Greece has frozen digital assets connected to the Lazarus hack, marking its first official crypto-related seizure.
The freeze targets Ethereum stolen in the $1.46 billion Bybit hack, which took place in February 2025.
Greece’s Hellenic Anti-Money Laundering Authority (HAMLA) led the operation and confirmed it was tied to North Korea’s Lazarus Group.
According to investigators, the funds were traced to a wallet linked to a Greek crypto platform.
The operation was completed in collaboration with Chainalysis, which provided real-time blockchain tracking.
HAMLA used that data to identify the assets and issue an official freeze.
Greece’s Minister of National Economy and Finance, Kyriakos Pierrakakis, highlighted that blockchain records supported the freeze.
The seizure shows how small jurisdictions now use global tools to respond to crypto crimes.
The Greece crypto seizure follows months of investigation after the Bybit hack drew global attention.
Chainalysis Tracks Ethereum From Bybit Hack to Greece
Chainalysis helped trace the stolen funds to specific wallets after the Bybit security breach.
The team followed Ethereum transfers that moved quickly through decentralized platforms and mixers.
They eventually found a wallet linked to a local exchange in Greece.
The hackers used complex transfer patterns to avoid detection, but the transactions remained visible on-chain.
Chainalysis flagged the wallets, tagged the flows, and shared the data with HAMLA.
That data helped Greece issue the crypto freeze without delay.
Investigators said the seized Ethereum came from one of the largest single-platform thefts ever recorded.
Before this, North Korea hacking group Lazarus had already carried out multiple crypto thefts in past years.
The $1.46 billion Ethereum theft now surpasses Lazarus’ total crypto theft in 2024, which was $1.34 billion.
TRM Labs: Lazarus Used ‘Flood the Zone Tactic’ to Move Funds Fast
After the Bybit hack, the Lazarus Group moved assets using a method known as the flood the zone tactic.
According to TRM Labs, the group executed high-speed, multi-platform transactions in under 48 hours.
This tactic aimed to confuse tracking systems and delay seizures.
“The Bybit exploit indicates that the regime is intensifying its ‘flood the zone’ technique—overwhelming compliance teams, blockchain analysts, and law enforcement agencies with rapid, high-frequency transactions across multiple platforms, thereby complicating tracking efforts,”
TRM stated.
The flood the zone tactic created thousands of alerts that compliance teams had to review manually.
It involved splitting stolen crypto into many smaller transactions to different addresses and services.
These methods delayed enforcement efforts, but investigators were able to act before full laundering occurred.
TRM Labs noted that exchanges face more pressure to flag suspicious activity in real time.
Rapid coordination between tools like Chainalysis and national agencies like HAMLA allowed the freeze.
This example adds to a growing list of confirmed hacks linked to the North Korea hacking group.
Greece’s Seizure Follows Growing Security Concerns After Bybit Breach
The Bybit hack raised wider concerns about centralized exchange security.
As of July 2025, DeFiLlama data shows that total value locked (TVL) in DeFi and CeFi platforms reached $121 billion.
This number indicates increased user activity across both decentralized and centralized platforms.
Security teams and regulators continue to study the root causes of the Bybit security breach.
The FBI named it “TraderTraitor” and confirmed Lazarus was responsible for the attack.
In previous attacks, such as the 2022 Axie Infinity breach, Lazarus used similar entry methods.
The size of the $1.46 billion Ethereum theft has drawn attention from multiple jurisdictions.
Authorities in countries like South Korea and the United States may explore similar actions as Greece’s crypto seizure.
Still, experts say the pseudonymous nature of blockchain makes it harder to stop funds once they leave compliant platforms.
