As a result of a cyberattack by North Korean hackers in February this year, crypto exchange Bybit lost approximately $1.46 billion worth of ETH (8% of Bybit’s total reserves).
Bybit CEO Ben Zhou wrote on social media platform X that as of today, only 3.84% of the stolen amount has been frozen. The rest of the stolen assets continue to dissipate rapidly through tens of thousands of varied transactions across multiple networks, and it is highly unlikely they will ever be recovered.
The wanted hacker Park In, linked to the North Korean Lazarus Group (which is believed to be responsible for the Bybit hack), has not been apprehended as of now.
Bybit’s Response and Statements from CEO Ben Zhou
Following the discovery of the hack, Bybit CEO Ben Zhou quickly issued an official statement on his social media page on X (formerly Twitter). He confirmed the incident and emphasized that the damage was limited to a single cold wallet of the exchange.
In his post, Zhou stressed that there was no cause for panic among users. Despite the significant loss of approximately $1.46 billion worth of Ethereum, he assured clients that:
- The exchange’s main reserves remained intact,
- Bybit had sufficient funds to cover any potential user losses,
- The compromised cold wallet contained only a portion of the platform’s reserves, not all of them.
These statements were intended to stabilize the situation and reassure both Bybit’s customers and the broader crypto community. Any news about a major crypto platform being hacked can trigger a wave of mass withdrawals and asset sell-offs, so the leadership’s timely response was critically important.
Zhou also clarified that the platform continued operating normally. Trading was not suspended, and deposits and withdrawals were functioning as usual. Bybit launched an internal investigation together with external cybersecurity experts and began cooperating with law enforcement agencies to track and freeze the stolen funds.
The Situation with Asset Freezing
Some time later, Ben Zhou provided an update: at that point, only 3.84% of the stolen assets had been successfully frozen. The remainder, he said, had already been dispersed through numerous transactions across various blockchains. This significantly complicated the recovery process, and Zhou expressed skepticism about the prospects of fully retrieving the lost assets.
Thus, Bybit’s approach in the days following the incident was clear:
- Maintain maximum transparency with clients,
- Minimize potential market panic,
- Guarantee the security of the remaining assets and ensure normal exchange operations,
- Make every possible effort to recover the stolen funds.
Current Situation: How Much Has Been Frozen and Why Crypto Assets Are So Hard to Trace
As of the latest official update published by Bybit CEO Ben Zhou, the exchange has managed to freeze only 3.84% of the stolen crypto assets.
This means that out of the $1.46 billion worth of Ethereum stolen, roughly $56 million has actually been frozen. The remaining funds continue to move actively between various addresses across blockchains.
Why Has So Little Been Frozen?
Cryptocurrencies like Ethereum operate within decentralized networks. This means that fund transfers occur directly between users without the involvement of central operators who could instantly block transactions, as traditional banks can.
After the hack, the attackers didn’t simply move the funds to another wallet and leave them there. They immediately began an active phase of so-called crypto “laundering”:
- Moving funds through tens of thousands of microtransactions,
- Using decentralized exchanges (DEXs) that don’t require mandatory identity verification,
- Employing mixers — services that blend funds from different users to obscure the transaction history,
- Bridging assets between different blockchains using cross-chain bridges.
Each new laundering step makes it significantly harder for law enforcement and cybersecurity experts to trace the assets, as they must analyze thousands of small transactions, many of which occur across multiple networks simultaneously.
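To make the tracing problem concrete, here is an added example (not from Bybit or any investigator) that follows stolen funds through a small constructed set of transfers and reports where the trail ends. The addresses, amounts and labels are invented, and the "tainted funds leave first" rule is a simplifying assumption; the tracer follows one chain and one asset, so it stops at mixers, DEX swaps and bridges, which real investigators can only follow with additional data.

```python
from collections import defaultdict

# Constructed sample data: (sender, receiver, amount) in time order.
TRANSFERS = [
    ("theft", "w1", 400), ("theft", "w2", 350), ("theft", "w3", 250),
    ("w1", "mixer_A", 400),
    ("w2", "dex_B", 200), ("w2", "bridge_C", 150),
    ("w3", "cex_D", 40), ("w3", "w4", 210),
]
# Hypothetical labels an analyst holds for known services.
# "freezable" marks a custodial service that can act on a freeze request.
LABELS = {"mixer_A": "mixer", "dex_B": "dex",
          "bridge_C": "bridge", "cex_D": "freezable"}


def trace(transfers, labels, source, stolen):
    """Follow tainted funds hop by hop and total them by where the trail ends."""
    tainted = defaultdict(float)   # tainted balance currently held per address
    tainted[source] = stolen
    outcome = defaultdict(float)   # amount per endpoint category
    for src, dst, amount in transfers:
        # Assumption: tainted funds are spent first ("taint-first" heuristic).
        moved = min(amount, tainted[src])
        if moved <= 0:
            continue
        tainted[src] -= moved
        label = labels.get(dst)
        if label:
            # Labelled service: this single-chain tracer stops here.
            outcome[label] += moved
        else:
            # Ordinary wallet: keep following the funds.
            tainted[dst] += moved
    # Funds resting in unlabelled wallets: visible, but nobody can freeze them.
    outcome["unlabelled"] = sum(tainted.values())
    return dict(outcome)


def freezable_share(outcome):
    """Fraction of the traced total that reached a service able to freeze it."""
    total = sum(outcome.values())
    return outcome.get("freezable", 0.0) / total if total else 0.0


if __name__ == "__main__":
    result = trace(TRANSFERS, LABELS, "theft", 1000)
    for category, amount in sorted(result.items()):
        print(f"{category:>10}: {amount:7.1f}")
    print(f"freezable share: {freezable_share(result):.1%}")
```

Even in this eight-transfer sample, only the portion that reaches a custodial service can be frozen; everything else either leaves the tracer's view or sits in wallets that no one can block.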
Specifics of Crypto Asset Thefts
Unlike traditional financial systems, where a bank can block a client’s account or reverse a transaction in cases of fraud, blockchain transactions are irreversible.
Once funds are sent to a new address, they can only be returned either voluntarily by the recipient or through legal actions if the individual is identified and held accountable.
For this reason, the percentage of recovered funds after crypto thefts traditionally remains extremely low. According to various analytical reports, on average, only 5–10% of stolen assets are successfully recovered. If hackers use mixers and cross-chain technologies, this figure drops even further.
The Situation with Bybit: Real Prospects for Fund Recovery
Given the transaction patterns of the stolen assets and the involvement of the highly professional North Korean Lazarus Group, the chances of fully recovering the stolen funds are extremely slim.
Even freezing 3.84% of the stolen amount is considered a significant achievement under such circumstances.
Bybit representatives have refrained from making bold statements about the prospects of recovering the remaining assets, instead simply acknowledging the reality: the stolen funds continue to disperse rapidly across various networks, making their tracking and retrieval increasingly difficult.
Who Was Behind the Attack: The Lazarus Group and Hacker Park In
Following the initial investigation into the Bybit hack, the attention of law enforcement and cybersecurity experts quickly focused on the infamous North Korean hacking group, Lazarus.
Who Are the Lazarus Group?
The Lazarus Group is one of the most well-known cybercriminal organizations in the world and is believed to be connected to the North Korean government.
The group has been operating internationally for over a decade and is responsible for a series of high-profile attacks targeting financial institutions, crypto projects, and other major entities.
Key characteristics of Lazarus include:
- A high level of technical expertise among its members,
- Complex, multi-layered attack strategies involving phishing, zero-day exploits, and social engineering,
- A primary motivation to acquire financial resources to fund North Korea’s state programs, including efforts to circumvent international sanctions.
According to various analytical agencies and official organizations (including the FBI and the United Nations), the total damages attributed to Lazarus attacks exceed $2.4 billion.
Notable Incidents Attributed to the Lazarus Group
Lazarus has been linked to several of the largest cybercrimes of the past decade:
- Bangladesh Central Bank Heist (2016): Hackers used fraudulent SWIFT messages to steal $81 million, which was quickly laundered through casinos and shadow exchanges in Southeast Asia.
- Axie Infinity Hack (2022): Lazarus exploited the Ronin Network cross-chain bridge, stealing $625 million worth of cryptocurrencies. This incident remains one of the largest DeFi hacks in history.
- Harmony Bridge Attack (2022): The group exploited vulnerabilities in Harmony’s cross-chain infrastructure to steal approximately $100 million.
- Stake Platform Breach (2023): Lazarus hacked the crypto gambling platform Stake, causing $41 million in damages.
- Bybit Exchange Hack (2025): The group’s largest known operation to date, stealing approximately $1.46 billion worth of Ethereum.
Through these operations, the Lazarus Group has demonstrated a remarkable ability to conduct complex and large-scale cyberattacks against a wide range of targets — from national banks to decentralized finance protocols and centralized crypto exchanges.
Who Is Park In?
After the Bybit hack, the FBI issued a wanted notice for a hacker named Park In, who is believed to be associated with Lazarus.
According to federal authorities, Park In was actively involved in both the planning and technical execution of attacks on crypto projects.
As of now, Park In remains at large. His whereabouts are unknown, and given the complex geopolitical situation surrounding North Korea, bringing him to justice will be extremely challenging.
The FBI’s official involvement and the issuance of a wanted notice highlight the severity of the incident and strongly support the conclusion that North Korean hackers were responsible for the largest theft in Bybit’s history.
Why Crypto Exchanges Are a Prime Target for Hackers
Cryptocurrency exchanges, especially large centralized platforms like Bybit, have long been a top target for cybercriminals. The scale of attacks, such as the recent incident where $1.46 billion was stolen, can be attributed to several factors.
1. Concentration of Massive Amounts of Assets
Large exchanges accumulate assets from millions of users worldwide.
Their wallets often hold billions of dollars in various cryptocurrencies.
This makes crypto exchanges the digital equivalent of a “bank vault,” but often with far less regulation and security than traditional banks.
For hackers, attacking an exchange presents an opportunity to seize enormous amounts in a single successful operation.
2. The Difficulty of Ensuring Complete Security
Even the largest exchanges, which invest millions of dollars in cybersecurity, cannot fully eliminate the human factor:
- Employee errors,
- Vulnerabilities in software,
- Use of outdated security protocols.
Moreover, exchanges need to provide 24/7 access to users’ funds. This forces them to keep part of their assets in “hot wallets” connected to the internet, which increases the risk of a hack.
3. Irreversibility of Blockchain Transactions
One key feature of cryptocurrencies is that blockchain transfers are irreversible.
There is no centralized authority that can cancel or freeze a transaction after it has been confirmed.
This means that once a hacker manages to withdraw funds from an exchange, stopping their further distribution becomes extremely difficult — especially if methods like mixers and cross-chain bridges are used.
4. Anonymity and Jurisdictional Complications
Cryptocurrencies provide a high level of anonymity. Hackers can register new wallets without linking them to their real identities.
Moreover, attacks often originate from countries with which most nations have no extradition agreements or efficient information-sharing arrangements, such as North Korea.
In the case of Lazarus, the group operates under the cover of the state, further complicating any legal processes for asset recovery or capturing the criminals.
5. Prestige of the Target
For hacker groups, successfully attacking a large exchange is not only a financial gain but also a reputational achievement within the world of cybercrime.
The bigger the incident, the higher the status of the group in underground communities.
In the case of the Bybit hack, the amount of damage was so significant that the attack immediately entered the ranks of the largest cryptocurrency thefts of all time, further solidifying Lazarus’ notorious reputation.
Lessons from the Bybit Hack and the Future of Crypto Exchanges
The attack on Bybit in February 2025 was a real test for the cryptocurrency community and highlighted how vulnerable even the largest and most secure crypto exchanges can be. The loss of $1.46 billion due to the hack carried out by the Lazarus group raises many questions about the security of asset storage in the cryptocurrency world.
Cyber Threats Are Becoming More Sophisticated
As demonstrated by the Bybit attack, cybercriminals are becoming increasingly sophisticated in their methods. Technologies used by hackers to “launder” stolen funds, such as mixers, cross-chain bridges, and anonymous decentralized exchanges, make tracking the stolen assets extremely difficult. Instead of simply transferring the cryptocurrency to one address, criminals can conduct tens of thousands of microtransactions in an hour, leaving traces across different blockchains, effectively nullifying efforts to recover the funds.
Such incidents not only jeopardize the financial interests of users but also undermine trust in cryptocurrency exchanges and decentralized financial systems. The constant threat from hackers presents the industry with an important choice: how to improve security and increase transparency to avoid such losses in the future.
Security Issues with Centralized Exchanges
Many cryptocurrency users already know that storing assets on centralized exchanges carries risks. Exchanges, like any other centralized financial institutions, can become targets for hackers, especially if they don’t adhere to the highest security standards. While exchanges do make serious efforts to protect users’ funds, as shown by the Bybit hack, no one is immune to attacks.
However, centralized exchanges remain a crucial part of the cryptocurrency infrastructure. They provide users with convenience and high liquidity, as well as advanced trading tools. It’s important for users not only to implement their own security measures but also to choose exchanges with a strong reputation and transparent procedures.
Predictions and Challenges for the Industry
Following the Bybit incident, we can expect increased focus on the regulation of cryptocurrency exchanges and higher security standards. In the future, exchanges and other cryptocurrency services will likely have to strengthen their protective measures and develop new defense methods against attacks, such as integration with more advanced security monitoring systems and increased transparency of actions.
Nevertheless, for most users, the important question remains: will cryptocurrency platforms be able to ensure the security of their assets at an adequate level, and what will be done to restore users’ trust in centralized exchanges?
In conclusion, it can be said that the cryptocurrency industry faces a significant challenge. The Bybit hack served as a reminder that, despite the growing popularity and importance of cryptocurrencies, there will always be threats in the world of digital assets that all market participants must combat.