On 21 February 2025, Lazarus Group — North Korea's state-sponsored hacking apparatus, operating under the FBI's TraderTraitor designation — drained approximately $1.5 billion in Ethereum from Bybit exchange. The mechanism was a compromised signing UI on a developer's laptop: a targeted intervention that manipulated a routine transaction approval process and redirected the funds in a single operation. It is the largest single theft in financial history. Not the largest cryptocurrency theft. The largest theft of any kind, anywhere, by any documented means.
Within 48 hours of the transfer, at least $160 million had already moved through dozens of wallets, across cross-chain bridges, and through decentralised exchanges. TRM Labs tracked the initial movement in near real time. The speed of dispersal was not accidental. Lazarus operates a laundering methodology that has been refined across years of large-scale operations: immediate native-asset swaps on decentralised exchanges to break the original token denomination, followed by bridging to Bitcoin and Tron networks to change chain provenance, followed by layered mixing using services whose legal status has been in flux, concluding with Chinese-language over-the-counter desks for final off-ramping to fiat currency.
The speed matters because blockchain forensics operates on a time sensitivity that most financial investigations do not face. An exchange can freeze a fiat wire within hours. A blockchain transaction is irreversible. What tracing tools can do is follow — not intercept — the movement, identifying probable destinations and flagging receiving addresses for exchanges and compliance programmes that might refuse to settle the funds. At scale, at the velocity Lazarus operates, the window between theft and effective dispersal can be measured in days rather than weeks.
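The "follow, not intercept" work described above is, at its core, time- and hop-bounded forward tracing over the transfer graph. The following is an added example written for this article, not code from the original, from TRM Labs, Chainalysis or any other firm named here. It uses a simple "haircut" taint model: every outgoing transfer carries the sender's current ratio of tainted to total balance, so unrelated inflows dilute the taint rather than hide it. The ledger, address labels ("THEFT", "BRIDGE", "EXCHANGE_DEPOSIT") and amounts are constructed sample data, not real addresses or transactions.

```python
"""Hop- and time-bounded forward tracing of stolen funds over a transfer ledger.

Added example with a 'haircut' taint model. SAMPLE_LEDGER is constructed data
with placeholder labels; nothing here refers to real addresses or transactions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix timestamp of the transfer
    src: str       # sending address (placeholder label)
    dst: str       # receiving address (placeholder label)
    amount: float  # amount in a single unit, e.g. ETH


# Constructed sample ledger. "THEFT" stands in for the address the stolen funds
# landed on; "BRIDGE" and "EXCHANGE_DEPOSIT" are labelled destinations.
SAMPLE_LEDGER = [
    Transfer(1000, "THEFT", "A1", 100.0),
    Transfer(1010, "A1", "A2", 60.0),
    Transfer(1010, "A1", "A3", 40.0),
    Transfer(1020, "A2", "BRIDGE", 60.0),
    Transfer(1030, "CLEAN", "A3", 60.0),           # unrelated inflow dilutes A3
    Transfer(1040, "A3", "EXCHANGE_DEPOSIT", 50.0),
    Transfer(9000, "A2", "LATE", 5.0),             # after the tracing window
]


def trace_taint(ledger, seed, seed_ts, window, max_hops):
    """Return {address: (tainted_amount_received, hop_distance)} for every address
    that received tainted funds within `window` seconds of `seed_ts` and within
    `max_hops` transfers of `seed`. Transfers are replayed in chronological order."""
    tainted = defaultdict(float)   # tainted balance per address
    total = defaultdict(float)     # total balance per address (from inflows seen)
    hops = {seed: 0}               # shortest hop distance from the seed
    received = defaultdict(float)  # tainted inflow per address
    for t in sorted(ledger, key=lambda x: (x.ts, x.src, x.dst)):
        if t.ts > seed_ts + window:
            break                                  # outside the tracing window
        if t.src == seed:
            fraction = 1.0                         # everything leaving the seed is stolen
        elif total[t.src] > 0:
            fraction = tainted[t.src] / total[t.src]
        else:
            fraction = 0.0
        if t.src in hops and hops[t.src] >= max_hops:
            fraction = 0.0                         # hop budget exhausted: stop propagating
        tainted_amt = t.amount * fraction
        if t.src != seed:
            # debit the sender; clamp at zero because a ledger slice may omit inflows
            tainted[t.src] = max(0.0, tainted[t.src] - tainted_amt)
            total[t.src] = max(0.0, total[t.src] - t.amount)
        tainted[t.dst] += tainted_amt
        total[t.dst] += t.amount
        if tainted_amt > 0:
            received[t.dst] += tainted_amt
            hops[t.dst] = min(hops.get(t.dst, max_hops + 1), hops[t.src] + 1)
    return {a: (received[a], hops[a]) for a in received}


def screen(ledger, seed, seed_ts, window, max_hops, threshold):
    """Addresses to flag to counterparties: tainted inflow at or above `threshold`."""
    result = trace_taint(ledger, seed, seed_ts, window, max_hops)
    return sorted(a for a, (amt, _) in result.items() if amt >= threshold)


if __name__ == "__main__":
    for addr, (amt, hop) in trace_taint(SAMPLE_LEDGER, "THEFT", 1000, 1000, 3).items():
        print(f"{addr:18s} tainted={amt:7.2f} hops={hop}")
    print("flag:", screen(SAMPLE_LEDGER, "THEFT", 1000, 1000, 3, 50.0))
```

The two knobs that matter operationally are `window` and `max_hops`: at the dispersal velocity described above, a trace that is not re-run as new blocks arrive goes stale within hours, and a hop budget that is too small misses the bridge and exchange deposits that are the only points where a counterparty can still refuse to settle.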
The $1.5 billion Bybit theft sits atop a sustained operational programme. Lazarus stole $1.34 billion in 2024 across 47 discrete incidents — a 102.88% increase from 2023's $660.5 million — representing 61% of all cryptocurrency stolen globally in that year. Their all-time total, across every documented operation, is approximately $6.75 billion. This is not a criminal enterprise funded by proceeds. It is the proceeds funding a state.
Mixer Sanctions and Their Limits
The primary tool Lazarus used for laundering before 2022 was Tornado Cash — an Ethereum mixing protocol that pools deposits from multiple users and returns equivalent amounts to specified addresses, breaking the on-chain link between source and destination. OFAC sanctioned Tornado Cash in August 2022, citing over $7 billion laundered since 2019, including $455 million stolen by Lazarus Group. The sanctions made it a compliance violation for US persons to interact with the protocol.
Lazarus moved to Sinbad.io after the Tornado Cash sanctions. US authorities seized Sinbad in November 2023 and indicted three Russian nationals for operating it, alongside its predecessor Blender.io, to launder ransomware and theft proceeds. Within months, Lazarus returned to Tornado Cash — laundering over $100 million from the November 2023 HTX/HECO bridge theft through the protocol in March 2024. This was not an act of defiance. Tornado Cash is smart-contract infrastructure; it does not require operator permission to use. The sanctions had removed the compliance deterrent for US persons. For an actor operating under state sanction regardless, they had removed nothing.
On 21 March 2025, the Trump Treasury lifted the Tornado Cash sanctions, following a November 2024 federal appeals court ruling that OFAC had exceeded its statutory authority by sanctioning immutable smart contracts — code, rather than persons or entities. Criminal charges against co-founder Roman Storm remain pending as of mid-2026. The regulatory framework for privacy-preserving blockchain infrastructure remains unresolved, and the practical effect of the de-listing is that Tornado Cash is once again a permissible tool for US compliance purposes — while remaining the instrument of choice for the most consequential cryptocurrency launderers operating.
Sanctioning a mixer removes the legal deterrent for compliant actors. It removes nothing for actors who are already sanctioned, operating under state cover, and funded by the proceeds of theft.
The Infrastructure Behind the Numbers
The broader 2024 cryptocurrency theft picture — $2.2 billion across 303 hacking incidents, a 21% year-over-year increase — is dominated by private key compromises, which accounted for 43.8% of stolen cryptocurrency. The private key compromise vector represents a fundamental shift from protocol-level exploits toward operational security failures: individuals or teams with custody of signing keys targeted through social engineering, malware, or physical access rather than smart contract exploitation.
The DMM Bitcoin theft of May 2024 illustrates this pattern. North Korean-affiliated actors stole $305 million in Bitcoin from the Japanese exchange, then moved the funds through CoinJoin mixing services, bridging infrastructure, and ultimately into Huione Guarantee — a Cambodian over-the-counter marketplace that has been separately identified by Chainalysis as a significant node in regional cybercrime money flows. The WazirX theft of July 2024 — approximately $235 million, North Korean-linked — forced the Indian exchange to halt all withdrawals. The operational footprint across these incidents is consistent: state-sponsored actors exploiting private key vulnerabilities, dispersing immediately, and routing through a stable set of off-ramping infrastructure that represents the persistent weak points in the system.
Ransomware actors, operating at a lower level of technical sophistication than Lazarus, have also shifted their laundering behaviour. In 2024, ransomware groups moved away from mixing services — historically accounting for 10–15% of quarterly flows — toward cross-chain bridges to obscure fund movement. Centralised exchanges remained the dominant off-ramping channel at 39% of flows, representing both the persistence of regulatory blind spots and the continued willingness of some exchanges to settle funds without adequate provenance checks.
What $51 Billion Looks Like
Chainalysis's initial estimate for illicit cryptocurrency volume in 2024 was $40.9 billion. Subsequent identification of previously unattributed illicit addresses has pushed that figure toward an estimated $51 billion as more complete data has been processed. Stablecoins now represent 63% of all illicit crypto transactions — a figure that reflects both the growth of stablecoin adoption generally and the specific utility of dollar-denominated, blockchain-native instruments for moving value across jurisdictions without the volatility of native cryptocurrencies.
The stablecoin concentration has regulatory implications. The issuers of major stablecoins have demonstrated willingness to freeze addresses flagged by law enforcement, but the threshold for freezing, the speed of action, and the coverage across jurisdictions remain inconsistent. Huione Guarantee and similar regional OTC networks operate in jurisdictions with limited compliance infrastructure and are not meaningfully constrained by issuer-level freezing action at current response times.
Field note — Organisations with cryptocurrency treasury exposure — exchanges, custodians, DeFi protocol operators, and corporate treasury holders — should assess private key management as the primary attack surface rather than protocol-level vulnerabilities. The shift to private key compromise as the dominant theft vector means that the relevant controls are operational: hardware security modules, multi-party computation signing, geographically separated key material, and transaction approval processes that cannot be manipulated through a single compromised endpoint. For organisations with regulatory exposure to illicit crypto flows, continuous blockchain analytics across counterparty wallets and receiving addresses is the minimum standard. Tornado Cash's de-sanctioning does not reduce the compliance risk of receiving funds traced to its outputs; the source of funds obligation persists regardless of the protocol's regulatory status.
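The field note's last control, an approval process that a single compromised endpoint cannot manipulate, comes down to one rule: each signer's device must commit to a digest of what it actually showed and signed, and the policy engine must independently recompute the digest from the proposal and refuse to proceed on any disagreement. The following is an added example written for this article, not code from Bybit or from any vendor or project named here. It assumes placeholder addresses, a simplified JSON-plus-SHA-256 digest in place of a chain's real encoding (Ethereum, for instance, hashes an RLP-encoded transaction with keccak256), and a per-signer HMAC standing in for a hardware or MPC signature.

```python
"""Quorum approval with independent digest verification per signer.

Added example. Addresses are placeholders, canonical_digest() is a simplified
stand-in for a chain's real transaction encoding, and the per-signer HMAC is a
stand-in for a hardware-backed or MPC signature.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample proposal and policy data (placeholders, not real addresses).
PROPOSAL = {
    "chain_id": 1,
    "nonce": 42,
    "to": "0xCOLD_WALLET_PLACEHOLDER",
    "value": "1000000000000000000",
    "data": "0x",
}
ALLOWLIST = {"0xCOLD_WALLET_PLACEHOLDER"}
SIGNER_KEYS = {                    # hypothetical per-signer keys held on separate devices
    "signer-a": b"key-a-placeholder",
    "signer-b": b"key-b-placeholder",
    "signer-c": b"key-c-placeholder",
}


def canonical_digest(tx: dict) -> str:
    """Deterministic digest of the transaction fields (key order does not matter)."""
    encoded = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


@dataclass(frozen=True)
class Approval:
    signer: str
    digest: str   # digest of the transaction this signer's device showed and signed
    mac: str      # HMAC over the digest with the signer's key (signature stand-in)


def sign_on_device(signer: str, tx_shown: dict) -> Approval:
    """What a signer endpoint produces: it commits to the digest of what it rendered."""
    digest = canonical_digest(tx_shown)
    mac = hmac.new(SIGNER_KEYS[signer], digest.encode(), "sha256").hexdigest()
    return Approval(signer, digest, mac)


def evaluate(proposal, approvals, signer_keys, allowlist, threshold):
    """Policy engine: recompute the digest from the proposal itself, verify every
    approval, and reject on ANY mismatch, not merely when the quorum falls short.
    Returns (decision, reasons)."""
    reasons = []
    if proposal["to"] not in allowlist:
        reasons.append("recipient not on allowlist")
    expected = canonical_digest(proposal)
    matching = 0
    for a in approvals:
        key = signer_keys.get(a.signer)
        if key is None:
            reasons.append(f"unknown signer {a.signer}")
            continue
        good_mac = hmac.new(key, a.digest.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(a.mac, good_mac):
            reasons.append(f"invalid signature from {a.signer}")
            continue
        if a.digest != expected:
            # A single tampered endpoint shows up here even if a quorum of
            # honest signers would otherwise have been reached.
            reasons.append(f"{a.signer} signed a different transaction than proposed")
            continue
        matching += 1
    if matching < threshold:
        reasons.append(f"only {matching} of {threshold} required matching approvals")
    return ("approved" if not reasons else "rejected", reasons)


def honest_run():
    approvals = [sign_on_device(s, PROPOSAL) for s in ("signer-a", "signer-b", "signer-c")]
    return evaluate(PROPOSAL, approvals, SIGNER_KEYS, ALLOWLIST, 2)


def tampered_run():
    # signer-b's endpoint is compromised: it displays PROPOSAL to the human but
    # actually signs a transaction with a substituted recipient (constructed case).
    tampered = {**PROPOSAL, "to": "0xATTACKER_PLACEHOLDER"}
    approvals = [
        sign_on_device("signer-a", PROPOSAL),
        sign_on_device("signer-b", tampered),
        sign_on_device("signer-c", PROPOSAL),
    ]
    return evaluate(PROPOSAL, approvals, SIGNER_KEYS, ALLOWLIST, 2)


if __name__ == "__main__":
    print(honest_run())
    print(tampered_run())
```

The design choice worth noting is that `evaluate` treats a disagreeing signer as a halt condition rather than as one vote short of quorum. A two-of-three policy that merely counts matching approvals would still pass the tampered run on the strength of the two honest signers; treating disagreement as evidence of tampering is what makes a lone compromised endpoint unable to move funds, and the `reasons` list names which endpoint to pull for forensics.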
The Bybit theft established a new threshold for what a state-sponsored actor can extract from a single target in a single operation. The laundering infrastructure that processed the proceeds was operational and tested before the theft occurred — not assembled in response to it. The trajectory from 2023 to 2025 is not a series of isolated incidents. It is a programme, funded by each prior operation, directed by a state with a specific strategic need for hard currency, and constrained only by the quality of the targets it can reach. That constraint is narrowing.
Sources & further reading
- Chainalysis — $2.2B Stolen in Crypto 2024: https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/
- Chainalysis — Bybit Hack Analysis: https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/
- TRM Labs — The Bybit Hack: https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit
- Elliptic — North Korea Returns to Tornado Cash: https://www.elliptic.co/blog/north-korean-hackers-return-to-tornado-cash-despite-sanctions
- U.S. Treasury — Tornado Cash Original Sanctions (2022): https://home.treasury.gov/news/press-releases/jy0916
- U.S. Treasury — Tornado Cash Delisting (2025): https://home.treasury.gov/news/press-releases/sb0057
- Reuters — Tornado Cash Sanctions Scrapped: https://www.reuters.com/business/finance/us-scraps-sanctions-tornado-cash-crypto-mixer-accused-laundering-north-korea-2025-03-21/
- Chainalysis — Ransomware Laundering Shift (2024): https://www.chainalysis.com/blog/crypto-ransomware-victim-extortion-2025/
- Chainalysis 2025 Crypto Crime Report (PDF): https://www.chainalysis.com/wp-content/uploads/2025/02/the-2025-crypto-crime-report-release.pdf