North Korean Hackers Launder $280M in Bybit Theft in 10 Days

North Korean hackers have successfully moved $280 million of stolen funds from the cryptocurrency exchange Bybit, according to recent reports. The hack, which occurred in February 2025, involved the theft of approximately 499,000 Ethereum tokens, valued at around $1.4 billion at the time.

The Lazarus Group, a North Korean cybercrime organization, is believed to be behind the attack. The group managed to launder the entire amount within just 10 days of the theft, using a decentralized cross-chain liquidity protocol called THORChain to convert the stolen Ethereum to Bitcoin.

According to Bybit CEO Ben Zhou, 77% of the stolen assets remain traceable, while 20% have "gone dark" and become untraceable. The hackers converted 83% of the funds into Bitcoin, spreading it across 6,954 different cryptocurrency wallets. THORChain processed $605 million in transactions during a single 24-hour period and collected $5.5 million in fees during the laundering process.

Bybit has launched a website called Lazarusbounty.com to track the stolen funds and offers rewards to exchanges that help recover the assets. The exchange has paid $2.17 million in bounties to 11 different individuals or groups, with Mantle, Paraswap, and ZachXBT ranking among the top contributors to the recovery effort.

Blockchain analytics firm Elliptic identified more than 11,000 wallets connected to the Bybit hackers, helping investigators track the movement of stolen funds. Bybit has also hired Web3 security firm ZeroShadow for blockchain forensics to trace and freeze the stolen assets.

Investigators have managed to freeze 3% of the stolen assets, amounting to roughly $42 million in recovered funds. Zhou stated that with support from the OKX Wallet team, investigators could potentially recover $65 million in Ethereum. The next two weeks remain critical for freezing additional funds before potential cashouts.