Highlights:
- Elliptic said the hackers of the Bybit exchange may use mixers to launder $1.4B in stolen crypto.
- Lazarus Group follows a distinct laundering pattern, starting with exchanging stolen tokens for ETH.
- Elliptic reports Lazarus is now in the “second stage,” layering stolen funds to hide transaction trails.
Elliptic, a blockchain security firm, stated that the cryptocurrency stolen in the $1.4 billion hack of the Bybit exchange is expected to be laundered through mixers, making tracking difficult. On Feb. 21, hackers exploited a flaw in Bybit’s Ethereum cold wallet during a routine transfer to a warm wallet. CEO Ben Zhou said attackers manipulated the UI and used social engineering to trick signers, enabling undetected fund siphoning.
Blockchain investigators such as ZachXBT and Arkham Intelligence blame North Korea’s Lazarus Group for the attack. Elliptic stated that the group often uses crypto mixers to launder stolen money. However, the firm also highlighted that laundering such a large amount of stolen assets could prove difficult due to the sheer volume involved.
Elliptic said Lazarus Group follows a clear money-laundering strategy, starting with converting stolen tokens into native blockchain assets such as ETH. Some tokens can be frozen, but Ether and Bitcoin cannot because they are decentralized, which aids laundering. After the Bybit theft, the hackers swapped stolen tokens such as stETH and cmETH for Ether on DEXs to avoid freezes.
Elliptic noted that the group has now entered the second stage of laundering, called “layering,” where hackers obscure the transaction trail of stolen funds. This process involves moving funds through multiple crypto wallets and using cross-chain bridges. It includes exchanging assets on decentralized platforms and hiding transactions with mixers like Tornado Cash.
The fantastic @elliptic team have been working around the clock to trace the $1.46Bn Bybit theft proceeds. This combined with our automated cross-chain tracing capabilities, is helping to counter the laundering efforts of NK's Lazarus Group. https://t.co/p6ZLu58n1S
— Tom Robinson (@tomrobin) February 23, 2025
Swift Movement of Bybit’s Stolen Funds and eXch’s Role in Laundering Activities
Within just two hours of the theft, the stolen funds were split into 50 wallets, each holding around 10,000 ETH. By Feb. 23, about 10% ($140M) had been moved. The swift and systematic movement of funds highlights the advanced tactics being used to conceal the origin of the stolen cryptocurrency.
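The split described above (many fresh wallets, near-equal shares, a short window) is a pattern a monitoring team can screen for. The following is an added example, not Elliptic's or Bybit's tooling; the thresholds, field layout, address labels and sample transfers are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds, loosely based on the figures reported in the article.
WINDOW_S = 2 * 60 * 60      # "within just two hours"
MIN_RECIPIENTS = 50         # "split into 50 wallets"
MAX_REL_SPREAD = 0.05       # near-equal shares: stdev/mean of at most 5%

def detect_fanout(transfers, window=WINDOW_S, min_recipients=MIN_RECIPIENTS,
                  max_rel_spread=MAX_REL_SPREAD):
    """Flag senders paying many distinct addresses near-equal amounts in a short window.

    transfers: iterable of (unix_ts, sender, recipient, amount_eth).
    Returns one alert dict per flagged sender (first matching window only).
    """
    by_sender = defaultdict(list)
    for ts, src, dst, amt in transfers:
        by_sender[src].append((ts, dst, amt))
    alerts = []
    for src, rows in by_sender.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            received = defaultdict(float)
            for _, dst, amt in rows[start:end + 1]:
                received[dst] += amt
            if len(received) < min_recipients:
                continue
            amounts = list(received.values())
            avg = mean(amounts)
            if avg > 0 and pstdev(amounts) / avg <= max_rel_spread:
                alerts.append({"sender": src, "recipients": len(received),
                               "total_eth": sum(amounts),
                               "first_ts": rows[start][0], "last_ts": rows[end][0]})
                break
    return alerts

def sample_transfers():
    """Constructed data: labels, timestamps and amounts are made up for the demo."""
    t0 = 1_740_000_000
    rows = [(t0 + 120 * i, "SRC_SPLIT", f"hop_{i}", 10_000 + i % 3) for i in range(50)]
    # Exchange-style payouts: many recipients, but widely varying amounts.
    rows += [(t0 + 60 * i, "SRC_PAYOUTS", f"cust_{i}", 3.7 * (i + 1)) for i in range(60)]
    # Equal amounts, but spread over about two days rather than two hours.
    rows += [(t0 + 3600 * i, "SRC_SLOW", f"slow_{i}", 10_000) for i in range(50)]
    return rows

if __name__ == "__main__":
    for alert in detect_fanout(sample_transfers()):
        print(alert)
```

Only the sender with the rapid, even split is flagged; the payout wallet fails the equal-share test and the slow sender never reaches 50 recipients inside one window.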
Elliptic highlighted that eXch, a crypto exchange, has played a significant role in facilitating the laundering of funds stolen from Bybit despite the exchange receiving explicit requests from Bybit to prevent such activities. Hackers traded stolen crypto assets worth tens of millions of dollars on eXch after the hack.
Elliptic was not alone in its findings. On Feb. 22, ZachXBT reported that eXch laundered $35M from the Bybit hack. Additionally, SlowMist reported that eXch converted significant amounts of Ethereum into other cryptocurrencies. However, on February 23, eXch denied any connection to money laundering activities linked to the North Korean hacking group.
⚠️Given the significant amount of ETH already laundered through eXch into BTC, XMR, etc., platforms should tighten risk controls on any funds coming from there.
— MistTrack🕵️ (@MistTrack_io) February 23, 2025
Lazarus Group’s Laundering Tactics
According to blockchain investigator ZachXBT, the Lazarus Group laundered over $200 million in stolen cryptocurrency in previous hacks, using mixers and peer-to-peer (P2P) marketplaces. Chainalysis highlighted a change in strategy, indicating that groups like Lazarus are now turning to cross-chain bridges to launder their stolen funds, which decreases their dependence on mixers.