Hackers behind the $1.4 billion Bybit theft have begun using multiple crypto mixers to obscure their tracks, according to an executive summary released by the exchange’s CEO Ben Zhou on Wednesday.
Zhou revealed that the threat actors have employed a combination of Wasabi, CryptoMixer, Railgun, and Tornado Cash to launder portions of the 500,000 ETH stolen last month. Some 193 BTC has already entered mixers, primarily Wasabi, before moving to various peer-to-peer vendors.
"Decoding mixer transactions is the no.1 challenge we face now," Zhou said, noting this trend will likely accelerate as more of the stolen funds enter mixing services.
While 88.87% of stolen assets remain traceable, 7.59% have now "gone dark" and are likely unrecoverable, Zhou said. An additional 3.54% of funds have been frozen through coordination with exchanges.
3.20.25 Executive Summary on Hacked Funds:
Hacker started to use mixers: 1. Wasabi 2. CryptoMixer 3. Railgun 4. TornadoCash
Total hacked funds of USD 1.4bn around 500k ETH. 88.87% remain traceable, 7.59% have gone dark, 3.54% have been frozen.
Breakdown: - 86.29% (440,091 ETH,…— Ben Zhou (@benbybit) March 20, 2025
The majority of stolen ETH—86.29% (440,091 ETH, ~$1.23B)—has been converted to Bitcoin and distributed across 9,117 wallets, averaging 1.41 BTC each, according to data from Lazarus Bounty, the exchange's bounty program.
Two days after the hack, blockchain intelligence firm Elliptic found that the funds had moved and were headed to Bitcoin mixers next.

At the time, anonymous crypto exchange eXch was cited by Elliptic and on-chain sleuths such as ZachXBT as one of the destinations for stolen funds.
The accusation was denied by eXch CEO Johann Roberts, who told Decrypt in an emailed statement that "some deposits" were processed on their platform, but that those were a “minor part of the total amount.”
Lazarus Group and crypto mixers
The Bybit hack, attributed to North Korea's Lazarus Group by the FBI in February, remains the largest single crypto theft in history.
Lazarus Group's use of a set of crypto mixers represents an escalation of the laundering tactics employed by the hackers.
But the use of crypto mixers also presents a dilemma for the Lazarus Group, according to blockchain forensics firm Chainalysis.
More transactions through mixers would “come with associated fees,” Andrew Fierman, head of national security intelligence at the firm, told Decrypt.
“The more a mixer is used, the higher the associated costs in laundering can become,” Fierman explained.
While each additional mixing layer exponentially increases the complexity of following transaction trails, larger transactions could make the laundering method cost-prohibitive.
“The larger the transaction, the easier they can be to trace,” Fierman told Decrypt.
Fierman believes that blockchain’s immutability could help trace the funds.
As long as the funds remain on-chain and have not been off-ramped to fiat, “there will continue to be opportunities to trace funds,” Fierman said, responding to Decrypt.

Despite the challenges, recovery efforts continue.
Bybit's bounty program, launched shortly after the February 21 attack, has received 5,012 reports in the past 30 days, with 63 validated as legitimate tips.
The exchange continues to seek assistance from security experts who could help decode mixer transactions, with Zhou saying they would “need a lot of help there down the road.”
This article was updated on March 20 with additional comments from Chainalysis.