24.02.2025
Mikhail Vnuchkov
Author at Traders Union

Bybit hack: Stolen ETH laundered via DEX and eXch


The theft of $1.4 billion in ETH from Bybit and the subsequent attempts to launder the funds demonstrated the crypto community’s unity in preventing impunity for cryptocurrency theft. However, there were exceptions.

Bybit CEO Ben Zhou thanked the issuers of USDT and USDC—Tether and Circle—for preventing the stolen funds from being monetized. Additionally, the Pump.fun platform, which the hacker attempted to use to launch memecoins on Solana, showed solidarity with Bybit by promptly blocking and deleting them.

Despite the increasing difficulties faced by crypto thieves, loopholes for laundering still exist.

Cointelegraph reports that addresses linked to the Bybit hacker were found using decentralized exchanges (DEXs) such as Sky (formerly MakerDAO), Uniswap, and OKX DEX to trade stolen crypto into Dai, a stablecoin that lacks a freezing function.

According to the copy-trading platform LMK, the Bybit exploiter sent $3.64 million worth of ETH to an address that was later used to swap ETH for Dai.

Additionally, on February 22, blockchain detective ZachXBT reported that the eXch crypto exchange laundered $35 million from the stolen Bybit funds. Nick Bax from Security Alliance also calculated that eXch processed around $30 million in transactions that day linked to North Korea.

"If you're using eXch... don’t be surprised when any service with compliance measures starts scrutinizing the source of your funds," Nick Bax warned users.

The security firm SlowMist also stated that a significant portion of the stolen Ether was converted into Bitcoin, Monero, and other cryptocurrencies via eXch.

In response, eXch denied the accusations but admitted to processing a small portion of the stolen assets, describing it as an "isolated incident."

Moreover, eXch initially refused to freeze the stolen Bybit funds, citing a complicated relationship and past accusations from Ben Zhou as the reason.

Lazarus-style laundering

According to blockchain analytics firm Elliptic, the North Korean hacker group Lazarus, which is suspected to be behind the exploit, follows a characteristic pattern when laundering stolen funds.

Specifically, the group swaps stolen tokens for native blockchain assets like ETH to prevent token issuers from freezing the funds. In the Bybit exploit, the stolen tokens were almost immediately converted to ETH via decentralized exchanges.

The hackers then obscured the transaction history by splitting the funds across multiple wallets, moving assets between blockchains, and using mixing services like Tornado Cash.

Within two hours of the attack, the stolen funds were spread across 50 wallets, each holding approximately 10,000 ETH. By February 23, around 10% of the stolen assets—worth $140 million—had already been moved.
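A monitoring heuristic for the fan-out step described above, as an added example that is not from the article or from Elliptic: it flags any sender that splits funds into near-equal chunks across many recipients inside a two-hour window. The thresholds, the tuple layout and all addresses are assumptions, and the transfers are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_S = 2 * 3600    # article: funds were spread "within two hours"
MIN_RECIPIENTS = 20    # assumed alert threshold
MAX_CV = 0.10          # assumed: chunk sizes within ~10% (stdev / mean)

def find_fanouts(transfers, window_s=WINDOW_S,
                 min_recipients=MIN_RECIPIENTS, max_cv=MAX_CV):
    """transfers: iterable of (unix_ts, sender, recipient, amount_eth).
    Returns {sender: (n_recipients, total_eth)} for the widest window in
    which a sender pays many distinct recipients near-equal amounts."""
    by_sender = defaultdict(list)
    for ts, src, dst, amt in transfers:
        by_sender[src].append((ts, dst, amt))
    hits = {}
    for src, rows in by_sender.items():
        rows.sort()                      # order by timestamp
        start = 0
        for end in range(len(rows)):
            # slide the window so it never spans more than window_s seconds
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            win = rows[start:end + 1]
            recipients = {dst for _, dst, _ in win}
            if len(recipients) < min_recipients:
                continue
            amounts = [amt for _, _, amt in win]
            cv = pstdev(amounts) / mean(amounts)   # relative spread of chunk sizes
            if cv <= max_cv and len(recipients) > hits.get(src, (0, 0))[0]:
                hits[src] = (len(recipients), sum(amounts))
    return hits

def sample_transfers():
    """Constructed data with placeholder addresses, not real on-chain records."""
    t0 = 1_700_000_000
    # 50 chunks of ~10,000 ETH sent over about 98 minutes
    rows = [(t0 + i * 120, "0xSRC_PLACEHOLDER", f"0xHOP{i:02d}", 10_000 + i % 3)
            for i in range(50)]
    # busy hot wallet: many recipients but very uneven amounts
    rows += [(t0 + i * 60, "0xEXCHANGE_PLACEHOLDER", f"0xUSER{i:02d}",
              0.1 * (i + 1) ** 2) for i in range(40)]
    # equal-sized payouts, but one per day rather than a burst
    rows += [(t0 + i * 86_400, "0xPAYROLL_PLACEHOLDER", f"0xEMP{i:02d}", 5.0)
             for i in range(30)]
    return rows

if __name__ == "__main__":
    print(find_fanouts(sample_transfers()))
```

Only the burst of equal-sized chunks is flagged; the uneven hot-wallet payouts and the slow daily distributor stay below the thresholds.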

Elliptic reports that the stolen ETH is now being converted into BTC, a step that typically precedes further obfuscation through mixers. However, the large volume of assets could make this process more challenging.

As we wrote, Bybit CEO Ben Zhou confirmed on Friday that the crypto exchange suffered a significant breach when a hacker exploited a flaw in its ETH cold wallet security. 
