Based on past behavior, the Lazarus Group could start using mixers to obfuscate the stolen funds, but it may prove more challenging this time due to the sheer volume of stolen assets.
Crypto stolen from the massive $1.4 billion hack of the Bybit crypto exchange is likely to be laundered through mixers as the hackers continue to attempt to obfuscate the transaction trail.
“If previous laundering patterns are followed, we might expect to see the use of mixers next,” reported blockchain security firm Elliptic, which attributed the theft to North Korea’s Lazarus Group.
However, “this may prove challenging due to the sheer volume of stolen assets,” it added.
On Feb. 21, approximately $1.46 billion in crypto assets were stolen from the Dubai-based Bybit exchange in the largest crypto heist of all time, dwarfing the hundreds of millions stolen from the Poly Network hack in 2021 and Ronin Network hack in 2022.
The Lazarus Group’s laundering process typically follows a “characteristic pattern,” with the first step being to exchange any stolen tokens for a native blockchain asset such as ETH, said Elliptic.
In the Feb. 23 blog post, Elliptic said that Lazarus is now engaged in the “second stage of laundering,” which involves “layering” the stolen funds in order to attempt to conceal the transaction trail.
This layering process can take many forms, including sending funds through large numbers of crypto wallets, moving funds to other chains using crosschain bridges, switching between different crypto assets using decentralized exchanges, and using mixers such as Tornado Cash.
Within two hours of the theft, the stolen funds were sent to 50 different wallets, each holding approximately 10,000 ETH, Elliptic reported, adding that these are now being “systematically emptied,” with at least 10% of the stolen assets having moved from these wallets.
Crypto’s largest theft by far. Source: Elliptic
Elliptic said that one service, in particular, had emerged as a “major and willing facilitator of this laundering,” refusing to block the activity despite direct requests from Bybit.
Elliptic alleges that since the hack, crypto assets stolen from Bybit worth tens of millions of dollars have been exchanged using eXch, a crypto exchange notable for allowing users to swap crypto assets anonymously.
However, on Feb. 23, eXch denied laundering money for the North Korean hacking collective.
The Lazarus Group successfully laundered over $200 million worth of stolen crypto between 2020 and 2023, primarily using mixers and peer-to-peer (P2P) marketplaces, reported blockchain sleuth ZachXBT in 2024.
However, Chainalysis reported a decline in funds sent to mixers by criminal groups such as Lazarus as they shifted to crosschain bridges to launder their ill-gotten gains.
Meanwhile, on Feb. 24, Bybit CEO Ben Zhou said the crypto exchange has fully replaced the $1.4 billion worth of Ether that was hacked, and a new audited proof-of-reserve report will be published soon.
This article first appeared at Cointelegraph.com News