Lazarus has finished laundering all the Ethereum it stole from Bybit

Every last 499,000 ETH—worth $1.39 billion—stolen from Bybit by the notorious Lazarus Group has been fully laundered, and it took them only 10 days for the stolen crypto to disappear into the blockchain, according to EmberCN on X.

In the process, Ethereum’s price crashed 23%, tumbling from $2,780 to $2,130 as the stolen funds were shuffled through mixers and exchanges.

Did Bybit’s bounty hunt for stolen funds fail?

Lazarus, a state-backed North Korean hacking group, is known for its social engineering tactics and zero-day exploits. The group is allegedly led by ​​Park Jin Hyok, who is wanted by the FBI, but North Korea has denied his and Lazarus’ existence many times.

Anyway, the notorious hackers used THORChain as their primary laundering service, pushing $5.9 billion through the network. The platform collected $5.5 million in transaction fees as Lazarus moved the funds, making it the single largest laundering operation in crypto history.

The money is now scattered, impossible to claw back. Meanwhile, Bybit is on the offensive, offering millions in rewards for any lead on the stolen assets. Just a week ago, Ben Zhou, the exchange’s CEO and co-founder, announced a massive bounty program to track down the missing ETH.

The bounty, hosted on lazarusbounty.com, has already paid out over $4 million to individuals who helped trace transactions linked to the theft.

“We will not stop until Lazarus or bad actors in the industry are eliminated,” Zhou said in a post on X. “In the future we will open it up to other victims of Lazarus as well.”

The bounty system is like this: If someone identifies and reports a blockchain transaction tied to the Bybit hack, they’ll receive 5% of the recovered crypto. Any exchange or mixer that assists in the retrieval will also get 5%. In total, around $140 million in bounties is available.

Zhou also announced the creation of a “HackBounty platform,” a new industry-wide effort designed to combat crypto theft. “I am energized by the incredible camaraderie on-chain and in real life. This can be a transformative moment for our industry if we get it right. Together, we can build a stronger defense system against cyber threats,” Zhou said.

The Bybit hack happened on February 21 at 12:30 UTC. Funds were being transferred from a cold wallet (offline storage) to a hot wallet (online storage). That’s when Lazarus struck.

Bybit’s internal investigation found that hackers altered the smart contract logic, hijacking the transfer. Instead of moving to the intended hot wallet, over 400,000 ETH and stETH, worth more than $1.5 billion, was rerouted to a mystery wallet controlled by the attackers.

Sygnia Labs and Verichains traced the breach to SafeWallet, the software Bybit used to manage its transactions, and these guys believe that Lazarus modified the JavaScript code of the platform, which allowed them to redirect the ETH to their own accounts.

The hack likely began with a cloud infrastructure breach. SafeWallet was hosted on AWS S3 and CloudFront, and one of these accounts was compromised. The software provider later confirmed that one of its developer machines had been infected, leading to the injection of malicious code into the system.

“The forensic review into the targeted attack by the Lazarus Group on Bybit concluded that this attack targeted the Bybit Safe and was achieved through a compromised machine of a SafeWallet developer resulting in the proposal of a disguised malicious transaction,” SafeWallet said in its investigative report.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot