Key Takeaways
The $1.4 billion Bybit hack, one of the largest digital heists to date, is still unfolding, and the trail hasn’t gone cold just yet.
Despite increasingly sophisticated laundering techniques, blockchain forensic teams are actively tracking billions in stolen crypto as it moves through mixers, bridges, and decentralized networks.
Bybit co-founder and CEO Ben Zhou reported that, as of April 21, 2025, approximately $1.4 billion in stolen crypto—roughly 500,000 ETH—has been traced. Of that, 68.57% remains traceable, 28% has gone dark, and just 3.8% has been frozen.
Zhou said that most of the untraceable funds were funneled through mixing services and cross-chain bridges before being cashed out via over-the-counter (OTC) and peer-to-peer (P2P) exchanges.
According to the CEO, Wasabi Mixer is now the primary tool used by DPRK-linked groups. After passing through Wasabi, smaller flows are cycled through platforms like CryptoMixer, Tornado Cash, and Railgun.
Funds were then swapped or bridged across platforms like Thorchain, eXch, Lombard, LiFi, Stargate, and SunSwap before reaching fiat off-ramps.
Of the original 500,000 ETH, a massive 432,748 ETH (~$1.21 billion, or 84.45%) was bridged to Bitcoin via Thorchain.
Of that amount, 342,975 ETH was converted into 10,003 BTC and scattered across 35,772 wallets, averaging just 0.28 BTC per wallet, indicating a deliberate effort to fragment and mask the funds.
Only 1.2% of the original ETH remains on Ethereum. Meanwhile, 944 BTC was processed through Wasabi, with a small portion later bridged back to Ethereum via Thorchain.
In response, the Lazarus Bounty platform has received 5,443 reports in the past 60 days, 70 of which have been confirmed as valid.
“We welcome more reports,” said Zhou. “We need more bounty hunters who can decode mixer activity—we need a lot of help down the road.”
Despite Zhou’s transparency, some community members expressed skepticism about the platform’s security and the accuracy of its figures.
“Transparency appreciated, Ben. But I’ve got one question,” said Kevin Ang on X. “Out of 5,443 bounty reports, only 70 were valid? That level of precision doesn’t sound like crowdsourced discovery—it sounds like insiders already knew what to look for. Were those 70 bounty hunters public contributors, or were they white-hats already close to the fire? Because to outsiders, this feels less like a hunt and more like a post-exploit sanitization operation.”
Another user echoed the sentiment: “It’s very odd that we identify no one after stealing this much. We need to crack down and press legal charges; otherwise, it’s become quite normal.”