Greece tracks and freezes crypto stolen in $1.5B Bybit hack

Published 10 Jul 2025


Greece executed its first-ever cryptocurrency asset seizure, freezing funds traced to North Korea’s $1.5 billion Bybit exchange hack through advanced blockchain analysis technology.

The Hellenic Anti-Money Laundering Authority announced July 9 that it froze crypto assets tied to February’s $1.5 billion theft. Months after hackers linked to North Korea’s Lazarus Group robbed the exchange, Greek investigators spotted a suspicious transaction that cracked the case.

Finance Minister Kyriakos Pierrakakis called the operation “a blueprint for modern financial defense.” The seizure represents a major victory against one of the world’s most dangerous cybercriminal organizations.

The investigation began when authorities noticed strange crypto activity months after the attack. Greek analysts used Chainalysis Reactor, a blockchain tracking tool purchased in 2023, to trace the suspicious wallet through transactions across more than 25 blockchains.

Lazarus Group used its “flood the zone” strategy, quickly moving funds across multiple platforms to confuse tracking systems. The hackers converted most of the funds into Bitcoin, spreading them across 9,117 wallets while using privacy tools to hide their tracks.

The blockchain analysis showed clear links between the flagged wallet and the original Bybit hack wallets. Authorities issued an emergency freezing order, taking criminal money away from hackers before sending the case to prosecutors.

The Bybit hack stands as 2025’s largest cryptocurrency theft. North Korean-affiliated groups have stolen an estimated $5 billion since 2017, according to TRM Labs research.

This seizure is just a small piece of the massive theft. According to Bybit’s tracking dashboard, only 5.18% of the stolen $1.4 billion has been frozen worldwide. About 62% has “gone dark” and 33% remains trackable.

TRM Labs noted the operation showed North Korea’s growing tactics. “The Bybit exploit indicates that the regime is intensifying its ‘flood the zone’ technique—overwhelming compliance teams with rapid, high-frequency transactions,” the firm said.

Greece’s success comes alongside other international efforts. Germany seized 34 million euros from the eXch laundering platform in May. Bybit launched a $140 million bounty program offering 10% rewards for recovered funds.

The breakthrough shows how blockchain’s permanent record, combined with analysis tools and international cooperation, can beat sophisticated criminals. For Lazarus Group, which has stolen about $5 billion since 2017, the seizure means their digital hiding spots are disappearing.

The case proves that even the most advanced crypto thieves leave digital footprints that trained investigators can follow.