Bybit Funds Shifting: Could They Be Paving the Way for Bitcoin Mixers Next? – Elliptic

Hackers from North Korea have commenced the laundering of funds stolen from Bybit, with the blockchain analytics firm Elliptic monitoring over $140 million in preliminary transactions aimed at obscuring the flow of money.

The misappropriated assets are being methodically transferred through untraceable exchanges before being converted into Bitcoin, a method that complicates the recovery efforts, as noted by Elliptic in a blog post on Saturday.

“The next phase of the laundering process involves ‘layering’ the stolen assets to hide the transaction trail,” Elliptic explained. “While this trail can be traced, the layering techniques complicate the process, giving the launderers crucial time to liquidate the assets.”

The $1.46 billion social engineering attack, which occurred on Friday and primarily involved Ethereum, marks the largest theft in the history of cryptocurrency, surpassing the $611 million heist from Poly Network in 2021.

Elliptic and Arkham Intelligence have attributed the attack to North Korea’s Lazarus Group, citing the utilization of decentralized exchanges and services such as cross-chain bridges and coin swap services to mislead investigators.

“If the typical laundering patterns are followed, we may observe the use of mixers next to further conceal the transaction trail,” the report indicated. However, this may present challenges due to the “enormous volume of stolen assets.”

Within hours after the theft, the attackers moved the stolen assets into 50 distinct wallets, each containing around 10,000 ETH. According to Elliptic, these funds are now being emptied and converted into Bitcoin.

Initially, the hackers converted stolen tokens such as stETH and cmETH into Ethereum via decentralized exchanges, presumably to evade possible freezes on the assets.

This aligns with the laundering playbook typically employed by the Lazarus Group, which involves converting stolen tokens into “native” blockchain assets prior to further obfuscation, Elliptic noted.

Since 2017, the group has reportedly stolen over $3 billion in cryptocurrency assets, financing North Korea’s ballistic missile initiatives with the proceeds, according to a UN report from last year, although the actual figure is likely much higher, according to Elliptic.

As a consequence of the theft on Sunday, Bybit is experiencing pressure from user withdrawals, with approximately 23,000 BTC having been withdrawn from Bybit’s hot wallet, as indicated by data from Arkham Intelligence.

Data shows the exchange’s primary wallets have seen their Bitcoin balance decrease from 70,000 BTC to just over 52,000 BTC, reflecting an outflow of around $1.7 billion since Friday afternoon.

Further assessments indicate that Bybit has experienced outflows totaling $6 billion across various cryptocurrencies.

Anonymous Crypto Exchange Accused

Elliptic and other analysts, including ZachXBT, have pointed to the anonymous cryptocurrency exchange eXch as having facilitated “tens of millions of dollars” in stolen assets from the hack, despite Bybit’s explicit requests to halt the activities.

“The stolen Ethereum is consistently being converted into Bitcoin, utilizing eXch and other services,” Elliptic stated on Sunday.

An alleged email response from eXch, archived on X over the weekend and quoted by Elliptic, claims the exchange opted not to respond to Bybit’s requests, arguing that Bybit has made “direct attacks on the reputation” of eXch in the past.

“We find it difficult to comprehend the expectation of collaboration” from an organization that has “actively undermined our reputation,” the email from eXch stated.

The exchange did not promptly respond to Decrypt’s inquiry for comment.

On Sunday, eXch claimed in a post on a Bitcoin forum that the accusations of facilitating money laundering were unfounded.

“We are not laundering money for Lazarus/DPRK,” eXch asserted, stating that such allegations represent the “view of some individuals who wish to eliminate the fungibility and on-chain privacy of decentralized coins.”

The exchange added: “A negligible portion of the funds we processed from the Bybit hack in an isolated incident will be allocated to various open-source initiatives focused on privacy and security within and beyond the crypto space.”

Edited by Sebastian Sinclair

