Hackers launder $1.4 billion stolen Bybit crypto, convert majority to Bitcoin

Blessed Frank

The hackers who stole roughly $1.4 billion in digital assets from the Bybit exchange are reported to have successfully laundered nearly all of the stolen funds, converting the majority into Bitcoin. The heist, which occurred on February 21, 2025, is now recognised as the largest cryptocurrency theft in history and potentially the most significant heist of any kind ever recorded.

Blockchain monitoring firms, security experts, and the FBI have pointed to North Korea’s state-sponsored hacking groups as the culprits behind this sophisticated operation.

Bybit, a Dubai-based cryptocurrency exchange with over 60 million users worldwide, reported that the breach targeted one of its Ethereum (ETH) cold wallets. The attack happened during what appeared to be a routine transfer to a hot wallet, only for hackers to manipulate the transaction through a meticulously planned assault. The result: 401,346 ETH, valued at roughly $1.4 billion at the time, was syphoned off within seconds.

According to a post-mortem report commissioned by Bybit and conducted by cybersecurity firm Sygnia, the hackers exploited malicious code embedded in the infrastructure of Safe Wallet, a multi-signature wallet provider used by the exchange. The finding highlights vulnerabilities in even the most secure systems.

How the hackers are laundering Bybit’s $1.4bn loot

Since the theft, the hackers have moved with remarkable speed and efficiency to launder their loot. Tom Robinson, co-founder and chief scientist of blockchain monitoring firm Elliptic, confirmed that the stolen Ethereum has been fully transferred out of the dozens of initial wallets where it was split and that most of it has been converted into Bitcoin. 

Ari Redbord, a former U.S. federal prosecutor and now global head of policy at TRM Labs, corroborated these findings, noting that the laundering process reflects a highly organized effort. The FBI has identified the perpetrators as North Korea’s Lazarus Group, a notorious hacking syndicate linked to previous high-profile crypto thefts, including the $650 million Ronin bridge hack in 2022.

Andrew Fierman, head of national security intelligence at Chainalysis, provided further insight into the operation, stating that his firm is tracking approximately 90% of the stolen funds.

“The majority of these have been converted to Bitcoin and are being held in around 4,400 addresses,” Fierman noted. 

The remaining 10% of the loot, he added, has either been lost to transaction fees, frozen by recovery efforts, or “off-ramped” into fiat currency through services that convert crypto to cash.

The laundering process began in earnest between February 24 and March 2, marking what experts describe as the first phase of the operation. During this period, the hackers relied heavily on THORSwap, a decentralised cross-chain protocol that allows users to swap assets across blockchains without intermediaries.

Redbord emphasised that this tool enabled the hackers to obscure the origins of the stolen cryptocurrency with “unprecedented operational efficiency.” By converting the Ethereum to Bitcoin and dispersing it across thousands of addresses, the hackers have complicated efforts to trace and recover the funds.

This efficiency has alarmed industry experts and regulators alike.

“The speed and skill with which the hackers moved once they were inside added to the unease,” noted a report from the Financial Post, underscoring how the assets were laundered using decentralised exchanges and cross-chain bridges.

Redbord explained that the next phase, already underway, involves depositing portions of the Bitcoin into mixers, services designed to further muddle the money trail and “create doubt in the tracing process” for investigators.

In response to the hack, Bybit has maintained operational continuity, honouring all customer withdrawal requests despite a massive $4 billion run on the platform within two days of the breach. CEO Ben Zhou has spearheaded recovery efforts, launching lazarusbounty.com to track the stolen funds and offering a $140 million bounty, 10% of the stolen amount, to anyone who can help freeze the assets.

Zhou reported that 77% of the funds remain traceable, with 3% successfully frozen, though $280 million has “gone dark,” according to his updates on X.

The fallout from the Bybit hack has reverberated across the crypto sector, contributing to a decline in prices, with Bitcoin dipping to $82,000 and Ethereum falling 23% from $2,780 to $2,087. The incident serves as a stark reminder of the vulnerabilities in the digital asset ecosystem and the sophisticated adversaries exploiting them.

