Lazarus starts laundering the 400,000 Ether it stole from Bybit

In this post:

  • Lazarus just started laundering 5,000 ETH from the Bybit hack, using eXch (a mixer) and Chainflip to bridge funds to Bitcoin.
  • ZachXBT exposed the laundering path, but later deleted his Telegram post. He also linked the Bybit hack to Phemex using an overlap address.
  • Bybit saw $4 billion in inflows in 12 hours, mostly from cold wallets to hot wallets for withdrawals and external bridge loans.

North Korean hacking group Lazarus just started laundering 5,000 ETH from the $1.5 billion Bybit hack, kicking off their typical complex operation to clean the money.

Blockchain investigator ZachXBT exposed the movement, sharing wallet addresses and timestamps in a Telegram update. It was confirmed shortly afterward by Bybit CEO Ben Zhou in an X post, though less than an hour later Zach deleted the post.

The stolen crypto first landed in a new Ethereum address, then got routed through eXch, a centralized mixer, before being bridged to Bitcoin via Chainflip.

Bybit sees massive inflows as funds move

Meanwhile, Bybit is seeing massive inflows amid the disaster. Data from SoSoValue and TenArmor shows that in the past 12 hours, the exchange received over $4 billion in deposits, with 63,168.08 ETH, $3.15 billion in USDT, $173 million in USDC, and $525 million in CUSD.

Most of this comes from Bybit cold wallets to hot wallets, fueling withdrawals and bridge loans from external liquidity providers.

Minutes after deleting the Telegram post, Zach made a post on X, connecting the Bybit hack to the Phemex hack, exposing an overlap in stolen funds. “Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain, commingling funds from the initial theft address for both incidents,” Zach said in his post.

A shared address—0x33d057af74779925c4b2e720a820387cb89f8f65—links the two attacks, according to Zach. Bybit’s Ben Zhou confirmed that withdrawals are now back to full speed.

“12 hours from the worst hack in history. ALL withdrawals have been processed. Our withdrawal system is fully back to normal pace. You can withdraw any amount and experience no delays,” he said.

Zhou also promised a full incident report and new security measures in the coming days. “Bybit will come out with a full incident report as well as security measures in the next few days. I will personally keep you all posted.”

Meanwhile, Elliptic, Chainalysis and Arkham Intelligence tracked the stolen ETH across 39 different addresses as it was quickly shuffled and offloaded. Arkham then announced a $36K bounty for the hacker’s identity, and Zach won it shortly after by exposing Lazarus.

According to records kept by Elliptic, the Bybit hack is now the largest crypto theft in history, overtaking the $611 million stolen from Poly Network (2021), and $570 million drained from Binance (2022).

Lazarus has a history of draining crypto platforms to fund North Korea’s regime. The group first hit South Korean exchanges in 2017, stealing $200 million in Bitcoin. Since then, they’ve perfected advanced crypto laundering methods, hiding funds through mixers, bridges, and obscure DeFi protocols.

Elliptic’s Tom Robinson confirmed Friday that all stolen wallet addresses have been flagged to prevent laundering through major exchanges.

“The more difficult we make it to benefit from crimes such as this, the less frequently they will take place,” Robinson wrote in a post.
