Lazarus Group Launders $480M in ETH via ThorChain After $1.5B Bybit Hack

Lazarus Group laundered $480M in ETH from the $1.5B Bybit hack via ThorChain, sparking debates over decentralization and illicit finance.

Zagham Abbas
February 28, 2025
3:07 pm

Zagham Abbas

Zagham is a renowned crypto journalist known for his insightful analysis and in-depth reporting on the cryptocurrency industry.

North Korea’s Lazarus Group converts $480M ETH to BTC using ThorChain after the $1.5B Bybit hack.
Decentralized governance on ThorChain allows illicit transactions to continue despite initial attempts to block them.
ThorChain’s RUNE token sees a surge in trading activity amid controversy over its role in laundering stolen crypto.

The hackers behind the recent $1.5 billion Bybit exploit, identified as North Korea’s notorious Lazarus Group, have converted at least 209,384 ETH (~$480 million) into Bitcoin, according to MetaMask’s Head of Security, Taylor Monahan. The massive fund transfer, representing over half of the stolen 400,000 ETH, was tracked by blockchain analytics firm Arkham Intelligence.

Arkham Intelligence revealed that at least $240 million of the stolen funds had been laundered using ThorChain, a decentralized cross-chain trading protocol. The hackers primarily swapped the stolen crypto for native BTC, leveraging ThorChain’s non-custodial nature to obfuscate the transactions.

ALERT: LAZARUS LAUNDERING THROUGH THORCHAIN – MINIMUM $240M SO FAR

Over $240M of ETH has been sent through Thorchain by Lazarus-tagged wallets on Arkham.

These funds have mainly been swapped for native BTC. pic.twitter.com/C1EYtj6aFw
— Arkham (@arkham) February 27, 2025

Monahan estimates that the attackers have utilized ThorChain for at least 161,490 ETH (~$370 million), executing nearly 4,000 bridge transactions over 115 hours. This amounts to a staggering $3.2 million per hour in illicit fund transfers.

Last week, U.S. authorities confirmed that the Bybit breach was orchestrated by North Korea’s TraderTraitor actors, which include the Lazarus Group. The FBI noted that the stolen assets are being rapidly converted into Bitcoin and other cryptocurrencies before being dispersed across thousands of blockchain addresses to evade tracking.

ThorChain Divided Over Stolen Crypto

Blockchain analysts have described the tracking of Lazarus’ funds as particularly complex due to the scale and fragmentation of transactions. Pseudonymous security researcher SomaXBT highlighted the difficulty, posting on X (formerly Twitter), “This is how tracking the Bybit hack looks, just two hops of 10 ETH each, and my MacBook Air is already burning up from loading these transactions.”

This is how Bybit hack's tracking looks. 💀
and its just track of 2 hops (10 ETH each)

my mac air is literally burning to load this txs 🥵 pic.twitter.com/NM2yeyrFyU
— SomaXBT (@somaxbt) February 26, 2025

In response to the hack, Bybit’s CEO announced an expanded bounty program, offering a 5% reward to any exchanges, bridges, or mixers that freeze funds linked to the stolen assets. This comes in addition to the initial 10% bounty for returning the stolen funds.

Some validators within ThorChain briefly attempted to block transactions linked to the hack. ThorChain’s decentralized governance quickly reversed the vote to refuse the transactions, allowing the fund flows to resume. This has sparked internal debates within the ThorChain community regarding the ethics of facilitating illicit transactions.

ThorChain’s RUNE Token and Market Impact

ThorChain’s native token, RUNE, has seen increased trading activity following the exploit, with volumes exceeding $737 million on Wednesday alone. RUNE’s price surged to a local high above $1.60 but remains significantly below its 2024 peak of over $10.

Despite concerns over regulatory scrutiny, some users view the increased activity as a net positive for the platform. One ThorChain user on X remarked, “It’s all coming from Lazarus hackers, but who really cares? It’s a win for TC. The only concern is what happens to price once these swaps stop.”

it’s all coming from Lazarus hackers.

but who really cares its a win for TC. only concern is what happens to price once these swaps stop. BTC is bleeding at the moment if we didn’t have this i don’t think we’d be above $1 right now
— diplo (@ThorChainz) February 26, 2025

However, security experts warn that ThorChain’s lack of intervention could draw regulatory backlash. “ThorChain not doing anything to stop the movement of stolen ETH isn’t going to end well,” X user @AirdropGlideapp noted. “Funny how one person can shut down ThorFi in 2 minutes, but when it comes to stopping North Korea laundering billions, it’s suddenly impossible.”

Thorchain not doing anything to stop the movement of stolen ETH through their platform isn't going to end well.

Funny how one person can shut down ThorFi in 2 minutes, but when it comes to stopping North Korea laundering billions of dollars of Ethereum through Thorchain, it's… pic.twitter.com/bIFYluIHKd
— Ed | AirdropGlideApp (@AirdropGlideapp) February 27, 2025

With over $1.5 billion stolen, the Bybit hack is shaping up to be one of the largest crypto heists on record. Lazarus has deployed advanced laundering tactics, splitting funds across multiple chains and using decentralized exchanges such as Uniswap, Paraswap, and KyberSwap to convert Ethereum-based assets before bridging to Bitcoin.

As regulators and blockchain sleuths continue to monitor the stolen funds, the question remains: Will decentralized protocols like ThorChain take a more proactive stance against illicit activity, or will hackers continue to exploit them for cross-chain laundering?