
Crypto Heist: Bybit Hackers and the Maze of Laundering
A blockchain security company has reported that funds stolen from the Bybit cryptocurrency exchange are being funneled through crypto mixers. The aim is to convert the stolen assets into Bitcoin, obscuring the transaction trail and complicating efforts to trace the illicit funds.
The Infiltration by the Lazarus Group
The blockchain security firm Elliptic has identified the perpetrators as the Lazarus Group, a hacker group reputedly aligned with North Korea. The group's modus operandi involves laundering these assets through crypto mixers, obscuring the transaction trail and evading detection by regulatory authorities.
The Movement of Stolen Assets
According to Elliptic, an estimated $1.4 billion in digital currencies, illicitly acquired from Bybit, is on the move. The hackers are channeling these funds into crypto mixers, aiming to obscure their tracks and thwart efforts by global authorities to pinpoint the origin of the funds.
Elliptic’s Insights
Elliptic has highlighted that if the hackers adhere to previous laundering patterns, the use of mixers is a likely next step. The firm attributes this crypto theft to the Lazarus Group, although it cautions that the scale of the heist presents significant challenges to executing a seamless laundering operation.
Complex Laundering Techniques
The laundering process typically employed by the Lazarus Group follows a distinct pattern. Initially, any stolen tokens are converted into native blockchain assets like Ether. The reason is that tokens often have issuers who can freeze wallets containing stolen assets, whereas native assets like Ether or Bitcoin lack such central oversight.
Converting and Moving Assets
During the Bybit heist, this conversion occurred almost instantaneously, with hundreds of millions of dollars in stolen tokens, such as stETH and cmETH, exchanged for Ether. The hackers used decentralized exchanges (DEXs) to execute these transactions, evading the asset freezing that can occur on centralized platforms.
The Layering Strategy
The next phase involves “layering” the funds to further obfuscate the transaction trail. Despite the inherent transparency of blockchain technology, these layering tactics can significantly complicate tracing efforts, buying the launderers time to cash out their illicit gains.
Dispersing and Laundering Assets
Currently, the Lazarus Group is engaged in the layering stage, having dispersed the stolen funds across 50 distinct wallets within hours of the heist. Each wallet initially contained around 10,000 ETH, and these wallets are now being systematically drained. As of late February, 10% of the assets, valued at approximately $140 million, have been moved, with the funds laundered through various services, including DEXs, cross-chain bridges, and centralized exchanges.
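From a tracing point of view, the dispersal described above is a fan-out: one source splitting funds into many near-equal transfers to distinct wallets in a short window. The following Python sketch is an added example, not code from Elliptic or from any tool named in this article. It flags that shape in a transfer list and measures how much of the dispersed balance has moved onward; the addresses, thresholds and ledger are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed ledger (not real chain data): (sender, recipient, eth, unix_time)."""
    t0 = 1_700_000_000
    txs = [("theft_src", f"layer_{i:02d}", 10_000.0, t0 + i * 120) for i in range(50)]
    # Five first-layer wallets later forward their whole balance onward.
    txs += [(f"layer_{i:02d}", f"hop_{i:02d}", 10_000.0, t0 + 86_400 + i * 600)
            for i in range(5)]
    # Unrelated noise: a few uneven payouts from another wallet.
    txs += [("payout_hot", f"user_{i}", amt, t0 + i * 30)
            for i, amt in enumerate([0.4, 12.0, 250.0])]
    return txs

def find_fanouts(txs, min_recipients=20, window_s=6 * 3600, tolerance=0.1):
    """Return {sender: recipients} for senders that split funds into many
    near-equal transfers to distinct addresses inside one sliding window."""
    by_sender = defaultdict(list)
    for sender, rcpt, amt, ts in txs:
        by_sender[sender].append((ts, rcpt, amt))
    flagged = {}
    for sender, rows in by_sender.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            mid = median(a for _, _, a in window)
            similar = {r for _, r, a in window if abs(a - mid) <= tolerance * mid}
            # Keep the largest qualifying recipient set seen for this sender.
            if len(similar) >= min_recipients and len(similar) > len(flagged.get(sender, ())):
                flagged[sender] = sorted(similar)
    return flagged

def drained_fraction(txs, wallets):
    """Share of the funds received by `wallets` that has since been sent onward."""
    wallets = set(wallets)
    received = sum(a for _, r, a, _ in txs if r in wallets)
    sent = sum(a for s, _, a, _ in txs if s in wallets)
    return sent / received if received else 0.0

if __name__ == "__main__":
    ledger = build_sample()
    for src, rcpts in find_fanouts(ledger).items():
        print(src, len(rcpts), f"{drained_fraction(ledger, rcpts):.0%} moved onward")
```

On the constructed ledger, the source is flagged with 50 recipients and 10% of the dispersed balance shows as moved, mirroring the figures in the paragraph above.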
The Unprecedented Bybit Heist
The February 2025 attack on Bybit, a Dubai-based crypto exchange, resulted in the largest crypto heist recorded to date, surpassing the $611 million theft from Poly Network in 2021. Investigations indicate that malware was deployed to manipulate the exchange into approving unauthorized transactions, allowing the thieves to misappropriate the funds.