After stealing $1.46 billion from Bybit, Lazarus Group ran the most sophisticated multi-chain laundering operation ever documented. Every move was visible on-chain. Not a single dollar was recovered.
On 21 February 2025, Lazarus Group stole 499,395 ETH from Bybit in 90 seconds. The harder problem was what came next. Converting $1.46 billion in stolen, publicly-flagged Ethereum into usable state revenue, without a single centralised exchange, custodian, or government able to freeze it, required eight months, six blockchains, over 500 wallets, and a laundering strategy that is now the defining case study in post-theft cryptocurrency obfuscation.
Every phase of the laundering operation was visible in real time to blockchain analytics firms. The chain is public. The constraint was not observation. It was intervention. Every tool watching could see. None could act before settlement.
Within hours of the theft, 53 staging wallets began disbursing to hundreds of secondary addresses using a fanning technique, with each wallet sending to multiple sub-wallets, creating a tree structure computationally expensive to track comprehensively in real time. By day three, the stolen ETH had touched over 400 wallet addresses. The goal was not invisibility. The chain showed everything. The goal was width: making comprehensive simultaneous tracking exceed available analytical resources.
THORChain is a decentralised cross-chain protocol enabling direct swaps between native assets, such as ETH to BTC, without wrapping or centralised intermediaries. It has no AML controls and no sanctions screening list. Lazarus used it to convert stolen ETH to native Bitcoin, the critical transformation from Ethereum, where tracking is most sophisticated, to Bitcoin, where UTXO-based structure provides different obfuscation opportunities.
TRM Labs and Chainalysis tracked the conversions in near real-time. THORChain's governance community debated blocking Lazarus-attributed addresses; validators ultimately did not implement blocking. Over eight weeks, Lazarus converted approximately $480 million in ETH to native BTC, averaging $60 million per week.
Fixed-rate exchanges offering guaranteed conversion rates without KYC requirements became central laundering infrastructure. eXch became particularly prominent in post-theft tracing reports. Operating across hundreds of accounts simultaneously, Lazarus processed hundreds of millions through these services before restrictions were eventually applied under regulatory pressure, after the majority of flows had already settled.
The final phase used coinjoin transactions, peel chains, and OTC desks in low-enforcement jurisdictions to convert BTC into fiat. By October 2025, the unrecovered funds had been absorbed into DPRK state finances, linked by the UN Panel of Experts to ballistic missile and nuclear programme funding.
"The entire eight-month operation was a consequence of twelve seconds of inaction in the Ethereum mempool. The theft was the root cause. The laundering was the symptom."
Praveen Giri, Founder · QuantChainAnalysis| Phase | Method | Est. Volume | Enforcement Response |
|---|---|---|---|
| Dispersal (Days 1 to 3) | Wallet fanning to 400+ addresses | $1.46B ETH | None possible, already settled |
| THORChain (Wks 1–8) | ETH → native BTC, no-KYC | ~$480M | Validators declined to block |
| Fixed-rate exchanges (Mo. 2–5) | eXch and no-KYC services | ~$300M+ | Restrictions applied after most flows processed |
| OTC + mixing (Mo. 5–8) | Coinjoin, peel chains, OTC | Remainder | Absorbed into DPRK state finances |
Every phase of Lazarus Group's post-theft laundering was publicly visible and analytically well-documented. The reason $0 was recovered is not a failure of blockchain analytics. It is a failure of pre-broadcast enforcement. Once 499,395 ETH settled on-chain at block #21888239, no subsequent action could undo it. The entire operation was the consequence of twelve seconds of inaction in the mempool.