Bybit’s CEO Ben Zhou: 20% of the hacked funds have gone dark

Up to 20% of the funds from the Bybit hack are untraceable and have gone dark, noted the exchange’s CEO Ben Zhou. However, up to 77% have been traced, giving some hope of recovery.

Nearly two weeks after the Bybit hack, the lost funds have gone through multiple transactions. The exchange’s CEO Ben Zhou noted that 3% have been intercepted and frozen. Another 20% of the funds have gone dark, while 77% are still traceable. 

The hack also served as a stress test for crypto partnerships, as 11 counterparties participated in freezing the funds. 

Zhou noted that most of the ETH had been laundered through THORChain, though this was also the reason the coins could be tracked down. ETH was swapped into BTC, which can also be mixed but is easily traceable.

Currently, most of the funds are automatically split into new BTC wallets, each holding 1.71 coins as a balance. The exchange is a long way from intercepting each wallet, especially if the funds are laundered through risky external markets. 

Non-KYC exchanges pose a risk

Most of the dark funds were sent to eXch, a non-KYC market operator. The exchange was among the first to receive inflows from the hacker’s wallets. More than 10 days ago, Bybit contacted the market operator but did not receive a response.

Some of the dark funds were later discovered by bounty hunters, with Mantle ranked at the top among assistants and bounty hunters. The protocol intercepted over $41M in funds previously considered lost.

Additional funds may be tracked down, contingent on OKX cooperating with the history of its Web3 wallet team.

Hacker managed to swap out of all ETH holdings

In just 10 days, the Bybit hacker managed to swap all of the available ETH, an estimated 499,395 tokens. The main tool for immediate, though traceable, swaps was THORChain.

Bybit’s team is also reaching out to THORChain for any chance of tracking funds. For now, the BTC wallets where most of the funds are parked remain free and uncensored, except for being flagged. 

THORChain can technically track and filter malicious addresses that interact with its nodes. However, it is up to the nodes to achieve consensus on which addresses to blacklist. Currently, THORChain has received a list of addresses to be denied swaps, but not all nodes can be made to support the list. THORChain itself has no links to the hack; it was simply used as the most accessible tool for immediate swaps.

The project advises all US-based node operators to track down addresses from an FBI list. For the Bybit hack, the arrangement of tracking the Lazarus addresses remains uncertain.

THORChain carried an estimated 70% of the swaps after the Bybit hack. The peak day of swaps was February 24, when THORChain had the highest transaction count since 2023. 

Elliptic joins the Bybit investigation with real-time monitoring

The biggest challenge after a large-scale hack is to warn all counterparties of the event and start intercepting transactions from flagged wallets. Elliptic has already introduced automated tracking, which intercepted $150,000 of the Bybit funds when they were sent to an exchange.

Elliptic has its own blacklist of addresses, tied to the current Bybit hack and previous Lazarus group exploits. 

The recent exploit brought out a new level of cooperation for crypto entities. Previously, exchanges only acted in a limited fashion to intercept funds. The largest hack, however, caused all protocols to track down the funds where possible. Additionally, despite facing the biggest hack, Bybit never stopped withdrawals and managed to rebuild its liquidity within days.


Source: https://www.cryptopolitan.com/bybit-ceo-ben-zhou-hacked-funds-gone-dark/