Bybit: 20% of Hacked Funds Untraceable

In a recent update on the aftermath of the Bybit hack, CEO Ben Zhou revealed a somewhat concerning detail: up to 20% of the stolen funds have vanished into the digital abyss, becoming untraceable. However, it’s not all bad news, as Zhou also pointed out that a significant 77% of the funds are still being tracked, offering a glimmer of hope for potential recovery.
It’s been nearly two weeks since the security breach at Bybit, and those pilfered funds have been busy, bouncing around through numerous transactions. CEO Ben Zhou gave an update, noting that while a small 3% has been successfully intercepted and frozen, a chunkier 20% has unfortunately slipped off the radar, going “dark.” On the brighter side, the majority, 77%, are still being actively tracked.
3.4.25 Executive Summary on Hacked Funds:
Total hacked funds of USD 1.4bn around 500k ETH, 77% are still traceable, 20% has gone dark, 3% have been frozen.
Breakdown:
– 83% (417,348 ETH, ~$1B) have been converted into BTC with 6,954 wallets (Average 1.71 btc each). This and…
— Ben Zhou (@benbybit) March 4, 2025
The Bybit hack wasn’t just a test for the exchange itself; it also put crypto industry partnerships to the test. Zhou mentioned that 11 different partner organizations stepped up to help, participating in the effort to freeze the stolen assets.
According to Zhou, a large portion of the Ethereum (ETH) was funneled through THORChain in an attempt to launder it. Interestingly, this very move to THORChain is what allowed investigators to follow the money trail. The ETH was then swapped for Bitcoin (BTC), a move that might sound like obscuring the funds further, but even Bitcoin transactions, while they can be mixed, aren’t completely invisible.
Currently, a significant amount of the recovered funds is being automatically distributed into fresh Bitcoin wallets, each holding a balance of about 1.71 BTC. The sheer number of these wallets poses a challenge for Bybit’s team, making it a long and complex process to intercept each one, particularly if the funds are pushed into less regulated, “risky” external markets for further laundering.
Non-KYC Exchanges: A Hacker’s Haven?
It appears a significant portion of the “dark” funds found their way to eXch, a cryptocurrency exchange that doesn’t require Know Your Customer (KYC) verification. eXch was reportedly one of the first platforms to receive deposits from the hacker’s wallets. Bybit revealed they reached out to eXch over ten days prior but have yet to receive any response.
Adding a twist to the recovery story, bounty hunters, particularly from Mantle, have played a role in uncovering some of the lost funds. These efforts, along with others highlighted on platforms like Lazarus Bounty Hunters, have proven fruitful. In fact, it’s reported that over $41 million in funds, previously thought to be lost, have been intercepted thanks to these combined efforts.
Looking ahead, the possibility of recovering even more funds might hinge on the cooperation of OKX and their Web3 wallet team, specifically regarding transaction history and user data.
ETH Vanishes: Hacker Successfully Swaps All Holdings
In a swift ten-day window, the Bybit hacker managed to completely convert all the stolen Ethereum—a staggering 499,395 tokens, according to estimates. THORChain emerged as the primary tool for these rapid swaps, offering a way to move funds quickly, even if those movements were, ultimately, traceable.
The #Bybit hacker has laundered all the stolen 499,395 $ETH ($1.04B currently), mainly through #THORChain.
— Lookonchain (@lookonchain) March 4, 2025
Bybit’s team is also actively engaging with THORChain, exploring all avenues to track the flow of funds. For now, the Bitcoin wallets where the majority of the funds are currently held are still accessible and unrestricted, aside from being flagged for monitoring.
While THORChain has the technical capability to monitor and block suspicious addresses interacting with its network nodes, implementing these blocks relies on node consensus. THORChain has received a list of addresses linked to the hack that could be blacklisted from swaps. However, getting all nodes on board with this list is proving to be a challenge. It’s important to note that THORChain itself isn’t connected to the hack; it was simply the most convenient and readily available tool for the hacker to quickly execute large-scale swaps.
THORChain is advising its US-based node operators to monitor addresses flagged on an FBI watchlist. When it comes to specifically tracking addresses related to the Bybit hack and the Lazarus group, the strategy is still being worked out.
Interestingly, THORChain handled an estimated 70% of all the swaps related to the Bybit hack. February 24th marked the peak day of this activity, with THORChain experiencing its highest transaction volume since 2023.
Elliptic Enters the Bybit Investigation with Real-Time Fund Tracing
In the wake of a massive hack like this, one of the toughest challenges is quickly alerting all relevant parties and beginning to intercept transactions from the compromised wallets. Elliptic, a blockchain analytics firm, has stepped in, deploying automated tracking tools. These tools have already proven effective, reportedly intercepting $150,000 of the Bybit funds as they were being moved to another exchange.
Elliptic maintains its own blacklist of cryptocurrency addresses, specifically targeting those associated with the current Bybit breach and previous exploits linked to the Lazarus group.
This recent security incident appears to have sparked an unprecedented level of collaboration within the crypto space. Historically, exchanges have often taken a more limited approach to fund interception. However, the sheer scale of the Bybit hack has seemingly galvanized protocols across the board to actively pursue the recovery of funds wherever possible. Adding to the positive notes, despite facing what is possibly their largest security incident to date, Bybit remarkably maintained continuous withdrawals and successfully restored its liquidity position within just days.