Bybit Hack Proceeds May Now Be Routed Through Mixers: Elliptic

Crypto Reporter

Shalini Nagarajan

The $1.4b stolen from crypto exchange Bybit will likely be laundered through mixers as hackers attempt to erase the transaction trail, according to blockchain analytics firm Elliptic.

Elliptic warned on Sunday that hackers may use crypto mixers next if past laundering patterns continue. However, the large amount of stolen assets could make this process more challenging.

The Bybit hack, one of the largest crypto thefts to date, took place on Feb. 21, 2025.

Hackers took advantage of a vulnerability in Bybit’s Ethereum (ETH) cold wallet system. The breach occurred during a routine transfer to a warm wallet.

Bybit CEO Ben Zhou explained that attackers manipulated the user interface (UI). They also used social engineering tactics to deceive the signers. This allowed them to siphon funds without detection.

Blockchain Forensics Uncover Lazarus Group’s Potential Post-Bybit Hack Laundering Steps

Blockchain investigators, including ZachXBT and Arkham Intelligence, have attributed the attack to North Korea’s Lazarus Group, a notorious cybercrime organization linked to multiple high-profile crypto heists.

According to Elliptic, the group follows a specific laundering process. The first step involves converting stolen tokens into native blockchain assets like Ether.

Some tokens can be frozen by their issuers. However, Ether and Bitcoin run on decentralized networks without central control. This makes them ideal for laundering.

Immediately following the Bybit theft, hundreds of millions of dollars in stolen tokens—such as stETH and cmETH—were swiftly converted to Ether using decentralized exchanges (DEXs). This move likely aimed to avoid potential asset freezes that could occur on centralized exchanges.

Stolen Bybit Funds Enter ‘Layering’ Stage of Laundering

The next phase of the laundering process, known as “layering,” is already underway, according to Elliptic. Within two hours of the theft, the stolen funds were distributed across 50 different wallets, each containing approximately 10,000 ETH. Data shows these wallets are now being systematically emptied.

As of 10 PM UTC on Feb. 23, about 10% of the stolen funds, valued at $140m, had already been moved.

Once removed from these wallets, the funds are funneled through various laundering channels, including DEXs, cross-chain bridges and centralized exchanges. One exchange, known as eXch, has played a particularly active role in processing the stolen funds.

The platform is notorious for allowing anonymous crypto swaps, making it a popular choice for illicit transactions, including past North Korean-linked thefts. Despite direct appeals from Bybit, eXch has refused to block these transactions, facilitating the continued movement of stolen assets, Elliptic said.

Meanwhile, Bybit is working to restore confidence among its users.

On Monday, CEO Ben Zhou announced that the exchange has fully replenished its Ethereum reserves. He also confirmed that an audited proof-of-reserves (PoR) report will soon be published to verify that Bybit’s client assets are fully backed on a 1:1 basis.
