Bybit Hackers Resume Laundering Activities, Move Another 62,200 ETH

The hackers behind the February 21 Bybit breach, believed to be affiliated with North Korea’s Lazarus Group, have resumed their laundering activities, moving another 62,200 Ether (ETH) worth approximately $138 million on March 1. This brings the total amount of Ether laundered to 343,000 ETH, or 68.7% of the total stolen funds. Only 156,500 ETH remains to be moved, according to a pseudonymous crypto analyst.


The massive hack, which stole 499,000 ETH — valued at over $1.4 billion — from the cryptocurrency exchange Bybit, remains one of the largest exploits in the history of the crypto industry, more than doubling the losses from the $650 million Ronin bridge hack in March 2022.


Continued Laundering Despite Law Enforcement Pressure

The laundering spree continued despite efforts by U.S. authorities to track and block transactions tied to the exploiters. The FBI has been actively involved in preventing the movement of stolen funds by sharing 51 Ethereum addresses linked to the hackers with crypto exchanges, node operators, and other financial entities. In addition, blockchain analytics firm Elliptic has flagged over 11,000 crypto wallet addresses that may be associated with the hackers.


X user EmberCN, a pseudonymous crypto analyst, previously noted that laundering activities had slowed in late February, likely due to increased pressure from U.S. authorities. The hacker group’s progress stood at just 54% of the stolen funds by February 28, but the recent surge in laundering indicates continued efforts to move the stolen ETH.


Converting Stolen Ether into Other Assets

To obfuscate the origin of the stolen Ether, the hackers have converted portions of the funds into other cryptocurrencies, such as Bitcoin (BTC) and the Dai (DAI) stablecoin, using decentralized exchanges, cross-chain bridges, and instant swap services that lack Know Your Customer (KYC) protocols.


One such service, the cross-chain asset swap protocol THORChain, has faced heavy criticism for facilitating a significant portion of the hackers’ transfers. Following a controversial vote to revert a proposal to block transactions linked to North Korean hackers, one of THORChain’s developers, known as "Pluto," announced they would cease their contributions to the project. In response, THORChain's founder John-Paul Thorbjornsen confirmed his disengagement from the protocol and stressed that none of the sanctioned addresses flagged by the FBI or the U.S. Treasury’s Office of Foreign Assets Control (OFAC) had interacted with THORChain.


Impact of the Bybit Hack

The Bybit hack has left a significant mark on the cryptocurrency landscape, with industry observers pointing to the scale of the exploit as a wake-up call for greater security measures and vigilance within the space. While hackers have made significant progress in laundering the stolen funds, authorities continue to work diligently to track the movement of the remaining assets.


As of now, the remaining 156,500 ETH is expected to be moved in the coming days, further complicating efforts to reclaim the stolen funds and prevent their use for illicit activities.
