North Korea’s Lazarus Group has been pushing forward with their efforts to launder funds from Bybit after executing what has been classified as the largest crypto hack in history, totaling $1.4 billion. The cyber attackers recently transferred an additional 62,200 ETH ($138 million) on March 1st. This transfer leaves them with only 156,500 Ethereum (ETH) remaining from the original theft. An analysis conducted by crypto researcher EmberCN revealed this information.
With the latest transfer, the total amount laundered by the hackers now stands at approximately 343,000 ETH, which accounts for close to 68.7% of the 499,000 ETH stolen during the attack on February 21. EmberCN’s analysis predicts that at the current pace, the hackers will likely clear the remaining funds within the next three days.
This accelerated laundering activity is happening in defiance of recent actions taken by the Federal Bureau of Investigation (FBI). The FBI publicly attributed the $1.5 billion hack to North Korea in a public service announcement on February 26th.
According to the FBI’s announcement, North Korea was identified as the perpetrator responsible for stealing around $1.5 billion in virtual assets from Bybit in February 2025. They have labeled this specific cyber operation as “TraderTraitor.”
The FBI uncovered that the TraderTraitor actors have been swift in their movements, having already converted portions of the stolen assets into Bitcoin and other cryptocurrencies, spreading them across multiple addresses on various blockchains. The FBI anticipates that these assets will undergo further laundering processes and eventually be converted into fiat currency.
In an effort to combat these illicit activities, the FBI is actively seeking assistance from the private sector. They have called upon RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions linked to the addresses being used by the TraderTraitor actors to launder the stolen assets.
To aid in the identification of suspicious addresses, the FBI has shared addresses associated with the hackers. Additionally, blockchain analytics firm Elliptic has ramped up its monitoring efforts by flagging over 11,000 wallet addresses that may be connected to the operation.
Chainalysis has reported that the hackers have utilized various mixing techniques to obfuscate the trail of the stolen funds. They have also converted portions of the ETH into Bitcoin (BTC), DAI stablecoin, and other assets. The group has predominantly utilized decentralized exchanges, cross-chain bridges, and instant swap services that do not have Know Your Customer (KYC) requirements.
Despite increased scrutiny and monitoring efforts, the Lazarus Group continues to maneuver through the complexities of laundering the stolen funds, underscoring the ongoing challenges in combatting sophisticated cybercriminal activities in the crypto space. As authorities and cybersecurity experts race to apprehend and disrupt the illicit operations of these actors, the cybersecurity landscape remains dynamic and ever-evolving.