Bybit CEO Ben Zhou says 88.87% of what Lazarus stole is still traceable

In this post:

  • Bybit CEO Ben Zhou confirmed that 88.87% of the $1.4 billion stolen by Lazarus Group is still traceable.

  • Hackers converted 500,000 ETH into 12,836 BTC and used Bitcoin mixers like Wasabi to launder funds.

  • Bybit ignored security flaws in Safe months before the hack, allowing attackers to steal $1.5 billion.

Bybit CEO Ben Zhou revealed on Thursday that 88.87% of the $1.4 billion stolen in crypto from the exchange remains traceable, despite the Lazarus Group moving the funds through Bitcoin mixers.

The stolen assets, consisting of 500,000 ETH, have largely been converted into 12,836 BTC and are now distributed across 9,117 wallets. Zhou, who posted a detailed breakdown of the hack on X, confirmed that 3.54% of the stolen funds have already been frozen, while 7.59% have disappeared into the dark web. The rest? Still within reach—but the hackers are doing everything they can to cover their tracks.

The attack has pushed North Korea to third place among governments holding Bitcoin, with the country now controlling 13,562 BTC worth over $1.14 billion. The only governments holding more are the United States, with 198,109 BTC valued at $16.71 billion, and the United Kingdom, which has 61,245 BTC worth $5.17 billion.

Bhutan and El Salvador have been pushed down the list, now holding 10,635 BTC and 6,117 BTC, respectively. The sudden increase in North Korea’s Bitcoin holdings came just days before Donald Trump signed an executive order establishing the Strategic Bitcoin Reserve (SBR), intensifying speculation about Pyongyang’s long-term crypto strategy.

Hackers used mixers to hide stolen Bitcoin

Zhou’s post revealed that 86.29% of the stolen assets—approximately $1.23 billion worth of ETH—were converted into Bitcoin and split across 9,117 wallets. The hackers began using mixers immediately, sending at least 193 BTC to Wasabi Mixer before dispersing the laundered funds through various peer-to-peer (P2P) vendors.

“We believe this trend will grow as more funds will go through mixers,” Zhou wrote. He acknowledged that tracking mixed transactions has become the number one challenge, and called on bounty hunters to help decrypt them. Over the past 30 days, Bybit received 5,012 bounty reports, but only 63 were valid. Zhou made it clear—more bounty hunters are needed.

Bybit ignored security risks before the attack

In an interview, Zhou admitted that Bybit had warnings about security flaws months before the hack. He revealed that three to four months before the attack, the exchange noticed that Safe, the compromised software, was not fully compatible with Bybit’s security framework.

“We should have upgraded and moved away from Safe,” Zhou said. “We’re definitely looking to do that now.”

Rahul Rumalla, Safe’s chief product officer, responded by defending the company, saying new security features had already been introduced. “Our job is not just to fix what happened but to ensure the entire space learns from it so this doesn’t happen again,” Rumalla said.

Bybit’s internal audit revealed that hackers had infiltrated Safe’s system long before the heist. A developer’s computer was compromised, allowing the attackers to plant malicious code and manipulate transactions. The final attack was executed through a fraudulent transaction request sent to Zhou himself, who unknowingly approved the transfer. The moment he signed off, the hackers drained $1.5 billion in crypto.

The outflow was immediately visible on the blockchain, and crypto analysts quickly linked the theft to Lazarus Group, a North Korean hacking syndicate. Zhou responded by rushing to Bybit’s Singapore office and triggering an emergency response known internally as P-1, waking the entire leadership team.

Bybit users withdrew billions after the hack

The market reacted fast. Zhou promised users on X that Bybit remained solvent, posting:

“Even if this hack loss is not recovered, all clients’ assets are 1:1 backed. We can cover the loss.”

That assurance didn’t stop the panic withdrawals. Within hours, users pulled nearly $10 billion from the platform. The entire crypto market took a hit.

Other crypto companies moved in to stabilize the situation. Gracy Chen, CEO of Bitget, sent Bybit a 40,000 ETH loan (worth roughly $100 million)—without interest or collateral. “We never questioned their ability to pay us back,” Chen said.

Between crisis meetings, Zhou kept updating users on X, even posting a health app screenshot that showed his stress levels were unusually low.

“Too focused commanding all the meetings. Forgot to stress,” he wrote. “I think it will come soon when I start to really grasp the concept of losing $1.5B.”

Meanwhile, Lazarus Group continued laundering the stolen funds. Using a money-laundering strategy seen in previous hacks, they spread the assets across countless wallets, funneling them through mixers and P2P networks. Despite Bybit and other exchanges freezing some funds, tracking the rest has become a race against time.
