Hackers Launder $1.4B Bybit Heist: The Crypto Trail Exposed – Ankor Tech

Hackers linked to the North Korean government have successfully laundered nearly the entire $1.4 billion stolen from the Bybit exchange. Following the February 21 breach—the largest cryptocurrency theft in history—investigators confirm the proceeds have been converted into Bitcoin and dispersed across approximately 4,400 digital addresses.

The Mechanics of a Record-Breaking Heist

The attack, which saw 401,346 Ethereum siphoned from a Bybit wallet, has drawn intense scrutiny from the FBI and leading blockchain intelligence firms. Experts from Elliptic, TRM Labs, and Chainalysis have been tracking the funds as they moved through a sophisticated multi-stage laundering operation.

According to Andrew Fierman, head of national security intelligence at Chainalysis, roughly 90% of the stolen assets are now held in Bitcoin. The remaining 10% has been lost to transaction fees, frozen by platforms, or moved through off-ramps, which convert cryptocurrency into fiat currency.

Operational Efficiency and the Use of Mixers

Between February 24 and March 2, the perpetrators demonstrated unprecedented speed. By utilizing THORSwap, a decentralized protocol, the hackers swapped assets across blockchains without intermediaries, effectively obscuring the origins of the stolen capital.

Ari Redbord, global head of policy at TRM Labs, noted that this level of efficiency suggests North Korea has either scaled its own infrastructure or is leveraging advanced underground financial networks in China. The current phase of the operation involves funneling the Bitcoin into crypto mixers—services designed to scramble transaction histories and frustrate forensic investigators.

Can the Funds Be Recovered?

Despite the hackers’ progress, the path to cashing out remains fraught with obstacles. Mixers typically process only a few million dollars daily, raising questions about whether they can absorb the sheer volume of the Bybit heist.

Recovery efforts are ongoing. Bybit has initiated a bounty program, offering rewards for information leading to the freezing of assets. To date, the exchange has paid $4.3 million to 19 bounty hunters, as detailed on the official bounty portal. Experts remain cautiously optimistic that if the funds pass through centralized exchanges, they could still be intercepted and blocked by authorities.

Tom Robinson, co-founder of Elliptic, emphasized that while the hackers have moved the money, they have not yet realized their gains. The race between the perpetrators attempting to liquidate the assets and investigators working to blacklist the stolen funds continues to be a high-stakes test for global anti-money laundering (AML) mechanisms.