
Bybit Dangles $140M Bounty in High-Stakes Hunt for North Korea-Linked Crypto Bandits

This article was published more than a year ago. Some information may no longer be current.

Two days prior, the Bybit exploiter retained custody of 449,395.23 ethereum (ETH), yet within a 48-hour window, the actor relocated 71,862.63 ETH—valued at $173 million—across decentralized ledgers.


Bybit Launches Lazarusbounty.com

Amidst a climate of crypto volatility, the assailant has orchestrated a whirlwind of high-volume ether transactions. For instance, during the drafting of this analysis, 91.75 ETH ($227,149.24) vanished into an unknown wallet. Bitcoin.com News initially disclosed on Feb. 23 that the perpetrator’s holdings totaled 449,395.23 ETH; current data reveals a diminished trove of 377,532.60 ETH fragmented across 54 distinct addresses.

Sum of the hacker’s ETH accounts as of Feb. 25, 2025, at 12:00 p.m. Eastern Time.

This implies the entity—widely attributed to North Korea’s Lazarus Group—has liquidated 71,862.63 ETH in recent days, leaving a residual vault worth $915.16 million. Approximately 35 wallets each harbor roughly 10,000 ETH, while others display fragmented balances: one contains 1,346 ETH, another 6,904.28 ETH, and a third 8,048.85 ETH. Notably, several addresses previously housing 10,000 ETH now retain negligible traces, suggesting strategic redistribution.

Additionally, Arkham Intelligence noted on Tuesday that the Bybit hacker is shifting more ETH into bitcoin again. “The Bybit Hacker has bridged at least $6.2M of the stolen ETH to BTC through Thorchain. They are also swapping ETH <> DAI using OKX Web3 Swap,” Arkham stated on X.

Lazarusbounty.com

Bybit has unveiled a dedicated web portal cataloging the assailants’ digital footprints, accompanied by a lucrative incentive for ethical white hat hackers who assist in immobilizing the pilfered assets. The platform offers a staggering $140,000,000 reward, pledging instantaneous disbursement “immediately once the funds are confirmed as frozen,” per the exchange’s public declaration.

The bounty site adds:

We require cooperation from all involved parties to either freeze the funds or provide updates on their movement so we can continue tracing. Response time is measured from the moment the specific transaction is reported to the relevant party.

In a message shared with Bitcoin.com News, Bybit told our news desk: “The launch of Lazarusbounty.com sends a clear, unyielding message: stolen funds will not be tolerated for illegal use. This platform serves as a direct challenge to cybercriminals—a warning that any attempt to exploit the blockchain for illicit purposes will be met with relentless, coordinated action. With this five-pronged offensive, Bybit not only challenges cybercriminals but also sets a new industry standard. Rather than waiting for problems to escalate, Bybit is taking the lead in securing the ecosystem and calls on every vigilant community member to support this mission.”

In addition to the latest ether moved, earlier reports had shown how the hacker moved funds into meme coin platforms like Pump.fun. According to Bybit, Pump.fun has been helpful in blocking this type of action. Bybit wrote on X:

Thanks to [Lily Liu] and the [Pump.fun] team for taking swift action to block and remove a Solana-based token whose creator may be affiliated with hacker groups, ensuring the security of the ecosystem. This is a great example of proactive security in action.
