Bybit linked to $2B in illicit Iranian cash flow through crypto exchange
North Korean hackers used the Dubai-based exchange as a conduit for stolen funds, helping Iran sidestep US sanctions through crypto.
The largest crypto exchange hack in history turned out to be more than a theft. It became a blueprint for how sanctioned nations move money in the open.
Bybit, the Dubai-based crypto exchange, has been linked to roughly $2 billion in illicit financial flows connected to Iran, with investigators tracing the movement of funds stolen by North Korean state-sponsored hackers through the platform. The Wall Street Journal reported on the connection, painting a picture of a digital financial underground where Pyongyang’s cybercriminals and Tehran’s sanction-evaders found common cause on the same infrastructure.
How the money moved
On February 21, 2025, hackers linked to North Korea’s Lazarus Group pulled off what is now the largest single crypto exchange hack ever recorded, lifting $1.5 billion worth of ether from Bybit.
The FBI and blockchain analytics firm Chainalysis both attributed the attack to Lazarus, a state-sponsored hacking unit that has spent years turning cybercrime into a revenue stream for the North Korean government.
In total, North Korean hackers stole over $2 billion in crypto in 2025, with the Bybit heist accounting for the bulk of that figure.
Chainalysis identified approximately $500 million in USDT flows tied to proceeds from the hack. After stealing billions in ether, the attackers converted a significant portion into Tether, a dollar-pegged stablecoin, to make the funds easier to move and harder to freeze.
Iran’s role in this scheme involves accessing those stolen and laundered funds to get around US sanctions that have cut the country off from the conventional financial system for decades. Bybit explicitly prohibits service to Iran. That restriction did not prevent the exchange from becoming a transit point for funds that ultimately benefited Iranian entities.
A broader sanctions evasion playbook
The Bybit hack sits at the center of this arrangement because the scale of the theft, $1.5 billion in a single operation, generated a surplus of digital assets that needed to be laundered and deployed. The Lazarus Group has a well-documented history of using crypto mixers, chain-hopping, and stablecoin conversions to obscure the trail.
The broader crypto theft landscape in 2025 has been severe. The reported $3.4 billion in total crypto thefts shows that this is not a one-off problem.
In June 2025, Nobitex, Iran’s largest domestic crypto exchange, was itself hit by a cyberattack that resulted in roughly $90 million in losses.