Conversion of RapidBTC, North Korea-linked actor accused of $14 million Woo x theft, reported

On July 24, 2025, Taiwan-based trading platform Woo

New chain analysis shared by Yehor Rudytsia, Hakken’s head of forensics and head of incident response, paints a picture of a Hist far more organized than a one-off theft. According to Rudytsia, the exploit, which Hacken dates back to July, resulted in losses totaling $14 million and was carried out by a DPRK-affiliated actor tracked in law enforcement circles as a “Tradertraitor.”

Hacken says it is actively monitoring chain activity and supporting recovery efforts by flagging malicious addresses to the broader security community. The laundry choreography mapped by Hacken left half of the stolen funds in the EVM network, and the rest in Tron and Bitcoin.

In the past 24 hours, on-chain traces show that the majority of EVM-side revenue of over $7 million was routed through Thorchain and exchanged into Bitcoin. Rudytsia noted that Thorchain’s native cross-chain swap functionality has been repeatedly used to convert large amounts of ETH and ERC-20 tokens into BTC, making it attractive to sophisticated operators who move stolen assets throughout the ecosystem.

On-chain evidence

Hacken’s report also documents the handling of Tron’s denominated portion (approximately $2.5 million in TRX). These funds, the team discovered, were converted to USDT and bridged to Ethereum via the Layerzero infrastructure, and from there, a portion of the bridged USDT was pushed back into Bitcoin via Thorchain.

On-chain evidence of the 9-digit USDT transfer arriving on Ethereum from Layerzero’s enforcers will appear in the public transaction record starting October 1, 2025.

Complicating the trail, some of the funds that surfaced on Ethereum were sent to wallets previously tied to the BINGX hot wallet exploit in 2024.

The addresses that received these transfers are publicly available on Ethereum Explorer Records, and investigators say the links deepen the picture of an organized laundry chain connecting multiple high-profile incidents.

Collectively, this move indicates that approximately $8-9 million from the Woo

Security teams monitoring flows warn that once funds are consolidated in Bitcoin, traditional tracing and intervention becomes more difficult, increasing the risk of an eventual cashout. Rudytsia told Blockchain Reporter that Hacken continues to monitor accounts and will push flagged addresses to exchanges and compliance partners in hopes of freezing or freezing flotchipaths where possible.

For now, this case is yet another reminder to turn stolen tokens into harder token assets as cross-chain tools become more powerful, providing a faster, lower-friction route to turning stolen tokens, and forensic work across multiple chains, along with cooperation from on-ramp services, remains the only line of defense today.