chain swaps
  • Bybit has paid $2.3 million in bounties to 12 hunters tracking stolen funds

Bybit CEO Ben Zhou revealed that more than two-thirds of the $1.4 billion in cryptocurrency stolen from the exchange in February remains traceable. The hack, attributed to North Korea’s Lazarus Group, is the largest crypto exchange breach in history.

Zhou shared details in an executive summary posted on April 21. Of the stolen funds, 68.6% remain traceable, while 27.6% have “gone dark” and 3.8% have been frozen.

The Lazarus Group exploited vulnerabilities in Bybit’s cold wallet infrastructure earlier this year. The hackers gained control of a specific ETH cold wallet and transferred all funds to an unidentified address.

Tracking the Money Trail

The hackers laundered much of the stolen cryptocurrency through various mixing services. Zhou noted that Wasabi was the primary mixer used by the hackers.

“Recently, we have observed that the mixer mainly used by the DPRK is Wasabi,” Zhou stated. After mixing the Bitcoin, “a small portion of it entered CryptoMixer, Tornado Cash, and Railgun.”

Approximately 944 Bitcoin (worth around $90 million) went through the Wasabi mixer. The hackers then carried out multiple cross-chain swaps through platforms like THORChain, eXch, Lombard, LI.FI, Stargate, and SunSwap.

About 432,748 Ether (ETH), worth $1.21 billion and representing 84% of the total stolen funds, was transferred from Ethereum to Bitcoin via THORChain. Around two-thirds of that amount – approximately $960 million worth of Ether – was converted into 10,003 BTC spread across 35,772 wallets.

Zhou reported that roughly $17 million worth of Ether remains on the Ethereum blockchain, distributed across 12,490 wallets.

Bounty Hunters Join the Chase

In response to the hack, Bybit launched the Lazarus Bounty program, offering $140 million in rewards for information leading to frozen funds. To date, the exchange has paid out $2.3 million to 12 bounty hunters.

Most of this reward money went to one entity, the Mantle layer-2 platform, whose efforts resulted in $42 million worth of frozen funds.

“We welcome more reports, we need more bounty hunters that can decode mixers, as we need a lot of help there down the road,” Zhou said.

The exchange reported receiving 5,443 bounty reports over the past 60 days. However, only 70 of these reports were deemed valid.

On April 17, the eXch crypto exchange announced it would cease operations on May 1. This announcement came after reports alleged the firm was used to launder funds from the Bybit hack.

Bybit continues to trace the majority of stolen funds, with approximately $1.2 billion still being tracked. However, the sophisticated laundering techniques employed by the Lazarus Group present ongoing challenges for recovery efforts.

Source: https://blockonomi.com/north-korean-hackers-converted-84-of-stolen-bybit-eth-to-bitcoin/