The hacker behind the Bybit exploit has successfully laundered $1.04 billion worth of stolen cryptocurrency within just 10 days, making it the fastest and largest crypto heist laundering operation in history. Despite the speed of the laundering process, blockchain security firms believe portions of the stolen assets may still be recoverable.
On Feb. 21, the crypto exchange Bybit fell victim to an attack that resulted in the theft of over $1.4 billion in Ether (ETH), Mantle Staked ETH (mETH), and various ERC-20 tokens. The breach, identified as the largest in cryptocurrency history, saw approximately 500,000 ETH siphoned from the platform. Blockchain analysis firm Chainalysis detailed that the attackers executed a sophisticated scheme, which began with a phishing campaign targeting Bybit’s cold wallet signers.
The hackers replaced a multisignature wallet implementation contract with a malicious version, enabling unauthorized transfers. The funds were then funneled through a network of intermediary wallets to obscure the transaction trail. According to Chainalysis, this tactic, commonly employed by North Korea-linked hacking groups, aims to hinder tracing efforts by blockchain analysts.
A Complex Laundering Process
Following the attack, the hacker moved all 499,395 ETH, valued at $1.04 billion, primarily through the decentralized cross-chain protocol THORChain. Blockchain security firm Lookonchain reported on March 4 that the hacker had successfully laundered the entirety of the stolen assets.
The process involved converting portions of the stolen ETH into Bitcoin (BTC) and Dai (DAI) via decentralized exchanges (DEXs) and cross-chain bridges. The hacker also utilized an instant swap service that lacks Know Your Customer (KYC) protocols to transfer funds across different blockchain networks. These tactics, according to security experts, are designed to evade traditional tracking mechanisms.
Multiple blockchain analytics firms, including Arkham Intelligence, have linked the hack to North Korea’s Lazarus Group, a notorious state-backed hacking organization. The group has been accused of conducting cyber thefts to finance North Korea’s nuclear weapons program. South Korean authorities recently sanctioned 15 North Koreans for their involvement in similar cyber heists.
Despite these allegations, Lazarus Group has proceeded with laundering the stolen proceeds, employing advanced obfuscation techniques. Chainalysis noted that the hackers deliberately left portions of the stolen funds dormant across multiple addresses, a common strategy aimed at outlasting the initial scrutiny following high-profile breaches.
Security Firms and Regulators Work to Recover Funds
While the hacker has laundered a significant portion of the stolen assets, blockchain security firms remain optimistic that some funds may still be traced and frozen. Bybit CEO Ben Zhou confirmed that approximately 77% of the stolen funds remain traceable, though over $280 million has disappeared into untraceable wallets. So far, security efforts have led to the freezing of 3% of the stolen funds.
Deddy Lavid, co-founder and CEO of blockchain security firm Cyvers, emphasized that recovery depends on rapid response efforts. “While laundering through mixers and cross-chain swaps complicates recovery, cybersecurity firms leveraging on-chain intelligence, AI-driven models, and collaboration with exchanges and regulators still have small opportunities to trace and potentially freeze assets,” he said.
Blockchain analysis firm Chainalysis also reported that collaborative industry efforts have led to the freezing of $40 million of the stolen funds. The firm underscored the importance of strengthening security measures to prevent future attacks, warning that proactive investment in threat prevention is crucial.
Bybit Responds with Customer Protection Measures
Despite the unprecedented breach, Bybit continues to assure customers that their funds remain protected. The company replenished the stolen $1.4 billion in Ether within three days of the attack and has continued to honor withdrawals.
Michael Pearl, vice president of GTM strategy at Cyvers, highlighted an emerging security solution known as off-chain transaction validation, which he claims could prevent 99% of all crypto hacks. This technology preemptively simulates and validates blockchain transactions in an off-chain environment before they are executed, offering a potential safeguard against similar attacks in the future.
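One concrete form of the pre-execution check described above is a policy layer that decodes every multisig proposal a signer is asked to approve and refuses to produce a signature when the decoded intent does not match what the signer expects. The code below is an added illustration, not Bybit's, Cyvers' or any vendor's product: the proposal layout (to, value, calldata, operation, with operation 1 meaning delegatecall) follows a common multisig convention and is an assumption, the addresses and amounts are constructed, and the checks are deliberately conservative (allowlisted destinations and function selectors, a value cap, and a hard block on delegatecall, which is the operation that lets callee code rewrite the wallet's own storage, including its implementation pointer).

```python
"""Pre-signing policy check for multisig transaction proposals.

Added example; not the exchange's or any security vendor's code.  Models the
"validate off-chain before execution" idea: a proposal is decoded and checked
against a policy before a signer produces a signature.  The field layout and
operation codes follow a common multisig convention and are assumptions.
"""
from dataclasses import dataclass

# First 4 bytes of keccak256("transfer(address,uint256)"), the ERC-20 transfer selector.
ERC20_TRANSFER = "a9059cbb"

CALL, DELEGATECALL = 0, 1  # operation codes (assumed convention)


@dataclass(frozen=True)
class Proposal:
    to: str          # destination contract or account, 0x-prefixed hex
    value_wei: int   # native value attached to the call
    data: str        # calldata as hex, with or without 0x prefix
    operation: int   # CALL or DELEGATECALL


@dataclass(frozen=True)
class Policy:
    allowed_destinations: frozenset  # lower-cased 0x addresses
    allowed_selectors: frozenset     # lower-cased 4-byte selectors, no 0x
    max_value_wei: int
    allow_delegatecall: bool = False


def _strip0x(h: str) -> str:
    return h[2:] if h.lower().startswith("0x") else h


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for well-formed ERC-20 transfer calldata, else None."""
    d = _strip0x(data).lower()
    if len(d) != 8 + 64 + 64 or d[:8] != ERC20_TRANSFER:
        return None
    word1, word2 = d[8:72], d[72:136]
    if word1[:24] != "0" * 24:  # an address argument is left-padded with 12 zero bytes
        return None
    return "0x" + word1[24:], int(word2, 16)


def check_proposal(p: Proposal, policy: Policy) -> list:
    """Return a list of human-readable findings; an empty list means the proposal passes."""
    findings = []
    d = _strip0x(p.data).lower()
    if len(d) % 2:
        return ["malformed calldata: odd hex length"]
    if p.operation == DELEGATECALL and not policy.allow_delegatecall:
        findings.append("delegatecall: target code would run inside the wallet's own storage, "
                        "which is how an implementation pointer gets overwritten")
    elif p.operation not in (CALL, DELEGATECALL):
        findings.append(f"unknown operation {p.operation}")
    if p.to.lower() not in policy.allowed_destinations:
        findings.append(f"destination {p.to} is not allowlisted")
    if p.value_wei > policy.max_value_wei:
        findings.append(f"value {p.value_wei} wei exceeds cap {policy.max_value_wei}")
    if d:
        sel = d[:8]
        if sel not in policy.allowed_selectors:
            findings.append(f"function selector 0x{sel} is not allowlisted")
        transfer = decode_erc20_transfer(d)
        if sel == ERC20_TRANSFER and transfer is None:
            findings.append("calldata claims an ERC-20 transfer but its arguments are malformed")
        elif transfer is not None and transfer[0] not in policy.allowed_destinations:
            findings.append(f"ERC-20 transfer recipient {transfer[0]} is not allowlisted")
    return findings


# Constructed sample data: a token contract, a treasury, and an unrelated address.
TOKEN = "0x" + "aa" * 20
TREASURY = "0x" + "bb" * 20
OTHER = "0x" + "cc" * 20
POLICY = Policy(allowed_destinations=frozenset({TOKEN, TREASURY}),
                allowed_selectors=frozenset({ERC20_TRANSFER}),
                max_value_wei=0)

# Benign: transfer 1 token unit (10**18 base units) from the wallet to the treasury.
SAMPLE_BENIGN = Proposal(to=TOKEN, value_wei=0, operation=CALL,
                         data="0x" + ERC20_TRANSFER + "00" * 12 + "bb" * 20 + format(10 ** 18, "064x"))
# Same call shape, but the recipient inside the calldata is not the treasury.
SAMPLE_MISDIRECTED = Proposal(to=TOKEN, value_wei=0, operation=CALL,
                              data="0x" + ERC20_TRANSFER + "00" * 12 + "cc" * 20 + format(10 ** 18, "064x"))
# Delegatecall into an unknown contract with an unknown selector.
SAMPLE_DELEGATECALL = Proposal(to=OTHER, value_wei=0, operation=DELEGATECALL, data="0xdeadbeef")

if __name__ == "__main__":
    for name, prop in [("benign", SAMPLE_BENIGN), ("misdirected", SAMPLE_MISDIRECTED),
                       ("delegatecall", SAMPLE_DELEGATECALL)]:
        print(name, check_proposal(prop, POLICY) or "OK")
```

The point of the second and third samples is that a signing UI that only shows "transfer" or a contract address can look identical for all three; the decoded calldata and the operation code are what distinguish them, which is why the check runs on the decoded proposal rather than on what the interface displays. A full off-chain validator would add a simulated execution of the proposal and compare the resulting state changes against the same policy.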