Bibit CEO says 20% of the $1.4 billion stolen from the exchange is now untraceable. Hackers converted $1 billion to BTC in ETH via Thorchain and spread it. So far, 11 bounty hunters have helped freeze $42 million of stolen funds.
In a spectacular update, Bybit CEO Ben Zhou revealed that $280 million of the $1.4 billion stolen from Hack’s cryptocurrency exchange in February has disappeared into untraceable channels.
3.4.25 Executive Summary of Hacked Funds:
Total hacked funds are around US$140 million, with 77% still trackable, 20% dark and 3% frozen.
break:
-83% (417,348 ETH, ~$1 billion) was converted to BTC with 6,954 wallets (average 1.71 BTC each). This and…– Ben Zhou (@benbybit) March 4, 2025
A security breach caused by North Korean hacking group Lazarus stolen about 500,000 ether (ETH) from Bibit reserves. While the majority of the fund remains visible on the blockchain, Zhou’s announcement highlights the challenges investigators face when hackers compete against time to freeze their assets before they fully cash out.
The attack exploited a vulnerability in Safewallet, a third-party wallet platform used by Bybit. Lazarus Hackers compromised the developer’s device and injected malicious code that could suck up around $1.5 billion in ETH during daily transfers.
Despite Bibit’s quick action to support client assets in 1:1 within days, hackers are relentlessly moving stolen funds across multiple platforms, complicating recovery efforts.
Hackers used the funds by fragmenting Saucane
A significant portion of the stolen ether (417,348 ETH worth about $1 billion) has been converted to Bitcoin (BTC) and is scattered across 6,954 wallets each holding an average of 1.71 BTC.
Zhou noted that it is being injected through 72% of 361,255 ETH worth $900 million, or through Thorchain, a decentralized exchange known for its privacy features.
Thorchain alone handled a record $4.666 billion swap in the week ending March 2nd, earning more than $5.5 million in fees from these illegal transactions. This fragmentation and transformation strategy has made funding tracking more difficult for blockchain forensic teams.
Meanwhile, 20% of the stolen assets (a modestly 79,655 ETH) have “Dake.” This means that it is washed through platforms such as exchanges and is untraceable.
Zhou highlighted that an additional 40,233 ETH worth $100 million has passed through OKX’s Web3 proxy. Of this, 23,553 ETH ($65 million) remains untraceable without further cooperation from the OKX wallet team, while 16,680 ETH is still within the reach of investigators.
The CEO emphasized that the next week or two will be crucial as hackers prepare to offload haulages via exchanges, over-store (OTC) trading desks and peer-to-peer (P2P) networks.
Bybit enlisted in the Hunter of Grace in a Freezing Effort
To stop hackers, Bybit is seeking help from bounty hunters and security companies.
Zhou reported that 11 political parties, including prominent players such as Mantle, Paraswap and Blockchain Thruce ZachxBT, helped freeze $42 million, or 3% of the stolen funds.
So far, BYBIT has paid these contributors $2178 million in USDT as part of its recovery effort. The exchange partnered with Web3 security company Zeroshadow on February 25th to strengthen its blockchain forensics and maximize its asset recovery.
Despite these efforts, hackers show no signs of slowing down. Blockchain analytics firm Elliptic has identified over 11,000 wallets linked to the Lazarus Group, and proposes a vast network designed to blur the trucks.
Free Free Real-time By-bit Exploit Data 🚨
Elliptic launched a free data feed for illegal addresses linked to Bibit Exploits.
🔍Why is it important:
Minimize exposure to canction sanctions
Stop washing stolen funds
Enhance crypto securityAccess via CSV or API⬇️…pic.twitter.com/u9qa2tc8zz
– Oval (@elliptic) February 25th, 2025
Zhou has shown that an additional $65 million in ETH could be recovered with OKX support, but time runs out as attackers continue their laundry operations through platforms such as Exch and OKX Web3 Proxy.
