North Korean Hackers Launder $140M of Bybit Loot, Targeting Bitcoin as Elliptic Tracks Transactions

The misappropriated assets are being methodically transferred through untraceable exchanges before being converted into Bitcoin, a method that complicates the recovery efforts, as noted by Elliptic in a blog post on Saturday.

North Korean hackers have begun laundering the funds stolen from Bybit, with blockchain analytics firm Elliptic tracking over $140 million in initial transactions aimed at obscuring the flow of money.

The misappropriated assets are being systematically transferred through untraceable exchanges before being converted into Bitcoin, a method that complicates the recovery efforts, Elliptic noted in a blog post on Saturday.

“The next stage of the laundering process will involve ‘layering’ the stolen assets to obscure the transaction trail,” Elliptic explained. “While this trail can be followed, the layering techniques will complicate the process, giving the launderers valuable time to fully liquidate the assets.”

The $1.46 billion social engineering attack, which occurred on Friday and primarily involved Ethereum, marks the largest theft in the history of cryptocurrency, surpassing the $611 million heist from Poly Network in 2021.

Elliptic and Arkham Intelligence have attributed the attack to North Korea’s Lazarus Group, noting the use of decentralized exchanges and services such as cross-chain bridges and coin swap services to misdirect investigators.

“If typical laundering patterns are followed, we may also see the use of mixers to further obfuscate the transaction trail,” the report noted, adding that this may present challenges due to the “unusually large volume of stolen assets.”

Within hours after the theft, the attackers moved the stolen assets into 50 separate wallets, each containing around 10,000 ETH. According to Elliptic, these funds are now being emptied and converted into Bitcoin.

The attackers initially converted stolen tokens such as stETH and cmETH into Ethereum via decentralized exchanges, presumably to evade possible freezes on the assets.

This aligns with the laundering playbook typically employed by the Lazarus Group, which involves converting stolen tokens into “native” blockchain assets prior to further obfuscation, Elliptic noted.

Since 2017, the group has reportedly stolen over $3 billion in cryptocurrency assets, which were used to fund North Korea’s ballistic missile program, a UN report from last year noted, although the actual figure is likely much higher, according to Elliptic.

As a result of the theft on Sunday, Bybit is facing pressure from user withdrawals, with approximately 23,000 BTC being withdrawn from Bybit’s hot wallet, according to data from Arkham Intelligence.

The exchange’s primary wallets have seen their Bitcoin balance decrease from 70,000 BTC to just over 52,000 BTC, indicating an outflow of around $1.7 billion since Friday afternoon, the data shows.

Further analysis suggests that Bybit has experienced outflows totaling $6 billion across various cryptocurrencies.

Anonymous Crypto Exchange AccusedElliptic and other analysts, including ZachXBT, have pointed to the anonymous cryptocurrency exchange eXch as facilitating “tens of millions of dollars” in stolen assets from the hack, despite Bybit’s requests for the exchange to halt the activity.

“The stolen Ethereum is being continuously converted into Bitcoin, using eXch and other services,” Elliptic stated on Sunday.

An alleged email response from eXch, which was archived on X over the weekend and cited by Elliptic, claims that the exchange chose not to respond to Bybit’s requests, arguing that Bybit has previously made “direct attacks on the reputation” of eXch.

“We find it difficult to understand the expectation of collaboration” from an organization that has “actively undermined our reputation,” the email from eXch stated.

The exchange did not immediately respond to Decrypt’s request for comment.

On Sunday, eXch claimed in a post on a Bitcoin forum that the accusations of facilitating money laundering were unfounded.

“We are not laundering money for Lazarus/DPRK,” eXch asserted, stating that such allegations represent the “view of some individuals who wish to eliminate the fungibility and on-chain privacy of decentralized coins.”

“A small portion of the funds we processed from the Bybit hack in an isolated incident will be donated to various open-source initiatives that focus on privacy and security in and out of crypto space,” the exchange added.

Edited by Sebastian Sinclair