April 21, 2025

Nearly 28% of crypto stolen in $1.4B Bybit hack has “gone dark”


Bybit’s CEO has called for more bounty hunters to help trace stolen crypto, as nearly 28% of the $1.4 billion looted by North Korea’s Lazarus Group remains unaccounted for.

While detailing the summary on hacked funds in an April 21 X post, co-founder and CEO Ben Zhou said that about $386 million worth of the hacked funds has “gone dark” after being funneled through mixers and bridges towards several peer-to-peer and over-the-counter platforms.

Ben Zhou (@benbybit), 8:44 am · 21 Apr 2025:

4.21.25 Executive Summary on Hacked Funds: Total hacked funds of USD 1.4bn around 500k ETH. 68.57% remain traceable, 27.59% have gone dark, 3.84% have been frozen. The untraceable funds primarily flowed into mixers then through bridges to P2P and OTC platforms. Recently, we have

For those unaware, crypto mixers are services that hide the origin of digital assets by blending funds from multiple users and redistributing them to new addresses. This process breaks the on-chain link between sender and receiver, making tracking much more difficult. Cryptocurrency mixers were primarily created as a privacy-enhancing tool, but they are also widely exploited for laundering stolen funds.

According to Zhou, the attackers drained around 500,000 ETH in February by taking control of a cold wallet. Roughly 68.6% of the stolen funds remain traceable, while recovery efforts have so far frozen just under 4%, a relatively small portion, amounting to around $54 million.

The stolen ETH was primarily moved to Bitcoin via THORChain, with 432,748 ETH (around $1.21 billion) swapped out. Of this, 342,975 ETH, valued at roughly $960 million, was converted into 10,003 BTC and split across nearly 36,000 wallets. Another 5,991 ETH, or approximately $17 million, remains on Ethereum dispersed across 12,000 wallets.
On the Bitcoin side, Zhou revealed that 944 BTC (approximately $90 million) went through the Wasabi mixer, with smaller amounts then entering other services, such as CryptoMixer, Tornado Cash, and Railgun. Bad actors also leveraged cross-chain swaps using platforms such as eXch, Lombard, LiFi, Stargate, and SunSwap before ultimately liquidating via fiat off-ramps.

To track these movements, Bybit launched the Lazarus Bounty program in February, offering $140 million in rewards for anyone who can help with the recovery process. So far, only 70 out of more than 5,400 reports have been validated. The bulk of the $2.3 million in bounties paid has gone to layer-2 platform Mantle, which helped freeze $42 million worth of the stolen crypto.

“We need more bounty hunters that can decode mixers,” Zhou said, noting the rising complexity in tracing these funds as they bounce across multiple chains.

History of the Bybit hack

The Bybit hack in February 2025 became the largest security incident the crypto industry has witnessed since its inception. North Korean state-sponsored hacking group Lazarus has been named as the key suspect behind the breach.

On February 21, the attackers reportedly exploited Bybit’s Ethereum multisig cold wallet during a routine transfer to the exchange’s warm wallet by manipulating the signing interface. Although the correct wallet address was displayed on Bybit’s end, the underlying smart contract logic had been altered to reroute funds to the hackers.

A separate report released in March by cybersecurity firm Mandiant claimed that the breach may have started with a malware-laced fake stock investment project. The malware was allegedly downloaded onto a Mac laptop belonging to a developer at Safe{Wallet}, a third-party infrastructure provider integrated with Bybit.


Source: Invezz
