How Did Bybit Hackers Launder $1.39B in 10 Days?

By BSCN
2 days ago

The Bybit hackers successfully laundered the entire 499,000 ETH ($1.39 billion) stolen from the Bybit cryptocurrency exchange, according to EmberCN. Per reports, the process took just ten days, with THORChain serving as the primary channel for laundering, handling $5.9 billion in transaction volume and earning $5.5 million in fees.

Hackers reportedly used mixing techniques, instant swap services, and decentralized platforms without Know Your Customer (KYC) requirements to obscure the trail.

FBI Confirms North Korean Involvement

The Federal Bureau of Investigation (FBI) has officially linked the Bybit hack to North Korea. In a public service announcement on February 26, 2025, the FBI stated that the TraderTraitor cyber actors were responsible for the heist, which took place on February 21, 2025.

The agency revealed that the attackers converted portions of the stolen ETH into Bitcoin and other cryptocurrencies, dispersing funds across thousands of addresses. The FBI warned that these assets would likely be further laundered and eventually exchanged for fiat currency.

To counteract these efforts, the FBI has called on RPC node operators, crypto exchanges, blockchain analytics firms, DeFi services, and other virtual asset providers to block transactions linked to the stolen assets. The agency has also released wallet addresses associated with the hackers.
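One way a service could screen deposits against a published address list, shown as an added example that is not code from the article, the FBI or any named firm. The addresses and transfers are constructed placeholders, and the function names, the two-hop limit and the block/review policy are assumptions.

```python
import re

# Constructed placeholder addresses; NOT the wallet addresses the FBI published.
STOLEN, HOP1, HOP2, HOP3, EARLY = ("0x" + b * 20 for b in ("a1", "b2", "c3", "d4", "e5"))
FLAGGED = {STOLEN}

# Constructed transfers (sender, receiver) in on-chain order.
TRANSFERS = [
    (HOP1, EARLY),             # sent before HOP1 received any flagged funds
    ("0x" + "A1" * 20, HOP1),  # same flagged address, different letter case
    (HOP1, HOP2),
    (HOP2, HOP3),
]

def norm(addr):
    """Lower-case and validate a 20-byte hex address so casing cannot evade a match."""
    a = addr.strip().lower()
    if not re.fullmatch(r"0x[0-9a-f]{40}", a):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return a

def taint_hops(flagged, transfers, max_hops):
    """Map each address to its distance in transfers from a flagged address.

    Transfers are processed in chain order, so funds an address sent out
    before it received flagged funds do not taint the recipient.
    """
    hops = {norm(a): 0 for a in flagged}
    for sender, receiver in transfers:
        s, r = norm(sender), norm(receiver)
        if s in hops and hops[s] < max_hops:
            hops[r] = min(hops.get(r, max_hops + 1), hops[s] + 1)
    return hops

def screen(sender, hops):
    """Hypothetical policy: block listed addresses, queue near neighbours for review."""
    distance = hops.get(norm(sender))
    if distance is None:
        return "allow"
    return "block" if distance == 0 else "review"

if __name__ == "__main__":
    hops = taint_hops(FLAGGED, TRANSFERS, max_hops=2)
    for addr in (STOLEN, HOP1, HOP2, HOP3, EARLY):
        print(addr[:6], screen(addr, hops))
```

Because the funds were dispersed across thousands of addresses, an exact-match list alone lags behind the movement of funds; the hop distance gives reviewers a way to prioritise addresses that are not yet listed.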

How the Hack Happened

Bybit confirmed that the hack occurred during a routine transfer of Ethereum from an offline “cold” wallet to a “warm” wallet used for daily trading. The attacker exploited security vulnerabilities during this process, gaining access to the funds and transferring them to an unknown address.

Bybit assured users that their holdings remained safe. CEO Ben Zhou stated that the company is solvent and all client assets are fully backed. Zhou emphasized that Bybit would cover any unrecovered losses, thanks to its $20 billion in customer assets and potential loans from partners.

The hacker reportedly used a complex laundering strategy, utilizing:

  • Intermediary wallets
  • Decentralized exchanges (DEXs)
  • Cross-chain bridges

Among these, THORChain played a major role. This led to controversy within the THORChain community, with one core developer resigning over concerns about the platform’s involvement in the laundering process.

Efforts to Recover the Stolen Funds

Bybit is actively seeking to recover the stolen ETH. The company has called on cybersecurity experts and blockchain analysts to assist in the effort and is offering a 10% bounty on any recovered funds, potentially worth $140 million.

This attack adds to growing concerns about North Korean cyber operations targeting the crypto sector. The FBI and blockchain intelligence firms like Elliptic and TRM Labs have flagged over 11,000 wallet addresses linked to the hack, confirming the attackers’ operational efficiency.
