North Korea’s Lazarus Group launders $1.39B in stolen Bybit ETH in just 10 days


North Korea’s Lazarus Group has executed one of the most sophisticated crypto laundering schemes to date, moving $1.39 billion in stolen Ethereum (ETH) from Bybit in just 10 days.

The cybercriminals exploited decentralized finance (DeFi) protocols, particularly THORChain, to obscure the origins of the funds.

According to a Mar. 4 post on X by on-chain analyst EmberCN, much of the stolen Ethereum was routed through THORChain, a decentralized cross-chain liquidity protocol, and then converted into Bitcoin (BTC).

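The hacker has finished laundering all 499,000 ETH ($1.39 billion) stolen from Bybit; the whole process took 10 days. The price of ETH fell 23% over that period (from $2,780 to the current $2,130). THORChain, the main channel the hacker used for laundering, also gained $5.9 billion in trading volume and $5.5 million in fee revenue from the hacker's laundering. This post is sponsored by #Bitget @Bitget_zh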


Despite growing concerns about illicit activity, THORChain validators rejected a proposal to halt ETH transactions, leading to the resignation of a core contributor in protest.

Bybit CEO Ben Zhou also posted an update on Mar. 4, revealing that while 77% of the stolen assets remain traceable, 20% have disappeared, and 3% have been frozen.

3.4.25 Executive Summary on Hacked Funds: Total hacked funds of USD 1.4bn around 500k ETH, 77% are still traceable, 20% has gone dark, 3% have been frozen. Breakdown: – 83% (417,348 ETH, ~$1B) have been converted into BTC with 6,954 wallets (Average 1.71 btc each). This and…


The case has sparked renewed debate over DeFi’s role in facilitating financial crime and the limits of decentralised governance.

THORChain processed $605M in a day

THORChain recorded $605 million in transactions within 24 hours of the laundering process.

Overall, $5.9 billion in volume moved through the platform, generating $5.5 million in fees.

This has drawn widespread criticism, with one X user describing THORChain’s response as “negligence at best, greed at worst”.

THORChain just helped North Korea launder $605 million. No KYC, no off switch, no resistance. Lazarus Group jacked Bybit for $1.5 billion in February 2025, then funneled the stolen ETH through THORChain like it was built for them. Over five days, $2.91 billion in volume ripped…


Unlike centralised exchanges that impose compliance measures, THORChain operates under a decentralised governance model.

Despite clear evidence of illicit transactions, its validators chose not to intervene, allowing the funds to continue moving.

The refusal to act led Pluto, a core contributor, to resign in protest.

Breakdown of the stolen Bybit funds

According to Zhou’s X post, 83% of the stolen funds were converted into Bitcoin and distributed across 6,954 wallets.

A staggering 72% ($900 million) passed through THORChain before being rerouted via mixing services. Additional transactions included:

  • 16% of the assets were processed through ExCH, making them untraceable.
  • OKX Web3 Proxy handled 8% ($100 million), adding another layer of obfuscation.

Despite efforts to track the assets, 20% of the funds have gone dark, making them nearly impossible to recover.

Only 3% has been frozen by exchanges and authorities.

Bybit’s bounty programme recovers stolen assets

Bybit has since launched Lazarusbounty.com, a tracking initiative that rewards individuals and organisations helping to recover the stolen funds.

So far, $2.17 million in bounties has been paid to 11 contributors, with blockchain investigator ZachXBT, along with Mantle and Paraswap, among the top participants.

While Bybit and other exchanges have worked to contain the damage, the Lazarus Group’s rapid movement of funds highlights the increasing sophistication of crypto laundering methods.

Regulators may use this case to push for stricter oversight of DeFi protocols, which remain a critical blind spot in financial crime enforcement.

The post North Korea’s Lazarus Group launders $1.39B in stolen Bybit ETH in just 10 days appeared first on Invezz
