Bybit Hacker Launders Over 54% of Stolen Funds via THORChain

Highlights:

• Bybit hacker laundered over half of the stolen funds using THORChain’s cross-chain protocol.
• THORChain’s privacy features face criticism as a key developer resigns.
• FBI urges the crypto community to block transactions linked to Bybit hackers.

Crypto intelligence platform Lookonchain reported on Feb. 28 that the exploiter of crypto exchange Bybit laundered more than 54% of the stolen funds within a week through the cross-chain asset swap protocol THORChain. So far, the hacker has moved 270,000 ETH, worth about $605 million. 

The $1.5 billion Bybit hack on February 21 was the biggest crypto heist ever. Blockchain analysts, including Arkham Intelligence, link it to North Korea’s Lazarus Group.

Hackers accessed the system by exploiting a Safe developer’s stolen credentials. During a fund rotation process using Safe(Wallet), they injected malicious JavaScript into Safe’s AWS S3 storage. This injection disrupted the multisig transaction process, allowing unauthorized access and hackers to exploit the system. 

The #Bybit hacker is laundering funds via #THORChain!

So far, the #Bybit hacker has laundered 270K $ETH($605M, 54% of the stolen funds) and still holds 229,395 $ETH($514M). pic.twitter.com/NtcKUpxsxc

— Lookonchain (@lookonchain) February 28, 2025

THORChain Dev Quits After Failing to Block North Korean Transactions

After the Bybit hack, THORChain’s swap volume surged past $1 billion as the hacker used it to launder funds. In response, the THORChain community proposed a vote to block transactions linked to North Korea’s Lazarus Group. However, the vote failed, meaning the protocol would not take action against these illicit transactions. 

After a vote reversal, THORChain developer Pluto announced their exit on Feb. 27, stating they would assist with the transition. Validator TCB later revealed they were one of three validators who voted to stop Ether trading to block the Lazarus Group.

I was part of the 3 validators that voted to halt $eth trading on @THORChain

I've been having discussions with @Pluto9r, @ol3gpetrov, @zachxbt and others about blocking the flows from ByBit hack

I hope we get a resolution before a validator resumes trading@ol3gpetrov is…

— TCB (@1984_is_today) February 27, 2025

FBI Urges Exchanges and Node Operators to Block Transactions Linked to Bybit Hackers

In a public notice on February 26, the U.S. FBI confirmed North Korea’s involvement in the Bybit hack. The agency labeled this cyber activity as “TraderTraitor” and identified 51 Ethereum addresses holding stolen assets. The FBI urged RPC node operators, exchanges, bridges, blockchain analytics firms, and DeFi providers to block transactions linked to TraderTraitor.

The FBI urged people to report any relevant information to the Internet Crime Complaint Center. This could assist in tracking the stolen funds and identifying the attackers. In April 2022, the FBI stated that the group referred to as TraderTraitor is also known by other names, including Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.

THORChain founder John-Paul Thorbjornsen defends the protocol, stating that no sanctioned wallet has interacted with it. He also argues that blocking funds in real-time is unrealistic because THORChain operates as a decentralized protocol without direct control over transactions.

I recommended to all the nodes I delegate with to continue trading.

I have checked the OFAC/FBI list and none of those addresses have *ever* interacted with TC. I have not been served by any authority, nor aware of any node that has.

I will support my nodes to run a static… https://t.co/zYghRCGkuZ

— JP (@jpthor) February 28, 2025

Impact on ETH and RUNE Prices

According to CoinGecko, ETH was trading at $2,208 at press time, reflecting a 5% drop in 24 hours. At the same time, THORChain’s native token, RUNE, peaked above $1.60 after the hack and was trading at $1.33 at the time of writing, reflecting a 9% drop.

Additionally, ETH’s trading volume on February 28 reached $36 billion, showing increased market activity. On the other hand, RUNE’s trading volume dropped to $768.23 million, a 34.07% decrease.