While Bybit fully replaced the stolen funds through loans and purchases, blockchain investigators linked the laundering efforts to Solana meme coin scams, including rug pulls on Pump.fun. On-chain data suggests that wallets involved in the Bybit hack were also tied to the $29 million Phemex hack. Meanwhile, Solana’s network has seen a sharp decline in user activity due to the meme coin controversy, but analysts believe addressing these security challenges could strengthen the blockchain’s long-term resilience. Bybit Crypto Likely to Be Laundered Through Mixers The recent $1.4 billion hack of Bybit, which was the largest crypto heist in history, is now entering the laundering phase . Blockchain security firm Elliptic attributed the attack to North Korea’s Lazarus Group, and reported that the hackers are trying to obfuscate the transaction trail by engaging in a process that is known as layering. This process involves spreading funds across multiple wallets, swapping assets through decentralized exchanges, and using cross-chain bridges. Elliptic suggested that mixers like Tornado Cash could be used next, although laundering such a big sum could prove challenging. (Source: Elliptic ) The theft took place on Feb. 21, after which the stolen assets were distributed to 50 different wallets within just two hours. Each received approximately 10,000 ETH. At least 10% of the stolen funds have since moved from these wallets, which indicates that the hackers are actively trying to conceal their tracks. One unnamed service provider has been singled out by Elliptic as a key player in facilitating this laundering process after it refused to block transactions despite direct requests from Bybit. A well known exchange, eXch, has also been linked to the laundering efforts due to allegations that it enabled tens of millions of dollars in stolen crypto to be swapped anonymously. However, eXch denied any involvement in helping the Lazarus Group. (Source: X ) The North Korean hacking collective previously laundered more than $200 million worth of stolen crypto assets between 2020 and 2023, primarily using mixers and peer-to-peer marketplaces. However, recent reports from Chainalysis suggest that criminal groups like Lazarus have increasingly turned to cross-chain bridges as a more effective way to launder illicit funds. Despite the severity of the attack, Bybit’s CEO reassured users that a new audited proof-of-reserve report is expected to be published soon. Bybit Replaces Stolen Funds After Hack Bybit CEO Ben Zhou recently confirmed that the crypto exchange was able to fully replace the $1.4 billion worth of ETH that was stolen in the Feb. 21 hack. Zhou announced that a new audited proof-of-reserve report will be published soon which will prove client assets are back at a 1:1 ratio using a Merkle tree verification system. The statement was made after blockchain analytics firm Lookonchain estimated that Bybit received approximately 446,870 ETH, worth around $1.23 billion, through a combination of loans, whale deposits, and purchases. This covers nearly 88% of the stolen funds. Lookonchain’s analysis revealed that a Bybit-linked wallet address “0x2E45...1b77” bought 157,660 Ether, valued at $437.8 million, through over-the-counter transactions with major crypto investment firms, including Galaxy Digital, FalconX, and Wintermute. Another $304 million in Ether was reportedly purchased using the wallet address “0xd7CF...A995,” which has been linked to transactions on both centralized and decentralized exchanges. Arkham Intelligence data also indicates that this address interacted with Binance and MEXC hot wallets, which also supports the claim that these funds are tied to Bybit’s replenishment efforts. Multiple transfers were made to these wallet addresses to accumulate the necessary funds, with the first purchase from “0x2E45...1b77” occurring on Feb. 22 at 4:44 pm UTC. Despite the scale of the hack, Bybit has continued to operate normally, and customer withdrawals reached $5.3 billion on Feb. 22. Proof-of-reserve auditor Hacken verified that Bybit’s reserves still exceed its liabilities, which means that user funds remain fully backed. Bybit’s total assets currently stand at $10.9 billion, according to DefiLlama data . The hack initially triggered a sharp decline in ETH’s price, which fell over 7% in seven hours, dropping from $2,831 to $2,629. However, the cryptocurrency has since rebounded to around $2,734, according to CoinMarketCap data . ETH’s price action over the past week (Source: CoinMarketCap ) Overall, the quick response by Bybit to replace the stolen funds reassured users and the broader crypto community that the exchange is taking the breach and its users' funds very seriously. Bybit Hack and Solana Scams Share Same Laundering Trail It is a well known fact that the Lazarus Group is the primary suspect behind the $1.4 billion Bybit hack, but new evidence suggests that the hack may also be linked to recent Solana meme coin scams. These include rug pulls on the Pump.fun platform, according to on-chain investigator ZachXBT. The attack on Bybit is the largest crypto hack in history, and its losses included liquid-staked Ether (stETH), Mantle Staked ETH (mETH), and other digital assets. Blockchain security firms like Arkham Intelligence identified the North Korean state-backed hacking collective as the most likely culprit behind the exploit. (Source: Telegram) ZachXBT’s findings suggest that the same entity responsible for laundering the hacked Bybit funds may also be involved in fraudulent meme coin launches on Solana’s Pump.fun. He pointed out that on Feb. 22, the attacker transferred $1.08 million from the Bybit hack to an Ethereum address, which then bridged USDC to Solana. The funds were subsequently distributed across multiple wallets on Solana, some of which had previously been tied to meme coin scams. The investigator also revealed that more than 920 addresses receiving funds from the Bybit hack were linked to a person laundering funds for Lazarus Group, who also launched meme coins through Pump.fun. Onchain data also suggests that the same wallets associated with the Bybit hack were involved in the $29 million Phemex hack in January. The connection between Lazarus Group and the Pump.fun platform is happening during a surge in meme coin scams on the Solana blockchain. Investor sentiment took a big hit after the collapse of the Libra (LIBRA) token, which was endorsed by Argentine President Javier Milei. The project’s insiders allegedly pocketed over $107 million in a rug pull, which caused a 94% price crash within hours and wiping out $4 billion in investor capital. So far, the rising frequency of these scams had a very noticeable impact on Solana’s ecosystem, with monthly capital inflows turning negative at -5.9%, according to Glassnode . Solana user activity also saw a decline, with the number of active addresses on the network dropping to a weekly average of 9.5 million in February. This is a sharp 40% decrease from the 15.6 million active addresses that was recorded in November of 2024. According to CryptoVizArt, a senior analyst at Glassnode, this is a major cooldown for the blockchain, although activity is still higher than pre-bull market levels. Despite these challenges, some analysts believe the increased scrutiny on Solana’s security issues may ultimately benefit its long-term growth. Blockchain researcher Aylo suggested in a Feb. 18 post that addressing these vulnerabilities could actually strengthen Solana’s position in the crypto market.
