Bybit CEO: Two-Thirds of Lazarus-Hacked Funds Remain Traceable

Bybit CEO: Two-Thirds of Lazarus-Hacked Funds Remain Traceable

Nearly three months after one of the largest crypto exchange hacks in history, Bybit CEO and co-founder Ben Zhou revealed that 68.6% of the $1.4 billion stolen by North Korea’s Lazarus Group remains traceable.

In a detailed executive update shared on X on April 21, Zhou said the majority of the stolen assets are still being monitored despite extensive efforts to launder them through crypto mixers and cross-chain bridges. Only 3.8% of the stolen funds have been frozen, while 27.6% have “gone dark,” flowing into privacy tools and peer-to-peer networks that make recovery increasingly difficult.

Lazarus Exploited Cold Wallet Infrastructure

The February hack was the largest ever suffered by a centralized exchange, exploiting vulnerabilities in Bybit’s cold wallet infrastructure. Zhou confirmed that 944 BTC (approximately $90 million) was funneled through the Wasabi mixer, a privacy-focused Bitcoin wallet known to obscure transaction trails.

Following the Wasabi mixer, smaller amounts of stolen Bitcoin were routed through CryptoMixer, Tornado Cash, and Railgun, before moving into cross-chain protocols like THORChain, eXch, Stargate, LI.FI, Lombard, and SunSwap. These services were allegedly used to obfuscate the origin of funds and swap assets across chains before ultimately reaching peer-to-peer and OTC (over-the-counter) networks.

Ethereum-to-Bitcoin Swaps Hide $1.2B in ETH

Zhou also revealed that hackers managed to move 432,748 Ether (~$1.21 billion) from the Ethereum network to Bitcoin using THORChain. Roughly two-thirds of that ETH — around $960 million — was converted into 10,003 BTC across 35,772 unique wallets.

Meanwhile, $17 million worth of ETH still remains on Ethereum, distributed across 12,490 wallets.

Around $1.2 billion worth of stolen crypto is still being tracked. Source: Lazarus Bounty

Bybit’s $140M Bounty Program and the Search for Mixers

To counter the laundering efforts, Bybit launched the Lazarus Bounty Program in February, pledging $140 million in rewards for any actionable intelligence leading to fund recovery. In the 60 days since launch, Bybit has received 5,443 bounty reports, but only 70 have proven valid, resulting in $2.3 million in payouts to 12 participants.

One standout contributor, Mantle Network, was credited with recovering $42 million in frozen assets, earning a substantial portion of the bounty pool.

Zhou emphasized the importance of community involvement:

“We welcome more reports. We need more bounty hunters that can decode mixers — we need a lot of help there down the road.”

Fallout: eXch Exchange to Shut Down

One of the platforms allegedly used in laundering the stolen funds, the eXch crypto exchange, announced it would shut down operations by May 1 following mounting scrutiny over its involvement in the aftermath of the Bybit hack.

Conclusion

While the Lazarus Group remains one of the most notorious threats in the crypto space, the Bybit case underscores how difficult — yet not impossible — it is to trace stolen digital assets. With hundreds of millions still visible on-chain, and millions more at stake in bounty rewards, the cat-and-mouse game between hackers and crypto sleuths is far from over.