Bybit CEO Says 20% of Stolen Funds from Record $1.4B Hack ‘Gone Dark’

Highlights:

• Bybit’s CEO confirmed that $280M of stolen funds is untraceable due to mixing services.
• Hackers converted 83% of stolen funds into BTC and spread them across 6,954 wallets.
• Bybit launched a $140M bounty, paying $2.18M to those helping recover funds.

In a March 4 X post, Bybit’s CEO, Ben Zhou, confirmed that $280 million, or 20% of the $1.4 billion stolen from the crypto exchange, has become untraceable due to mixing services. He added that 77% remains traceable, while 3% has been frozen.

On February 21, Bybit faced the largest hack ever recorded on a centralized crypto exchange. The Lazarus Group attributed the attack to a targeted malware assault. Hackers breached the Safe Wallet system, draining approximately 400,000 ETH and around 113,000 ETH-related tokens, amounting to around $1.4 billion. After the massive attack, Bybit stayed transparent. The exchange faced increased withdrawals but secured enough Ether from various platforms to cover losses.

3.4.25 Executive Summary on Hacked Funds:
Total hacked funds of USD 1.4bn around 500k ETH, 77% are still traceable, 20% has gone dark, 3% have been frozen.
Breakdown:
– 83% (417,348 ETH, ~$1B) have been converted into BTC with 6,954 wallets (Average 1.71 btc each) . This and…

— Ben Zhou (@benbybit) March 4, 2025

Hackers Swap Stolen ETH for BTC

Zhou revealed that 83% of the stolen funds, totaling 417,348 ETH worth about $1 billion, were converted into Bitcoin. The assets were distributed across 6,954 wallets, with an average of 1.71 BTC per wallet. This split complicates tracking and recovery efforts. He stressed that the coming week is crucial for tracking and freezing these funds. “This and the coming week is critical for fund freezing as the funds will start to clear at exchanges, OTC and P2P,” Zhou wrote.

Zhou stated that Bybit hackers mainly relied on THORChain, a decentralized exchange, to convert ETH into BTC. They also used platforms like ExCH and OKX Web3 Proxy to transfer some funds. He mentioned that $65 million in ETH could be recovered, but assistance from the OKX Wallet team would be necessary.

THORChain Faces Scrutiny Over Stolen Funds Transfers

According to Ben Zhou, hackers transferred 72% of the stolen Ether to Bitcoin through THORChain, the largest transfer of funds.

THORChain recorded $4.67 billion in volume, possibly linked to Bybit exploiters. As North Korean hackers used the platform, debates arose on blocking illicit funds or maintaining decentralization. TCB, a key THORChain member, announced his departure, expressing concerns over the protocol’s role in processing stolen funds.

The guy who has been effectively the lead dev for a while will be moving on from @THORChain

As I mentioned yesterday, I will also see myself out if we don't rapidly adopt a solution to stop NK flows, so this will likely be one of my last posts on the TC subject

The TC… https://t.co/FUddEn91yu

— TCB (@1984_is_today) February 27, 2025

Bybit’s Recovery Efforts Freeze Stolen Assets, Offer Bounties

As part of the recovery efforts, 11 parties played a role in freezing stolen assets, the CEO of Bybit said. Mantle, Paraswap, and blockchain investigator ZachXBT made key contributions. Their actions helped track and freeze illicit transactions, stopping hackers from accessing certain stolen funds.

The exchange introduced a $140 million bounty program to gather information on the cyberattack. So far, bounty hunters have received $2.18 million in USDT for assisting in the recovery efforts. Bybit has launched a website to monitor stolen fund movements and offers rewards to those helping freeze them. The site has identified seven cooperative exchanges and one uncooperative platform, eXch, a no-KYC swap service that declined to freeze stolen funds. eXch has denied any involvement in laundering funds for North Korea.

Cyvers CEO Deddy Lavid said some laundered funds might still be traceable despite asset swaps.

He noted:

“While laundering through mixers and cross-chain swaps complicates recovery, cybersecurity firms leveraging on-chain intelligence, AI-driven models, and collaboration with exchanges and regulators still have small opportunities to trace and potentially freeze assets.”