North Korea’s Lazarus Group launders $1.39B in stolen Bybit ETH in just 10 days

North Korea’s Lazarus Group has executed one of the most sophisticated crypto laundering schemes to date, moving $1.39 billion in stolen Ethereum (ETH) from Bybit in just 10 days.

The cybercriminals exploited decentralized finance (DeFi) protocols, particularly THORChain, to obscure the origins of the funds.

According to a Mar. 4 post on X by on-chain analyst EmberCN, much of the stolen Ethereum was routed through THORChain, a decentralized cross-chain liquidity protocol, and then converted into Bitcoin (BTC).

Despite growing concerns about illicit activity, THORChain validators rejected a proposal to halt ETH transactions, leading to the resignation of a core contributor in protest.

Bybit CEO Ben Zhou also posted an update on Mar. 4, revealing that while 77% of the stolen assets remain traceable, 20% have disappeared, and 3% have been frozen.

The case has sparked renewed debate over DeFi’s role in facilitating financial crime and the limits of decentralised governance.

THORChain processed $605M in a day

THORChain recorded $605 million in transactions within 24 hours of the laundering process.

Overall, $5.9 billion in volume moved through the platform, generating $5.5 million in fees.

This has drawn widespread criticism, with one X user describing THORChain’s response as “negligence at best, greed at worst”.

Unlike centralised exchanges that impose compliance measures, THORChain operates under a decentralised governance model.

Despite clear evidence of illicit transactions, its validators chose not to intervene, allowing the funds to continue moving.

The refusal to act led Pluto, a core contributor, to resign in protest.

Breakdown of the stolen Bybit funds

According to Zhou’s X post, 83% of the stolen funds were converted into Bitcoin and distributed across 6,954 wallets.

A staggering 72% ($900 million) passed through THORChain before being rerouted via mixing services. Additional transactions included:

• 16% of the assets were processed through ExCH, making them untraceable.

• OKX Web3 Proxy handled 8% ($100 million), adding another layer of obfuscation.

Despite efforts to track the assets, 20% of the funds have gone dark, making them nearly impossible to recover.

Only 3% has been frozen by exchanges and authorities.

Bybit’s bounty programme recovers stolen assets

Bybit has since launched Lazarusbounty.com, a tracking initiative that rewards individuals and organisations helping to recover the stolen funds.

So far, $2.17 million in bounties has been paid to 11 contributors, with blockchain investigator ZachXBT, along with Mantle and Paraswap, among the top participants.

While Bybit and other exchanges have worked to contain the damage, the Lazarus Group’s rapid movement of funds highlights the increasing sophistication of crypto laundering methods.

Regulators may use this case to push for stricter oversight of DeFi protocols, which remain a critical blind spot in financial crime enforcement.