Stolen Funds Obscured: $380M in Crypto From Bybit’s $1.4B Breach Now Untraceable

Bybit CEO Reveals $380M of Stolen Funds From Lazarus Group Hack Now Untraceable

Bybit’s CEO, Ben Zhou, has confirmed that nearly 28% of the $1.4 billion stolen in a February hack by the North Korean Lazarus Group has gone untraceable. The funds, which primarily flowed through crypto mixers and cross-chain bridges, have now vanished into the depths of decentralized networks, making them increasingly difficult to recover.

In an executive summary posted Monday on X (formerly Twitter), Zhou provided an update on the status of the stolen assets. “Out of the total $1.4 billion — approximately 500,000 ETH — 68.57% is still traceable, 27.59% has gone dark, and 3.84% has been frozen,” Zhou wrote.

The untraceable funds have largely been funneled into mixers such as Wasabi, Tornado Cash, Railgun, and CryptoMixer. From there, the hackers used cross-chain bridges to move the assets into peer-to-peer (P2P) and over-the-counter (OTC) platforms, obscuring their final destinations.

Zhou explained that the Lazarus Group executed a series of swaps using platforms like Thorchain, eXch, Lombard, LiFi, Stargate, and SunSwap to convert the stolen funds into more liquid forms of crypto, including Bitcoin (BTC). This multi-stage process allowed the illicit funds to move through various channels and convert into assets that are harder to trace.

The hack began with the Lazarus Group gaining access to a specific ETH cold wallet, draining 500,000 ETH in total. Blockchain forensics have revealed that 432,748 ETH, or roughly 84.45% of the total, was converted into Bitcoin via Thorchain. Of this amount, 342,975 ETH (about $960 million) was swapped for 10,003 BTC, which was distributed across 35,772 wallets, with each holding an average of just 0.28 BTC. This spread was likely designed to avoid detection.

Another 1.17% of the stolen funds, or 5,991 ETH (roughly $16.77 million), remains on the Ethereum blockchain, distributed across 12,490 wallets.

In response, Bybit launched the Lazarus Bounty program to help recover the stolen assets, offering rewards for useful information. Over the last two months, 5,443 bounty reports have been submitted, with 70 being validated as actionable leads. Zhou emphasized the need for more help in tracking the funds: “We need more bounty hunters who can decode mixers. The work ahead is going to be challenging.”

This breach highlights the growing complexity of tracking illicit activities in decentralized finance and the increasing difficulty of recovering funds once they’ve been laundered through multiple layers of obfuscation.