The North Korean-linked hackers responsible for the Bybit attack are nearing the final phase of laundering the 499,000 ETH they stole, valued at approximately $1.5 billion. At their current pace, experts estimate they could complete the process within three days.

Amid this rapid movement of funds, criticism has mounted against USDC stablecoin issuer Circle for allegedly delaying action in blacklisting wallets associated with the heist, allowing the stolen funds to move further beyond recovery.

On March 1, the hackers transferred another 62,200 ETH, worth around $138 million, reducing their remaining unlaundered balance to 156,500 ETH. Crypto investigator EmberCN, who has been closely monitoring the transactions, noted that the accelerated pace suggests the process will be finalized imminently.

“Since the hacker resumed money laundering yesterday at 3 PM, they have laundered 62,200 ETH (worth $138 million). Out of the 499,000 ETH stolen from Bybit, only 156,000 ETH (worth $346 million) remain unlaundered. In about three more days, all of it should be fully laundered,” EmberCN wrote on X.

This aligns with findings from blockchain intelligence firm TRM Labs, which reported that the attackers are demonstrating an “unprecedented level of operational efficiency.” The firm highlighted the hackers’ sophisticated laundering techniques, which include the use of intermediary wallets, decentralized exchanges, and cross-chain bridges to obscure transaction trails. These methods complicate efforts by investigators attempting to track and recover the stolen assets.

Authorities have taken note of the attack. On February 27, the FBI identified the North Korean-affiliated hacking group TraderTraitor as the perpetrators of the Bybit breach. In response, Bybit launched a $140 million bounty program, offering rewards to those who assist in tracking and freezing the stolen funds. To date, 16 individuals have collectively received $4.2 million in payouts for their contributions.

The escalating situation has also reignited concerns over Circle’s handling of stolen funds. On-chain analyst ZachXBT criticized the company for its slow response in blacklisting hacker-controlled wallets, arguing that its inaction gave the attackers ample time to move the assets beyond reach.

He pointed out that Circle took over 24 hours to respond, and referenced previous security breaches, such as the Ledger and Nomad Bridge hacks, where similar delays allegedly allowed illicit funds to be laundered.

As a key stablecoin issuer, ZachXBT believes Circle should take a more proactive approach rather than waiting for law enforcement directives. However, Circle’s CEO, Jeremy Allaire, defended the company’s position, stating that the firm only acts on direct requests from authorities.

“We will share a post on how we immediately respond to law enforcement and not front-run the law with our own or market intelligence. I don’t think the market or users benefit if a private company makes their own judgments to seize funds without a direct law enforcement request,” Allaire explained.

ZachXBT was quick to counter, arguing that waiting for legal clearance creates unnecessary delays, giving hackers the advantage. “An ongoing attack impacting the entire ecosystem only has minutes for a blacklist. You know this and then push back for a court order from law enforcement, which takes multiple days in a best-case scenario. Your team completely made up this internal policy, and it’s not required by law,” he stated.

Security expert Taylor Monahan echoed these frustrations, calling Circle’s approach inefficient. She argued that delays in freezing stolen funds increase the likelihood of assets becoming untraceable.

“You have a blocklist function because you have to. Grow up and use it. Freeze criminal funds, establish checks and balances, create accessible paths of recourse if it turns out bad and fix it quickly. This is dead simple,” Monahan emphasized.

She also pointed out that victims of mistaken freezes often endure lengthy legal battles to reclaim their assets due to Circle’s rigid policies. As the laundering operation nears its conclusion, the broader crypto community remains divided on how centralized entities should handle illicit transactions in real-time. Meanwhile, the hackers continue to move swiftly, testing the limits of global cybersecurity measures.

By Alejandro Silva Ramírez, Crypto Analyst & Columnist