North Korean Hackers Launder $140M of $1.46B Stolen from Bybit

Cryptocurrency exchange Bybit has suffered a significant blow, with a hack resulting in the theft of approximately $1.46 billion. As the recovery efforts commence, it has been revealed that North Korean hackers are involved in a laundering operation, further complicating the situation.

According to blockchain intelligence firms Elliptic and Arkham Intelligence, the hackers have begun laundering around $140 million (10%) of the stolen funds through anonymous exchange services and conversion to Bitcoin. This marks the beginning of what is expected to be a lengthy recovery process for the largest theft in crypto history.

The hackers distributed the stolen assets across 50 different wallets immediately after the theft, with each wallet containing approximately 10,000 ETH. These wallets are now being systematically emptied as the funds undergo conversion to Bitcoin. The attackers began by converting stolen tokens such as stETH and cmETH to Ethereum using decentralized exchanges, aligning with the typical methods employed by the Lazarus Group.

Both Elliptic and Arkham Intelligence have connected the attack to North Korea’s Lazarus Group, citing the use of decentralized exchanges and other services, including cross-chain bridges and coin swap services. The group has stolen over $3 billion in crypto assets since 2017, with proceeds reportedly funding North Korea’s ballistic missile program.

In response to the theft, Bybit announced early Saturday that it would offer a bounty of 10% of recovered funds—up to $140 million—to any on-chain security experts who assist in recovering the assets. This announcement came as the exchange faced mounting pressure from user withdrawals. Data from Arkham Intelligence shows that users have withdrawn approximately 23,000 BTC from Bybit’s hot wallet since the incident, representing an outflow of roughly $1.7 billion since Friday afternoon.

The anonymous crypto exchange eXch has emerged as a key player in the laundering operation, processing tens of millions of dollars in stolen assets despite direct requests from Bybit to block the activity. In a purported email response, eXch claimed it chose not to acknowledge Bybit’s requests due to past reputational conflicts between the two entities.

A coordinated industry response has led to the freezing of $42.85 million in stolen funds across multiple platforms. THORChain has blacklisted several addresses linked to the North Korean hack