On February 22, according to analysis by Eric Wall, co-founder of Taproot Wizards, the Bybit theft has been basically confirmed to be the work of the North Korean hacker organization Lazarus Group. According to Chainalysis's 2022 report, the organization usually follows a fixed pattern of disposing of stolen funds, and the entire process may last for years. Data for 2022 shows that the organization still holds $55 million from the 2016 attack, indicating that it is in no hurry to cash in quickly. Regarding the disposal process of stolen funds: Step 1: Transfer all ERC20 tokens (Including liquid derivatives such as stETH) to ETH; Step 2: Convert all ETH obtained into BTC; Step 3: Gradually convert BTC into RMB through Asian exchanges; End use: These funds are said to be used to support North Korea's nuclear weapons and ballistic missile programs; Analysts pointed out that Bybit is currently borrowing to replenish the ETH gap of approximately US$1.5 billion, a strategy that may be based on the expectation of recovering stolen funds. However, given that it was confirmed that Lazarus Group was responsible, the possibility of recovery is extremely low, and Bybit will have to purchase ETH to repay the loan. In the long run, Bybit's purchase of ETH and Lazarus Group's sale of ETH in exchange for BTC may cancel each other out, and the BTC acquired by Lazarus Group will gradually convert into selling pressure in the next few years.