Sanctuary Intelligence Desk

The most detailed public breakdown of the Bybit fund recovery status came from CEO Ben Zhou's April 21, 2025 executive summary. As of that date:
- **68.57 percent** of stolen funds remained traceable on-chain
- **27.59 percent** had gone dark via mixers, P2P, OTC
- **3.84 percent** had been frozen across various venues
Of the converted-to-BTC portion: 86.29 percent of stolen ETH had been converted to BTC by March 20, 2025, distributed across approximately 6,954 BTC wallets per Elliptic. THORChain processed approximately $1 billion-plus of the laundering — 93 percent of THORChain ETH deposits in week one were Bybit-tainted per Elliptic.
eXch — the no-KYC instant-swap exchange — processed at least $200 million of Bybit funds per Elliptic's estimate. ZachXBT's separate accounting put the eXch share at a minimum of $35 million. SlowMist and Nick Bax independently estimated approximately $30 million.
Then the second laundering phase: Wasabi, CryptoMixer, and additional BTC dispersion. Per Ben Zhou's April 2025 statement, approximately 944 BTC — around $90 million at the time — was laundered through Wasabi specifically. (An earlier figure of 193 BTC / $16 million was revised upward as tracing continued.)
The structural answer is: not much, and the share that has gone dark has crept upward.
**Elliptic's 12-month anniversary post (February 21, 2026)** framed the recovery as "the vast majority of the stolen funds have been processed" — meaning passed through laundering infrastructure to the point where further on-chain tracing produces diminishing returns. Elliptic stopped publishing a Bybit-specific recovery split, instead framing it within the broader DPRK 2025 haul of approximately $2.02 billion per Chainalysis' annual report.
**Chainalysis 2026 Crypto Crime Report** put the post-laundering recovery share at "well below 5 percent" of the original theft amount. The figure includes funds frozen, funds returned via white-hat negotiation, and funds re-tagged after secondary laundering.
**Net 15-month estimate (May 2026)**: the untraceable share has crept upward from the April 2025 27.59 percent figure. No source has published a clean tri-split for May 2026. The conservative read is approximately 28 to 32 percent untraceable, with the increase coming from continued laundering against a static recovery base.
In absolute dollar terms: of the original $1.46 billion, approximately $280 million is now genuinely beyond on-chain reach. The funds are in BTC wallets that have passed through mixers and then through P2P or OTC channels that the public chain analytics cannot follow.
eXch announced its shutdown on May 1, 2025, after its public attribution as the second-largest Bybit laundromat. The public-facing domains were pulled on April 30, 2025. Industry reporting (cited but not directly confirmed via primary source in our research) describes German police seizure of 8TB of data plus $38.2 million in funds; this figure is widely circulated but does not appear in Elliptic's April 30, 2025 primary post, so treat it as UNVERIFIED at that precision.
What IS confirmed by TRM Labs' May 2, 2025 post-shutdown analysis: eXch continued offering API access to "business partners" — meaning mixers and on-chain privacy services that had previously been eXch customers. The "shutdown" was a public-facing event; the operational infrastructure persisted under a "new team" with the original operators in "consulting" roles.
As of May 2026, no formal successor brand to eXch has been publicly identified. TRM has warned that eXch may rebrand via "dedicated liquidity pools" that break on-chain continuity with the historical eXch wallet cluster. No 2026 enforcement update on the original eXch operators has been published.
The structural takeaway: the German seizure produced a brand-level disruption. The operational laundering capacity persisted via the API-access-to-business-partners route. The Bybit funds that flowed through eXch in 2025 went somewhere; that "somewhere" has not been operationally severed.
Both Elliptic and Chainalysis maintain that the bulk of Bybit's untraceable funds — the $280 million-plus that left no further on-chain trail — laundered through Chinese-language Money Laundering Networks (CMLNs).
CMLN architecture: Chinese-speaking OTC desks operating in informal markets, often via WeChat and Telegram, accepting BTC/USDT and converting to CNY cash or to RMB-denominated bank deposits via mule accounts. The networks are not exchanges in the regulated sense; they operate as broker-dealer arrangements where the operator takes a percentage and the underlying flow is between counterparties who never directly transact.
Chainalysis' 2026 Crypto Crime Report estimates CMLNs processed $16.1 billion in 2025 — approximately $44 million per day across 1,799 active wallets. CMLNs launder approximately 10 percent of pig butchering proceeds in addition to the Lazarus/DPRK flow.
The structural problem: CMLNs are operated in a jurisdiction (China) that does not coordinate with US/EU enforcement on crypto recovery. No public DOJ indictment of CMLN operators specifically tied to Bybit laundering has been filed as of May 15, 2026. Tether and Chinese law enforcement do not have a publicly-announced joint working relationship on Bybit-class cases; the political climate — US-China crypto tensions, China's December 2025 counter-accusation of a $13 billion BTC theft against US sources — makes such coordination unlikely.
The $280 million is, in practical terms, in CNY-denominated bank deposits and informal cash positions in Chinese-speaking criminal economies. The funds are spendable. They are not, on-chain, traceable beyond the point of conversion.
The T3 Financial Crimes Unit (Tether + TRON Foundation + TRM Labs, launched September 2024) has cumulatively frozen $450 million-plus in illicit USDT since launch per the May 14, 2026 milestone announcement.
Of that, Bybit/Lazarus-specifically: $19 million frozen (cumulative figure from April 2025). The Bybit-specific figure has not been publicly updated since April 2025. T3's overall growth has come from Iran, Turkey, pig butchering, and other categories — not from incremental Bybit recovery.
This is the structural read: Tether's freeze tooling works against actively-moving funds. By the time Bybit funds reached the Chinese OTC layer, they were no longer in addresses that Tether could freeze — they were converted out of USDT into BTC, then out of BTC into CNY cash equivalents. The freeze tooling has a temporal window. Bybit funds passed through the window in late February through March 2025; once past, the tooling is structurally unable to pull them back.
THORChain processed approximately $1 billion of the Bybit ETH-to-BTC conversion. The protocol is governance-light by design — no operator can freeze a swap mid-route. The node operators are publicly known per DL News reporting, many are US-resident, and the consensus framing in industry coverage is that they "knowingly kept the network running" during the most acute Bybit laundering window.
No enforcement actions against THORChain or its node operators have been reported as of May 2026. The protocol was again used in the KelpDAO laundering operation in April 2026. THORChain's legal exposure is significant in theory; the operational consequence has been zero in practice.
This is the pattern for governance-light cross-chain infrastructure: the legal status is unsettled, the practical enforcement is absent, and the laundering volume continues. Until a court rules on operator liability or an OFAC designation lands on the THORChain protocol contract, the rail remains operational.
$140 million offered. $2.3 million paid to 13 hunters across 70 valid reports of 5,443 submissions.
The 99.8-percent unpaid share is the structural read on how on-chain bounty pools work in 2026. The bounty pays in proportion to **recovered** funds, not **identified** funds. Bounty hunters who can produce on-chain trails to addresses Bybit can recover from — frozen by Tether, captured by law enforcement, or returned by counterparty exchanges — get paid. Bounty hunters who can produce trails to addresses where the funds have moved beyond reach (Chinese OTC, Wasabi-cleaned BTC, P2P fiat) do not get paid.
The bounty hunters who submitted the 70 valid reports likely include the bulk of the on-chain forensic tracing community — Elliptic, TRM, Chainalysis individuals, ZachXBT-style independents, and SlowMist's Nick Bax. Their work produced the public reporting that quantifies what was lost. Their work also produced very little recovery.
This is not a critique of the bounty model. It is an observation about the limits of on-chain forensics against state-actor laundering with jurisdictional escape routes. The chain is public; the cash-out is not.
For Sanctuary's purposes, the 15-month Bybit update produces three operational lessons.
**First**, the early window matters. Of the funds that Tether froze, almost all were frozen within the first 30 days. The freeze rate dropped to near zero after that. Compliance teams at venues that receive Bybit-tainted deposits — directly or via THORChain — should expect Tether intervention if they alert within the first month, not after.
**Second**, the Chinese OTC layer is not screenable. Sanctuary tags BTC addresses with `chinese_otc_cluster` based on TRM and Elliptic clustering, but the tag does not extend into off-chain CNY positions. Once funds reach the CMLN cash layer, on-chain attribution stops mattering for recovery purposes; it continues mattering only for forward-flow risk (any new on-chain inflows from CMLN-attributed wallets should be screened).
**Third**, the THORChain rail is a permanent feature. THORChain's legal status may eventually change, but for compliance-screening purposes today, THORChain inflows should be screened at the cluster level. Sanctuary's tag `thorchain_inflow_high_risk_origin` applies to inflows that trace within seven hops to designated origin clusters.
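The seven-hop rule in the third lesson can be read as a hop-bounded backward search over a transfer graph. The sketch below is an added example, not Sanctuary's own code: the addresses, the `designated_origin` and `thorchain` cluster labels, and the rule that "via THORChain" means the deposit's direct sender sits in a THORChain-labelled cluster are all assumptions made for illustration.

```python
from collections import deque

MAX_HOPS = 7                                  # hop limit stated in the article
TAG = "thorchain_inflow_high_risk_origin"     # tag name from the article

def chain(*addrs):
    """Turn a sequence of addresses into consecutive (sender, receiver) edges."""
    return list(zip(addrs, addrs[1:]))

# Constructed sample transfers; every address and cluster label here is made up.
TRANSFERS = (
    chain("origin_A", "a1", "a2", "pool_1", "dep_near")                      # 4 hops
    + chain("origin_B", "e1", "e2", "e3", "e4", "e5", "pool_2", "dep_edge")  # 7 hops
    + chain("origin_A", "b1", "b2", "b3", "b4", "b5", "b6", "pool_3", "dep_far")  # 8
    + chain("origin_A", "d1", "dep_direct")   # close, but not routed via THORChain
)
CLUSTERS = {"origin_A": "designated_origin", "origin_B": "designated_origin",
            "pool_1": "thorchain", "pool_2": "thorchain", "pool_3": "thorchain"}

def reverse_index(transfers):
    """Map each receiver to the set of addresses that sent to it."""
    senders = {}
    for src, dst in transfers:
        senders.setdefault(dst, set()).add(src)
    return senders

def trace_to_origin(deposit, senders, clusters, max_hops=MAX_HOPS):
    """Breadth-first walk backward from deposit; return (hops, path) or None."""
    queue, seen = deque([[deposit]]), {deposit}
    while queue:
        path = queue.popleft()
        addr, hops = path[-1], len(path) - 1
        if clusters.get(addr) == "designated_origin":
            return hops, path[::-1]           # path ordered origin -> deposit
        if hops == max_hops:
            continue                          # hop budget spent on this branch
        for prev in sorted(senders.get(addr, ())):
            if prev not in seen:
                seen.add(prev)
                queue.append(path + [prev])
    return None

def tag_inflow(deposit, transfers=TRANSFERS, clusters=CLUSTERS):
    """Return TAG when the deposit came via THORChain and traces to an origin."""
    senders = reverse_index(transfers)
    via_thorchain = any(clusters.get(s) == "thorchain"
                        for s in senders.get(deposit, ()))
    hit = trace_to_origin(deposit, senders, clusters)
    return TAG if via_thorchain and hit else None

if __name__ == "__main__":
    for dep in ("dep_near", "dep_edge", "dep_far", "dep_direct"):
        print(dep, tag_inflow(dep))
```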
A $1.5 billion theft, fifteen months later, produces $19 million in Tether freezes, $30 million in bounty-driven recovery, and $280 million genuinely beyond reach.
The chain is public. The cash-out is not. State-actor laundering with Chinese OTC exit routes is the structural limit of on-chain forensics in 2026.
For Bybit specifically: the reserves are restored, the customers are whole, the operational impact has been absorbed. For the industry: the Bybit case is the case study for how much of a major state-actor theft is actually recoverable. The answer, fifteen months in, is approximately 3 percent.
Screen the wallets that remain in scope. The ones that aren't, aren't.