North Korean hackers have begun laundering stolen funds from Bybit, with blockchain intelligence firm Elliptic tracking over $140 million in initial transactions aimed at obscuring the money trail. The stolen funds are being moved through anonymous exchanges and converted to Bitcoin, complicating traceability, as outlined in a Saturday blog post by Elliptic. “The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” the firm explained. This method makes tracing more difficult, giving launderers time to cash out. The $1.46 billion theft, primarily in Ethereum, is the largest in crypto history, surpassing the $611 million Poly Network heist in 2021.
Elliptic and Arkham Intelligence attribute the attack to North Korea’s Lazarus Group, citing the use of decentralized exchanges, cross-chain bridges, and coin swap services to evade detection. “If previous laundering patterns are followed, we might expect to see the use of mixers next to further obfuscate the transaction trail,” Elliptic noted, though the scale of stolen assets may pose challenges. Within hours, attackers distributed the stolen assets across 50 wallets, each holding approximately 10,000 ETH, and are now systematically converting them to Bitcoin.
The attackers initially converted tokens like stETH and cmETH to Ethereum using decentralized exchanges, likely to avoid asset freezes. This aligns with Lazarus Group’s typical laundering methods, as per Elliptic. Since 2017, the group has stolen over $3 billion in crypto assets, reportedly funding North Korea’s ballistic missile program, according to a UN report.
Following the theft, Bybit faces pressure from user withdrawals, with Arkham Intelligence data showing roughly 23,000 BTC removed from its hot wallet. The exchange’s Bitcoin balance dropped from 70,000 BTC to just over 52,000 BTC, reflecting outflows of approximately $1.7 billion since Friday. Further analysis indicates Bybit has seen total outflows of $6 billion across various cryptocurrencies.
Anonymous crypto exchange eXch has been criticized for processing “tens of millions of dollars” in stolen assets despite requests from Bybit to block the activity. “The stolen Ethereum is steadily being converted to Bitcoin, using eXch and other services,” Elliptic stated. A purported email from eXch claims it ignored Bybit’s requests due to past reputational attacks. eXch denied facilitating money laundering in a Bitcoin forum post, stating that funds processed from the hack would be donated to open-source privacy and security initiatives.
— news from Decrypt