BitOK's hypothesis is based on three major incidents: the Bybit exchange hack (~$1.5 billion, February 2025), the Kelp DAO exploit (~$292 million, April 2026), and the Humanity Protocol wallet compromise (June 2026).
In this context, an exploit refers to the use of a software vulnerability or stolen credentials to drain funds from a crypto project.
BitOK investigators believe that all three incidents are linked either to the North Korean Lazarus Group or to a laundering infrastructure associated with it.
A key finding is the connection between the Bitcoin laundering infrastructure and Kraken Market, a Russian-language darknet marketplace. A portion of the funds flowing through the cluster consistently ends up in its ecosystem.
Once stolen assets enter this environment, they become commingled with proceeds from drug trafficking, darknet marketplace transactions, and other illicit activity. As a result, tracing subsequent fund movements becomes significantly more difficult. It is no longer possible to reliably distinguish wallets controlled by the hackers from those belonging to marketplace vendors, service operators, or the platform's own internal settlement infrastructure.
This suggests that Kraken Market may be more than just the destination of isolated transfers. Instead, it could represent part of a broader laundering infrastructure designed to obscure the trail of funds stolen in major cryptocurrency hacks.