By Allium Research
Bybit Hack: How the Lazarus Group Exploited DeFi Protocols to Launder $400M
Crosschain analysis shows Lazarus leveraged DeFi protocols to launder funds
Bybit, the world’s second-largest exchange by trading volume, recently suffered the largest crypto hack in history. On February 21, 2025, North Korea’s Lazarus Group stole $1.46 billion in Ethereum tokens from Bybit and immediately began laundering the funds to cash out.
While many reports detailed how THORChain, ParaSwap, and token transfers were used to launder funds, we analyzed cross-chain DeFi & DEX activity to shed light on an untold part of the story: the Lazarus Group used DeFi aggregators to discreetly swap $386 million through DeFi protocols.
Though Lazarus laundered one-fifth of the stolen funds ($263M) through PancakeSwap alone, this is the first report on the Bybit hack to highlight the protocol (at the time of writing) and the role of aggregators. Allium’s cross-chain data enabled our wizards to track and visualize every transaction on Ethereum within five layers. Our analysis involved:
- 13,000 unique wallets,
- 127,000 transactions,
- With a cumulative volume of $12 billion,
- 5 hops away from the genesis node.

