Published on February 21, 2026 · by Coinator Team

One Year After the Bybit Hack: What the Lazarus Trail Tells Us About Modern Crypto Forensics

On 21 February 2025, 1.5 billion USD vanished from a Bybit cold wallet — the largest crypto theft of all time. One year later, the on-chain data shows how the trail faded into cross-chain swaps toward Bitcoin — and how it resurfaced.

#bybit #lazarus #cross-chain #forensics #case-study

On 21 February 2025, 401,347 ETH (about 1.5 billion USD at the time) disappeared from a Bybit cold wallet in a single transaction. The theft was attributed within hours to North Korea's Lazarus group — confirmed by the FBI, the US Treasury, and independent on-chain investigators. One year later, it's worth looking back with a clear head: what did the case reveal about the state of crypto forensics?

The attack was not on-chain

Contrary to first impressions, the actual hack was not a smart-contract exploit but a social-engineering attack on Bybit's multi-sig process: a manipulated UI showed the signers harmless transaction data while, in the background, control over a very different wallet was transferred. The vulnerability lay in the human interface — not in the blockchain.

For forensics, this carries an important lesson: even though the intrusion itself left no on-chain trace, on-chain patterns become decisive after the theft, because criminals quickly move to chain-hopping, splitting and mixer strategies — and that's where our work begins.

Cross-chain swaps as the escape corridor

Within the first 72 hours, roughly 80 % of the stolen ETH was routed through decentralised cross-chain protocols — primarily THORChain and Chainflip. The goal: conversion to Bitcoin, Monero and smaller chains, so as to bypass the central choke-points (KYC exchanges, stablecoin issuers).

Our database recorded a significant volume spike in THORChain BTC swaps during that window. Interestingly, the attackers did not use providers randomly; instead, a clearly recognisable timing pattern emerged — swaps in batches of 100–300 BTC, distributed over ~12 hours, with consistent pauses. This fingerprint allowed follow-up transactions from the same group to be attributed weeks later.

What worked, what didn't

What worked:

  • Real-time attribution: The first cluster assignments came within 4 hours — possible because the attackers were already well-tagged from earlier incidents (Axie, Ronin, Atomic Wallet hack).
  • Cross-chain tracking: THORChain and Chainflip store no KYC data, but their on-chain-visible swap parameters (memo fields, liquidity-pool positions) are deterministically analysable.
  • Cooperation between CASPs: Under the Travel Rule, European and US exchanges coordinated flags within 24 hours — a step forward from 2022.

What didn't work:

  • Fund recovery: The bulk of the coins remains in attacker wallets to this day. Standard blacklist mechanisms (Tether freeze, Circle freeze) only caught small stablecoin amounts.
  • Sanctions enforcement: North Korea increasingly relies on OTC brokers outside the reach of Western sanctions — a structural limit for purely on-chain measures.

Takeaways for our work

  1. Cross-chain must be the default. In 2026, anyone still doing forensics on a single chain loses the trail within hours. In Coinator, cross-chain swap detection has been an integrated part since 2025 — for THORChain, Chainflip and Bridgers.
  2. Timing patterns are the new fingerprints. The more professional the attackers, the less effective address-based attribution becomes. Behavioural heuristics (time clusters, batch sizes, pause patterns) gain weight.
  3. Transparent methodology becomes mandatory. In sanctions and confiscation proceedings, courts increasingly demand a precise derivation of every attribution. Black-box tools fail here — our openly documented methodology provides the needed foundation.
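The batch-and-pause fingerprint described in the THORChain section above and in takeaway 2, as an added example that is not Coinator's code: it splits constructed swap records into time bursts and scores each burst against the profile the post gives (batches of 100–300 BTC with regular pauses). The thresholds (a 3-hour gap to separate bursts, pause coefficient of variation ≤ 0.25, at least 4 swaps) and all swap records are assumptions for illustration.

```python
# Added example, not Coinator's code: burst-split swaps and score each burst against
# the profile the post describes (100-300 BTC batches, regular pauses). Data is constructed.
from dataclasses import dataclass
from statistics import median, pstdev

@dataclass(frozen=True)
class Swap:
    ts: int            # unix seconds
    amount_btc: float  # swap size in BTC

def split_bursts(swaps, max_gap=3 * 3600):
    """Sort by time and start a new burst wherever the gap exceeds max_gap seconds."""
    bursts, current = [], []
    for s in sorted(swaps, key=lambda x: x.ts):
        if current and s.ts - current[-1].ts > max_gap:
            bursts.append(current)
            current = []
        current.append(s)
    return bursts + [current] if current else bursts

def fingerprint(burst):
    """Batch-size band, median pause and pause regularity (coefficient of variation)."""
    amounts = [s.amount_btc for s in burst]
    gaps = [b.ts - a.ts for a, b in zip(burst, burst[1:])]
    med = median(gaps) if gaps else 0
    cv = pstdev(gaps) / med if len(gaps) > 1 and med else float("inf")
    return {"n": len(burst), "min_btc": min(amounts), "max_btc": max(amounts),
            "median_pause_s": med, "pause_cv": round(cv, 3),
            "span_h": (burst[-1].ts - burst[0].ts) / 3600}

def matches_profile(fp, lo=100, hi=300, max_cv=0.25, min_n=4):
    """Enough swaps, every batch inside [lo, hi] BTC, and near-constant pauses."""
    return fp["n"] >= min_n and lo <= fp["min_btc"] and fp["max_btc"] <= hi and fp["pause_cv"] <= max_cv

def flag_bursts(swaps):
    """(fingerprint, matched) for every burst in a swap list, in time order."""
    return [(fp, matches_profile(fp)) for fp in map(fingerprint, split_bursts(swaps))]

def _burst(start, gaps, amounts):
    """Constructed burst: first swap at start, then one swap after each gap."""
    out, ts = [], start
    for gap, amt in zip([0] + gaps, amounts):
        ts += gap
        out.append(Swap(ts, amt))
    return out

T0 = 1_740_200_000  # constructed epoch, late February 2025
SAMPLE_SWAPS = (_burst(T0, [5400, 5100, 5700, 5400, 5400, 5100, 5700], [120, 180, 260, 150, 280, 210, 130, 240])
                + _burst(T0 + 200_000, [600, 9000], [5.0, 12.0, 40.0])  # small and irregular
                + _burst(T0 + 3_000_000, [5400, 5400, 5100, 5700, 5400], [150, 210, 190, 260, 140, 230]))
```

The third burst, weeks after the first, matches the same profile although it shares no addresses with it, which is the attribution step the post describes.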

Bottom line

The Bybit hack was a setback for the industry — but also a maturity test for crypto forensics. The tools are substantially better today than they were in 2022. What is missing is the institutional implementation depth on the investigator side — and this is exactly where we want to continue supporting with Coinator: through training, consulting and court-admissible documentation.


Note: This post is based on publicly available on-chain data and the official statements by Bybit, the FBI and European investigative authorities. Specific wallet addresses are omitted out of respect for ongoing proceedings.
