North Korean hackers have started laundering stolen Bybit funds, with blockchain intelligence firm Elliptic tracking over $140 million in initial transactions designed to obscure the money trail.
The stolen funds are being systematically moved through anonymous exchanges before being converted to Bitcoin, a process that makes it harder to trace and recover the assets, the firm wrote in a blog post on Saturday.
“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic wrote. “This transaction trail can be followed, but these layering tactics can complicate the tracing process, buying the launderers valuable time to cash out the assets.”
The social engineering attack, which took place on Friday, netted $1.46 billion, mostly in Ethereum, making it the most significant theft in crypto history and surpassing the $611 million stolen from Poly Network in 2021.
Elliptic and Arkham Intelligence have linked the attack to North Korea’s Lazarus Group, citing the use of decentralized exchanges and other services, including cross-chain bridges and coin swap services, in a bid to throw investigators off the scent.
“If previous laundering patterns are followed, we might expect to see the use of mixers next to further obfuscate the transaction trail,” Elliptic said. However, that may prove challenging due to the “sheer volume of stolen assets.”
Within hours of the theft, attackers distributed the stolen assets across 50 different wallets, each holding approximately 10,000 ETH. The funds are now being systematically emptied and converted to Bitcoin, according to Elliptic.
The attackers first converted stolen tokens like stETH and cmETH to Ethereum using decentralized exchanges, likely to avoid potential asset freezes.
This matches Lazarus Group’s typical laundering playbook of converting stolen tokens to “native” blockchain assets before further obfuscation, Elliptic wrote.
The group has stolen over $3 billion in crypto assets since 2017, reportedly funding North Korea’s ballistic missile program with the proceeds, according to a UN report last year, though the true figure is suspected to be much higher, Elliptic noted.
As of Sunday, Bybit is facing pressure as a result of the theft from withdrawals by users, who have since pulled roughly 23,000 BTC from Bybit’s hot wallet, data from Arkham Intelligence shows.
The exchange’s main wallets show its Bitcoin balance has dropped from 70,000 BTC to just over 52,000 BTC, indicating an outflow of roughly $1.7 billion since Friday afternoon.
Further analysis suggests Bybit has seen outflows totaling $6 billion across various crypto assets.
Anonymous crypto exchange blamed
Elliptic and others, including ZachXBT, have also pointed to anonymous crypto exchange eXch as having processed “tens of millions of dollars” in stolen assets from the hack despite direct requests from Bybit to block the activity.
“The stolen Ethereum is steadily being converted to Bitcoin, using eXch and other services,” Elliptic wrote Sunday.
A purported emailed response from eXch, archived on X on Saturday and cited by Elliptic, alleges the crypto exchange chose not to acknowledge requests from Bybit, claiming the latter has made “direct attacks on the reputation” against the former in the past.
“It is difficult for us to understand the expectation of collaboration” from an organization that has “actively undermined our reputation,” the email from eXch reads.
The exchange did not immediately respond to Decrypt’s request for comment.
In a post to a Bitcoin forum on Sunday, eXch claimed allegations it was facilitating money laundering were untrue.
“We are not laundering money for Lazarus/DPRK,” eXch wrote, claiming that such an allegation was the “perspective of some people that wish decentralized coins’ fungibility and on-chain privacy to vanish.”
It added: “The insignificant part of funds that was processed by us from the Bybit hack in an isolated case will be donated to various open-source initiatives dedicated to privacy and security both inside and outside crypto space.”
Edited by Sebastian Sinclair