DeFi protocols are ignoring DPRK-linked transactions: ZachXBT

Blockchain investigator ZachXBT has voiced serious concerns about cryptocurrency platforms ignoring transactions linked to North Korean hackers following the historic $1.4 billion Bybit hack.

In a Telegram announcement, the researcher described his efforts to help freeze funds from the February 21, 2025 attack as “eye-opening.” He also revealed the troubling practices across both decentralized and centralized crypto platforms.

ZachXBT’s crucial role in hack response efforts

According to ZachXBT, several “decentralized” protocols have recently derived “nearly 100% of their monthly volume/fees” from North Korean entities. However, according to him, they “refuse to take any accountability” for their role in potentially allowing the money laundering. The investigator’s claims come as he actively participates in the ongoing effort to trace and recover funds from the hack.

“This industry is unbelievably cooked when it comes to exploits/hacks and sadly idk if the industry is going to fix this itself unless the government forcibly passes regulations that hurt our entire industry,” ZachXBT stated in his message.

ZachXBT has been an important person in the effort to recover funds from the Bybit hack as per the LazarusBounty program. According to the bounty hunter leaderboard, ZachXBT ranks third among contributors. He has helped to verify three reports that led to the identification and freezing of $625,610 in stolen assets.

For his work, ZachXBT has earned an estimated bounty of $31,280. The bounty program, which offers a total of $140 million (10% of recovered funds), has awarded $2,233,947 to 13 hunters thus far.

Despite these efforts, ZachXBT’s frustration comes from the slow response times from many crypto platforms. “Centralized exchanges end up being worse as when illicit funds flow through them, a few take multiple hours to respond when it only takes minutes to launder,” he noted in his Telegram message.

He specifically criticized Know Your Transaction (KYT) systems as “completely flawed and easily evadable.” ZachXBT also described Know Your Customer (KYC) requirements as “just a honeypot for regular users bc of breaches/insiders and is useless in majority of cases due to purchased accounts.”

Limited recovery progress despite massive bounty

According to the program’s dashboard, it has only frozen 3.22% of the overall hacked money (about $44.37 million). The exchange has offered a bounty of $140 million for recovery support.

The information indicates that although 89.96% of the stolen assets (approximately $1.26 billion) are being traced at present, the overwhelming majority are still out of the reach of recovery efforts. Another 6.80% of funds (approximately $94.87 million) are in a status called “Awaiting Response.”

This rate of slow recovery corroborates ZachXBT’s attacks on industry reaction times. LazarusBounty statistics indicate that even when it is possible to identify and track stolen funds, translating that knowledge into actual freezes on assets remains difficult.

The hack itself involved a social engineering attack that exploited vulnerabilities in the Safe Wallet software used by Bybit for its multi-signature transaction process. According to reports, the Lazarus Group hackers hacked a routine transaction, altered the code to make it appear legitimate, and redirected funds to their control.

North Korean hacking highlights industry vulnerabilities

The Bybit hack attributed to North Korea’s Lazarus Group has exposed fundamental weaknesses in the cryptocurrency ecosystem’s ability to fight state-sponsored financial crimes. According to research from the Center for Strategic & International Studies, the attack fits into a large pattern of North Korean cyber operations targeting digital assets to generate funds for the country’s nuclear and missile programs.

ZachXBT’s observations about DeFi protocols deriving nearly their entire monthly volume from transactions linked to North Korea raise serious questions about the sector’s commitment to security and compliance. The speed at which the hackers moved to launder the stolen funds shows their technical experience.

Reports show that at least $160 million of the stolen assets were laundered within the first 48 hours following the attack. ZachXBT specifically called out platforms that continued processing transactions despite being notified of their connection to the hack.

The effect of the hack goes beyond Bybit itself, being part of an overall crypto market decline. The bearish market reaction even after the Trump administration made efforts to make the United States a hub for crypto. This includes a recent executive order to develop a strategic Bitcoin reserve.

As ZachXBT summed up in his Telegram post, the sector might not be able to solve these weaknesses on its own. This might pave the way for regulations that could have broader effects on the cryptocurrency industry as a whole.

Cryptopolitan Academy: Coming Soon - A New Way to Earn Passive Income with DeFi in 2025. Learn More