THORChain, a cross-chain swap protocol, witnessed a huge uptick in its activity as the party behind the Bybit heist attempted to launder stolen funds through the platform. The Bybit heist now tagged the largest cryptocurrency heist the world has ever seen, happened on February 21, 2025, and saw the exchange lose about $1.46 million in ETH and a smattering of other tokens. ETH holdings of the Lazarus Group as of February 21. Source: Arkham Intelligence According to the FBI and other on-chain sleuths, the North Korean Lazarus Group was behind the hack, so the consensus is that the same group attempted to clean the stolen funds through THORChain. The hackers most likely opted for THORChain because of its decentralized nature, which helped them launder their stolen funds while protecting their identities. Their activity has thrown the protocol into the public eye once more. However, THORchain needs not such negative attention as it struggling to stay afloat. It even had to pause lending operations earlier this year in a proactive attempt to prevent mass exit. THORChain’s volume before and after the hackers On-chain analyst Yu Jin claims the hackers converted the stolen Ethereum (ETH) into Bitcoin (BTC) via THORChain, which resulted in the generation network’s trading volume reaching $2.91 billion and earning the protocol $3 million in fees. Prior to the North Korean hackers using the platform to clean their dirty money, THORChain’s average daily transaction volume was about $80 million. However, when the laundering started from February 22 onward, that figure started rising rapidly, crossing an average of $580 million per day and totaling $2.91 billion in just five days. On February 26 alone, data from THORChain explorer revealed THORChain processed $859.61 million in swaps, its highest-ever daily volume, and added $210 million more on February 27, bringing the total to over $1 billion within 48 hours. If there was any doubt that the hack had something to do with the Lazarus Group, the decision to swap the Bybit funds for Bitcoin fits the North Korea-linked group’s modus operandi. The Federal Bureau of Investigation (FBI) issued a PSA implicating North Korea in the Bybit hack. Source: FBI THORChain does not appreciate the attention THORChain core developer and Nine Realms engineer going by the “Pluto” pseudonym acknowledged via a post on X (formerly Twitter) that illicit funds had indeed passed through the protocol. “When we first started seeing illicit flows on THORChain, our team bridged the gap for wallets and integration partners, helping them integrate screening services like @elliptic,” Pluto began in his post. He added that the team is actively working with wallet and integration partners to implement screening services to address this issue. “Everyone needs to work together to make a best effort at stopping these flows to the best of our ability without compromising L1 integrity,” Pluto also wrote . “It’s our job as L1 operators to ensure the 2nd and 3rd layers (aggregators and frontends) conform with industry best practices.” According to Pluto, if they don’t provide such guidance, governments will try to shut down L1s, which would deprive the world of “valuable public utility infrastructure.” Did THORChain play a part in stopping the hackers? The Bybit hack is now being considered a stress test on the ecosystem as it trudges toward mainstream adoption. In the past, word of such an event would have triggered mass panic on both the parts of the investors and service providers, but the industry went a different route this time. Bybit’s CEO Ben Zhou took a transparent approach, revealing what happened and reassuring its users that funds were safe even though there was withdrawal congestion. In the aftermath of the hack, Bybit also witnessed a show of solidarity from other exchanges, including Binance, who loaned it money to keep its withdrawals going. Many other exchanges and crypto entities have stepped in to help retrieve and freeze the stolen funds since then. Bybit also acknowledged THORChain’s effort in a post . The X post noted that THORChain blacklisted addresses linked to the hackers, but there is no clear evidence that the protocol stopped the hackers from laundering funds. One thing that is certain is that THORChain’s permissionless and decentralized nature was pivotal to the hackers’ decision to use it to launder funds even though its transparency aided tracking efforts. So, were the hackers able to get the stolen funds off THORChain? The answer is yes, but they did not get away with it without complications. They were able to clean significant amounts of the stolen assets—at least $250 million (100,000 ETH) within days, with some estimates suggesting up to 20% of the total amount (about $292 million) was processed by February 25. To get it out, they swapped the ETH to BTC, DAI, and other assets; then they split the funds across multiple wallets to avoid getting detected. It was smart but their moves were not hidden. Thanks to blockchain transparency, firms like Chainalysis and Elliptic were able to trace the fund movements, leading to some being frozen. The $1.46 billion in crypto stolen from Bybit on February 21, 2025, is the largest crypto theft ever. Source: Elliptic Research So far, Chainalysis has reported $40 million seized, and $42.85 million was frozen via coordinated efforts. Despite all the freezes and retrievals, reports claim the hackers still hold a substantial amount of ETH that far surpasses the holdings of prominent figures like the chain’s developer, Vitalik Buterin. The situation remains precarious, with the hackers racing to get their stolen funds off-chain. Bybit, supported by the authorities, continues to intensify efforts to retrieve its funds or track down the hackers. Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now
