Tuesday, February 25, 2025

Bybit Hackers On The Move? Stolen Funds Likely Headed To Mixers—Report



A blockchain security firm revealed that stolen funds from crypto exchange Bybit are being moved by hackers to crypto mixers to convert the bagged funds into Bitcoin in an attempt to obfuscate the transaction trail.

Elliptic believes that the hackers known as the Lazarus Group, which is based in North Korea, could be trying to launder the stolen funds using crypto mixers to make it harder to trace the transactions.

Bybit Hackers On The Move

Elliptic reported that $1.4 billion of stolen digital assets from the hacking incident at the Bybit crypto exchange is believed to be on the move to crypto mixers so the hackers can launder the funds without being traced by authorities.

“If previous laundering patterns are followed, we might expect to see the use of mixers next,” Elliptic said.

The blockchain security firm attributed the multi-billion-dollar crypto heist to North Korean hackers known only as the Lazarus Group.

However, Elliptic noted that laundering the stolen crypto funds may prove too challenging for the hacker group because of the sheer volume of assets that they need to move without leaving a trail.

“North Korea’s Lazarus Group is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic noted on its website.

The Laundering Process

Elliptic explained that North Korea’s Lazarus Group has a laundering process that normally follows a characteristic pattern. “The first step is to exchange any stolen tokens for a ‘native’ blockchain asset such as Ether.

“This is because tokens have issuers who in some cases can ‘freeze’ wallets containing stolen assets, whereas there is no central party who can freeze Ether or Bitcoin,” the blockchain security firm said.

ETHUSD trading at $2.49 on the daily chart: TradingView.com

In the case of the Bybit theft, this first stage happened within minutes after the heist. Elliptic said that “hundreds of millions of dollars in stolen tokens such as stETH and cmETH exchanged for Ether.”

The hackers utilized decentralized exchanges (DEXs) to achieve this, avoiding any asset freezing that could happen when they use a centralized exchange to launder stolen funds.

An illustration of a crypto mixer. Image: Elliptic

“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail. The transparency of blockchains means that this transaction trail can be followed, but these layering tactics can complicate the tracing process, buying the launderers valuable time to cash-out the assets,” the security firm noted.

The layering can be done in several ways, such as sending funds through large numbers of cryptocurrency wallets, moving funds to other blockchains, switching between different crypto assets, or utilizing crypto mixers.

Systematically Emptied

Elliptic said that the North Korean hackers are currently at the second stage of laundering, the layering process, adding that the hackers did so by sending the stolen funds to 50 different wallets within two hours after the heist. Each wallet holds an estimated 10,000 ETH.

“These are now being systematically emptied – as of 10pm UTC on February 23, 10% of the stolen assets (now worth $140 million) have been moved from these wallets. Once moved out of these wallets, the funds are being laundered through various services, including DEXs, cross-chain bridges and centralized exchanges,” the security firm explained.
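The dispersal pattern described above (one source splitting funds across many fresh wallets in near-equal amounts within a short window, followed by gradual emptying) is something tracing teams can flag mechanically. The following is an added example, not code from Elliptic or the original article; the transfer tuple format, the thresholds and every address in the sample ledger are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

WINDOW_S = 2 * 3600   # page: dispersal finished within two hours of the heist
MIN_FANOUT = 50       # page: 50 wallets; using it as the alert threshold is an assumption
TOLERANCE = 0.10      # assumption: amounts within 10% of the window median are "uniform"

def find_fanout(transfers, window_s=WINDOW_S, min_fanout=MIN_FANOUT, tol=TOLERANCE):
    """Map each source to the first-seen wallets it funded in near-equal amounts
    when at least min_fanout of them were funded inside one sliding window."""
    seen, by_src = set(), defaultdict(list)
    for ts, src, dst, amt in sorted(transfers):
        if dst not in seen:                      # only never-before-seen recipients
            by_src[src].append((ts, dst, amt))
        seen.update((src, dst))
    hits = {}
    for src, outs in by_src.items():
        start = 0
        for end in range(len(outs)):
            while outs[end][0] - outs[start][0] > window_s:
                start += 1                       # slide the window forward
            win = outs[start:end + 1]
            mid = median(a for _, _, a in win)
            uniform = sorted({d for _, d, a in win if abs(a - mid) <= tol * mid})
            if len(uniform) >= min_fanout and len(uniform) > len(hits.get(src, [])):
                hits[src] = uniform
    return hits

def drained_fraction(transfers, wallets):
    """Share of the value received by `wallets` that has since been sent onward."""
    wallets = set(wallets)
    received = sum(a for _, _, d, a in transfers if d in wallets)
    sent = sum(a for _, s, _, a in transfers if s in wallets)
    return sent / received if received else 0.0

# Constructed sample ledger: (unix_ts, from, to, amount_eth). All addresses are made up.
SAMPLE = [(i * 120, "0xSRC", f"0xW{i:02d}", 10_000.0) for i in range(50)]
SAMPLE += [(i * 3600, "0xHOT", f"0xC{i:02d}", 5.0 + i) for i in range(60)]   # slow payouts
SAMPLE += [(90_000 + i, f"0xW{i:02d}", "0xSVC", 10_000.0) for i in range(5)]  # onward moves

if __name__ == "__main__":
    for src, wallets in find_fanout(SAMPLE).items():
        print(src, len(wallets), f"{drained_fraction(SAMPLE, wallets):.0%} moved on")
```

The slow-paying `0xHOT` address in the sample is not flagged, because its 60 payouts never cluster inside one two-hour window.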

Biggest Heist Of All Time

Reports said an estimated $1.46 billion of digital assets were stolen from Dubai-based crypto exchange Bybit on February 21, 2025. Investigators suggested that “malware was used to trick the exchange into approving transactions that sent the funds to the thief.”

This incident is so far the “largest crypto heist of all time,” much bigger than the $611 million in crypto assets stolen from Poly Network in 2021.

Featured image from Gemini Imagen, chart from TradingView


