Lazarus Group Converts Stolen ETH to Bitcoin
Hackers behind the Bybit exploit, believed to be linked to North Korea’s Lazarus Group, have converted over 209,384 ETH (~$480 million) into Bitcoin, primarily using ThorChain, according to Ethereum security expert Taylor Monahan.
The stolen funds represent more than half of the 400,000 ETH taken during last Friday’s $1.5 billion hack on Bybit. The FBI has since confirmed that the attack was executed by North Korean TraderTraitor actors, who specialize in laundering stolen crypto.
Arkham Intelligence, which has been tracking the hacker wallets, revealed that $240 million in ETH was laundered via ThorChain, a decentralized cross-chain swapping protocol that enables the direct conversion of assets between blockchains.
ThorChain Swaps and Laundering Tactics
The attackers have executed over 3,900 transactions to bridge ETH through ThorChain and other blockchain tools, including:
- Asgardex
- DeFiSwap
- FortunaSwap
- GemWallet
- TrustWallet
ThorChain processed $737 million in total swaps on Wednesday, its highest single-day trading volume ever.
Despite community concerns, ThorChain validators failed to block the stolen funds from moving. Three validators initially voted to halt transactions linked to the Bybit hack, but the decision was quickly overturned, citing the protocol’s decentralization.
Bybit Offers Bounty to Freeze Stolen Funds
Bybit’s CEO announced that the exchange would offer a 5% bounty to exchanges, bridges, and mixers that help freeze hacker-associated funds. This follows the 10% bounty offered for returning the funds.
With $43 million in stolen ETH already frozen, the focus now shifts to preventing Lazarus from further laundering and converting assets to fiat.
