Security
Bybit Hack: Laundering funds from the largest heist in history
The Bybit hack highlights the increasing sophistication of blockchain cybercrime. Exchanges, DeFi platforms, and cross-chain bridges must adopt real-time risk monitoring and transaction screening to detect and prevent future attacks and laundering.

Syed C, Range
In what is now the largest financial heist in history - crypto or otherwise - Bybit suffered a devastating security breach last week, with hackers stealing approximately $1.44 billion in Ethereum and related tokens. This attack eclipses even the largest past breaches, marking a significant escalation in cyber threats against centralized exchanges.
Since the attack, blockchain security firms, national security agencies, and law enforcement teams have been actively tracking the movement of the stolen funds. However, the hackers have employed sophisticated laundering techniques to obscure the stolen assets and evade detection.
The largest theft, ever
At 14:13 UTC on February 21, 2025, an attacker executed a transaction against a Bybit cold wallet - a multisig wallet implemented as a smart contract - giving the attacker control over the contract and therefore over the assets it held.
Over the next 2 minutes and 36 seconds, the hacker performed 5 more transactions to steal a total of $1.44 billion from Bybit:
90 USDT worth $90 [link]
401,347 ETH worth $1.12B [link]
8,000 mETH worth $23M [link]
90,376 stETH worth $253.16M [link]
15,000 cmETH worth $38.8M [link]
Laundering the stolen funds
As soon as the hackers extracted the funds to their wallets, one of the most sophisticated money laundering operations began. As of February 28, 2025, over $400 million of the stolen funds have already been converted into Bitcoin (BTC), which will likely be converted into cash at non-compliant crypto exchanges.
The attackers are utilizing various techniques to make tracking and recovery efforts more challenging. This includes using intermediary wallets - a tactic commonly used to move stolen funds through multiple wallets in an attempt to break the transaction trail and frustrate forensic investigators. Within the first hour of the hack, the attacker sent 10,000 ETH each to 40 different wallets to obfuscate the movement of funds. Six days after the hack, the total number of wallets used to launder the stolen funds has expanded to over 12,000.

In addition to splitting the funds across hundreds of wallets, the attackers use Decentralized Exchanges (DEX) and cross-chain bridges to swap assets between blockchains to complicate the tracking process further. In the immediate aftermath of the attack, that is, within minutes of the heist, they used Paraswap and Uniswap on Ethereum to convert mETH and stETH to ETH.
While initially experimenting with various asset conversions, the attackers seem to have settled on predominantly converting the stolen ETH into Bitcoin (BTC) – a notable shift in laundering tactics. As of writing, $416.91 million has been swapped into Bitcoin, and the vast majority of these ETH-to-BTC swaps appear to be happening on Thorchain and Maya Protocol, with some on Chainflip and other venues. The market for purchasing BTC is heating up: coincidentally, BlackRock moved 1,800 BTC ($160m) from a cold wallet to Coinbase Prime on Feb 25th and a further 5,100 BTC ($441m) on Feb 27th.
Historically, North Korean-affiliated hackers have relied on mixing services like Tornado Cash to launder funds. However, due to the sheer scale of this hack, mixers cannot effectively obscure such a large volume of assets. Instead, the attackers are employing a high-frequency laundering strategy known as “flood the zone,” where large numbers of transactions overwhelm investigators and forensic tools.
While forensic tools like Range Trail or those offered by Arkham and TRM Labs can track these wallets, the speed and volume of the transactions from this hack are challenging for any team to stay on top of. To combat this, Bybit’s innovative Lazarus Bounty program has energized community investigators to track the onchain activity of the hackers, resulting in a total of 12,167 wallets being linked to the hackers as of writing.
Bybit’s Lazarus Bounty Program
Recognizing the situation's urgency, Bybit has introduced an innovative bounty program to combat laundering efforts. The program offers an immediate 10% payment on the value of any frozen transaction, encouraging blockchain analysts, investigators, and security professionals to help track and halt stolen funds.
For details on how to participate in Bybit’s bounty program, visit: Bybit’s Official Bounty Page.
This initiative could significantly increase community-led investigative efforts, adding another layer of complexity for the attackers. Additionally, real-time blockchain monitoring tools, such as those offered by Range, are proving essential in detecting, tracking, and mitigating the impact of such attacks.
As of writing, the program has awarded $4.3 million in bounties for reports that have led to the freezing of $43 million of the stolen funds.
North Korea’s Growing Role in Crypto Heists
This hack is not an isolated incident. Over the past decade, North Korean state-sponsored hacking groups have been linked to several major crypto thefts, stealing nearly $5 billion since 2017. Notable heists include:
2022 Ronin Bridge Hack – $600 million stolen
2023 Atomic Wallet Breach – Over $100 million stolen
2024 WazirX and DMM Bitcoin Exchange Hacks – Totaling over $540 million
The independent investigator ZachXBT was the first to link the Bybit hack to the Lazarus Group (a group aligned with or sponsored by North Korea’s government). He proved the link between the Bybit hack and previous high-profile exploits involving the Phemex and BingX cryptocurrency exchanges.
These crypto heists are believed to be part of a broader strategy to circumvent international sanctions and fund North Korea’s weapons programs.
Staying ahead of threats
The Bybit hack underscores the growing sophistication of blockchain-based cybercrime and the necessity of proactive security measures. Hackers are adopting faster, more sophisticated laundering methods to evade detection with every hack. Exchanges, DeFi platforms, and cross-chain bridges must implement real-time risk monitoring, transaction screening, and cross-chain forensics to detect and prevent similar attacks and laundering in the future.
While much of the industry came together and started monitoring and, to some extent, blocking transactions from the wallets linked to the hackers, Lazarus has still been able to convert $416 million to BTC - something that could have been prevented if more of the industry had actively blocked transactions with blacklisted wallets.
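The two patterns described above - intermediary-wallet fan-out to break the trail, and screening transactions against a blacklist of linked wallets - can be shown in a small amount of code. The following is an added example written for this article, not Range's code or any tool's API: it forward-propagates taint from a seed wallet through every recipient (so hop-1, hop-2, ... wallets join the blocklist automatically), flags a sender that pays out to many distinct wallets inside a short window (the 10,000 ETH to 40 wallets pattern), and screens an incoming transaction against the resulting set. All addresses, timestamps and amounts are constructed placeholders; the `Transfer` type, thresholds and function names are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int            # block timestamp, unix seconds (constructed values below)
    sender: str
    recipient: str
    amount_eth: float


def propagate_taint(seed_wallets, transfers):
    """Forward-propagate taint from seed wallets along transfers in time order.

    Returns {wallet: hops_from_seed}. Any wallet that received funds from an
    already-tainted wallet becomes tainted itself, which is how intermediary
    wallets (hop 1, hop 2, ...) are pulled into the blocklist without manual work.
    """
    hops = {w: 0 for w in seed_wallets}
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.sender in hops and t.recipient not in hops:
            hops[t.recipient] = hops[t.sender] + 1
    return hops


def detect_fanout(transfers, min_recipients=10, window_s=3600):
    """Flag senders that pay out to >= min_recipients distinct addresses inside
    any sliding window of window_s seconds. Returns {sender: max_distinct_recipients}.
    Thresholds are illustrative assumptions, not tuned production values.
    """
    by_sender = defaultdict(list)
    for t in sorted(transfers, key=lambda x: x.ts):
        by_sender[t.sender].append(t)
    flagged = {}
    for sender, outs in by_sender.items():
        best, i = 0, 0
        for j in range(len(outs)):
            while outs[j].ts - outs[i].ts > window_s:
                i += 1            # slide the window start forward
            best = max(best, len({x.recipient for x in outs[i:j + 1]}))
        if best >= min_recipients:
            flagged[sender] = best
    return flagged


def screen_transaction(tx, blocklist):
    """Screening decision for one transaction against the tainted-wallet set."""
    matched = sorted(a for a in (tx.sender, tx.recipient) if a in blocklist)
    return {"allow": not matched, "matched": matched}


# Constructed sample data (placeholder addresses, not real on-chain values):
# the seed wallet fans 10,000 ETH out to 12 fresh wallets within 11 minutes,
# one of those forwards to a second hop, which then hits a swap venue.
ATTACKER = "0xATTACKER_PLACEHOLDER"
HOP1 = [f"0xHOP1_{i:02d}" for i in range(12)]
SAMPLE_TRANSFERS = (
    [Transfer(ts=60 * i, sender=ATTACKER, recipient=HOP1[i], amount_eth=10_000.0)
     for i in range(12)]
    + [
        Transfer(ts=900, sender=HOP1[3], recipient="0xHOP2_A", amount_eth=9_990.0),
        Transfer(ts=1200, sender="0xHOP2_A", recipient="0xDEX_ROUTER", amount_eth=5_000.0),
        Transfer(ts=300, sender="0xUSER_ALICE", recipient="0xUSER_BOB", amount_eth=1.5),
    ]
)


def build_blocklist(seed_wallets, transfers):
    """Convenience wrapper: the set of every wallet reachable from the seeds."""
    return set(propagate_taint(seed_wallets, transfers))


if __name__ == "__main__":
    hops = propagate_taint({ATTACKER}, SAMPLE_TRANSFERS)
    print("fan-out alerts:", detect_fanout(SAMPLE_TRANSFERS))
    print("tainted wallets by hop:", sorted(hops.items(), key=lambda kv: kv[1]))
    incoming = Transfer(ts=2000, sender="0xHOP2_A", recipient="0xMY_PROTOCOL", amount_eth=100.0)
    print("screening decision:", screen_transaction(incoming, set(hops)))
```

Two caveats a practitioner would apply on top of this toy: unconditional forward taint also marks shared contracts such as DEX routers and bridge deposit addresses, so a real deployment exempts known contracts and exchange hot wallets (or uses proportional taint by amount) rather than blocking everyone who touches the same pool; and a fan-out detector keyed on distinct recipients must be paired with an amount or freshness condition, otherwise high-volume payout wallets of legitimate exchanges trip it constantly.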
At Range, we continue to develop industry-leading tools that enable blockchain ecosystems to identify vulnerabilities, track illicit transactions, and enhance transparency across multiple networks. Our platform empowers security teams to stay ahead of attackers, protecting assets and users in an increasingly high-stakes environment.
Teams on Solana who are using our Solana Transaction Security Standard are protected from interacting with the 12,000+ wallets linked to the hack, while DeFi teams across other ecosystems who use the Range Platform for real-time alerts can be instantly alerted when these stolen funds enter their app or protocol.
Book a demo with Range today for a deeper dive into real-time blockchain security solutions or to explore how our tools can safeguard your protocol.
About Range
Range is the blockchain security and intelligence platform featuring an advanced transaction explorer, real-time security and alerting, cross-chain wallet monitoring, and IR and forensic capabilities. We protect more than $20B in TVL and work with the best organizations in the industry, such as Circle, Solana, dYdX, and Osmosis. Start leveraging Range today with the Range Community platform, or book a demo with us.