Bybit Hackers Turn to Crypto Mixers After $1.4B Theft, 7.6% of Funds ‘Gone Dark’: CEO


Hackers behind the $1.4 billion Bybit theft have begun using multiple crypto mixers to obscure their tracks, according to an executive summary released by the exchange’s CEO Ben Zhou on Wednesday.

Zhou revealed that the threat actors have employed a combination of Wasabi, CryptoMixer, Railgun, and Tornado Cash to launder portions of the 500,000 ETH stolen last month. Some 193 BTC has already entered mixers, primarily Wasabi, before moving to various peer-to-peer vendors.

“Decoding mixer transactions is the no.1 challenge we face now,” Zhou said, noting this trend will likely accelerate as more of the stolen funds enter mixing services.

While 88.87% of stolen assets remain traceable, 7.59% have now “gone dark” and are likely unrecoverable, Zhou said. An additional 3.54% of funds have been frozen through coordination with exchanges.

The majority of stolen ETH—86.29% (440,091 ETH, ~$1.23B)—has been converted to Bitcoin and distributed across 9,117 wallets, averaging 1.41 BTC each, according to data from Lazarus Bounty, the exchange’s bounty program.

Two days after the hack, blockchain intelligence firm Elliptic found that the funds had moved and were headed to Bitcoin mixers next.

At the time, anonymous crypto exchange eXch was cited by Elliptic and on-chain sleuths such as ZachXBT as one of the destinations for stolen funds.

The accusation was denied by eXch CEO Johann Roberts, who told Decrypt in an emailed statement that “some deposits” were processed on their platform, but that those were a “minor part of the total amount.”

Lazarus Group and crypto mixers

The Bybit hack, attributed to North Korea’s Lazarus Group by the FBI in February, remains the largest single crypto theft in history.

Lazarus Group’s use of several crypto mixers in combination marks an escalation in its laundering tactics. Each additional mixing layer exponentially increases the complexity of following transaction trails, creating unprecedented challenges for recovery efforts.

Despite these challenges, recovery efforts continue.

Bybit’s bounty program, launched shortly after the February 21 attack, has received 5,012 reports in the past 30 days, with 63 validated as legitimate tips.

The exchange continues to seek assistance from security experts who could help decode mixer transactions, with Zhou stating, “We need a lot of help there down the road.”
