TL;DR
- Lazarus Group, a North Korean cybercrime group, is believed to be behind the $1.4 billion theft from Bybit, marking one of the largest cryptocurrency hacks to date.
- Investigations suggest that the stolen funds are likely to be laundered through “mixers”, making it more difficult to trace transactions and potentially hindering recovery efforts.
- Bybit is working to regain user trust: it has replenished its Ethereum reserves and is set to release a proof-of-reserves (PoR) report to ensure that customer assets are fully backed.
In one of the largest thefts in cryptocurrency history, an estimated $1.4 billion was stolen from the Bybit platform on February 21, 2025. Elliptic researchers have identified that Lazarus Group, a collective known for its involvement in high-profile cybercrimes, is behind this breach. This group, operating out of North Korea, has a history of large-scale crypto thefts, and this incident appears to be no exception.
The laundering process of these stolen funds seems to be underway, with Elliptic revealing that the first step involves converting the stolen tokens into native blockchain assets such as Ether (ETH). Using decentralized exchanges (DEXs), the hackers have begun transforming tokens like stETH and cmETH into ETH, avoiding the risk of their assets being frozen on centralized exchanges, thus complicating efforts to trace them.
“Layering” and the Distribution of Stolen Funds
With the funds now converted into Ether, the hackers have entered a phase known as “layering”. This stage of money laundering disperses the stolen funds across many wallets and routes to break the transaction trail. Within the first two hours of the theft, over 50 wallets were used to distribute the stolen funds, each holding approximately 10,000 ETH. According to the latest data, around 10% of the funds, equating to $140 million, have already been moved and distributed through various laundering channels, including DEXs and cross-chain bridges.
One of the most notorious players in this process is the exchange “eXch”, a platform that has facilitated anonymous swaps, making it a common venue for illicit transactions, particularly in dark web activities.

Bybit Recovers and Assures Users
Despite the massive theft, Bybit has taken immediate steps to restore user confidence. Ben Zhou, the platform’s CEO, stated that the exchange has fully replenished its Ethereum reserves and will publish a proof-of-reserves (PoR) report to ensure that customer assets are securely backed on a 1:1 basis.
As this situation unfolds, the use of cryptocurrencies and their security mechanisms is once again being put to the test. Meanwhile, the crypto community watches closely as exchanges and platforms work to improve their protection systems in response to increasingly sophisticated attacks.