Hackers behind the $1.4 billion Bybit theft have begun using multiple crypto mixers to obscure their tracks, according to an executive summary released by the exchange’s CEO Ben Zhou on Wednesday.

Zhou revealed that the threat actors have employed a combination of Wasabi, CryptoMixer, Railgun, and Tornado Cash to launder portions of the 500,000 ETH stolen last month. Some 193 BTC has already entered mixers, primarily Wasabi, before moving to various peer-to-peer vendors.

"Decoding mixer transactions is the no.1 challenge we face now," Zhou said, noting this trend will likely accelerate as more of the stolen funds enter mixing services.

While 88.87% of stolen assets remain traceable, 7.59% have now "gone dark" and are likely unrecoverable, Zhou said. An additional 3.54% of funds have been frozen through coordination with exchanges.

The majority of stolen ETH—86.29% (440,091 ETH, ~$1.23B)—has been converted to Bitcoin and distributed across 9,117 wallets, averaging 1.41 BTC each, according to data from Lazarus Bounty, the exchange's bounty program.

Two days after the hack, blockchain intelligence firm Elliptic found that the funds had moved and were headed to Bitcoin mixers next.

At the time, anonymous crypto exchange eXch was cited by Elliptic and on-chain sleuths such as ZachXBT as one of the destinations for stolen funds.

The accusation was denied by eXch CEO Johann Roberts, who told Decrypt in an emailed statement that "some deposits" were processed on their platform, but that those were a "minor part of the total amount."

Lazarus Group and crypto mixers

The Bybit hack, attributed to North Korea's Lazarus Group by the FBI in February, remains the largest single crypto theft in history.

Lazarus Group's use of a set of crypto mixers represents an escalation of the laundering tactics employed by the hackers.

But the use of crypto mixers also presents a dilemma for the Lazarus Group, according to blockchain forensics firm Chainalysis.

More transactions through mixers would “come with associated fees,” Andrew Fierman, head of national security intelligence at the firm, told Decrypt.

“The more a mixer is used, the higher the associated costs in laundering can become,” Fierman explained.

While each additional mixing layer exponentially increases the complexity of following transaction trails, larger transactions could make the laundering method cost-prohibitive.

“The larger the transaction, the easier they can be to trace,” Fierman told Decrypt.

Fierman believes that blockchain’s immutability could help trace the funds.

As long as the funds remain on-chain and have not been off-ramped to fiat, “there will continue to be opportunities to trace funds,” Fierman said, responding to Decrypt.

Despite the challenges, recovery efforts continue.

Bybit's bounty program, launched shortly after the February 21 attack, has received 5,012 reports in the past 30 days, with 63 validated as legitimate tips.

The exchange continues to seek assistance from security experts who could help decode mixer transactions, with Zhou saying they would “need a lot of help there down the road.”

This article was updated on March 20 with additional comments from Chainalysis.
