North Korea’s Lazarus Group has resumed laundering funds from the $1.4 billion Bybit hack, moving 62,200 Ether (ETH) worth $138 million on March 1. The latest transactions bring the total laundered amount to approximately 343,000 ETH, or 68.7% of the stolen funds, according to pseudonymous crypto analyst EmberCN.
Authorities in the United States, including the Federal Bureau of Investigation (FBI), have attempted to block transactions linked to the hack. However, the Lazarus Group has continued moving assets using decentralized exchanges, cross-chain bridges, and instant swap services that do not require Know Your Customer (KYC) verification.
The Majority of Stolen Funds Already Moved
The February 21 Bybit hack resulted in the theft of 499,000 ETH, valued at $1.4 billion. Of that amount, 343,000 ETH has already been moved. On February 28, only 54% of the stolen assets had been laundered. That figure has now increased to nearly 69%. According to EmberCN, the remaining 156,500 ETH could be laundered within the next three days.
The FBI has identified 51 Ethereum addresses associated with the Bybit hackers, while blockchain analytics firm Elliptic has flagged over 11,000 crypto wallet addresses potentially tied to the exploiters.
Crypto Firms Under Pressure to Block Transactions
Efforts to disrupt laundering activities have intensified. The FBI issued a public warning to node operators, crypto exchanges, and blockchain bridge services to block transactions linked to the Bybit hackers. The Lazarus Group briefly slowed its laundering activities in response but resumed operations on March 1.
One of the primary platforms used for laundering is THORChain, a cross-chain asset swap protocol. Developers behind THORChain have faced criticism for enabling a significant share of the Lazarus Group’s transactions. A proposal to block North Korean-linked transfers was initially approved but later reversed, leading one developer, known as “Pluto,” to announce their resignation from the project.
John-Paul Thorbjornsen, founder of THORChain, distanced himself from the controversy, stating that he is no longer involved with the protocol. He also asserted that none of the crypto wallet addresses sanctioned by the FBI or the U.S. Treasury’s Office of Foreign Assets Control (OFAC) have interacted with THORChain.
Converting Stolen Ether Into Other Assets
The Lazarus Group has been converting stolen Ether into Bitcoin (BTC), Dai (DAI), and other assets. Chainalysis, a blockchain forensics firm, reported that the hackers have leveraged decentralized exchanges, cross-chain bridges, and instant swap services to obscure the movement of funds. These methods allow them to bypass centralized exchange compliance measures and evade law enforcement tracking.
The Bybit hack is the largest known exploit in the cryptocurrency industry, surpassing the $650 million Ronin Bridge hack in March 2022. The scale and speed of the laundering operations have highlighted the challenges that authorities and crypto platforms face in preventing cybercrime.