
Greece’s Historic Crypto Seizure: A Blow to Lazarus Group’s $1.5 Billion Bybit Heist


July 10, 2025

In a landmark achievement, Greece’s Hellenic Anti-Money Laundering Authority has executed the country’s first-ever cryptocurrency seizure, targeting funds linked to the infamous $1.5 billion Bybit hack orchestrated by North Korea’s Lazarus Group in February 2025. This operation, which froze approximately $72 million in stolen Ethereum (ETH)—representing 5% of the pilfered assets—marks a significant milestone in the global fight against cybercrime. However, with over $870 million still unaccounted for, the case underscores both the progress and challenges in combating sophisticated cryptocurrency theft.

The Bybit Hack: A Record-Breaking Heist

On February 21, 2025, Bybit, a Dubai-based cryptocurrency exchange, fell victim to the largest crypto heist in history, losing 401,000 ETH valued at approximately $1.5 billion. The attack, attributed to the North Korean state-sponsored Lazarus Group, exploited vulnerabilities in Bybit’s multisignature wallet system, Safe{Wallet}, through a supply chain compromise involving malicious JavaScript code. This allowed hackers to redirect funds during a routine transfer from Bybit’s cold wallet to its warm wallet, bypassing security measures with alarming precision.

The Lazarus Group, known for its sophisticated cyberattacks and ties to North Korea’s Reconnaissance General Bureau, has a long history of targeting crypto platforms, stealing over $6 billion since 2017 to fund the regime’s nuclear and ballistic missile programs. The Bybit hack alone surpassed the group’s entire 2024 haul of $1.34 billion, highlighting their evolving capabilities and the growing threat to the crypto industry.

Greece’s Breakthrough: First Crypto Seizure

The Hellenic Anti-Money Laundering Authority’s seizure marks a pivotal moment for Greece and the global fight against crypto-related crime. The operation, announced on July 9, 2025, was enabled by advanced blockchain analysis tools from Chainalysis, specifically the Chainalysis Reactor, acquired in 2023 through regional partner Performance Technologies. Months after the Bybit hack, Greek authorities detected a suspicious transaction linked to a wallet on a Greek exchange platform. Using Chainalysis tools, they traced the funds to primary wallets involved in the hack, providing irrefutable on-chain evidence to issue a freezing order.

The seizure locked approximately $72 million in stolen ETH, representing 5% of the total haul, with around $11.7 million already returned to victims, though it’s unclear if this is directly tied to the frozen assets. Greek Economy and Finance Minister Kyriakos Pierrakakis emphasized the operation’s significance, noting that the suspect wallet was tied to a “Greek platform providing exchange services.” This success highlights Greece’s strategic investment in blockchain forensics and its commitment to combating financial crime in the digital age.

Lazarus Group’s Sophisticated Laundering Tactics

The Lazarus Group’s ability to launder vast sums of cryptocurrency at unprecedented speed sets this heist apart. Within 48 hours of the attack, hackers funneled $160 million through illicit channels, and by February 26, over $400 million had been laundered using a complex web of decentralized exchanges (DEXs), cross-chain bridges, and mixers like Wasabi, CryptoMixer, Railgun, and Tornado Cash. The group converted 86.29% of the stolen ETH into 12,836 Bitcoin (BTC) across 9,117 wallets, leveraging Bitcoin’s Unspent Transaction Output (UTXO) model to obscure the money trail.

Despite these efforts, blockchain transparency has proven to be a double-edged sword for the hackers. Bybit’s public LazarusBounty dashboard reports that 32.78% of the stolen funds remain traceable, while 62.04%—approximately $870 million—have “gone dark” through anonymity-preserving tools. The exchange’s bounty program, offering 10% rewards for recovered or frozen assets, has mobilized global blockchain investigators, with 12 organizations, including Mantle and Paraswap, earning $2.2 million in bounties for assisting in tracking $72 million in frozen assets.

Global Efforts to Combat Crypto Crime

Greece’s seizure is part of a broader international crackdown on the Lazarus Group’s laundering operations. In May 2025, German authorities seized €34 million ($38 million) from the eXch platform, a privacy-centric exchange implicated in laundering $1.9 billion in illicit funds, including those from the Bybit hack. This marked Germany’s third-largest crypto confiscation, effectively dismantling eXch’s operations. However, TRM Labs revealed that eXch continued to facilitate laundering through active APIs, underscoring the difficulty of fully shutting down such platforms.

The FBI has also taken decisive action, labeling the Bybit hack as part of the “TraderTraitor” campaign and releasing 51 Ethereum addresses linked to the Lazarus Group for crypto firms to block. Collaborative efforts involving blockchain analysis firms like Elliptic, Chainalysis, and TRM Labs have been critical in tracing funds and freezing assets, with Elliptic facilitating the seizure of $243,000 shortly after the hack. Despite these successes, experts warn that North Korea’s expertise in laundering—potentially operating 24/7 in shifts with automated tools—poses an ongoing challenge.
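The tracing step described earlier (following a deposit on an exchange back to wallets involved in the hack) and the blocklist screening described here can be sketched as a bounded backward search over transfers. This is an added example, not code from the article or from any of the named tools; the address labels, transfers and the `trace_back` helper are constructed for illustration.

```python
from collections import deque

# Constructed sample data: short labels stand in for real addresses.
FLAGGED = {"theft_wallet_1", "theft_wallet_2"}  # stands in for a published blocklist

# (sender, receiver) transfers, constructed for illustration.
TRANSFERS = [
    ("theft_wallet_1", "hop_a"),
    ("hop_a", "hop_b"),
    ("hop_a", "hop_c"),
    ("hop_b", "exchange_deposit_1"),
    ("clean_user", "exchange_deposit_2"),
    ("theft_wallet_2", "hop_d"),
    ("hop_d", "hop_e"),
    ("hop_e", "hop_f"),
    ("hop_f", "exchange_deposit_3"),
]

def trace_back(deposit, transfers, flagged, max_hops=3):
    """Breadth-first search backwards from a deposit address.

    Returns the shortest chain [flagged_source, ..., deposit] found within
    max_hops transfers, or None if no flagged address is reachable.
    """
    # Index transfers by receiver so we can walk from receiver to senders.
    incoming = {}
    for sender, receiver in transfers:
        incoming.setdefault(receiver, []).append(sender)

    queue = deque([(deposit, [deposit])])
    seen = {deposit}
    while queue:
        addr, path = queue.popleft()
        if addr in flagged:
            return list(reversed(path))  # evidence chain, source first
        if len(path) - 1 >= max_hops:
            continue  # screening depth exhausted on this branch
        for src in incoming.get(addr, []):
            if src not in seen:
                seen.add(src)
                queue.append((src, path + [src]))
    return None

if __name__ == "__main__":
    for dep in ("exchange_deposit_1", "exchange_deposit_2", "exchange_deposit_3"):
        print(dep, "->", trace_back(dep, TRANSFERS, FLAGGED))
```

The third deposit is only linked to a flagged wallet at four hops, so the default depth of three misses it; screening depth is a cost and coverage trade-off, and links broken by mixers are not recoverable by this kind of search at all.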

Challenges and the Road Ahead

While Greece’s seizure and global recovery efforts are significant, the fact that $870 million remains unaccounted for highlights the scale of the challenge. The Lazarus Group’s use of mixers, cross-chain bridges, and decentralized platforms makes tracing funds increasingly difficult. Moreover, North Korea’s closed economy and disregard for international sanctions allow it to operate with impunity, funneling proceeds into its military programs.

The Bybit hack has also raised concerns about the crypto industry’s vulnerabilities. The attack exploited a supply chain compromise in Safe{Wallet}, underscoring the need for robust cybersecurity measures, including regular audits, multi-signature wallets, and secure coding practices. Bybit has since secured emergency loans from firms like Galaxy Digital and Wintermute to maintain liquidity and has implemented stricter security protocols, but the incident has dented trust in the sector.

Conclusion

Greece’s first crypto seizure is a testament to the power of blockchain transparency and international cooperation in combating cybercrime. By leveraging advanced tools and partnerships, the Hellenic Anti-Money Laundering Authority has set a precedent for other nations in the fight against sophisticated actors like the Lazarus Group. However, with $870 million still unaccounted for and North Korea’s hacking capabilities growing, the crypto industry and global regulators must intensify efforts to close loopholes, enhance security, and disrupt illicit financial flows.

As the battle against crypto theft continues, Greece’s success serves as both a victory and a reminder of the work ahead. The Lazarus Group’s $1.5 billion Bybit heist may be the largest in history, but collaborative efforts across borders and blockchains are proving that even the most elusive hackers can be challenged.


7 COMMENTS

  1. Okay, I’m kinda new to this crypto stuff, so forgive the dumb question: how does a country like Greece even seize crypto? Like, do they just hack the wallet or something?
