https://en.protothema.gr/2025/06/25/how-the-greek-connected-to-the-1-5-billion-crypto-mega-theft-was-identified/

A digital wallet, an invisible transaction, and a Greek at the center of the most spectacular digital theft of all time. A few weeks ago, Greek authorities discovered that a registered user on a cryptocurrency exchange platform in Greece had received a large amount of Ethereum in their account. At first, nothing seemed suspicious. Until the expert analysts of the Anti-Money Laundering Authority noticed that these “digital funds” had followed a strange path: they originated from the largest cryptocurrency theft in history, which took place last February on a platform called Bybit. The user’s wallet was immediately frozen by prosecutorial order. It was the first time that a Greek footprint had appeared so clearly in a digital financial crime case of this scale.

What is Ethereum?

To understand what exactly happened, we must first explain what Ethereum is. Imagine a digital currency like the euro, but which doesn’t exist in physical form (no banknotes or coins) and “lives” only online. Ethereum (ETH) is the second most widespread cryptocurrency in the world, after Bitcoin. But it is not simply a “digital euro.” Ethereum is something far more advanced: a digital platform on which entire applications are built — contracts without lawyers, digital marketplaces, and even banking-type services without banks. Think of it as a smart safe with programming capabilities.

These funds are stored in digital wallets (crypto wallets). It’s like a bank account but without a bank. All that’s needed is a password — the so-called “private key” — and a wallet address. This address is public but doesn’t reveal the holder’s name.

What happened at Bybit and how it connects to Greece

Bybit is one of the largest international cryptocurrency exchanges — a digital “bank” where people buy, sell, and store cryptocurrencies like Ethereum or Bitcoin. In February 2024, Bybit became the target of a massive cyberattack. The hackers managed to breach the company’s so-called “cold wallets” (storage devices typically disconnected from the internet for security) and steal cryptocurrencies worth a total of $1.5 billion. U.S. authorities, particularly the FBI, held the notorious Lazarus Group responsible — a hacker arm of the North Korean government known for involvement in financial crimes to fund its nuclear program. On February 26, the FBI issued a public alert with specific digital wallet addresses, calling on all countries and platforms to track and freeze assets linked to them.

How the Greek link was uncovered

The revelation of the Greek connection began with what seemed like a routine transaction. The Anti-Money Laundering Authority’s systems received a report of a suspicious movement of funds: a large sum of Ethereum credited to a digital wallet of a user on a Greek crypto exchange platform. What at first appeared to be a typical inflow of digital money soon took a different turn. The Authority’s specially trained analysts, using blockchain analysis software, began to “untangle the thread.” Through successive digital checks, they found that the funds didn’t originate from any commercial transaction or crypto purchase but followed a specific transaction trail already flagged by the FBI in the U.S.

This trail led to one of the Ethereum wallets involved in laundering the $1.5 billion stolen from Bybit. The digital currency had been split, moved through multiple intermediary wallets, and part of it ended up in the Greek user’s account. The ability to trace the path of these cryptos is thanks to blockchain transparency, which — though it doesn’t reveal the names of holders — publicly records every transaction: who sent, who received, when, and how much. The tools used by the authorities (such as Chainalysis, Elliptic, or TRM Labs) allow mapping of these fund flows with astonishing precision, even if the paths have been broken into hundreds of small transfers. Through this network, the authorities saw that one of the recipient wallets was linked to a Greek user registered on a VASP (Virtual Asset Service Provider) in Greece. This triggered the Authority’s internal protocol, leading to the wallet being frozen by order, and the investigation report sent to the prosecutor’s office to examine any potential criminal liabilities or collaboration of the user with international networks. So far, there is no evidence the Greek individual knew the precise origin of the digital funds they received, but authorities are considering all possibilities, including whether the person acted as an “intermediary link” in a global chain of digital money laundering.

The Authority’s new “weapons” against money laundering

In the fight against financial crime, technology is now critical. And the Anti-Money Laundering Authority, under Charalambos Vourliotis, is acquiring its own digital “weapons.” The Ministry of National Economy and Finance, recognizing the importance of the Authority’s work, is moving ahead with institutional and technical support to enable monitoring and analysis of the complex moves of modern financial crime — from bank accounts to cryptocurrency wallets.

Specifically:

Legislative initiatives have already been implemented, strengthening the Authority’s role, powers, and independence.

At the same time, an investment of over €1 million is being made to upgrade its infrastructure:

€550,000 to strengthen its IT systems — the core systems that support the inspectors’ work.

€500,000 to fully modernize the Authority’s integrated information system so that it connects with international databases and analysis platforms and enhances its real-time monitoring capability.