Prominent cryptocurrency exchange Bybit was hacked for over $1.4 billion in what is being touted as the biggest heist in the industry’s history, and experts suggest the stolen funds are likely to be laundered through mixers and cross-chain bridges.
According to a recent report by Web3 security firm Elliptic, North Korea’s infamous Lazarus Group, which it believes to be responsible for the attack, might follow its usual laundering pattern.
Currently, Bybit hackers are in what the report dubbed the “layering phase,” the second stage of their laundering process.
In this stage, the Lazarus Group attempts to obscure the origin of the funds by dispersing them across multiple wallets, using cross-chain bridges to shift assets between blockchains, and exchanging tokens on decentralized platforms to complicate tracking efforts.
This was preceded by the initial conversion of stolen tokens into ETH, a typical first step in their laundering strategy.
“This is because tokens have issuers who in some cases can ‘freeze’ wallets containing stolen assets, whereas there is no central party who can freeze Ether or Bitcoin,” the report explained.
Subsequently, within just two hours of the attack, the stolen funds were split across 50 different wallets, each holding around 10,000 ETH.
Elliptic noted that the attackers have since begun systematically emptying these wallets, with more than 10% of the stolen funds already in motion.
The next likely step, experts believe, will involve sending portions of the funds through crypto mixers like Tornado Cash.
The Lazarus Group is well known for using Tornado Cash, and the platform has faced heavy criticism in the past for facilitating North Korea’s crypto laundering activities.
Elliptic also accused the crypto exchange eXch of playing a significant role in the laundering process, adding that attackers were using it to convert the stolen Ether into Bitcoin.
eXch has “emerged as a major and willing facilitator of this laundering effort,” the report stated, adding that the platform even refused to block these transactions despite direct requests from Bybit.
The exchange has denied these allegations in a post-incident update.
Despite these efforts, experts at Elliptic believe laundering such a massive sum won’t be easy for the hackers.
The sheer volume of stolen assets increases the risk of detection, as large transactions are more likely to trigger alerts on exchanges and blockchain monitoring systems.
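From the monitoring side, here is an added illustration (example code, not from the article or from Elliptic) of the kind of heuristic that catches the fan-out described above: one sender dispersing a very large sum into many near-equal chunks across fresh wallets inside a two-hour window. The addresses, amounts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data, not real on-chain transfers: one address empties into
# 50 wallets of roughly 10,000 ETH each within two hours (the layering fan-out),
# alongside ordinary exchange withdrawals spread over a day as background noise.
T0 = datetime(2025, 2, 21, 14, 0)
SAMPLE_TRANSFERS = [
    {"ts": T0 + timedelta(minutes=2 * k), "from": "0xTHEFT_ADDR",
     "to": f"0xLAYER_{k:02d}", "eth": 10_000 + (k % 7) * 5}
    for k in range(50)
] + [
    {"ts": T0 + timedelta(minutes=30 * k), "from": "0xEXCHANGE_HOT",
     "to": f"0xUSER_{k:02d}", "eth": 1 + (k % 9) * 12.5}
    for k in range(40)
]


def fan_out_alerts(transfers, min_recipients=20, min_total_eth=100_000.0,
                   window=timedelta(hours=2), tolerance=0.05):
    """Flag senders that split a large sum into near-equal chunks across many
    distinct recipients within `window`. Returns {sender: alert details}."""
    by_sender = defaultdict(list)
    for t in transfers:
        by_sender[t["from"]].append(t)
    alerts = {}
    for sender, txs in by_sender.items():
        txs.sort(key=lambda t: t["ts"])
        for i in range(len(txs)):
            # Grow a time window forward from transfer i.
            j = i
            while j + 1 < len(txs) and txs[j + 1]["ts"] - txs[i]["ts"] <= window:
                j += 1
            chunk = txs[i:j + 1]
            recipients = {t["to"] for t in chunk}
            amounts = [t["eth"] for t in chunk]
            total = sum(amounts)
            med = median(amounts)
            # Near-equal chunking is the tell: every amount close to the median.
            near_equal = all(abs(a - med) <= tolerance * med for a in amounts)
            if len(recipients) >= min_recipients and total >= min_total_eth and near_equal:
                alerts[sender] = {"recipients": len(recipients), "total_eth": total,
                                  "start": chunk[0]["ts"], "end": chunk[-1]["ts"]}
                break  # earliest qualifying window is enough for one alert
    return alerts
```

Tune `min_recipients`, `min_total_eth` and `tolerance` to the chain and the asset; the background exchange traffic is deliberately below all three so it is not flagged.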
The $1.4 billion Bybit Hack
On February 21, the attackers exploited Bybit’s Ethereum multisig cold wallet during a routine transfer to the exchange’s warm wallet.
The attackers manipulated the signing interface, making it display the correct wallet address while altering the underlying smart contract logic.
Over $1.4 billion worth of various assets, such as Mantle Staked ETH (mETH) and other ERC-20 tokens, were siphoned off the exchange.
Independent crypto sleuth ZachXBT uncovered direct on-chain links between the Bybit hack and the recent Phemex exchange breach, both of which are suspected to be the work of the Lazarus Group.
The same initial theft address was used across both incidents.
Bybit, however, has clarified that all users affected in the breach would be made whole and has launched a $140 million bounty program for cybersecurity experts and blockchain analysts who help track and retrieve stolen assets.
The post What’s next for the $1.4 billion stolen in the Bybit hack? appeared first on Invezz