Bybit’s $1.4B Hack Deepens: $380M in Stolen Crypto Goes Dark

The February 2025 breach, which was initially kept under wraps during forensic investigation, saw attackers compromise Bybit's cold wallets and siphon off an estimated 500,000 ETH. The group believed to be behind the attack is Lazarus Group, a well-known cybercrime group associated with several significant digital breaches in recent years.

Zhou shared a detailed breakdown of the stolen assets in an executive summary posted to X, noting:

• 68.57% of the stolen funds remain traceable.
• 27.59% (approx. $386 million) have "gone dark" — meaning they can no longer be tracked.
• 3.84% of the funds have been successfully frozen.

The term "gone dark" refers to assets that were laundered through mixers, bridged to other chains, and likely moved into peer-to-peer (P2P) markets or over-the-counter (OTC) desks, making them essentially untraceable using conventional blockchain analytics tools.

The Lazarus Group has made a name for itself as a pioneer of sophisticated cryptocurrency laundering techniques. Bybit’s case is no exception. According to forensic teams assisting with the investigation, roughly 84.45% of the stolen ETH was immediately converted into Bitcoin — a tactic designed to break the on-chain trail, as mixing tools for Bitcoin remain more mature and widely used.

Once converted, the BTC was spread across thousands of wallet addresses in rapid succession and gradually funneled through cross-chain bridges and coin mixing services. The hackers then utilized obscure centralized exchanges and OTC markets to liquidate funds — often in jurisdictions with little to no enforcement capability. Experts say this layered approach makes recovery near-impossible after a certain threshold.

Despite the unprecedented scale of the hack, Bybit moved quickly to contain the damage. Within 72 hours, the exchange secured 447,000 ETH from a syndicate of institutional backers, including Galaxy Digital, FalconX, and Wintermute, restoring liquidity and user confidence. Customer funds were not affected, thanks to Bybit’s internal reserve protocol.

In an aggressive move to claw back assets and punish those responsible, Bybit has since launched a $140 million bounty program — one of the largest in crypto history. The campaign aims to enlist the help of white-hat hackers, security researchers, and on-chain sleuths to trace the stolen funds or identify individuals involved in their laundering.

The incident has reignited industry-wide debate over the vulnerabilities in multi-signature wallet systems and the dependence on third-party wallet infrastructure providers. The breach was allegedly made possible by a security flaw in infrastructure managed by Safe{Wallet}, a prominent MPC (multi-party computation) wallet provider.

Crypto advocates argue the industry must adopt better security standards, especially for institutions handling billions in customer assets. “It’s time we treat crypto custodianship with the same level of scrutiny as traditional finance,” said crypto security expert Taylor Monahan.

Meanwhile, blockchain forensic firms like Chainalysis and TRM Labs continue to work alongside Bybit and law enforcement agencies, hoping to at least freeze some of the dark funds if they ever re-emerge on traceable platforms.

The Bybit hack stands as one of the most significant crypto breaches on record, not just for its sheer size but for the alarming percentage of funds that have vanished without a trace. It serves as a stark warning about the escalating cyber threat landscape — especially when adversaries are well-funded, state-backed, and growing more technically advanced with each attack.

As of now, the trail of hundreds of millions in stolen crypto has gone cold — lost in the maze of wallets, mixers, and shadowy exchanges that form the dark underbelly of global digital finance.