According to on-chain analysts at EmberCN, a significant portion of the stolen assets were converted into Bitcoin.
Bybit is one of the world’s largest digital asset trading platforms. At the end of 2024 and beginning of 2025, it ranked third in terms of trading volumes on the spot and futures markets, according to Wu Blockchain. The exchange also remains popular in Russia – in January 2025, almost a third of its Internet traffic came from Russian users.
The hack occurred on February 21, when the attackers gained access to the exchange's cold wallet where Ethereum was stored. Bybit said that the rest of the wallets were untouched. By February 24, the exchange was able to recoup its losses using direct purchases and borrowed funds.
The hackers' activity led to a sharp increase in trading volumes on the THORChain platform. During the week ending March 2, $4.66 billion in swaps were conducted through this protocol, including $1 billion in a single day. According to Nansen, the stolen assets were moved through a complex network of addresses with gradual fragmentation of volumes. Key platforms for laundering the funds included THORChain, Paraswap, Mantle, OK DEX, and DODO.
THORChain posted record revenues amid this activity. According to EmberCN, the total transaction volume on the platform reached $5.9 billion, and fees amounted to $5.5 million.
The FBI and on-chain researchers suspect that the attack was organized by the North Korean hacker group Lazarus, known for its money laundering schemes through decentralized bridges and complex transactions in DeFi protocols. In late February, Bybit declared "war" on this group and promised a reward for help in blocking funds; the total reward is $140 million.
According to Bybit CEO Ben Zhou, so far 77% of the stolen assets can be tracked, 20% have escaped surveillance, and 3% have been frozen. The platform has already paid $2.17 million in USDT to 11 organizations that helped block the funds.
Law enforcement agencies, analytical companies (Elliptic, Chainalysis, Arkham) and independent researchers have joined the investigation into the attack. According to Grigory Osipov, Director of Investigations at Shard, Russian and foreign analysts, including Nansen, PeckShield, SlowMist, CertiK and crypto detective ZachXBT, are actively studying the movement of the stolen funds.
However, it was not possible to block the assets that passed through THORChain; the platform continues to function without changes. According to Osipov, some of the stolen funds are still stored in cold wallets and can be converted through decentralized services, despite attempts to track them.
At the same time, the expert noted that the statement about the "complete laundering" of funds remains controversial. The case continues to draw attention, and investigations will go on: efforts to identify the stolen assets and link them to specific transactions will continue for a long time.