MetaMask Head of Security Taylor Monahan said the Bybit hackers have moved at least 209,384 ETH (~$480 million) onto Bitcoin, in a message to The Block. That represents more than half of the approximately 400,000 ETH taken from the exchange — not including the other drained tokens.
At least $240 million of this amount was laundered using THORChain, according to Arkham Intelligence, which is tracking digital wallets linked to the hacker group. The stolen crypto has "mainly been swapped for native BTC," Arkham said in a post on X.
Last Friday, Arkham Intelligence said North Korea's Lazarus Group had hacked Bybit for over $1.5 billion, citing information provided by online sleuth ZachXBT.
The Federal Bureau of Investigation has since confirmed that the hack was perpetrated by North Korea's malicious "TraderTraitor" actors, a term that includes the Lazarus Group.
"TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains," the FBI said in its announcement. "It is expected these assets will be further laundered and eventually converted to fiat currency."
According to Ethereum security experts, the $1.5 billion hack has been harder than usual to track. Lazarus is known for splitting up funds and using multiple protocols to move them, but this particular exploit involves thousands of separate transactions.
“This is how Bybit hack's tracking looks,” pseudonymous researcher SomaXBT said on X, venting about the complicated nature of the split funds. “[This is] just a track of 2 hops (10 ETH each). My Mac Air is literally burning to load these txs.”
In total, the hackers drained over 400,000 ETH (~$1.1 billion at the time), 90,000 stETH, 15,000 cmETH and 8,000 cETH in the attack. However, it is unclear how much ETH the hackers currently hold, as some of the assets — including $43 million in mETH — have been frozen.
MetaMask's Monahan estimates that the hackers have moved at least 161,490 ETH (worth $370 million at current prices) using 3,934 distinct bridge transactions to ThorChain in the 115 hours since the hack occurred. That represents a majority of the 209,384 ETH total she reckons has moved onto Bitcoin, she told The Block.
“That's $3,229,800/hour,” she said.
Lazarus appears to be using two primary non-custodial bridges for the attack, the aforementioned ThorChain and eXch. However, eXch, known primarily for its lax KYC controls, appears to have disabled ETH and ERC-20 token swaps, limiting the hackers’ ability to move funds into bitcoin.
On Wednesday, Bybit's CEO announced that the exchange would offer a 5% bounty to exchanges, bridges and mixers that help freeze funds associated with the attack. This is an extension of the 10% bounty Bybit initially offered to anyone who could return the funds. It is unclear whether eXch has received a bounty at press time.
To move the 161,490 ETH confirmed to have gone through cross-chain exchange platform ThorChain, the hackers have used a plethora of blockchain tools, including Asgardex, DeFiSwap, FortunaSwap, GemWallet, LiFi, ShapeShift and TrustWallet, among others, according to blockchain data.
ThorChain saw its single largest day of trading volumes on Wednesday, with over $737 million worth of token swaps.
“It’s all coming from Lazarus hackers,” ThorChain user @diplo said on X. “But who really cares it's a win for TC. Only concern is what happens to price once these swaps stop. BTC is bleeding at the moment if we didn’t have this I don’t think we’d be above $1 right now.”
ThorChain's native token RUNE has peaked above $1.60 since the hack, a recent local high but a ways off from a high above $10 in 2024 and its all-time high of $19.30, according to The Block's data page.
"Thorchain not doing anything to stop the movement of stolen ETH through their platform isn't going to end well," @AirdropGlideapp said on X. "Funny how one person can shut down ThorFi in 2 minutes, but when it comes to stopping North Korea laundering billions of dollars of Ethereum through Thorchain, it's suddenly impossible to do anything about it!"
According to several posts on X, there has been internal division regarding the Lazarus-connected flows. Earlier on Thursday, three validators voted to refuse transactions connected to the Bybit hack, which apparently temporarily stopped the flows. However, the "vote was reverted within minutes" due to the extremely decentralized consensus mechanism behind ThorChain that preserves validator optionality, one user explained.
Notably, THORChain's pseudonymous core dev “Pluto” advocated for addressing this onchain money laundering before announcing his resignation from the project. TCB, one of the three validators that voted to stop THORChain's ETH trading, also said he has been struggling to find ways to prevent North Korean money laundering.
"When the huge majority of your flows are stolen funds from North Korea for the biggest money heist in human history, it will become a national security issue, this isn't a game anymore," TCB said on X, adding that ThorChain is not "decentralized enough" to survive a regulatory attack. "The TC community has strong beliefs based on what they learn from a messaging that is disconnected from the reality of the people who have been executing on the frontlines."
Immediately after draining the Bybit cold wallet, Lazarus moved the stolen funds into three separate "distribution" addresses — 0xB4a, 0x23Ob, and 0x83E — and then broke them down into dozens of newly created addresses. The group also swapped ETH derivatives like stETH and cETH for ETH using decentralized exchanges Uniswap, Paraswap and KyberSwap.
© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.