Bybit CEO Ben Zhou has revealed that over a quarter of the funds stolen in the March Bybit hack can no longer be tracked while 84.5% has been converted to Bitcoin via Thorchain.
In an Apr. 21 post on X, Zhou shared a detailed update on the $1.5 billion hack, the biggest crypto theft to date. According to Zhou, 27.6% of the stolen assets have gone completely dark after moving through crypto mixers, cross-chain platforms, and eventually to over-the-counter and peer-to-peer exchanges.
4.21.25 Executive Summary on Hacked Funds:
Total hacked funds of USD 1.4bn around 500k ETH. 68.57% remain traceable, 27.59% have gone dark, 3.84% have been frozen. The untraceable funds primarily flowed into mixers then through bridges to P2P and OTC platforms.
Recently, we have…— Ben Zhou (@benbybit) April 21, 2025
The largest share, 68.6%, remains traceable, while only 3.8% has been frozen. The funds were first moved through the Wasabi mixer, reportedly favored by North Korea’s Lazarus Group. From there, they passed through platforms like Thorchain, eXch, Stargate, and SunSwap. Eventually, the funds reached OTC or P2P fiat exchange services, making them harder to trace.
Approximately 432,000 Ethereum (ETH), or 84.5% of the total amount of ETH that was stolen, was converted into Bitcoin (BTC) using THORChain (RUNE) and distributed among over 35,000 wallets. There are just 6,000 ETH, about 1.17% of the stolen funds, left on the Ethereum blockchain.
The hack has been linked to Lazarus, a state-sponsored organization in North Korea that frequently targets cryptocurrency platforms with cyberattacks. To obtain access, the group compromised a Safe{Wallet} developer system and introduced malicious code into the Bybit signers’ interface. The attackers redirected the funds to their own wallets while making the transactions look legitimate.
In response, Bybit froze any remaining assets, partnered with investigators to track down the stolen money, and offered a 10% bounty for assistance in recovering the funds. The exchange claims to have successfully managed to handle 99.99% of withdrawal requests, remaining fully solvent.
Zhou has called for more bounty hunters to help track down funds hidden through mixers, stating, “We need a lot of help there down the road.” In the past 60 days, 5,443 bounty reports were received of which 70 were valid bounty reports. The incident has increased pressure on the crypto industry to strengthen security and improve monitoring of cross-chain and privacy tools.
On Apr. 17, eXch, a privacy-focused crypto exchange implicated in the laundering, announced it would shut down on May 1. The team cited pressure from an international investigation and denied knowingly aiding illicit activity.
