Key Takeaways
- North Korean hackers employed advanced techniques, including social engineering and supply chain compromises, to infiltrate Bybit’s systems.
- The stolen funds were laundered using a combination of mixing services, cross-chain transfers and decentralized exchanges to obscure their origins.
- The proceeds from such hacks potentially fund illicit state activities, posing significant geopolitical risks.
- The incident emphasizes the critical need for cryptocurrency platforms to implement stringent security protocols and for users to exercise caution.
North Korean state-sponsored hacking groups, notably the Lazarus Group, have been implicated in some of the most significant cryptocurrency thefts in recent history.
Their sophisticated methods not only enable them to steal vast sums but also to effectively launder these assets, making detection and recovery challenging.
This article delves into the strategies employed by these hackers, with a focus on the Bybit exchange hack 2025, and explores their laundering techniques.
The Bybit Exchange Heist: An Overview
In February 2025, Bybit, a Dubai-based cryptocurrency exchange, suffered a monumental breach resulting in the loss of approximately $1.5 billion worth of Ethereum (ETH) and other tokens. This incident is considered the largest crypto heist to date.
The Federal Bureau of Investigation (FBI) attributed this theft to North Korean-linked hacking groups, specifically the Lazarus Group and TraderTraitor. These groups have a history of targeting cryptocurrency platforms using advanced cyber-espionage tactics.
Lazarus Group’s Money Laundering Process: Key Stages
The Lazarus Group employs a multi-stage process for laundering stolen cryptocurrency, paralleling traditional money laundering tactics. These stages include:
- Placement: The initial stage involves moving the stolen funds into the crypto space. This is done by exploiting vulnerabilities in cryptocurrency exchanges and converting the stolen assets into different cryptocurrencies to obscure their origin.
- Layering: In this stage, the hackers employ mixing services, cross-chain transfers and privacy-focused protocols to further distance the stolen funds from their origin. The assets are shuffled, exchanged and passed through multiple blockchains and wallets, making tracing difficult.
- Integration: Once the funds are sufficiently layered and anonymized, they are integrated into the broader financial system. This can be done through over-the-counter transactions, P2P platforms or by converting the funds into fiat currencies using exchanges that lack stringent Know Your Customer (KYC) and Anti-Money Laundering (AML) checks.
Laundering Methods Used by Lazarus Group
After securing the stolen assets, the hackers faced the challenge of laundering the funds to obfuscate their origins and convert them into usable currency. Their laundering process involved several sophisticated methods, including:
- Rapid asset conversion and splitting: Immediately after a hack, Lazarus consolidates stolen funds before quickly dispersing them into multiple wallets. In the Bybit case, around 50 new wallets each received approximately 10,000 ETH within hours. This “layering” technique fragments large sums into smaller portions, making it harder to trace a single, obvious source of illicit funds. After the initial dispersion, funds continue moving through additional layers of wallets over time, further obscuring their origins.
- DEX swaps: Lazarus exploits decentralized exchanges (DEXs) to swap stolen assets without going through centralized, KYC-enforced platforms. They often convert ETH to BTC or stablecoins like USDt using platforms such as Uniswap or Curve. By moving across multiple networks, including Tron or BNB Smart Chain, they attempt to leverage liquidity while avoiding detection. However, regulators have caught on, leading to occasional asset freezes.
- Cross-chain bridges and swaps: To evade blockchain-specific tracking, Lazarus transfers stolen funds across different chains using cross-chain bridges. They have used services like Chainflip and THORChain to swap large amounts of ETH into BTC. By distributing BTC across thousands of new addresses, they break the forensic trail. This method is highly effective because each blockchain operates differently, making full-scale tracking difficult.
- Use of mixers and anonymity services: Mixing services, such as Tornado Cash and Sinbad.io, help Lazarus obscure the transaction history of stolen funds. Mixers pool funds from multiple users and redistribute them, severing links between sender and receiver. However, due to post-sanction scrutiny, Lazarus increasingly relies on no-KYC exchanges like eXch, which effectively act as mixers by allowing anonymous asset swaps. This approach ensures stolen funds “go dark” after conversion.
- Obfuscation via memecoins and DeFi fog: Lazarus has innovated by using memecoins to launder funds. For example, they launched “QinShihuang” on Pump.fun, a Solana-based launchpad, and engaged in high-volume trades to mix stolen assets with legitimate transactions. Additionally, they leveraged “dust” tokens—tiny amounts of random crypto sent to wallets—to create a false trading history before swapping them into SOL. This novel method exploits the liquidity of speculative token markets.
- Strategic delay and cash-out: Rather than cashing out immediately, Lazarus often waits weeks or months, allowing forensic attention to fade. Stolen funds remain dormant before being gradually off-ramped through over-the-counter (OTC) brokers, peer-to-peer (P2P) trades or illicit fiat conversion networks, particularly in Asia. This patience ensures they can convert crypto into usable cash while minimizing exposure to enforcement actions.
Extent of Laundered Funds
As of early March 2025, the laundering activities have progressed as follows:
- February 26, 2025: Reports indicated that 135,000 ETH (approximately $335 million) had been laundered, accounting for 27% of the stolen funds.
- February 27, 2025: The laundered amount increased to 206,000 ETH, leaving 292,000 ETH still held by the hackers.
- March 1, 2025: An additional 62,200 ETH (worth $138 million) was moved, bringing the total laundered to 343,000 ETH, or about 68% of the stolen 499,000 ETH.
Here’s a table summarizing the movement of stolen Bybit funds across various exchanges and platforms:
| Platform type |
Key platforms used |
Role |
Status |
| Non-KYC crypto exchange |
eXch |
Major laundering hub, enabling anonymous swaps of ETH to BTC/XMR |
Continues operation, denies wrongdoing despite evidence of processing ~$200M |
| Decentralized exchanges (DEXs) |
Uniswap, 1inch, Pump.fun |
Token swaps across Ethereum, Solana, and other chains for liquidity exits |
Critical anonymity tool, but protocols cannot freeze funds |
| Cross-chain bridges & swapping |
THORChain, Chainflip |
Cross-chain ETH-to-BTC swaps to break traceability |
Chainflip temporarily disabled UI; THORChain processed ~$4.6B in a week |
| Instant No-KYC swap services |
ChangeNOW, FixedFloat |
Quick coin conversions with no accounts |
Some funds ($42M) frozen, but Lazarus likely reduced usage after exposure |
| Centralized exchanges & OTC brokers |
OKX, CoinEx, P2P brokers |
Final cash-out points via smaller or less-regulated platforms |
OKX Web3 swap processed ~$100M; CoinEx cooperated in freezing addresses |
| Stablecoin issuers |
Tether, Circle |
Frozen stablecoin assets traced to hackers |
Tether froze 181,000 USDt, contributing to $42M halted |
Modus Operandi: How the Bybit Hack Was Executed
The Bybit hack was not an isolated incident but rather a culmination of meticulous planning and execution. The following steps outline the hackers’ approach:
- Social engineering and phishing: The attackers employed sophisticated social engineering techniques to deceive Bybit employees. They crafted convincing phishing emails and fake websites to harvest login credentials and other sensitive information.
- Supply chain compromise: The hackers infiltrated Bybit’s software supply chain by compromising a developer’s machine associated with Safe{Wallet}, a tool used internally by the exchange. This allowed them to introduce malicious code into Bybit’s systems.
- Exploiting security gaps: Once inside, the attackers identified and exploited vulnerabilities within Bybit’s infrastructure. They manipulated a routine transfer of funds from a cold wallet (offline storage) to a hot wallet (online storage), redirecting the assets to addresses under their control.
Implications and Responses
The scale and sophistication of the Bybit hack have significant implications for the cryptocurrency industry and global financial security:
- Funding illicit activities: The stolen funds are believed to support North Korea’s nuclear and missile programs, circumventing international sanctions.
- Industry reputation: Such high-profile hacks undermine trust in cryptocurrency platforms, potentially deterring new users and investors.
- Regulatory scrutiny: Governments may impose stricter regulations on cryptocurrency exchanges and related services to prevent future incidents, impacting the industry’s growth and innovation.
Conclusion
The Bybit hack demonstrates how state-sponsored hacking groups, like Lazarus, continue to exploit vulnerabilities in the cryptocurrency ecosystem. The attackers’ use of decentralized platforms, cross-chain protocols and non-KYC services highlights the complex and evolving nature of crypto laundering methods.
Despite efforts by exchanges, investigators and stablecoin issuers to freeze funds, a significant portion of the stolen assets has been successfully laundered. This incident underscores the urgent need for enhanced security measures, proactive regulatory frameworks and global collaboration to combat illicit activities.
Strengthening anti-money laundering protocols, improving blockchain traceability tools and fostering cooperation between crypto platforms and law enforcement agencies will be essential in mitigating future threats.
As the crypto industry grows, addressing these challenges will play a crucial role in maintaining trust and safeguarding the integrity of digital financial systems.
FAQs
The Lazarus Group is a state-sponsored North Korean hacking collective known for executing high-profile cryptocurrency thefts, often targeting exchanges to fund the North Korean regime’s illicit activities.
The Bybit hack highlights vulnerabilities in the crypto industry, prompting calls for stronger security measures, tighter regulations, and increased international cooperation to prevent future attacks.
Cryptocurrency exchanges can implement multi-factor authentication (MFA), regular security audits, cold storage for assets, and enhanced encryption methods to protect against hacking attempts.
Law enforcement agencies use blockchain analysis tools to trace stolen crypto, track transactions across various addresses, and collaborate with international bodies to recover funds and apprehend the perpetrators.
Onkar Singh has three years of experience as a digital finance content creator. Throughout his career, he has collaborated with various DeFi projects and crypto media outlets. In his leisure time, he enjoys fitness activities at the gym and watching movies across different genres. Balancing his professional and personal interests, Onkar continues to contribute to the digital finance landscape while pursuing his hobbies.
Dr. Guneet Kaur is a senior editor at CCN.com and a Science Fellow at Exponential Science. She is a fintech and blockchain expert with extensive experience in digital finance education, blockchain ecosystems, and cryptocurrency markets. She has worked with global media such as Cointelegraph, as well as education and blockchain platforms, to design and lead strategic content and learning initiatives. As an educator and assessor for top-tier executive programs, she bridges real-world fintech trends with academic insight.
Dr. Kaur is also a published researcher and peer reviewer across fintech and data science journals, including Financial Innovation Journal and International Journal of Big Data Intelligence and Applications. Her work spans data-driven analysis, Web3 innovation, and technical content development. With a strong foundation in both industry and academia, she translates complex financial technologies into practical applications, empowering learners, professionals, and institutions across the rapidly evolving digital finance landscape.