Bybit Hack Fund Flow Analysis: How $1.5B Moves Through the Blockchain
A live forensic trace of the largest crypto theft in history — address by address
On February 21, 2025, $1.5 billion disappeared from Bybit in minutes. More than a year later, only 3% has been frozen. The rest is still moving.
This is not a post-mortem. This is a live fund flow analysis — showing exactly how the stolen funds moved, where they went, and what blockchain forensics tools can (and cannot) tell you about Lazarus Group's laundering operation.
What Actually Happened: The Attack Vector
The Bybit hack was not a smart contract exploit. It was a supply chain attack targeting the signing interface.
Here is the technical chain of events:
Two days before the attack, hackers compromised Safe{Wallet}'s AWS S3 bucket and injected malicious JavaScript into the platform's frontend. The code was dormant, waiting.
On February 21, Bybit employees initiated a routine cold-to-hot wallet transfer. The UI displayed a legitimate transaction. Behind the scenes, the injected code was doing something else: it overwrote the proxy contract's implementation address (stored in slot zero of the Gnosis multisig) with an attacker-controlled contract.
The signers approved what they thought was a normal transfer. What they actually signed gave the attacker full control of the cold wallet.
The attacker contract contained two functions:
- sweepERC20(address token, address to): drain ERC-20 tokens
- sweepETH(address receiver): drain ETH
Within minutes, 401,000 ETH was gone.
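As an added example (not code from Bybit, Safe, or ChainHint), the following decodes a Safe execTransaction payload and compares it against what the signing UI displayed, the independent check that would have surfaced the substitution described above. It assumes Safe's execTransaction selector and parameter order (to, value, data, operation, ...) and uses constructed placeholder addresses and calldata.

```python
# Added example: verify a Safe execTransaction payload against the UI display.
# Selector and parameter layout are Safe's; all addresses/calldata are constructed.
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
CALL, DELEGATECALL = 0, 1   # Safe `operation` values


def _word(n: int) -> bytes:
    return n.to_bytes(32, "big")


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Constructed encoder used only to build sample calldata; gas and refund
    fields are zero and `signatures` is empty."""
    padded = data.ljust(-(-len(data) // 32) * 32, b"\x00")
    data_tail = _word(len(data)) + padded
    head = [_word(int(to, 16)), _word(value), _word(10 * 32), _word(operation)]
    head += [_word(0)] * 5          # safeTxGas, baseGas, gasPrice, gasToken, refundReceiver
    head.append(_word(10 * 32 + len(data_tail)))   # offset of `signatures`
    return EXEC_TRANSACTION_SELECTOR + b"".join(head) + data_tail + _word(0)


def decode_exec_transaction(calldata: bytes) -> dict:
    """Extract to, value, operation and data from the ABI-encoded call."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")
    body = calldata[4:]
    words = [body[32 * i: 32 * (i + 1)] for i in range(10)]
    data_off = int.from_bytes(words[2], "big")
    data_len = int.from_bytes(body[data_off: data_off + 32], "big")
    return {
        "to": "0x" + words[0][12:].hex(),
        "value": int.from_bytes(words[1], "big"),
        "operation": int.from_bytes(words[3], "big"),
        "data": body[data_off + 32: data_off + 32 + data_len],
    }


def review_signing_request(calldata: bytes, shown_to: str, shown_value: int) -> list:
    """Discrepancies between the payload being signed and what the UI showed;
    an empty list means they match."""
    tx = decode_exec_transaction(calldata)
    findings = []
    if tx["to"].lower() != shown_to.lower():
        findings.append(f"recipient mismatch: payload {tx['to']}, UI showed {shown_to}")
    if tx["value"] != shown_value:
        findings.append(f"value mismatch: payload {tx['value']}, UI showed {shown_value}")
    if tx["operation"] == DELEGATECALL:
        # A delegatecall runs the target's code against the Safe's own storage,
        # which is how a proxy's implementation slot can be rewritten.
        findings.append("operation is DELEGATECALL, not CALL: target can modify Safe storage")
    return findings
```

Run on a hardware wallet's raw signing request (or a second, independent machine) rather than on the same browser session that rendered the UI.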
The Fund Flow: Address by Address
This is where blockchain forensics becomes critical — and where ChainHint's tracing pipeline makes the invisible visible.
Stage 1: Consolidation
All stolen assets initially landed at the primary exploit address 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e. This is the address we use as ChainHint's test case — it's one of the most documented malicious addresses in Ethereum history.
From there, assets moved to 0x4766...e2, where stETH and mETH were converted to ETH via decentralized exchanges. This step was critical: stETH and mETH are less liquid and harder to move at scale. Converting to ETH increased mobility.
Stage 2: Fragmentation
Rather than moving $1.5B as a single transaction, the attacker distributed funds in 10,000 ETH increments across 48 separate addresses. One of the primary distribution hubs, 0xdd90...f92, received 98,048 ETH before sending 90,000 ETH onward to further wallets.
This fragmentation strategy serves a specific purpose: it overwhelms manual analysis. Tracking 48 wallets simultaneously requires automated tooling. Without it, investigators lose the thread within the first two hops.
Stage 3: Chain Bridging
By March 20, 2025, Bybit CEO Ben Zhou confirmed that 86.29% of the stolen ETH had been converted to BTC. This cross-chain move is the most dangerous moment in any laundering operation — it breaks the on-chain trail between networks and requires investigators to maintain context across both chains simultaneously.
The bridging happened through multiple decentralized exchanges and cross-chain bridges, deliberately avoiding centralized infrastructure that could freeze funds.
Stage 4: Obfuscation
After cross-chain conversion, Lazarus Group deployed their standard playbook:
- BTC and ETH mixers to break transaction links
- Peer-to-peer (P2P) vendor networks to convert to fiat
- Money laundering-as-a-service via organized crime syndicates
As of March 2026, approximately $400 million has been traced through laundering channels. The remaining $1.1 billion remains in active wallet clusters under ongoing monitoring.
Tracing This in ChainHint
We ran the Bybit exploiter address through ChainHint's fund flow graph. Here is what the visualization surfaces immediately:
The root node 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e shows a Sanctioned status badge — it appears on the OFAC SDN list. Entity labels identify it as "Bybit Exploiter" across our 44M+ address database.
The outbound edges fan out across 48 child nodes within the first two hops, each tagged with the 10,000 ETH amounts. Entity resolution flags several of these as Lazarus Group-associated wallets based on cross-referencing against Arkham Intelligence data.
At hop 3, cross-chain bridge contracts appear — Chainflip, THORChain nodes — marking the transition point where ETH flows leave Ethereum and the trail splits into BTC.
The OFAC badge on the root node triggers automatically. Any funds that touched 0xa4b2...449e carry sanctions risk for downstream recipients.
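To make the Stage 2 fragmentation and the multi-hop trace above concrete, here is an added example (not ChainHint's code) of a minimal BFS over transfer edges with hop depth, received-amount aggregation and a check for the equal-sized fan-out pattern. Only the root is a real address (the exploiter address from the page); every other address and amount is constructed sample data.

```python
# Added example, not ChainHint's pipeline: BFS fund-flow trace from a root
# address. Root is the page's exploiter address; all other data is constructed.
from collections import defaultdict, deque

ROOT = "0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e"

# (sender, recipient, amount in ETH); constructed to mirror the Stage 2 pattern
TRANSFERS = [
    (ROOT, "0xHUB_PLACEHOLDER", 98_048.0),
    *[("0xHUB_PLACEHOLDER", f"0xLEAF_{i:02d}", 10_000.0) for i in range(9)],
    ("0xLEAF_00", "0xBRIDGE_PLACEHOLDER", 10_000.0),
    ("0xUNRELATED", "0xLEAF_01", 5.0),   # inbound from elsewhere: not downstream
]


def trace(transfers, root, max_hops):
    """BFS outward from root. Returns {address: hop} for everything reached
    within max_hops and {address: ETH received from traced addresses}."""
    outgoing = defaultdict(list)
    for src, dst, amount in transfers:
        outgoing[src].append((dst, amount))
    hop = {root: 0}
    received = defaultdict(float)
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if hop[node] >= max_hops:
            continue
        for dst, amount in outgoing[node]:
            received[dst] += amount
            if dst not in hop:          # first visit fixes the shortest hop
                hop[dst] = hop[node] + 1
                queue.append(dst)
    return hop, dict(received)


def fragmentation_hubs(transfers, hop, min_fanout=5):
    """Traced addresses that split funds into many equal-sized outputs, the
    10,000 ETH pattern that overwhelms manual follow-the-money."""
    outputs = defaultdict(list)
    for src, _dst, amount in transfers:
        if src in hop:
            outputs[src].append(amount)
    return {addr: amts for addr, amts in outputs.items()
            if len(amts) >= min_fanout and len(set(amts)) == 1}
```

Every address in the returned hop map received funds traceable to the sanctioned root, so the map doubles as the downstream sanctions-exposure set.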
Why Only 3% Was Frozen
The math is simple and brutal.
There are three windows in which stolen funds can realistically be frozen: when they are converted to BTC, when they are converted to a stablecoin, and when they are deposited at a centralized exchange. Each window is measured in hours.
By the time blockchain analysts mapped the full fund flow, coordinated with exchanges in multiple jurisdictions, and submitted freeze requests — the funds had already moved past the first two windows for most of the $1.5B.
The $42 million that was frozen came from the first hours of the investigation, when Elliptic and ZachXBT identified initial deposit addresses at centralized exchanges before those exchanges processed the deposits.
The lesson: forensic response speed is measured in minutes, not days.
What Chainalysis-Level Tools Cost vs. What You Actually Need
Bybit had access to Chainalysis, Elliptic, and TRM Labs — three enterprise platforms with pricing that starts at $25,000/year and scales into six figures.
For individual victims, security researchers, and small forensic firms, these tools are inaccessible. The result: when someone loses $50,000 to a drainer or a compromised wallet, they have no way to trace where the funds went.
ChainHint was built to close this gap. The same fund flow tracing that ran on Bybit's exploiter address — multi-hop BFS traversal, entity resolution against 44M+ labeled addresses, OFAC sanctions checking, cross-chain context — runs on any address for $79/month.
Enterprise forensics. Indie price.
The Bybit Hack in Numbers (March 2026)
- Stolen: $1.5B (401,000 ETH)
- Frozen: ~$42M (3% of total)
- Converted to BTC: 86.29%
- Currently tracked: ~$1.1B in active wallet clusters
- Bounty paid out: $4M+
- Lazarus Group attribution: FBI confirmed (Feb 26, 2025)
- Recovery outlook: Low — Lazarus has held funds for years before laundering
Try It Yourself
The Bybit exploiter address is public. The fund flow is on-chain. Anyone can trace it.
Start with 0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e on ChainHint — free tier gives you three hops. You'll see exactly how $1.5B begins its journey through the blockchain.
If you are investigating your own incident, the same pipeline works. Paste your address, set your hop depth, and let the graph tell the story the blockchain already recorded.
ChainHint is a blockchain forensics platform for incident response. 44M+ labeled addresses. 11 chains. Built for investigators who cannot afford enterprise pricing.