• The Bybit hacker uses THORChain and OKX DEX to launder stolen funds and convert them into non-freezable DAI.
• Exchanges and security firms freeze stolen assets, but the hacker shifts strategies to evade tracking and asset recovery.
• The hacker now bridges assets to Solana and uses fake KYC data, which creates new challenges for crypto security teams.

The hacker behind the Bybit attack has resumed moving stolen assets and has refined their laundering techniques. According to Web3 security firm Beosin, the hacker has primarily relied on THORChain to transfer stolen cryptocurrency to the Bitcoin blockchain. They then convert the assets into non-freezable DAI using OKX DEX.  

Hacker Converts Over $106 Million Worth of ETH  

Recent blockchain activity shows that the Bybit hacker has already converted 37,900 ETH, worth approximately $106 million, into other assets. This laundering operation began on February 22, 2025, and lasted around 30 hours. The hacker used multiple cross-chain exchange platforms, including Chainflip, THORChain, LiFi, DLN, and eXch, to move funds.

As of the latest update, the hacker still holds 461,491 ETH, valued at around $12.9 billion. The structured approach in asset movement suggests an increasingly stable laundering method. Security analysts believe that by using decentralized platforms, the hacker aims to evade tracking and asset freezing efforts.  

Exchanges and Authorities Take Countermeasures  

Several cryptocurrency platforms have responded to the hack by freezing assets linked to the stolen funds. ChangeNow froze 34 ETH, while Avalanche restricted access to 0.38755 BTC. The Lightning Network-based exchange FixedFloat also froze $120,000 worth of USDC and USDT stablecoins.  

Additionally, THORChain blacklisted addresses associated with the North Korean hacking syndicate suspected to be involved in the attack. Stablecoin issuers Tether and Circle have flagged wallets linked to the hacker, with Tether freezing 181,000 USDT.  

Bybit stated that $42.85 million in stolen assets have been frozen across multiple exchanges. The platform also warned users about scammers posing as Bybit officials attempting to steal sensitive personal information.  

Hacker’s Shift to Solana Raises New Concerns  

On-chain data indicates that the hacker is now bridging assets to Solana and using fake KYC data to deposit funds on exchanges. In response, Bybit collaborated with Pump.fun and Solana Foundation President Lily Liu to remove a Solana-based token linked to the hacker.

The evolving laundering strategies highlight the challenges exchanges and security firms face in recovering stolen funds. Blockchain security experts continue to monitor the hacker’s activities as efforts to track and freeze assets persist.


Austin Mwendia is a seasoned crypto writer with expertise in blockchain technology and finance. With years of experience, he offers insightful analysis, news coverage, and educational content to a diverse audience. Austin's work simplifies complex crypto concepts, making them accessible and engaging.