Uncovering the Aftermath of the Bybit Hack: Where Did the Stolen ETH Go?
Stolen Assets Representing 20% of CEO's Claim Hidden in Obscurity
The infamous Bybit hack, which took place on February 21, 2025, yielded an enormous haul of approximately $1.4 billion in liquid-staked Ether (STETH), Mantle Staked ETH (mETH), and various ERC-20 tokens [enrich1]. As of now, roughly 46% of the stolen assets remain untraceable, leaving a trail of roughly $693 million that has been identified [enrich1].
The remaining $62.9 million of those traceable funds have already been frozen, and the coming weeks are seen as critical for freezing the rest [enrich2]. The coins will start to be "cleaned" on various platforms such as exchanges, OTC, and P2P marketplaces during this window [enrich2].
The Journey of Traced ETH
From the traceable funds, approximately 83% (which amounts to 417,348 ETH) was converted into Bitcoin, with this conversion taking place across 6,954 wallets with an average of 1.71 BTC each [base]. This massive conversion played out primarily through the THORChain [base], though the exact methods used for the conversion are not specified.
Significant portions of the traceable ETH were routed through the cross-chain protocol, with 361,255 ETH (around 72%) passing through [base]. This fraction can be monitored by Bybit [base]. Another 79,655 ETH (16%) was directed through the DEX called ExCH [base].
Approximately 40,233 ETH or $100 million (accounting for 8% of the losses) was sent through the OKX Web3 Wallet proxy [base]. Out of this amount, 16,680 ETH can be tracked by the exchange's analysts, but information on 23,553 ETH ($65 million) remains unavailable [base].
The Bounty Program and Its Results
Bybit CEO Ben Zhou has provided an update on the bounty program, which saw 11 participants contribute to the freezing of some funds [base]. The Mantle and Paraswap teams, as well as on-chain analyst ZachXBT, stood out in these efforts, with payouts reaching $2.18 million in USDT [base].
Accusations and Analysis
The Federal Bureau of Investigation (FBI) has implicated North Korea's Lazarus Group (also known as TraderTraitor, APT38, BlueNoroff, and Stardust Chollima) in the Bybit hack [base]. Cryptopunk Adam Back pointed to the "flawed EVM design" as the root cause of the exchange hack [base]. Analysts from Sygnia suggest that the incident occurred due to a vulnerability in the Safe infrastructure, a claim that has since been criticized by Binance founder Changpeng Zhao [base].
The conversion of the traced ETH from the Bybit hack resulted in approximately 417,348 ETH being converted into Bitcoin, primarily through the THORChain. Roughly 72% of the traceable ETH passed through the cross-chain protocol, while another 16% was directed through the DEX called ExCH. Additionally, notable contributions were made by various entities in the bounty program, such as the Mantle and Paraswap teams and on-chain analyst ZachXBT.
