The hacker responsible for the $1.4 billion exploit of Bybit has successfully laundered over 50% of the stolen Ethereum, predominantly utilizing THORChain to exchange ETH for Bitcoin.
Recent analytics indicate that the perpetrator has laundered 266,309 Ethereum (ETH)—approximately $614 million—over the last five days, averaging 48,420 ETH per day. If this trend persists, the remaining 233,086 ETH could be fully laundered within an additional five days.
The laundering activities have resulted in an unprecedented surge in THORChain (RUNE) activity, with daily transaction volumes soaring from an average of $80 million to an astounding $580 million starting February 22.
Within just five days, total transaction volume reached $2.91 billion, yielding THORChain $3 million in fees due to the heightened activity. Notably, February 26 recorded $859.61 million in swaps alone, followed by $210 million on February 27, pushing the two-day total beyond $1 billion.
The U.S. Federal Bureau of Investigation (FBI) has officially connected the breach to North Korean hackers, identifying the Bybit incident, dubbed “TraderTraitor,” as part of a broader campaign of cyberattacks attributed to state-sponsored actors from North Korea.
Forensic analyses by leading security firms confirmed that Bybit’s security measures were not compromised despite the exploit. Investigations revealed that the vulnerability was related to a compromised developer machine of Safe Wallet, which was used to insert malicious JavaScript code into the Gnosis Safe UI, targeting Bybit’s cold wallet. Safe has assured that its smart contracts remain secure, indicating a troubling trend where hackers are increasingly targeting infrastructure providers rather than exchanges themselves.
In response, Bybit has launched an initiative to track the laundering of its stolen funds and is offering rewards to exchanges that help recover the misappropriated assets.
