Bybit Hacking Incident: $1.46 Billion Stolen — The Work of North Korean Hacker Group Lazarus?
On February 21, 2025, a massive hacking incident occurred at the cryptocurrency exchange Bybit, headquartered in Dubai, resulting in the theft of approximately $1.46 billion (around 1.5 trillion won) in cryptocurrencies. This is recorded as the largest cryptocurrency hack to date, surpassing the shocking incidents of the 2021 Poly Network hack and the 2022 Ronin Network hack.
Where the Stolen Funds Went: Possibility of Money Laundering Through Mixers
Blockchain security firm Elliptic has identified the North Korean hacker group Lazarus Group as likely being behind this hack. They also analyzed that “given historical money laundering patterns, it is highly likely that mixers will be utilized in the next stage.” However, they added that the sheer scale of the stolen assets may complicate this process.
The money laundering methods employed by Lazarus Group follow a specific pattern. In the first stage, the stolen cryptocurrencies are exchanged for native blockchain assets such as Ethereum (ETH). In the second stage, “layering” occurs, which involves dispersing funds through multiple steps to obscure transaction traces.
Money Laundering Techniques Used by Hackers
Various methods are utilized during the layering process, including:
- Moving funds through numerous cryptocurrency wallets.
- Transferring funds to different blockchains using cross-chain bridges.
- Performing exchanges among various cryptocurrencies via decentralized exchanges (DEX).
- Employing mixers like Tornado Cash to make tracking difficult.
According to Elliptic, within just two hours following the hack, the stolen funds had been distributed to 50 different wallets, with approximately 10,000 ETH stored in each wallet. These wallets are currently being systematically drained, with at least 10% of the stolen assets already transferred to other wallets.
Suspicions of Involvement by Specific Cryptocurrency Exchanges
In connection with this incident, suspicions have arisen that certain cryptocurrency exchanges are aiding the Lazarus Group in their money laundering efforts. Elliptic stated that “a specific service is acting as a major and intentional facilitator in this money laundering, refusing to cooperate despite direct blocking requests from Bybit.”
Elliptic specifically claims that a cryptocurrency exchange named 'eXch' allowed the anonymous exchange of stolen Bybit assets worth tens of millions of dollars. However, on February 23, eXch denied these allegations.
Past Money Laundering Cases of the Lazarus Group
The Lazarus Group is known to have laundered more than $200 million (approximately 260 billion won) through mixers and person-to-person (P2P) marketplaces from 2020 to 2023. However, recent reports from the blockchain analysis firm Chainalysis indicate that crime organizations like Lazarus Group are increasingly evolving to utilize cross-chain bridges instead of mixers.
Bybit Announces Full Replenishment of Stolen Assets
Meanwhile, on February 24, Bybit CEO Ben Zhou announced in an official statement that “Bybit has fully replenished the $1.46 billion worth of Ethereum stolen in this hacking incident.” He also revealed that Bybit plans to release a new “Proof of Reserve” report following a recent audit.
Conclusion: The Importance of Cryptocurrency Security
This hacking incident at Bybit serves as a reminder of the importance of security for cryptocurrency exchanges and their users. As hacking techniques evolve, individual investors must also pay closer attention to enhancing security. Particularly, exchanges need to establish robust security measures and carefully monitor suspicious transactions.
With the likelihood of continued activities from hacker organizations like Lazarus Group, collaboration between blockchain security firms and government agencies will become even more critical. It will be interesting to see how this incident impacts future enhancements in cryptocurrency security.
