The cryptocurrency world faced its largest-ever heist on February 21, 2025, when hackers stole $1.4 billion in Ethereum (ETH) from Bybit, a Dubai-based exchange. Months later, Bybit CEO Ben Zhou provided a critical update, revealing that 88.87% of the stolen funds—approximately $1.24 billion—remains traceable on the blockchain. However, a significant portion, $16 million in Bitcoin (BTC), has already been funneled through the Wasabi mixer and offloaded to peer-to-peer (P2P) vendors, signaling active laundering efforts by the culprits, widely attributed to North Korea’s Lazarus Group. This saga continues to test the resilience of crypto security and recovery mechanisms.
The Heist and Initial Fallout
The breach targeted a Bybit cold wallet during a routine transfer, siphoning off 401,346 ETH—valued at $1.4 billion at the time—through a sophisticated attack involving malicious code in the third-party SafeWallet platform. Blockchain firms like Elliptic and Chainalysis quickly pinned the hack on Lazarus, a state-sponsored group linked to over $6 billion in crypto thefts since 2017. The stolen ETH, now worth $1.04 billion at $2,000 per ETH , was rapidly converted into 12,836 BTC ($1.23 billion at $83,000 per BTC), per Zhou’s update.
Bybit responded swiftly, securing a bridge loan to restore 1:1 client asset backing by February 24 and launching a $140 million bounty program. As of March 20, $4.3 million has been paid to 19 hunters for freezing $42.89 million—3.54% of the total. Zhou’s latest figures show 88.87% traceability, with 7.59% “gone dark” (untraceable) and 3.54% frozen, aligning with earlier reports of 77% traceability on March 4.
$16 Million Through Wasabi and P2P
A key revelation from Zhou’s March 20 statement is that $16 million in stolen BTC—approximately 193 BTC—has been processed through the Wasabi mixer and moved to P2P vendors. Wasabi, a non-custodial CoinJoin tool, blends transactions to obscure origins, a tactic Elliptic notes is favored by Lazarus. Zhou’s X post specifies hackers using multiple mixers—Wasabi, CryptoMixer, Railgun, and TornadoCash—with Wasabi explicitly tied to this $16 million tranche, “193 BTC already washed via Wasabi.” The funds’ journey to P2P vendors—platforms like Paxful where BTC is traded directly for cash—marks a critical laundering stage.
Bybit’s Countermeasures
Bybit’s recovery efforts have frozen $42.89 million, with exchanges like Binance and OKX locking suspect accounts—$43,000 on OKX alone. The bounty program, offering 10% of recovered sums, has validated 63 of 5,012 reports by March 20. Zhou stressed urgency on March 4: “This and the coming week is critical for fund freezing”, a window now narrowing as P2P activity rises.
The exchange remains solvent, with Zhou asserting $20 billion in assets (Reuters, February 21) and client funds secure. However, the hack’s scale— dwarfing the $611 million Poly Network theft (Reuters, February 24)—has intensified scrutiny on Bybit’s reliance on SafeWallet, compromised via a developer’s device.
For Bybit’s 60 million users, this saga blends hope and unease—89% traceability offers a lifeline, yet $16 million slipping away stings. Zhou’s updates signal transparency, a balm for a rattled community, while bounty hunters embody a collective fightback. But as Lazarus exploits tools like Wasabi, it’s a sobering reminder: crypto’s openness is both its strength and its Achilles’ heel.
Disclaimer: TrueToCrypto.com (the “Website”) is for general informational purposes only and is obtained from independent sources that are believed to be reliable. However, TrueToCrypto.com, its owners, affiliates, officers, employees, and agents (collectively, “We,” “Us,” or “Our”) make no representations or warranties, express or implied, as to the accuracy, completeness, timeliness, reliability, or suitability of the information contained on or accessed through this Website. Further read Disclaimer.
