The hacker behind the $1.4 billion Bybit exploit has already laundered more than 50% of the stolen Ethereum, primarily using THORChain to swap ETH for Bitcoin. According to blockchain analytics firm Spot On Chain’s Feb. 28 post on X, the attacker has laundered 266,309 Ethereum ( ETH ), about $614 million, in the past 5 days at an average rate of 48,420 ETH per day. If this pace continues, the remaining 233,086 ETH could be fully laundered within another five days. 🚨 The #Bybit hacker has laundered over 50% of the stolen $ETH within a week post-hack. In the past 5.5 days, 266,309 $ETH ($614M)—53.3% of the stolen 499K ETH—has been washed away, mostly via #THORChain for $BTC , at a rate of 48,420 $ETH per day. At this pace, with 233,086… https://t.co/LkFsX6AeYg pic.twitter.com/vYQUcUBQes — Spot On Chain (@spotonchain) February 28, 2025 The hacker’s money-laundering rampage has caused a record-breaking spike in THORChain ( RUNE ) activity. crypto.news reported on Feb. 27 that daily transaction volumes increased dramatically from an average of $80 million to $580 million per day starting on Feb. 22. In just five days, the total transaction volume reached $2.91 billion, with THORChain earning $3 million in fees from the increased usage. Feb. 26 alone saw a record-breaking $859.61 million in swaps, followed by an additional $210 million on Feb. 27, pushing the two-day total past $1 billion. You might also like: China’s underground networks were ready for Bybit incident, analysts say In a Feb. 26 statement , the U.S. Federal Bureau of Investigation officially linked North Korean hackers to the heist. According to the FBI, the Bybit hack, known as “TraderTraitor,” is part of a wider series of cyberattacks attributed to North Korean state-sponsored hackers. Meanwhile, forensic investigations by Sygnia Labs and Verichain confirmed that Bybit’s security infrastructure remained intact despite the breach. A detailed post-mortem of the hack revealed that the vulnerability was linked to a Safe Wallet developer machine that had been compromised. The attackers exploited this machine to insert malicious JavaScript code into the Gnosis Safe UI, specifically targeting Bybit’s cold wallet. Safe has affirmed that its smart contracts are safe, but the incident shows that hackers are increasingly focusing on infrastructure providers rather than exchanges themselves. Bybit has launched a website to track the laundering of its stolen funds and is offering a bounty to exchanges that assist in recovering the assets. Read more: Bybit hack a ‘North Korea issue’ and not a crypto issue: pro
