
The North Korea-linked hacking group Lazarus has successfully laundered over $1 billion in Ethereum (ETH) and its derivatives—stolen from the cryptocurrency exchange Bybit—in less than two weeks. However, a portion of the stolen funds remains under the watchful eye of blockchain analysts, raising hopes for potential partial recovery.
According to researchers from Lookonchain, Nansen, and Arkham, the hackers completely drained their wallet, which held nearly $1.5 billion at the time of the attack. A significant portion of these funds was funneled through the decentralized exchange THORChain, which has recently faced financial turmoil.
On March 4, Bybit CEO Ben Zhou reported that out of nearly 500,000 stolen ETH and its derivatives—valued at approximately $1.09 billion—77% are still being actively tracked, 20% have vanished from monitoring systems, and 3% have been frozen.
Blockchain analysts determined that 83% of the stolen ETH was converted into Bitcoin (BTC) using 6,954 wallets. Zhou emphasized that the coming weeks will be critical for freezing these assets, as the stolen funds begin moving into centralized exchanges, over-the-counter (OTC) trading platforms, and peer-to-peer (P2P) services.
Some of the laundered assets were funneled through the cryptocurrency exchange eXch, which became embroiled in a dispute with Bybit soon after the incident. Additionally, the hackers utilized a proxy service linked to OKX.
OKX President Hong Fang stated that the company is actively updating its blacklist of suspicious wallet addresses, reiterating that all transactions involving self-custodial wallets remain traceable.
Moreover, bounty hunters have joined the effort to recover the stolen assets. According to LazarusBounty.com, 19 individuals have registered to assist in freezing illicit funds, with total bounty payouts exceeding $2 million.
Once again, Lazarus Group has reinforced its reputation as one of the most formidable cybercriminal syndicates in the world, orchestrating the laundering of billions at an unprecedented speed. Their operation leveraged thousands of wallets, decentralized exchanges, and underground platforms, posing a significant threat to the stability of the cryptocurrency market.
The sheer scale of this attack underscores the extent to which cybercriminals can exploit vulnerabilities when regulatory and security mechanisms fail to keep pace with their evolving tactics.