TLDR
- Lazarus Group stole $1.4 B from Bybit via a cold‑wallet exploit.
- 432,748 ETH (~$1.21 B) converted to BTC through THORChain fragmentation.
- Mixers (Wasabi, Tornado Cash, etc.) hid funds; $90.6 M via Wasabi.
- 68.6% of assets remain traceable, 3.8% frozen, rest in OTC/privacy.
- Bounty program validated 70 of 5,443 tips, paying $2.3 M.
Bybit co-founder and CEO Ben Zhou has confirmed that the North Korea-linked Lazarus Group was behind the crypto exchange’s $1.4 billion hack earlier this year. According to an executive summary shared by Zhou, hackers exploited a vulnerability in Bybit’s cold wallet infrastructure. The breach involved malicious code inserted through a compromised Safe{Wallet} developer system, allowing attackers to redirect assets to their wallets while disguising the transactions as legitimate.
4.21.25 Executive Summary on Hacked Funds:
Total hacked funds of USD 1.4bn around 500k ETH. 68.57% remain traceable, 27.59% have gone dark, 3.84% have been frozen. The untraceable funds primarily flowed into mixers then through bridges to P2P and OTC platforms.
Recently, we have… — Ben Zhou (@benbybit), April 21, 2025
The summary revealed that of the stolen funds, approximately 68.6% remain traceable, while 27.6% have gone dark. Only 3.8% has been frozen. The untraceable assets were mainly routed through Wasabi Mixer, then moved across cross-chain platforms and privacy tools. The final destination included peer-to-peer and over-the-counter exchanges, making further tracking difficult.
Majority of ETH Converted Through THORChain
Zhou disclosed that 432,748 ETH, accounting for roughly 84.5% of the total stolen Ether, was moved to Bitcoin via the THORChain network. This represents around $1.21 billion of the pilfered funds. Of that, about 67.25%—or 342,975 ETH, equivalent to $960 million—was exchanged for 10,003 BTC. These transactions were dispersed across 35,772 wallets, each holding an average of 0.28 BTC.
A smaller portion, estimated at 5,991 ETH or 1.17% of the stolen funds, remains on the Ethereum blockchain. These tokens are spread across 12,490 wallets, each with an average of 0.48 ETH. The transaction pattern indicates a deliberate effort to fragment and obscure the flow of stolen assets.
Tools and Mixers Obstruct Recovery Efforts
The report highlights the significant role privacy tools played in concealing the stolen assets. Zhou noted that the Wasabi Mixer was the Lazarus Group's primary mixing service, with smaller volumes passed through CryptoMixer, Tornado Cash, and Railgun. From there, the assets were routed through a sequence of services including eXch, Stargate, LI.FI, Lombard, SunSwap, and THORChain.
A portion of the BTC was later moved back to Ethereum using THORChain, further complicating the tracing process. In total, 944 BTC, valued at approximately $90.6 million, was laundered through Wasabi Mixer alone.
The laundering process eventually ended at over-the-counter and peer-to-peer fiat currency platforms, removing many assets from the blockchain and making them untraceable. These techniques are consistent with past tactics used by state-sponsored threat actors.
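The fragmentation described under "Majority of ETH Converted Through THORChain" (bulk value split across tens of thousands of small wallets) and the mixer routing described in this section are the two patterns a tracing team has to classify when it reports figures like "traceable / dark / frozen". The following is an added illustration, written for this page and not code from Bybit, Zhou, or any chain-analysis vendor. It runs over a small constructed transfer ledger (every address, amount and label is invented) and does two things: follows funds outward from a theft address, stopping at addresses labelled as mixers (counted as dark) or as frozen by a cooperating venue, and flags any address that fans out to an unusually large number of recipients, reporting the average amount per recipient. The threshold and labels are assumptions, not figures from the report.

```python
"""Toy fund-flow tracer: bucket stolen funds into traceable / dark / frozen
and flag fan-out fragmentation. Added example; all data below is constructed."""
from collections import defaultdict, deque

# Constructed sample ledger: (tx_id, from_addr, to_addr, amount).
# Addresses and amounts are invented; none of this is real Bybit or Lazarus data.
LEDGER = [
    ("t1", "exchange_cold", "thief_1", 1000.0),   # the theft transaction
    ("t2", "thief_1", "hop_a", 600.0),
    ("t3", "thief_1", "hop_b", 400.0),
    # fan-out: hop_a splits its balance across ten small wallets
    *[(f"t4_{i}", "hop_a", f"small_{i}", 60.0) for i in range(10)],
    ("t5", "hop_b", "mixer_x", 250.0),            # enters a mixer: goes dark
    ("t6", "hop_b", "frozen_venue", 150.0),       # frozen by a cooperating venue
]
MIXERS = {"mixer_x"}          # assumed label set for known mixer deposit addresses
FROZEN = {"frozen_venue"}     # assumed label set for addresses frozen by partners
FANOUT_THRESHOLD = 5          # assumed: this many distinct recipients counts as fragmentation


def trace(ledger, origin, mixers, frozen):
    """Breadth-first follow of funds leaving `origin`.

    Resting balances (inflow minus outflow) of every reached address are
    bucketed: mixer addresses are 'dark', frozen addresses are 'frozen',
    everything else still visible on-chain is 'traceable'. Funds are not
    followed past a mixer or a frozen address. Returns (amounts, percentages).
    """
    out_edges = defaultdict(list)
    for tx_id, src, dst, amt in ledger:
        out_edges[src].append((tx_id, dst, amt))

    total = sum(amt for _, _, dst, amt in ledger if dst == origin)
    inflow, outflow = defaultdict(float), defaultdict(float)
    seen, queue = {origin}, deque([origin])
    while queue:
        addr = queue.popleft()
        if addr in mixers or addr in frozen:
            continue  # terminal for tracing purposes
        for _, dst, amt in out_edges[addr]:
            outflow[addr] += amt
            inflow[dst] += amt
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)

    buckets = {"traceable": 0.0, "dark": 0.0, "frozen": 0.0}
    for addr in seen:
        if addr == origin:
            continue
        resting = inflow[addr] - outflow[addr]
        if resting <= 0:
            continue  # pass-through hop, nothing rests here
        if addr in mixers:
            buckets["dark"] += resting
        elif addr in frozen:
            buckets["frozen"] += resting
        else:
            buckets["traceable"] += resting
    shares = {k: round(100 * v / total, 2) for k, v in buckets.items()}
    return buckets, shares


def fanout_report(ledger, threshold):
    """Flag addresses that split funds to at least `threshold` distinct
    recipients. Returns {addr: (recipient_count, average_per_recipient)}."""
    recipients = defaultdict(dict)
    for _, src, dst, amt in ledger:
        recipients[src][dst] = recipients[src].get(dst, 0.0) + amt
    report = {}
    for src, dsts in recipients.items():
        if len(dsts) >= threshold:
            sent = sum(dsts.values())
            report[src] = (len(dsts), round(sent / len(dsts), 4))
    return report


if __name__ == "__main__":
    amounts, pct = trace(LEDGER, "thief_1", MIXERS, FROZEN)
    print("amounts:", amounts)
    print("shares %:", pct)
    print("fan-out:", fanout_report(LEDGER, FANOUT_THRESHOLD))
```

On the constructed ledger the tracer reports 60% traceable, 25% dark and 15% frozen, and flags `hop_a` as a fan-out point with ten recipients averaging 60 units each. The same two measures are what the figures in the report express at scale: the share of value that rests at visible addresses versus inside mixers, and the number of destination wallets with their average balance.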
Bounty Program Yields Limited but Critical Results
To assist in asset recovery, Bybit launched the Lazarus Bounty program, offering up to 10% of any recovered assets. Zhou stated that 5,443 bounty reports were submitted in 60 days, but only 70 were validated. The program has so far paid $2.3 million to 12 bounty hunters. The largest contribution came from the Mantle Layer-2 platform, responsible for freezing $42 million in stolen funds.
Zhou emphasized the need for skilled bounty hunters, particularly those capable of decoding mixer transactions. Bybit has reiterated its commitment to working with investigators and the wider crypto community to trace and recover stolen funds.