
Bybit Hack: $1.4B in Stolen Crypto Laundered by Hackers

March 4, 2025

Significant Cryptocurrency Theft: Funds Laundered to Bitcoin

Individuals responsible for the theft of approximately $1.4 billion in cryptocurrency from the Bybit exchange have transferred the vast majority of the stolen assets and converted them into Bitcoin. Experts characterize this activity as the initial stage of a sophisticated money-laundering operation.

Record-Breaking Hack and Allegations

On February 21st, Bybit reported a “highly complex attack” targeting one of its digital wallets. This resulted in the loss of 401,346 Ethereum, valued at roughly $1.4 billion at the time of the incident. This constitutes the largest cryptocurrency theft recorded to date, and potentially the largest financial heist in history. Investigations by blockchain analysis firms, researchers, and the FBI point to the North Korean government as the perpetrator.

Movement and Conversion of Stolen Funds

Following the digital robbery, the perpetrators moved all of the stolen Ethereum out of the numerous cryptocurrency wallets initially used to divide the proceeds. They subsequently converted the majority of these funds into Bitcoin, as indicated by Tom Robinson, co-founder and chief scientist at Elliptic, a cryptocurrency monitoring firm. Ari Redbord, former federal prosecutor and current global head of policy at TRM Labs, another blockchain monitoring firm, corroborates this assessment.

Tracking the Stolen Assets

Chainalysis, a blockchain monitoring firm, is currently tracking approximately 90% of the stolen Bybit funds, according to Andrew Fierman, the head of national security intelligence at the company. The majority of these funds have been transformed into Bitcoin and are distributed across roughly 4,400 different addresses.

The remaining 10% of the stolen funds have been lost due to transaction fees, account freezes, or conversion to cash through off-ramps.

Initial Laundering Phase and Operational Efficiency

Between February 24th and March 2nd, the North Korean hackers implemented measures to conceal the origins of the stolen cryptocurrency. Redbord explains that they primarily utilized THORSwap, a decentralized protocol allowing asset swaps across blockchains without intermediaries.

Redbord highlighted the “exceptional level of operational efficiency” demonstrated by the hackers during these laundering procedures.

Implications for Anti-Money Laundering Efforts

“This swift laundering process suggests that North Korea has either expanded its money-laundering infrastructure or that underground financial networks, particularly within China, have increased their capacity to handle illicit funds,” Redbord stated. “The scale and speed of this operation pose new challenges for investigators, as conventional anti-money laundering (AML) systems struggle to keep pace with the high volume of illegal transactions.”

Further Stages of the Operation

Both Redbord and Robinson emphasize that this represents only the initial phase of the hackers’ activities. Robinson noted, “They still have a considerable distance to travel before they can fully benefit from these funds.”

Utilizing Crypto Mixers

The second phase involves depositing an initial portion of the stolen funds – now in Bitcoin – into crypto mixers. These services are designed to obscure the transaction trail for investigators by combining funds from multiple users.

Robinson explained that, until now, tracking the Bybit funds was relatively straightforward. However, mixers present significant obstacles for most investigators.

Challenges and Limitations of Mixers

Redbord pointed out that mixers typically process a daily volume of a few million to $10 million. Whether these services can sustain the influx of funds from this operation remains uncertain.

Potential for Recovery and Exchange Cooperation

Despite the challenges, Robinson believes there is still a possibility of recovering some of the stolen funds. “It is probable that at least a portion of these funds will pass through cryptocurrency exchanges, where they could potentially be frozen,” Redbord added. “The key is whether exchanges can identify and freeze the stolen assets quickly enough.”

Bybit’s Bounty Program

Following the hack, Bybit established a bounty program totaling $140 million, offering rewards to individuals who could assist in tracing and freezing the stolen funds. The company pledged to award 5% of recovered funds to those who successfully freeze the assets and another 5% to those who initially report the funds leading to their freezing. As of the latest update, Bybit has distributed $4.3 million to 19 bounty hunters.

Bybit did not respond to a request for comment regarding this matter.
