Bybit hack update: 28% of $1.4 billion stolen funds untraceable, linked to Lazarus Group

A substantial portion of the $1.4 billion hack suffered by cryptocurrency exchange Bybit earlier this year has reportedly gone untraceable, according to CEO Ben Zhou, who provided detailed forensic findings in an executive summary shared on social media platform X on Monday.

According to CoinDesk, Zhou revealed that 27.95% of the stolen funds, or over $380 million, have “gone dark” and cannot be tracked through traditional forensic methods. The cyberattack, attributed to the North Korea-linked Lazarus Group, occurred in February 2025 and resulted in the theft of approximately 500,000 ether (ETH) from one of Bybit’s cold wallets. “Total hacked funds of USD 1.4bn around 500k ETH. 68.57% remain traceable, 27.59% have gone dark, 3.84% have been frozen,” Zhou said in his post.

The untraceable funds were laundered through a complex network of crypto mixers and cross-chain bridges, then funneled to peer-to-peer (P2P) and over-the-counter (OTC) platforms. The laundering trail reportedly involved the use of Wasabi Wallet, a well-known crypto mixer, as well as Tornado Cash, Railgun, and CryptoMixer.

To further obscure the path, the attackers conducted cross-chain swaps using platforms such as Thorchain, eXch, Lombard, LiFi, Stargate, and SunSwap, ultimately converting the stolen ETH into more liquid assets.

Breakdown of the stolen funds:

  • 84.45% (432,748 ETH) was converted into Bitcoin (BTC), with 67.25% (342,975 ETH) transformed into 10,003 BTC and distributed across 35,772 wallets, averaging just 0.28 BTC per wallet.

  • 1.17% (5,991 ETH), worth approximately $16.77 million, remains on the Ethereum blockchain across 12,490 wallets.

  • 3.84% of funds have been successfully frozen.

The hack involved the attacker gaining full control of a specific ETH cold wallet and transferring the assets to an unidentified address. This case has been attributed to the notorious Lazarus Group, known for a string of sophisticated cybercrimes linked to the North Korean regime.

Zhou also shared updates on the Lazarus Bounty initiative, which has received 5,443 reports since its launch. So far, 70 reports have been deemed valid. He emphasized the need for skilled individuals to help decode and track the increasingly sophisticated laundering tactics, stating, “We need more bounty hunters that can decode mixers as we need a lot of help there down the road.”

This incident adds to a growing list of state-sponsored crypto heists, highlighting the vulnerabilities in centralized exchange infrastructures and the growing complexity of blockchain-based laundering methods.

Disclaimer: This article is based on information reported by CoinDesk and other public disclosures. Cryptocurrency markets involve high risk. Please consult a financial advisor before making investment decisions.