North Korean hackers have started laundering stolen Bybit funds, with blockchain intelligence firm Elliptic tracking over $140 million in initial transactions designed to obscure the money trail.
The stolen funds are being systematically moved through anonymous exchanges before being converted to Bitcoin, a process that makes it harder to trace and recover the assets, the firm wrote in a blog post on Saturday.
“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic wrote. “This transaction trail can be followed, but these layering tactics can complicate the tracing process, buying the launderers valuable time to cash out the assets.”
The $1.46 billion social engineering attack, which took place on Friday and consisted mostly of Ethereum, is the most significant theft in crypto history, surpassing the $611 million stolen from Poly Network in 2021.

Elliptic and Arkham Intelligence have linked the attack to North Korea’s Lazarus Group, citing the use of decentralized exchanges and other services, including cross-chain bridges and coin swap services, in a bid to throw investigators off the scent.
“If previous laundering patterns are followed, we might expect to see the use of mixers next to further obfuscate the transaction trail,” Elliptic said. However, that may prove challenging due to the “sheer volume of stolen assets.”
Within hours of the theft, attackers distributed the stolen assets across 50 different wallets, each holding approximately 10,000 ETH. The funds are now being systematically emptied and converted to Bitcoin, according to Elliptic.
The attackers first converted stolen tokens like stETH and cmETH to Ethereum using decentralized exchanges, likely to avoid potential asset freezes.
This matches Lazarus Group's typical laundering playbook of converting stolen tokens to "native" blockchain assets before further obfuscation, Elliptic wrote.

The group has stolen over $3 billion in crypto assets since 2017, reportedly funding North Korea's ballistic missile program with the proceeds, according to a UN report last year, though the true figure is suspected to be much higher, Elliptic noted.
As a result of the theft, Bybit is as of Sunday facing pressure from withdrawals by users, who have since pulled roughly 23,000 BTC from Bybit's hot wallet, data from Arkham Intelligence shows.
The exchange’s main wallets show its Bitcoin balance has dropped from 70,000 BTC to just over 52,000 BTC, indicating an outflow of roughly $1.7 billion since Friday afternoon.
Further analysis suggests Bybit has seen outflows totaling $6 billion across various crypto assets.

Anonymous crypto exchange blamed
Elliptic and others, including ZachXBT, have also pointed to anonymous crypto exchange eXch as having processed "tens of millions of dollars" in stolen assets from the hack despite direct requests from Bybit to block the activity.
“The stolen Ethereum is steadily being converted to Bitcoin, using eXch and other services,” Elliptic wrote Sunday.
A purported emailed response from eXch, archived on X on Saturday and cited by Elliptic, alleges the crypto exchange chose not to acknowledge requests from Bybit, claiming Bybit has made "direct attacks on the reputation" of eXch in the past.
"It is difficult for us to understand the expectation of collaboration" from an organization that has "actively undermined our reputation," the email from eXch reads.
In a statement to Decrypt, eXch acknowledged that it had received a request from Bybit to blacklist some addresses, and that, "There were indeed some deposits processed by us, which was vastly a minor part of the total amount of stolen 90000 ETH." The exchange explained that "our AML screening provider, which is a third-party service, had outdated data on the ByBit exploiter addresses for approximately around 12 hours."
eXch went on to argue that this was a result of Elliptic having refused it as a customer "due to the fact that we are a non-KYC accountless exchange aiming to preserve privacy of our users," accusing the tracking firm of having "elitist policies." The exchange further claimed that it had "implemented comprehensive measures to actively combat money laundering and terrorism financing."
In a post to a Bitcoin forum on Sunday, eXch claimed allegations it was facilitating money laundering were untrue.
“We are not laundering money for Lazarus/DPRK,” eXch wrote, claiming that such an allegation was the “perspective of some people that wish decentralized coins' fungibility and on-chain privacy to vanish.”
It added: “The insignificant part of funds that was processed by us from the Bybit hack in an isolated case will be donated to various open-source initiatives dedicated to privacy and security both inside and outside crypto space.”
Edited by Sebastian Sinclair. Updated on February 24 to include responses from eXch.