
Bybit’s $1.46B Hack: Recovery Efforts Begin as North Korean Laundering Operation Unfolds


TLDR:

  • North Korean hackers have begun laundering approximately $140 million (10%) of the $1.46 billion stolen from Bybit through anonymous exchange services and conversion to Bitcoin
  • Bybit is offering a 10% bounty (up to $140 million) for help recovering the stolen assets, while experiencing massive user withdrawals totaling around $6 billion
  • Exchanges and stablecoin issuers have frozen $42.85 million in stolen funds through coordinated efforts, with Tether freezing 181,000 USDT
  • The hack has been linked to North Korea’s Lazarus Group by both Elliptic and Arkham Intelligence, based on their typical laundering patterns
  • Anonymous exchange eXch has processed “tens of millions” in stolen assets despite Bybit’s requests to block the activity, claiming past reputational conflicts

North Korean hackers have initiated the laundering process for approximately $140 million of the $1.46 billion stolen from cryptocurrency exchange Bybit, marking the start of what could be a lengthy recovery effort for the largest theft in crypto history.

Blockchain intelligence firm Elliptic reported on Saturday that the stolen funds are being methodically moved through anonymous exchanges and converted to Bitcoin, making the assets increasingly difficult to trace and recover.

The hackers distributed the stolen assets across 50 different wallets immediately after the theft, with each wallet containing approximately 10,000 ETH. These wallets are now being systematically emptied as the funds undergo conversion to Bitcoin.

The attackers began by converting stolen tokens such as stETH and cmETH to Ethereum using decentralized exchanges. According to Elliptic, this strategy aligns with the typical methods employed by the Lazarus Group, which often converts stolen tokens to “native” blockchain assets before further obscuring the trail.

Both Elliptic and Arkham Intelligence have connected the attack to North Korea’s Lazarus Group, citing the use of decentralized exchanges and other services, including cross-chain bridges and coin swap services. The group has stolen over $3 billion in crypto assets since 2017, with proceeds reportedly funding North Korea’s ballistic missile program.

Bounty Offered

In response to the theft, Bybit announced early Saturday that it would offer a bounty of 10% of recovered funds—up to $140 million—to any on-chain security experts who assist in recovering the assets. This announcement came as the exchange faced mounting pressure from user withdrawals.

Data from Arkham Intelligence shows that users have withdrawn approximately 23,000 BTC from Bybit’s hot wallet since the incident. The exchange’s main wallets indicate a Bitcoin balance reduction from 70,000 BTC to just over 52,000 BTC, representing an outflow of roughly $1.7 billion since Friday afternoon.

Further analysis reveals that Bybit has experienced total outflows of $6 billion across various cryptocurrencies, highlighting the scale of user response to the security breach.

The anonymous crypto exchange eXch has emerged as a key player in the laundering operation, processing tens of millions of dollars in stolen assets despite direct requests from Bybit to block the activity. In a purported email response, eXch claimed it chose not to acknowledge Bybit’s requests due to past reputational conflicts between the two entities.

In a forum post on Sunday, eXch denied allegations of money laundering for Lazarus Group, stating that the “insignificant part of funds” processed from the Bybit hack would be donated to various open-source privacy and security initiatives.

A coordinated industry response has led to the freezing of $42.85 million in stolen funds across multiple platforms. THORChain has blacklisted several addresses linked to the North Korean hacking syndicate, while ChangeNow froze 34 ETH ($97,000) in related addresses.

The Avalanche network restricted access to 0.38755 BTC ($37,124), and FixedFloat, a Lightning Network-based exchange, froze 120,000 in USDC and USDT stablecoins. Stablecoin issuers have joined the effort, with Tether freezing 181,000 USDT.

Bybit is taking additional security measures, including collaborating with Pump.fun and Solana Foundation President Lily Lui to remove a Solana-based token linked to hacker groups. On-chain data indicates that the Lazarus Group is bridging assets to Solana and using fake KYC data to deposit funds on exchanges.

The exchange has warned users about scammers impersonating Bybit officials to obtain sensitive information, emphasizing that it will never request personal information, deposits, or passwords directly from users.

Members of the Ethereum community are currently discussing the possibility of a blockchain rollback to impede the efforts of the attackers, though no formal proposals have been made public.

Elliptic suggests that based on previous laundering patterns, the next step may involve the use of mixers to further obscure the transaction trail, though the large volume of stolen assets could make this approach challenging.
