
The largest theft in history: tracking the Bybit hacker's funds


Reprinted from jinse

02/24/2025

Source: Elliptic; Translated by: Golden Finance xiaozou

On February 21, 2025, Bybit, a cryptocurrency exchange based in Dubai, suffered a theft of approximately US$1.46 billion in crypto assets. Preliminary reports indicate that the attacker used malware to trick the exchange into approving transactions that transferred the funds to addresses under the thief's control.

This is by far the largest cryptocurrency theft to date, exceeding the $611 million stolen from Poly Network in 2021 (most of which was eventually returned by the hacker). It is almost certainly also the largest single theft of any kind ever recorded, a record previously held by Saddam Hussein, who took $1 billion from the Iraqi Central Bank on the eve of the 2003 Iraq War.


Elliptic's analysis of a range of indicators, including the laundering patterns of the stolen crypto assets, attributes the Bybit theft to North Korea's Lazarus Group. Since 2017, North Korea-linked hackers have stolen more than $6 billion in crypto assets, and the proceeds are reported to fund the country's ballistic missile program.

The Lazarus Group has built a powerful and sophisticated capability, not only for breaching target organizations to steal crypto assets, but also for laundering the proceeds through thousands of blockchain transactions. Since the theft, Elliptic has worked around the clock with Bybit, crypto asset service providers and other investigators to trace the stolen funds and prevent them from being cashed out. As the world's leading provider of crypto asset transaction and wallet screening solutions, Elliptic alerts customers worldwide through its software when they receive funds traceable to the Bybit theft. This has directly led to some of the funds stolen from Bybit being frozen.


The Lazarus Group's laundering usually follows a recognizable pattern. The first step is to swap all stolen tokens into the blockchain's "native" asset, such as ETH. Tokens have issuers, and some token contracts let the issuer freeze or blacklist wallets holding stolen assets; native ETH and Bitcoin have no central authority that can do so.

This is exactly what happened within minutes of the Bybit theft: hundreds of millions of dollars' worth of stolen tokens such as stETH and cmETH were swapped for ETH. The attacker used decentralized exchanges (DEXs) for this, most likely to avoid the asset freezes that could occur if the funds were routed through a centralized exchange.

The second step is to "layer" the stolen funds in an attempt to obscure the transaction trail. The transparency of the blockchain means these trails can still be traced, but layering complicates the tracing work and buys the launderers valuable time to cash out. Layering can take many forms, including:

  • Passing funds through a large number of cryptocurrency wallets

  • Moving funds to other blockchains using cross-chain bridges or exchanges

  • Swapping between different crypto assets using DEXs, token swap services or exchanges

  • Using "coin mixers" such as Tornado Cash or Cryptomixer

The Lazarus Group is currently in this second, layering phase. Within two hours of the theft, the stolen funds were sent to 50 different wallets, each holding roughly 10,000 ETH. These wallets are now being systematically emptied: as of 10 p.m. UTC on February 23, 10% of the stolen assets (now worth $140 million) had been moved out of them.
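The tracing and screening described above can be reproduced in miniature with a taint-propagation pass over a transaction ledger. The following Python script is an added example and is not Elliptic's software or anything from the original article. The ledger, addresses, transaction ids, amounts, the `SERVICES` labels and the `TOTAL_STOLEN` figure are all constructed for illustration and do not reproduce the real Bybit transactions. It applies proportional (pro-rata) taint: each outgoing transfer carries the same tainted share as the sender's current balance, which is what makes commingling at a service deposit address only dilute, rather than erase, the link back to the theft.

```python
from collections import defaultdict

# Constructed ledger in chronological order: (tx id, from, to, amount in ETH).
# Addresses, amounts and tx ids are invented for illustration; they do not
# correspond to the real Bybit transactions.
LEDGER = [
    ("tx01", "bybit_cold", "attacker_main", 400_000.0),  # the theft itself
    ("tx02", "attacker_main", "split_01", 10_000.0),     # parked in ~10k ETH wallets
    ("tx03", "attacker_main", "split_02", 10_000.0),
    ("tx04", "split_01", "hop_a", 5_000.0),              # first layering hop
    ("tx05", "hop_a", "exch_deposit", 2_500.0),          # towards a swap service
    ("tx06", "hop_a", "bridge", 2_500.0),                # towards a cross-chain bridge
    ("tx07", "clean_user", "exch_deposit", 1_000.0),     # unrelated clean deposit commingles
    ("tx08", "exch_deposit", "cex_hot", 3_500.0),        # commingled funds move on
]
THEFT_TXS = {"tx01"}                       # transactions whose outputs are fully tainted
SPLIT_WALLETS = {"split_01", "split_02"}   # the intermediate "parking" wallets
TOTAL_STOLEN = 400_000.0                   # constructed figure, not the real total
# Hypothetical labels for addresses of services that could freeze incoming funds.
SERVICES = {"cex_hot": "exchange hot wallet", "bridge": "cross-chain bridge deposit"}


def trace(ledger, theft_txs):
    """Replay the ledger and return (balance, tainted, tainted_out) per address.

    Proportional (pro-rata) taint: an outgoing transfer carries the same tainted
    fraction as the sender's current balance. Outputs of a theft tx are fully
    tainted. If an address sends more than the ledger shows it received, the
    shortfall is assumed to be pre-existing clean funds.
    """
    balance = defaultdict(float)      # ETH currently held
    tainted = defaultdict(float)      # portion of that balance traced to the theft
    tainted_out = defaultdict(float)  # tainted ETH the address has passed onward
    for tx, src, dst, amount in ledger:
        if balance[src] < amount:
            balance[src] = amount     # unseen prior balance, treated as clean
        if tx in theft_txs:
            taint_moved = amount
        else:
            taint_moved = amount * tainted[src] / balance[src]
            tainted[src] -= taint_moved
        balance[src] -= amount
        balance[dst] += amount
        tainted[dst] += taint_moved
        tainted_out[src] += taint_moved
    return balance, tainted, tainted_out


def exposure(state, addr):
    """Tainted ETH held at addr and the tainted share of its current balance."""
    balance, tainted, _ = state
    if balance[addr] <= 0:
        return 0.0, 0.0
    return tainted[addr], tainted[addr] / balance[addr]


def fraction_moved_from_split_wallets(state, split_wallets, total_stolen):
    """Share of the stolen total that has already left the parking wallets."""
    _, _, tainted_out = state
    return sum(tainted_out[w] for w in split_wallets) / total_stolen


def alerts(state, services, min_tainted):
    """Service addresses currently holding at least min_tainted tainted ETH."""
    _, tainted, _ = state
    return sorted(
        (label, addr, tainted[addr])
        for addr, label in services.items()
        if tainted[addr] >= min_tainted
    )


if __name__ == "__main__":
    state = trace(LEDGER, THEFT_TXS)
    amt, share = exposure(state, "cex_hot")
    print(f"cex_hot holds {amt:.1f} tainted ETH ({share:.1%} of its balance)")
    moved = fraction_moved_from_split_wallets(state, SPLIT_WALLETS, TOTAL_STOLEN)
    print(f"{moved:.2%} of the stolen ETH has left the split wallets")
    for label, addr, held in alerts(state, SERVICES, 1.0):
        print(f"ALERT {label} ({addr}): {held:.1f} tainted ETH received")
```

On the constructed ledger, the exchange hot wallet ends up holding 2,500 tainted ETH out of 3,500 (about 71%), because the clean 1,000 ETH deposit only diluted the stolen funds it was commingled with. Pro-rata is one of several taint rules (FIFO and "poison", where any contact marks the whole balance, are the usual alternatives), and a real investigation would populate the ledger from chain data rather than a hand-written list. The script also shows why bridges and mixers are attractive to the launderer: a bridge transfer leaves this single-chain ledger entirely, and a mixer pools many senders' funds so that the pro-rata share to any one withdrawal becomes small, which is the time-buying effect the article describes.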

Once funds leave these wallets, they are laundered through a variety of services, including DEXs, cross-chain bridges and centralized exchanges. One exchange in particular, eXch, has emerged as the main willing facilitator of the laundering. eXch is known for allowing users to swap crypto assets anonymously, and it has been used to launder hundreds of millions of dollars of proceeds from criminal activity, including several previous thefts by North Korea. Since the hack, tens of millions of dollars' worth of the assets stolen from Bybit have been swapped through eXch. Despite a request from Bybit, eXch has refused to block the activity.

The stolen ETH is being converted into Bitcoin through eXch and other services. If the group follows its previous laundering pattern, we may then see it use coin mixers to further obfuscate the trail, although the sheer scale of the stolen funds makes that harder to do.

North Korea's Lazarus Group is the most "professional" and best-resourced crypto asset launderer in existence, continually adapting its techniques to avoid identification and seizure of stolen assets. Since minutes after the Bybit theft, the Elliptic team has worked around the clock with Bybit, its clients and other investigators to track the funds and prevent the North Korean regime from benefiting from them.
