Lazarus Bridged $1.3B of Bybit ETH to Bitcoin

‍

The North Korean state-sponsored hacker group, Lazarus, has fully laundered the proceeds from the recent exploit of centralized exchange, Bybit’s ETH cold wallet, bridging 500,000 ETH (~$1.3B) tokens from Ethereum to native Bitcoin. The ETH was primarily bridged via the omni-chain liquidity layer, THORChain, which has processed over $5.5B in volume since the Bybit hack on 21st February. 72% of the proceeds were bridged via THORChain. Other laundering venus include THORChain frontend, AsgarDEX, and cryptocurrency exchange, eXch. 

"Chain hopping" is a laundering technique where criminals rapidly swap stolen assets between different blockchains—in this case, from Ethereum to Bitcoin. By moving funds across incompatible networks, hackers aim to break the transaction trail that investigators follow. While public blockchains are transparent, tracing funds across different chains requires specialized tools, buying the attackers time to further obfuscate the money before it reaches its final destination.

‍

‍

Through processing the transfers, the THORChain protocol netted $5.5M in fees, a sum which some critics argue should be returned to Bybit as part of hack proceeds.

The demand for a decentralized protocol to "return" fees highlights a fundamental conflict in the crypto space. Unlike a centralized company that can manually intervene or freeze funds, decentralized protocols like THORChain are governed by autonomous code. The fees collected are often automatically distributed to liquidity providers—regular users who deposited assets into the system—making a centralized "refund" technically difficult, if not impossible, without altering the protocol's core software.