Lazarus Completes Laundering of Stolen Bybit Ethereum Worth $1.39 Billion

Lazarus Group has successfully laundered all 499,000 ETH stolen from Bybit, valued at approximately $1.39 billion. 

According to blockchain security firm EmberCN, the North Korean-backed hackers completed the process within 10 days, making the stolen assets nearly impossible to recover. As the funds were moved through various mixing services and exchanges, Ethereum’s price dropped by 23%, falling from $2,780 to $2,130.

Chart showing Earnings & Fees. Source: EmberCN X account

Stolen Ethereum was moved through THORChain

Lazarus primarily used THORChain to launder the stolen cryptocurrency, pushing approximately $5.9 billion through the platform. As the hackers shuffled funds, the network collected $5.5 million in transaction fees. This marks the largest cryptocurrency laundering operation to date.

Despite Bybit’s efforts to track and recover the stolen assets, Ethereum has been dispersed across different wallets. The exchange launched a bounty program to incentivize individuals and companies to assist in tracing the transactions. So far, over $4 million has been awarded through the initiative.

Bybit’s bounty program offers millions of leads

Bybit CEO Ben Zhou remains committed to pursuing Lazarus and other bad actors in the industry. The exchange has launched LazarusBounty.com, a platform dedicated to rewarding those who help track down the stolen ETH. Anyone identifying and reporting a transaction linked to the Bybit hack will receive 5% of any recovered funds. Exchanges and mixers that cooperate will also be eligible for a 5% reward. The exchange has set aside approximately $140 million in bounties.

Zhou also introduced HackBounty, an industry-wide initiative designed to combat crypto theft. He expressed optimism that collaboration among exchanges and security experts could strengthen defenses against cyber threats.

Investigation links hack to safe wallet breach

The Bybit hack occurred on February 21 at 12:30 UTC when funds were transferred from a cold wallet to a hot wallet. Investigations by Sygnia Labs and Verichains revealed that the hackers altered the smart contract logic, redirecting the assets to a wallet they controlled.

Bybit determined the breach occurred through the transaction management software the company uses named SafeWallet. Specialists suggest Lazarus developers changed their JavaScript programming language to create this ETH diversion functionality. SafeWallet based their operation on AWS S3 and CloudFront services before the infrastructure apparently fell victim to a cloud system intrusion. The compromised developer machine within SafeWallet service allowed malicious code to inject before unauthorized transactions occurred.

The post Lazarus Completes Laundering of Stolen Bybit Ethereum Worth $1.39 Billion first appeared on Coinfea.