Bybit Hacker Launders Over $700M in Stolen Ethereum in Record Time

    The hacker behind the $1.4 billion Bybit exploit is moving fast. In less than a week, they have already laundered more than half of the stolen Ethereum. Most of it has been swapped for Bitcoin using THORChain, a decentralized cross-chain liquidity protocol.

    Updated Feb 28, 2025 12:53 PM GMT+0
    News Room

    Over $700M Washed in Just Five Days

    According to blockchain analytics firm Spot On Chain, the attacker has laundered 266,309 ETH—worth roughly $614 million—in the past 5.5 days. That’s an average of 48,420 ETH per day. At this pace, the remaining 233,086 ETH could be fully laundered within another five days.

    THORChain has been the primary tool for these transactions. Its activity has surged since the Bybit hack, with daily transaction volumes jumping from $80 million to $580 million starting Feb. 22.

    On Feb. 26 alone, THORChain processed a record $859 million in swaps, followed by another $210 million on Feb. 27, per a Coinfomania report. In total, the five-day transaction volume reached $2.91 billion, generating $3 million in fees for the network, according to an X post by on-chain analyst Yu Jin.

    North Korea Behind the Attack, FBI Says

    The U.S. Federal Bureau of Investigation (FBI) has officially linked the Bybit hack to North Korean state-sponsored hackers. The agency described the attack—dubbed “TraderTraitor”—as part of a larger cybercrime campaign linked to North Korea.

    This is not the first time North Korean hackers have been accused of large-scale crypto heists. The regime has reportedly used stolen digital assets to fund weapons programs and evade sanctions.

    Bybit’s Security Wasn’t the Problem

    While the hack resulted in massive losses, Bybit’s core security infrastructure was not compromised. Investigators at Sygnia Labs and Verichain traced the breach to a Safe Wallet developer machine that had been infected with malicious JavaScript code.

    The attackers used this exploit to target Bybit’s cold wallet via the Gnosis Safe UI. Safe has since confirmed that its smart contracts remain secure, but the attack highlights a growing trend—hackers are shifting focus from exchanges to infrastructure providers.

    Bybit Launches Tracker, Offers Bounty

    In response, Bybit has launched a website to track the movement of the stolen funds. The exchange is also offering a bounty to any platform or entity that helps recover the missing assets.

    The hacker still holds more ETH than Ethereum co-founder Vitalik Buterin or even the Ethereum Foundation. If the laundering continues at the current pace, Bybit’s stolen funds could be fully washed within days.

    With U.S. authorities and blockchain analysts closely monitoring the transactions, it remains to be seen whether this hacker can cash out without leaving a trace—or if their trail will eventually catch up with them.
