Elliptic revealed details about the laundering of $1.46 billion stolen from Bybit
Analysts called the incident the largest single theft in history

24.02.2025 - 10:00
What’s new? Analysts at IS firm Elliptic have said North Korean hacker group Lazarus was involved in the hack of Dubai-based crypto exchange Bybit. On February 21, Bybit, one of the leading global centralized crypto exchanges (CEX), lost $1.46 billion in a malware attack.
What else is known? Elliptic emphasizes that the incident was the largest single theft not only in the crypto industry but in history: previously, the record belonged to Saddam Hussein, who stole $1 billion from the Central Bank of Iraq on the eve of the war in 2003.
Elliptic’s attribution of the attack to Lazarus is based on an analysis of the hackers’ post-attack behavior, including tactics for laundering stolen assets. Lazarus has long been active in the crypto space, and experienced researchers have long highlighted a number of criteria indicating a link between certain attacks and the DPRK.
Since 2017, individuals linked to North Korea have stolen more than $6 billion worth of crypto assets. A number of parties, including the US government, claim the proceeds are being used to fund a weapons program.

Analysts note that Lazarus has developed a powerful, sophisticated system to hack targeted organizations, steal crypto assets and launder them through thousands of blockchain transactions.
When laundering, Lazarus typically first converts stolen tokens to Bitcoin or Ethereum. The reason is that issuers of a number of tokens can in some cases freeze wallets holding stolen assets, whereas BTC and ETH have no central authority that could freeze them.
This is exactly what happened in the first minutes after the Bybit hack: hundreds of millions of dollars in tokens such as stETH and cmETH were exchanged for ETH through decentralized crypto exchanges (DEXs).
In the second step, the stolen funds are split up, which makes their movements harder to track even on a transparent blockchain and slows down the investigation. This process can take many forms, including sending funds through a large number of wallets, transferring funds to other blockchains using cross-chain protocols (bridges) or exchanges, and using crypto mixers such as Tornado Cash or Cryptomixer. All of these allow hackers to buy time to withdraw funds.

According to Elliptic, Lazarus is currently in this second phase. Within two hours of the theft, funds were sent to 50 wallets, about 10,000 ETH each. These wallets are now being systematically emptied: by February 23, 10% of the stolen assets had been transferred to other addresses.
Once funds are withdrawn from these wallets, they are laundered through various services including CEX, DEX, and cross-chain bridges. According to analysts, the primary and willing facilitator of this laundering is the anonymous P2P platform eXch.
Tens of millions of dollars stolen from Bybit have already passed through eXch, but the platform’s team has refused to block the activity in response to inquiries.
eXch and other similar services are used to convert ETH to BTC. Based on typical Lazarus tactics, we can expect hackers to soon start using mixers to obfuscate transactions. However, this may prove to be a difficult task due to the sheer volume of stolen assets, the analysts concluded.