- Bybit CEO has said that 20% of the $1.4 billion stolen from the exchange is untraceable
- Hackers converted $1 billion in ETH to BTC via THORChain and spread it
- So far, 11 bounty hunters have assisted in freezing $42 million of the stolen funds
In a stunning update, Bybit CEO Ben Zhou has revealed that $280 million of the $1.4 billion stolen from the cryptocurrency exchange in the February hack has vanished into untraceable channels.
3.4.25 Executive Summary on Hacked Funds: Total hacked funds of USD 1.4bn around 500k ETH, 77% are still traceable, 20% has gone dark, 3% have been frozen. Breakdown: - 83% (417,348 ETH, ~$1B) have been converted into BTC with 6,954 wallets (Average 1.71 btc each). This and…
- Ben Zhou (@benbybit) March 4, 2025
The security breach, attributed to the North Korean hacking group Lazarus, saw approximately 500,000 Ether (ETH) pilfered from Bybit's reserves. While the majority of the funds remains visible on the blockchain, Zhou's announcement underscores the challenges facing investigators as they race against time to freeze the assets before the hackers fully cash out.
The attack exploited vulnerabilities in SafeWallet, a third-party wallet platform used by Bybit. Lazarus hackers compromised a developer's device, injecting malicious code that allowed them to siphon off nearly $1.5 billion in ETH during a routine transfer.
Despite Bybit's swift action to restore 1:1 backing of client assets within days, the hackers have been relentlessly moving the stolen funds across multiple platforms, complicating recovery efforts.
Hackers leveraged THORChain to fragment funds
A significant portion of the stolen Ether, 417,348 ETH valued at around $1 billion, has been converted into Bitcoin (BTC) and scattered across 6,954 wallets, each holding an average of 1.71 BTC.
Zhou noted that 72% of the haul, or 361,255 ETH worth $900 million, was funneled through THORChain, a decentralized exchange known for its privacy features.
THORChain alone processed a record $4.66 billion in swaps in the week ending March 2, raking in over $5.5 million in fees from these illicit transactions. This fragmentation and conversion strategy has made tracking the funds increasingly difficult for blockchain forensic teams.
Meanwhile, 20% of the stolen assets (approximately 79,655 ETH) have "gone dark," meaning they've been laundered through platforms like ExCH and rendered untraceable.
Zhou highlighted that an additional 40,233 ETH, worth $100 million, passed through OKX's Web3 Proxy. Of this, 23,553 ETH ($65 million) remains untraceable without further cooperation from the OKX Wallet team, while 16,680 ETH is still within reach of investigators.
The CEO stressed that the next one to two weeks are pivotal as the hackers prepare to offload their haul via exchanges, over-the-counter (OTC) trading desks, and peer-to-peer (P2P) networks.
Bybit has enlisted bounty hunters amid freezing efforts
In a bid to thwart the hackers, Bybit has enlisted the help of bounty hunters and security firms.
Zhou reported that 11 parties, including prominent players like Mantle, Paraswap, and blockchain sleuth ZachXBT, have assisted in freezing $42 million, or 3% of the stolen funds.
So far, Bybit has paid out $2.178 million in USDT to these contributors as part of its recovery efforts, with more details available at Lazarusbounty.com. The exchange also partnered with Web3 security firm ZeroShadow on February 25 to enhance its blockchain forensics and maximize asset recovery.
Despite these efforts, the hackers show no signs of slowing down. Blockchain analytics firm Elliptic has identified over 11,000 wallets linked to the Lazarus group, suggesting a sprawling network designed to obscure their tracks.
Free Real-time Bybit Exploit Data
Elliptic has launched a free data feed of illicit addresses linked to the Bybit exploit.
Why it matters:
- Minimize exposure to sanctions
- Stop laundering of stolen funds
- Strengthen crypto security
Access via CSV or API … pic.twitter.com/U9Qa2tc8Zz
- Elliptic (@elliptic) February 25, 2025
Zhou indicated that an additional $65 million in ETH could be salvaged with OKX's support, but time is running out as the attackers continue laundering operations through platforms like ExCH and OKX Web3 Proxy.