Bybit Hack Proceeds May Be Laundered Through Crypto Mixers, Warns Elliptic
Blockchain analytics firm Elliptic has raised concerns that the $1.4 billion stolen in the recent Bybit hack could be laundered through crypto mixers. This laundering tactic, commonly used by cybercriminals, aims to obscure the stolen funds’ trail and make it harder for authorities to track them.
The Bybit Hack: A Major Crypto Heist
On February 21, 2025, Bybit, one of the largest cryptocurrency exchanges, suffered a massive breach. Hackers exploited a vulnerability in the exchange’s Ethereum (ETH) cold wallet system during a routine transfer to a warm wallet. This enabled the attackers to siphon off funds without being detected.
Bybit’s CEO, Ben Zhou, explained that the attackers manipulated the user interface (UI) and used social engineering techniques to deceive the signers involved in the wallet transfer.
Lazarus Group’s Involvement: A North Korean Cybercrime Syndicate
Blockchain forensic firms, including ZachXBT and Arkham Intelligence, have attributed the attack to Lazarus Group, a notorious North Korean hacker collective known for its involvement in high-profile crypto heists. According to Elliptic, Lazarus typically follows a specific laundering process after a successful theft.
How Lazarus Launders Stolen Funds
Elliptic’s investigation shows that Lazarus begins the laundering process by converting stolen tokens into more widely accepted blockchain assets like Ether (ETH). While some tokens can be frozen by their issuers, assets like Ether and Bitcoin, which operate on decentralized networks, remain untraceable and are thus favored for money laundering.
Immediately after the Bybit breach, the hackers converted hundreds of millions of dollars in stolen assets—such as stETH and cmETH—into Ether via decentralized exchanges (DEXs). This step was likely aimed at avoiding potential freezes on centralized exchanges, which could have flagged the transactions.
The ‘Layering’ Stage: Stolen Funds Spread Across Multiple Wallets
Elliptic has also found that the stolen funds have entered the next phase of laundering, known as “layering.” Within two hours of the theft, the funds were spread across 50 different wallets, with each holding approximately 10,000 ETH. These wallets are now being systematically emptied.
As of February 23, 2025, around 10% of the stolen funds—roughly $140 million—had already been moved. The funds are now expected to pass through a variety of laundering channels, including DEXs, cross-chain bridges, and centralized exchanges.
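The layering pattern described above (one source fanning out to about 50 wallets of similar size within two hours, followed by those wallets being emptied) can be screened for in transfer data. The Python below is an added example, not Elliptic's or Bybit's tooling; the transfer records, placeholder addresses, timestamps and the 10% amount tolerance are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

WINDOW_S = 2 * 3600   # from the article: the spread happened within two hours
MIN_FANOUT = 50       # from the article: 50 wallets
TOLERANCE = 0.10      # assumption: "similar" means within 10% of the median amount

def make_sample():
    """Constructed transfers (sender, recipient, eth, unix_ts); all names are placeholders."""
    t0 = 1_740_000_000
    txs = [("THEFT_WALLET", f"layer_{i:02d}", 10_000.0, t0 + i * 120) for i in range(50)]
    # Five layer wallets are emptied a day later (second hop).
    txs += [(f"layer_{i:02d}", f"hop2_{i:02d}", 10_000.0, t0 + 86_400 + i) for i in range(5)]
    # Benign look-alike: many recipients, but uneven amounts, so it must not be flagged.
    txs += [("PAYOUT_WALLET", f"user_{i:02d}", 1.0 + i * 3, t0 + i * 60) for i in range(60)]
    return txs

def find_fanouts(txs):
    """Return {sender: recipients} for senders that split funds into MIN_FANOUT or more
    similar-sized transfers to distinct wallets inside one sliding time window."""
    by_sender = defaultdict(list)
    for sender, recipient, amount, ts in txs:
        by_sender[sender].append((ts, recipient, amount))
    hits = {}
    for sender, out in by_sender.items():
        out.sort()
        lo = 0
        for hi in range(len(out)):
            while out[hi][0] - out[lo][0] > WINDOW_S:
                lo += 1  # shrink the window until it spans at most WINDOW_S seconds
            window = out[lo:hi + 1]
            med = median(a for _, _, a in window)
            uniform = {r for _, r, a in window if abs(a - med) <= TOLERANCE * med}
            if len(uniform) >= MIN_FANOUT:
                hits[sender] = uniform
                break
    return hits

def drained_fraction(txs, sender, layer_wallets):
    """Share of the fanned-out funds that the layer wallets have already sent onward."""
    received = sum(a for s, r, a, _ in txs if s == sender and r in layer_wallets)
    moved = sum(a for s, _, a, _ in txs if s in layer_wallets)
    return moved / received if received else 0.0

if __name__ == "__main__":
    sample = make_sample()
    for src, wallets in find_fanouts(sample).items():
        print(src, len(wallets), f"{drained_fraction(sample, src, wallets):.0%} moved")
```

Requiring similar amounts as well as a high recipient count is what keeps ordinary payout wallets, which also send to many addresses, out of the results.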
The Role of eXch: A Haven for Illicit Transactions
One exchange that has emerged as a key player in facilitating the laundering of the stolen funds is eXch, a platform known for allowing anonymous crypto swaps. This makes it a popular choice for criminals looking to move illicit assets. Despite Bybit’s appeals, eXch has refused to block the suspicious transactions, according to Elliptic’s findings.
Bybit’s Response and Efforts to Regain User Trust
In response to the breach, Bybit has been working to restore confidence among its users. On February 26, CEO Ben Zhou announced that the exchange had fully replenished its Ethereum reserves. Additionally, Bybit is preparing to publish an audited proof-of-reserves (PoR) report, which will confirm that the platform’s client assets are fully backed on a 1:1 basis.
The Bybit hack serves as a stark reminder of the growing risks in the crypto space, highlighting the sophisticated tactics employed by hackers like the Lazarus Group and the challenges involved in tracking stolen funds. As the laundering process unfolds, the role of crypto mixers and anonymous exchanges remains a key concern for regulators and law enforcement agencies.