In an executive report posted on X on April 21, Zhou stated that out of the total $1.4 billion stolen, around 68.6% is still traceable, 27.6% has “gone dark,” and only 3.8% has been frozen.
According to Zhou, the untraceable portion was primarily funneled into crypto mixing services, then routed through bridges to peer-to-peer (P2P) and over-the-counter (OTC) platforms.
The attack, which occurred in February, is considered the largest crypto exchange hack to date. Lazarus Group exploited vulnerabilities in Bybit’s cold wallet infrastructure to carry out the theft.
“We found that the mixer most frequently used by North Korea recently is Wasabi,” Zhou noted. After laundering Bitcoin through Wasabi, a small portion was further processed through CryptoMixer, Tornado Cash, and Railgun.
Zhou confirmed that 944 Bitcoin, valued at approximately $90 million, was laundered through Wasabi. Multiple cross-chain and swap operations were then conducted via platforms like THORChain, eXch, Lombard, LI.FI, Stargate, and SunSwap, before the stolen funds eventually made their way into P2P and OTC services.
Additionally, about 432,748 Ether — roughly 84% of the total stolen amount, valued at around $1.21 billion — was converted from Ethereum to Bitcoin via THORChain. Around two-thirds of that amount, or approximately $960 million worth of Ether, has been exchanged for 10,003 BTC, dispersed across 35,772 different wallets.
Zhou also reported that roughly $17 million worth of Ether remains on the Ethereum blockchain, spread across 12,490 wallets.
Bybit Has Paid Out $2.3 Million in Bounties
Zhou revealed that out of over 5,400 bounty submissions received over the past 60 days through the “Lazarus Bounty” program, only 70 were deemed valid.
Launched in February, the program offers a total reward pool of $140 million for any information leading to the freezing or recovery of stolen funds. To date, Bybit has paid out $2.3 million to 12 individuals or entities, with the majority going to Mantle — a layer-2 platform that played a key role in freezing $42 million of the stolen funds.
“We welcome more reports and need more bounty hunters capable of decoding mixer activity. This is an area where we need long-term help,” Zhou emphasized.
In a related development, the crypto exchange eXch announced on April 17 that it would cease operations on May 1, following reports that it had been used to launder stolen funds from the Bybit hack.
