Despite February’s record-breaking $1.4 billion crypto heist allegedly orchestrated by North Korea’s Lazarus Group, the majority of stolen funds from the Bybit exchange remain traceable, according to CEO Ben Zhou.
In a detailed update posted April 21 on X, Zhou revealed that 68.6% of the stolen digital assets - worth nearly $960 million - can still be followed through blockchain forensics. Approximately 27.6% of the funds have gone dark, while just 3.8% have been successfully frozen so far.
The February breach, which exploited Bybit’s cold wallet infrastructure, is considered one of the largest exchange hacks to date. Following the theft, attackers employed a complex laundering strategy involving mixers, bridges, and decentralized platforms to obscure the funds’ origins.
Zhou pointed out that Wasabi Wallet, a privacy-focused Bitcoin mixer, was the primary laundering tool used by the hackers. Smaller amounts were subsequently funneled through CryptoMixer, Tornado Cash, and Railgun, all of which are well-known in the crypto community for enhancing anonymity.
Cross-chain swaps and bridge services also played a pivotal role. Lazarus-linked funds were routed through platforms like THORChain, eXch, Lombard, LI.FI, Stargate, and SunSwap before being converted and moved into peer-to-peer (P2P) and over-the-counter (OTC) markets - making recovery more challenging.
A major portion of the stolen Ether - 432,748 ETH, or about $1.21 billion - was moved from Ethereum to Bitcoin through THORChain, a decentralized cross-chain liquidity protocol. About two-thirds of that Ether, roughly $960 million, has been converted into 10,003 BTC distributed across 35,772 Bitcoin wallets, Zhou confirmed.
Meanwhile, around $17 million in ETH remains on Ethereum across 12,490 addresses, leaving investigators some on-chain leads to follow.
To incentivize blockchain sleuths and white-hat hackers, Bybit launched a $140 million Lazarus Bounty Program shortly after the incident. So far, 5,443 reports have been submitted, but only 70 have proven valid, Zhou reported.
The exchange has paid out $2.3 million in bounties, with a significant portion awarded to Mantle Network, an Ethereum layer-2 protocol. Mantle’s efforts led to the freezing of $42 million in compromised assets.
“We’re just getting started,” Zhou said, encouraging further participation. “We need more bounty hunters, especially those who can help decode mixer activity. That’s where a lot of the complexity lies.”
The ripple effects of the Bybit exploit are already being felt across the crypto ecosystem. On April 17, decentralized exchange eXch announced it would shut down by May 1 following reports implicating it in laundering part of the hacked funds.
As the hunt continues, the incident underscores both the sophistication of state-sponsored crypto crime and the evolving role of public-private collaboration in cybercrime response. Bybit’s ability to trace nearly $1 billion in stolen funds offers a glimmer of hope in an increasingly complex threat landscape.