Bybit CEO confirms that $280M of the stolen $1.4B is no longer traceable

Bybit CEO has said that 20% of the $1.4B stolen from the exchange is now untraceable.
Hackers converted $1B in ETH to BTC via THORChain and spread it.
So far, 11 bounty hunters have assisted in freezing $42M of the stolen funds.

In a stunning update, Bybit CEO Ben Zhou has revealed that $280 million of the $1.4 billion stolen from the cryptocurrency exchange in the February hack has vanished into untraceable channels.

3.4.25 Executive Summary on Hacked Funds:
Total hacked funds of USD 1.4bn around 500k ETH, 77% are still traceable, 20% has gone dark, 3% have been frozen.
Breakdown:
– 83% (417,348 ETH, ~$1B) have been converted into BTC with 6,954 wallets (Average 1.71 btc each) . This and…

— Ben Zhou (@benbybit) March 4, 2025

The security breach, attributed to the North Korean hacking group Lazarus, saw approximately 500,000 Ether (ETH) pilfered from Bybit’s reserves. While the majority of the funds remains visible on the blockchain, Zhou’s announcement underscores the challenges facing investigators as they race against time to freeze the assets before the hackers fully cash out.

The attack exploited vulnerabilities in SafeWallet, a third-party wallet platform used by Bybit. Lazarus hackers compromised a developer’s device, injecting malicious code that allowed them to siphon off nearly $1.5 billion in ETH during a routine transfer.

Despite Bybit’s swift action to restore 1:1 backing of client assets within days, the hackers have been relentlessly moving the stolen funds across multiple platforms, complicating recovery efforts.

Hackers leveraged THORChain to fragment funds

A significant portion of the stolen Ether—417,348 ETH valued at around $1 billion—has been converted into Bitcoin (BTC) and scattered across 6,954 wallets, each holding an average of 1.71 BTC.

Zhou noted that 72% of the haul, or 361,255 ETH worth $900 million, was funneled through THORChain, a decentralized exchange known for its privacy features.

THORChain alone processed a record $4.66 billion in swaps in the week ending March 2, raking in over $5.5 million in fees from these illicit transactions. This fragmentation and conversion strategy has made tracking the funds increasingly difficult for blockchain forensic teams.

Meanwhile, 20% of the stolen assets—approximately 79,655 ETH—have “gone dark,” meaning they’ve been laundered through platforms like ExCH and rendered untraceable.

Zhou highlighted that an additional 40,233 ETH, worth $100 million, passed through OKX’s Web3 Proxy. Of this, 23,553 ETH ($65 million) remains untraceable without further cooperation from the OKX Wallet team, while 16,680 ETH is still within reach of investigators.

The CEO stressed that the next one to two weeks are pivotal as the hackers prepare to offload their haul via exchanges, over-the-counter (OTC) trading desks, and peer-to-peer (P2P) networks.

Bybit has enlisted bounty hunters amid freezing efforts

In a bid to thwart the hackers, Bybit has enlisted the help of bounty hunters and security firms.

Zhou reported that 11 parties—including prominent players like Mantle, Paraswap, and blockchain sleuth ZachXBT—have assisted in freezing $42 million, or 3% of the stolen funds.

So far, Bybit has paid out $2.178 million in USDT to these contributors as part of its recovery efforts, with more details available at Lazarusbounty.com. The exchange also partnered with Web3 security firm ZeroShadow on February 25 to enhance its blockchain forensics and maximize asset recovery.

Despite these efforts, the hackers show no signs of slowing down. Blockchain analytics firm Elliptic has identified over 11,000 wallets linked to the Lazarus group, suggesting a sprawling network designed to obscure their tracks.

🚨 Free Real-time Bybit Exploit Data 🚨

Elliptic has launched a free data feed of illicit addresses linked to the Bybit exploit.

🔍 Why it matters:

✅ Minimize exposure to sanctions
✅ Stop laundering of stolen funds
✅ Strengthen crypto security

Access via CSV or API ⬇️… pic.twitter.com/U9Qa2tc8Zz

— Elliptic (@elliptic) February 25, 2025

Zhou indicated that an additional $65 million in ETH could be salvaged with OKX’s support, but time is running out as the attackers continue laundering operations through platforms like ExCH and OKX Web3 Proxy.