Update from the T3 Financial Crime Unit (T3FCU)

The T3 Financial Crime Unit (T3FCU) has provided an update about the $1.5B North Korean hackers reportedly stole during the Bybit exploit. The crypto crime-fighting team announced that they have successfully frozen $9M of the stolen funds.

Formation of T3FCU

TRON, Tether, and TRM Labs came together to set up the T3 Financial Crime Unit in August 2024. The initiative focuses on identifying and disrupting illicit activities within the cryptocurrency space.

The unit works closely with global law enforcement agencies and has played a vital role in freezing significant assets tied to various financial crimes.

Altogether, T3FCU has frozen about $36M linked to fraudulent investment schemes and $65M associated with money laundering operations. The collaborative crypto crime monitoring unit has also addressed cases involving blackmail and illicit drug transactions.

Recent Investigation and Recovery

T3FCU’s most recent investigation led to the successful freezing of $9M related to the Bybit hack. The unit announced the recovery on X, and the official TRON account hinted that further details will be discussed in person at the Digital Chamber blockchain summit on March 26, 2025.

The announcement also acknowledged the contributions of blockchain analysts ZachXBT and ZeroShadow, with Zhou previously thanking ZeroShadow for assistance in blockchain forensics.

The T3FCU is establishing its reputation as a formidable force against crypto-related crime. Tracking crypto transactions poses significant challenges due to the anonymous nature of DeFi, which becomes even more complex when tracking and recovering stolen assets.

Crime Report Insights

TRM shared a crypto crime report indicating that attackers stole $2.2B through hacks and exploits in 2024, marking a 17% increase from the previous year. It was noted that the North Korean hackers involved in the Bybit heist were responsible for approximately 35% of all stolen funds last year, with $800M stolen in cryptocurrency in 2024.

Bybit’s Response to the Hack

Observers praised the Bybit team’s response as swift after the exchange suffered a security breach in February 2025, resulting in the loss of approximately $1.5B worth of Ethereum (ETH). On-chain analyses connected the breach to the Lazarus Group, a well-known state-sponsored hacking organization from North Korea. As with prior attacks, the hackers quickly laundered the stolen funds using mixers and masking techniques to complicate recovery efforts.

Bybit launched a bounty program, offering up to 10% of recovered funds to individuals or entities that assist in recovery. However, Zhou revealed that over a month after the heist, only 63 of the 5012 bounty reports were valid.