The $1.4b stolen from crypto exchange Bybit will likely be laundered through mixers as hackers attempt to erase the transaction trail, according to blockchain analytics firm Elliptic.
Elliptic warned on Sunday that hackers may use crypto mixers next if past laundering patterns continue. However, the large amount of stolen assets could make this process more challenging.
The Bybit hack, one of the largest crypto thefts to date, took place on Feb. 21, 2025.
Hackers took advantage of a vulnerability in Bybit’s Ethereum (ETH) cold wallet system. The breach occurred during a routine transfer to a warm wallet.
Bybit CEO Ben Zhou explained that attackers manipulated the user interface (UI). They also used social engineering tactics to deceive the signers. This allowed them to siphon funds without detection.
Blockchain Forensics Uncover Lazarus Group’s Potential Post-Bybit Hack Laundering Steps
Blockchain investigators, including ZachXBT and Arkham Intelligence, have attributed the attack to North Korea’s Lazarus Group, a notorious cybercrime organization linked to multiple high-profile crypto heists.
According to Elliptic, the group follows a specific laundering process. The first step involves converting stolen tokens into native blockchain assets like Ether.
Some tokens can be frozen by their issuers. However, Ether and Bitcoin run on decentralized networks without central control. This makes them ideal for laundering.
Immediately following the Bybit theft, hundreds of millions of dollars in stolen tokens—such as stETH and cmETH—were swiftly converted to Ether using decentralized exchanges (DEXs). This move likely aimed to avoid potential asset freezes that could occur on centralized exchanges.
Stolen Bybit Funds Enter ‘Layering’ Stage of Laundering
The next phase of the laundering process, known as “layering,” is already underway, according to Elliptic. Within two hours of the theft, the stolen funds were distributed across 50 different wallets, each containing approximately 10,000 ETH. Data shows these wallets are now being systematically emptied.
As of 10 PM UTC on Feb. 23, about 10% of the stolen funds—valued at $140m—had already been moved.
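The layering pattern described above (one source splitting funds into about 50 near-equal wallets within two hours, followed by gradual emptying) can be flagged from transfer records. The sketch below is an added example, not code from Elliptic or the original article; the record fields (src, dst, eth, ts), the 10% equal-amount tolerance and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

WINDOW_S = 2 * 3600   # article: funds were split within two hours
MIN_FANOUT = 50       # article: 50 wallets
TOLERANCE = 0.10      # assumption: within 10% of the median counts as "equal"

def find_fanouts(transfers, window_s=WINDOW_S, min_fanout=MIN_FANOUT, tol=TOLERANCE):
    """Return {source: [recipients]} for sources that split funds into at least
    min_fanout near-equal outputs within window_s of their first outgoing transfer."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t["src"]].append(t)
    hits = {}
    for src, txs in by_src.items():
        txs.sort(key=lambda t: t["ts"])
        burst = [t for t in txs if t["ts"] - txs[0]["ts"] <= window_s]
        if len({t["dst"] for t in burst}) < min_fanout:
            continue
        mid = median(t["eth"] for t in burst)
        # Keep only outputs close to the median; payout batches with mixed sizes drop out.
        dsts = sorted({t["dst"] for t in burst if abs(t["eth"] - mid) <= tol * mid})
        if len(dsts) >= min_fanout:
            hits[src] = dsts
    return hits

def drained_fraction(transfers, layer_wallets):
    """Share of the ETH received by the layer wallets that has since left them."""
    wallets = set(layer_wallets)
    received = sum(t["eth"] for t in transfers if t["dst"] in wallets)
    sent = sum(t["eth"] for t in transfers if t["src"] in wallets)
    return sent / received if received else 0.0

def sample_transfers():
    """Constructed data: one source splits into 50 wallets, 5 of which later empty out."""
    txs = [{"src": "theft", "dst": f"layer{i:02d}", "eth": 10_000 + i, "ts": 60 * i}
           for i in range(50)]
    txs += [{"src": f"layer{i:02d}", "dst": f"out{i}", "eth": 10_000 + i, "ts": 90_000 + i}
            for i in range(5)]
    txs.append({"src": "exchange_hot", "dst": "user1", "eth": 3.2, "ts": 100})
    return txs

if __name__ == "__main__":
    txs = sample_transfers()
    for src, dsts in find_fanouts(txs).items():
        print(src, len(dsts), "wallets,", f"{drained_fraction(txs, dsts):.1%} drained")
```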
Once removed from these wallets, the funds are funneled through various laundering channels, including DEXs, cross-chain bridges and centralized exchanges. One exchange, known as eXch, has played a particularly active role in processing the stolen funds.
The platform is notorious for allowing anonymous crypto swaps, making it a popular choice for illicit transactions, including past North Korean-linked thefts. Despite direct appeals from Bybit, eXch has refused to block these transactions, facilitating the continued movement of stolen assets, Elliptic said.
Meanwhile, Bybit is working to restore confidence among its users.
On Monday, CEO Ben Zhou announced that the exchange has fully replenished its Ethereum reserves. He also confirmed that an audited proof-of-reserves (PoR) report will soon be published to verify that Bybit’s client assets are fully backed on a 1:1 basis.
The post Bybit Hack Proceeds May Now Be Routed Through Mixers: Elliptic appeared first on Cryptonews.