Analysis: Bybit hackers' path for disposing of the funds is ETH to BTC to fiat currency; the process may last for several years and gradually convert into selling pressure
On February 22nd, according to an analysis by Eric Wall, co-founder of Taproot Wizards, the Bybit theft has essentially been confirmed to be the work of the North Korean hacking group Lazarus Group. According to Chainalysis's 2022 report, the organization usually follows a fixed pattern when disposing of stolen funds, and the whole process may last for several years. Data from 2022 shows that the group still held $55 million in funds from attacks carried out in 2016, indicating that it is in no hurry to cash out.
The disposal process for stolen funds is as follows:
Step 1: Convert all ERC20 tokens (including liquid derivatives such as stETH) into ETH.
Step 2: Convert all the ETH obtained into BTC.
Step 3: Gradually convert the BTC into RMB through Asian exchanges.
End use: The funds are said to be used to support North Korea's nuclear weapons and ballistic missile programs.
The analysis points out that Bybit is currently borrowing to cover an ETH shortfall of about $1.5 billion, a strategy that may be based on the expectation of recovering the stolen funds. However, given that the Lazarus Group has been confirmed as responsible, the possibility of recovery is extremely low, and Bybit will have to buy ETH to repay the loans. In the long run, Bybit's purchases of ETH and the Lazarus Group's sales of ETH in exchange for BTC may cancel each other out, while the BTC acquired by the Lazarus Group will gradually convert into selling pressure over the next few years.