Lazarus Group launches ‘QinShihuang’ meme coin to launder $26M more from Bybit stash

Source: Cryptopolitan

North Korea’s Lazarus Group dropped a meme coin Sunday morning called QinShihuang on the Pump Fun platform to launder $26 million from the nearly $1.5 billion they stole from the crypto exchange Bybit.

On-chain investigator ZachXBT first exposed this, as per usual, confirming that the wallet involved (5STkQy…95T7Cq) sent exactly 60 SOL tokens to another wallet (9Gu8v6…aAdqWS) before launching half a million QinShihuang tokens.

Within about three hours, these tokens were traded heavily, and transaction volume quickly topped $26 million.

Zach traced the funds back clearly. He said the attackers moved $1.08 million USDC stolen from Bybit to wallet address 0x363908df2b0890e7e5c1e403935133094287d7d1 on February 22.

The Bybit attackers bridged these funds from Ethereum onto the Solana blockchain, using wallet EFmqz8PTTShNsEsErMUFt9ZZx8CTZHz4orUhdz8Bdq2P.

How Lazarus is pulling it off

After that, Lazarus moved the USDC onto Binance Smart Chain (BSC), where Zach’s tracking showed that two separate wallets automatically split the stolen USDC across over thirty different addresses, breaking down the funds into smaller, harder-to-track transfers.

Once split, Lazarus then recombined these smaller batches of funds into one wallet: 0x0be9ab85f399a15ed5e8cbe5859f7a882c7b55a3. Zach confirmed wallet 0x0be9 then split the funds some more, sending 106,000 USDC evenly across ten new wallets.

Those ten wallets again bridged everything back over to Solana, completing a full blockchain cycle designed specifically to confuse blockchain trackers. Isn’t it just a little bit impressive?
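The split-then-recombine pattern described above can be flagged from transfer records alone. The following is an added detection sketch, not code from ZachXBT or any tracing tool; the transfer list, wallet names and thresholds are constructed for illustration.

```python
from collections import defaultdict

def sample_transfers():
    """Constructed (sender, recipient, amount) records; not real chain data."""
    mids = [f"mid{i:02d}" for i in range(30)]
    rows = [("src", m, 1000.0) for m in mids]            # split across 30 addresses
    rows += [(m, "collector", 1000.0) for m in mids]     # recombined into one wallet
    rows += [("alice", "bob", 50.0), ("bob", "carol", 20.0)]  # unrelated traffic
    return rows

def find_split_recombine(transfers, min_fanout=10, min_overlap=0.8):
    """Return (source, collector, n_intermediaries, amount) for every source that
    pays at least min_fanout addresses when a single collector is also paid by
    at least min_overlap of those same addresses."""
    fanout = defaultdict(set)     # sender -> set of recipients
    paid = defaultdict(float)     # (sender, recipient) -> total amount sent
    for sender, recipient, amount in transfers:
        fanout[sender].add(recipient)
        paid[(sender, recipient)] += amount

    findings = []
    for source, mids in fanout.items():
        if len(mids) < min_fanout:
            continue              # ordinary payer, not a splitter
        feeders = defaultdict(set)  # candidate collector -> intermediaries paying it
        for mid in mids:
            for dest in fanout.get(mid, ()):
                if dest != source:
                    feeders[dest].add(mid)
        for collector, via in feeders.items():
            if len(via) >= min_overlap * len(mids):
                total = sum(paid[(m, collector)] for m in via)
                findings.append((source, collector, len(via), total))
    return findings

if __name__ == "__main__":
    for hit in find_split_recombine(sample_transfers()):
        print(hit)
```

The check ignores timestamps and cross-chain bridges, so in practice it would run per chain and per time window, with bridge deposits and withdrawals linked separately.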

Zach also noticed something else weird. Many of these Solana addresses received tiny meme coin “dust” transactions from random scammers.

Lazarus, instead of ignoring this dust, started actively swapping these meme coins back into SOL. They cleaned up the dirty SOL, mixed it around, and moved the funds through Pump Fun trades—exactly like with QinShihuang.

Zach posted the addresses involved publicly—around 920 wallets—but removed specific wallets from tracking software interfaces to prevent Lazarus from quickly hiding tracks again. You can find them here.

The stolen Bybit money then ended up on various crypto exchanges and swapping platforms, vanishing quietly behind legit-looking trades.

Helius Labs CEO Mert commented directly on the risks, saying teams who build decentralized apps with no filters or protections are making a huge mistake. He compared crypto apps to email, where the underlying technology is neutral, but user-facing software—like Gmail—blocks known malicious actors.

According to Mert, crypto apps must implement the same basic filtering if they know specific wallet addresses belong to criminal groups like Lazarus. Mert added that he had not personally verified whether Lazarus issued the coins directly, and that his comments were meant as a general warning to developers about risks like these.

Mert specifically questioned why Pump Fun didn’t blacklist wallets associated with Lazarus. With Pump Fun’s trading volume being so high, Lazarus easily bought coins on clean wallets, pumped prices high using stolen SOL, then sold everything off back into those clean wallets. Through simple pump-and-dump trading, Lazarus turned clearly traceable stolen crypto into clean, untraceable profits.
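A plain denylist misses the "clean wallets" described above, so this added example (not Pump Fun's or Helius's code) screens a wallet by how many transfers separate it from a listed address. The two listed addresses are copied from this article; the transfers, other wallet names, hop limit and dust threshold are assumptions.

```python
from collections import deque

# Addresses this article attributes to the Bybit attackers.
LISTED = {
    "0x0be9ab85f399a15ed5e8cbe5859f7a882c7b55a3",
    "EFmqz8PTTShNsEsErMUFt9ZZx8CTZHz4orUhdz8Bdq2P",
}

def norm(addr):
    """EVM hex addresses compare case-insensitively; Solana base58 is case-sensitive."""
    addr = addr.strip()
    return addr.lower() if addr[:2].lower() == "0x" else addr

def exposure_hops(transfers, listed=LISTED, max_hops=2, min_amount=1.0):
    """Breadth-first walk of outgoing transfers from listed addresses.
    Returns {address: hops from the nearest listed address}. Transfers below
    min_amount are skipped so dust sent to bystanders does not flag them."""
    edges = {}
    for sender, recipient, amount in transfers:
        if amount >= min_amount:
            edges.setdefault(norm(sender), set()).add(norm(recipient))
    hops = {norm(a): 0 for a in listed}
    queue = deque(hops)
    while queue:
        cur = queue.popleft()
        if hops[cur] == max_hops:
            continue              # do not follow funds past the hop limit
        for nxt in edges.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def screen(addr, hops):
    """Decision for a wallet connecting to the app: block, review or allow."""
    h = hops.get(norm(addr))
    if h is None:
        return "allow"
    return "block" if h == 0 else "review"

# Constructed transfers (sender, recipient, amount); unlisted wallet names are made up.
SAMPLE = [
    ("0x0BE9AB85F399A15ED5E8CBE5859F7A882C7B55A3", "0xAAA1", 10600.0),
    ("0xaaa1", "fresh_wallet", 10500.0),
    ("fresh_wallet", "third_hop", 10000.0),
    ("EFmqz8PTTShNsEsErMUFt9ZZx8CTZHz4orUhdz8Bdq2P", "bystander", 0.001),
]
```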

Not Lazarus’s first rodeo

Zach’s discoveries showed Lazarus has done this before. Some addresses from the current laundering scheme previously launched other meme tokens on Pump Fun. This means Lazarus has repeatedly exploited Pump Fun’s trading activity for money laundering.

SlowMist, a security research firm, pointed out Lazarus used the crypto mixing platform eXch heavily. eXch directly refused to help when Bybit asked for cooperation.

Instead, eXch posted the interception request from Bybit publicly and angrily rejected it. SlowMist explained clearly that eXch openly targets security personnel, exposing personal information online.

They strongly urged crypto platforms to increase security measures against funds coming from eXch, which Lazarus regularly uses to convert stolen ETH into harder-to-trace cryptos like Bitcoin and Monero.

Arthur Hayes, the co-founder of crypto exchange BitMEX, openly asked Vitalik Buterin on X if Ethereum might consider rolling back the blockchain to reverse the massive hack at Bybit, which resulted in around 400,000 ETH being stolen.

Arthur’s post triggered immediate debate among crypto users. He doubled down, saying clearly that he believed Ethereum abandoned immutability after the 2016 DAO hack—when Ethereum developers reversed a $60 million theft using a controversial hard fork.

Arthur said Ethereum “stopped being money” at that point. He argued that if Ethereum did a rollback before, there shouldn’t be resistance to doing it again now to recover Bybit’s funds.

Vitalik still hasn’t responded publicly to Arthur’s request. But many in the community are criticizing Arthur’s suggestion, with some even thinking he’s trolling Vitalik.

Arthur’s tweet also reignited the debates about blockchain immutability, decentralization, and whether rollbacks should ever happen again on major blockchains.

Blockchain analysts explained clearly why Ethereum probably won’t consider a rollback now. Ethereum’s network currently uses an “account-based” model to store funds, just like regular banks.

When Ethereum developers reversed the DAO hack, nodes upgraded software versions and moved ETH funds to new addresses. Today, reversing a similar hack would require massive consensus from Ethereum users, nodes, and developers—a consensus nearly impossible now.

Something kind of similar happened with Bitcoin in 2019. Binance’s CEO Changpeng Zhao openly considered rolling back Bitcoin after hackers stole $40 million. He quickly changed his language from “rollback” to “re-org” due to backlash.

Bitcoin’s miners and maxis rejected the idea strongly, criticizing any attempt to reverse transactions as a fundamental violation of decentralization principles.

Ethereum’s community also rejected rollback ideas this time. But smaller blockchains have done rollbacks successfully in the past, typically after an attack. It’s rare, but not completely unheard of.

Zach first announced the massive Bybit theft last Friday. He spotted suspicious on-chain activity involving over $1.47 billion quickly flowing out from Bybit. Zach watched the attackers rapidly swapping wrapped tokens like mETH and stETH into regular Ethereum tokens through decentralized exchanges, aggressively trying to obscure the stolen funds.
