
North Korean cybercriminals have begun to launder funds stolen from Bybit, with blockchain analysis firm Elliptic reporting that over $140 million in initial transactions are being used to hide the movement of these illicit assets.
The stolen cryptocurrency is being deliberately transferred through untraceable exchanges prior to being converted into Bitcoin. This method complicates efforts to track and recover the misappropriated funds, as noted by Elliptic in a recent blog post.
“The next phase of the laundering operation involves ‘layering’ the stolen funds to obscure the transaction trail,” Elliptic explained. “While this trail can still be traced, these layering strategies can hinder the tracking process, allowing the perpetrators more time to liquidate the assets.”
The recent incident, a staggering $1.46 billion social engineering hack primarily involving Ethereum, marks the largest theft in the history of cryptocurrency, eclipsing the previous record of $611 million stolen from Poly Network in 2021.
Elliptic, in collaboration with Arkham Intelligence, has attributed the attack to North Korea’s Lazarus Group, highlighting their tactic of employing decentralized exchanges and various services, including cross-chain bridges and coin swapping, to obscure their actions.
“Based on prior laundering behaviors, it is likely that mixers will be used next to further disguise the transaction trail,” the analysis suggests. However, this could pose difficulties due to the substantial volume of stolen funds involved.
Shortly after the theft, the attackers dispersed the stolen assets across 50 separate wallets, each containing around 10,000 ETH. These funds are currently being systematically liquidated and swapped for Bitcoin, as per Elliptic’s findings.
The attackers initially converted stolen tokens such as stETH and cmETH to Ethereum via decentralized exchanges, likely to evade potential asset freezes. This approach aligns with the typical laundering strategy employed by the Lazarus Group, transforming stolen tokens into “native” blockchain assets before implementing further concealment tactics.
Since 2017, the Lazarus Group has reportedly stolen over $3 billion in cryptocurrencies, which have allegedly been funneled to support North Korea’s ballistic missile initiatives, according to a UN report published last year. However, analysts believe the actual figure could be significantly higher.
In the wake of the theft on Sunday, Bybit is experiencing significant withdrawal pressure from users, with approximately 23,000 BTC being pulled from the exchange’s hot wallet, based on data from Arkham Intelligence.
The exchange’s primary wallets registered a decline in Bitcoin balances from 70,000 BTC to just over 52,000 BTC—a loss totaling around $1.7 billion since Friday afternoon. Further assessments indicate that outflows could amount to as much as $6 billion across multiple cryptocurrencies.
Anonymous Exchange Under Scrutiny
Elliptic, among others including ZachXBT, has identified the anonymous crypto exchange eXch as having processed “tens of millions of dollars” linked to the stolen assets, despite Bybit’s direct appeals to halt these activities.
“Stolen Ethereum is being gradually converted to Bitcoin, utilizing eXch and other platforms,” Elliptic reported on Sunday.
A purported response from eXch, cited by Elliptic and archived on X, claims that the exchange chose not to heed Bybit’s requests, accusing the latter of past attacks on its reputation. “It’s hard for us to comprehend the expectation for cooperation from a group that has actively undermined our standing,” the email stated.
The exchange has not yet responded to Decrypt’s requests for additional comment.
In a post to a Bitcoin forum, eXch denied allegations of facilitating money laundering, asserting, “We are not laundering assets for Lazarus/DPRK.” They further argued that the claims stem from individuals who wish to eliminate the fungibility and on-chain privacy of decentralized currencies.
eXch also mentioned that a small portion of the funds processed as a result of the Bybit hack will be donated to various open-source projects dedicated to privacy and security, both inside and outside the crypto sector.
Edited by Sebastian Sinclair.
