TechFlow news — On February 22, according to analysis by Eric Wall, co-founder of Taproot Wizards, the Bybit hack has been largely confirmed as the work of the North Korean hacking group Lazarus Group. As reported by Chainalysis in 2022, this group typically follows a fixed pattern when laundering stolen funds, a process that can span several years. Data from 2022 showed that the group still held $55 million worth of funds stolen during a 2016 attack, indicating they are in no rush to cash out quickly.
Regarding the process of disposing of stolen funds:
-
Step one: Convert all ERC20 tokens (including liquid staking derivatives such as stETH) into ETH;
-
Step two: Exchange all obtained ETH into BTC;
-
Step three: Gradually convert BTC into Chinese yuan through Asian exchanges;
-
Final use: These funds are believed to support North Korea’s nuclear and ballistic missile programs;
The analysis notes that Bybit is currently filling an approximately $1.5 billion ETH shortfall via borrowing, a strategy likely based on expectations of recovering the stolen assets. However, given the confirmation of involvement by Lazarus Group, the likelihood of fund recovery is extremely low, meaning Bybit will have to purchase ETH to repay its loans. In the long term, Bybit's ETH buying may offset against Lazarus Group’s ETH selling activity aimed at acquiring BTC, while the BTC accumulated by Lazarus Group will gradually create sell-side pressure over the coming years.




