In a stunning display of cyber agility, hackers have already converted over 209,000 ETH, about $480 million, into Bitcoin, deepening the challenge of tracking their stolen loot. This represents over half of the 400,000 ETH stolen from Bybit, excluding additional drained tokens.
According to blockchain intelligence firm Arkham, at least $240 million of this laundered ETH was processed through THORchain, a decentralized cross-chain liquidity protocol that allows for the swapping of assets between different blockchains. Most of the stolen funds have been converted to native Bitcoin (BTC), further complicating tracking efforts.
The FBI has officially linked the attack to North Korea’s Lazarus Group, part of the larger TraderTraitor network known for targeting crypto institutions. While Lazarus has a history of breaking up stolen funds and using multiple protocols to launder assets, experts say the Bybit exploit is one of the most complex they’ve seen.
Ethereum security researchers report that the stolen assets have been fragmented across thousands of separate transactions, making it nearly impossible to follow the movement of funds efficiently. Pseudonymous researcher SomaXBT shared on X how their computer struggled to process even a small subset of the transactions, describing the tracking effort as overwhelming.
“To track the hack as whole in one graph needs big computer power. Big boys like Zach and others are killing it with their Big toys. Even Hackers also moving funds in light speed,” he wrote.
In total, the hackers drained an estimated $1.1 billion worth of ETH at the time of the attack, along with 90,000 stETH, 15,000 cmETH, and 8,000 cETH. While some funds have been frozen—including $43 million in mETH—the total holdings of the hackers remain unclear, given the sophisticated laundering techniques they are employing.
Details of the Conversion Process
The Bybit hackers have executed at least 3,934 bridge transactions to launder 161,490 ETH (worth approximately $370 million) through THORChain in just 115 hours since the attack. This amount accounts for the majority of the 209,384 ETH the attackers have successfully converted to Bitcoin.
According to MetaMask’s Head of Security, Taylor Monahan, the hackers have been moving assets at an alarming rate of $3.2 million per hour, leveraging decentralized protocols to avoid detection. The attackers primarily utilized THORChain and eXch, two non-custodial cross-chain platforms known for their lax KYC requirements. However, eXch recently disabled ETH and ERC-20 token swaps, slowing down the hackers’ ability to funnel more funds into Bitcoin.
In response, Bybit CEO Ben Zhou announced an expansion of the platform’s bounty program. The exchange is now offering a 5% reward to exchanges, bridges, and mixers that help freeze stolen funds. This is in addition to the 10% bounty Bybit initially offered to anyone who could return the assets.
Beyond THORChain, the hackers have employed a range of blockchain tools to obfuscate their transactions, including Asgardex, DeFiSwap, FortunaSwap, GemWallet, LiFi, ShapeShift, and TrustWallet. These decentralized services allow seamless asset swaps across multiple networks, making it even more difficult for authorities to track the flow of stolen crypto.
THORChain Faces Internal Division Over Laundering Transactions
The laundering transactions has sparked internal debate within the THORChain validator community, as some attempted to block Lazarus-linked transactions from being processed. Earlier on Thursday, three validators voted to reject transactions associated with the stolen Bybit funds, temporarily halting the hackers’ ability to move assets. However, the vote was overturned within minutes, as THORChain’s highly decentralized consensus system preserves validator autonomy.
Quick Facts:
- Hackers responsible for the $1.5 billion Bybit theft have converted over half of the stolen Ethereum into Bitcoin.
- The laundering process involved the use of intermediary wallets, decentralized exchanges, and mixing services to obscure the fund trail.
- The FBI has confirmed the involvement of North Korea’s Lazarus Group in orchestrating the Bybit hack.
