How to launder $1.5 billion worth of crypto in 5 easy steps. Lazarus Group case
Crypto exchange Bybit managed to block only $42.8 million. This is less than 3% of the total value of stolen assets
18.03.2025
This study is published for informational purposes only and is not intended to popularize money laundering.
February 2025 was a landmark month for cyber criminals. The Lazarus Group, a hacker group linked to North Korea, pulled off the largest theft in history: almost $1.5 billion. The attackers gained access to one of the wallets of the Bybit crypto exchange.
Bybit had nothing to do with it
The hack of the crypto exchange Bybit was not the fault of its developers. More than two weeks before the hack, the attackers compromised the multi-signature Safe Wallet, which until recently was considered the most reliable and secure option, which is why Bybit used it to store cryptocurrency. On February 2, the attackers exploited a zero-day vulnerability in macOS to gain access to the work laptop of one of Safe Wallet’s developers. Over the following weeks, they bypassed Safe Wallet’s defensive layers one after another and finally injected malicious JavaScript code into the wallet.
Bybit hack chronology
On February 21, Bybit employees were making routine internal transfers of funds from cold vaults, which are kept offline, to hot wallets. One of these transfers was manipulated by the malicious code running on the Safe Wallet side.
Google subsidiary Mandiant, which investigated the intrusion into Safe Wallet’s infrastructure, noted the skill of the Lazarus Group, which not only carried out a large-scale attack but also thoroughly covered its tracks. Some of the technical details of the intrusion are still unknown, because the hackers erased the malicious code and the traces of their presence after the breach.
Moving stolen cryptocurrency to Lazarus Group wallets
Audit of stolen funds
After gaining access to the wallet, the hackers took possession of the following assets:
- 401,347 Ethereum (ETH)
- 90,376 Lido Staked Ether (stETH)
- 15,000 cmETH
- 8,000 mETH
The value of all stolen assets at the time of the hack was $1.46 billion.
| Address where the stolen assets were accumulated immediately after the hack |
| 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 |
After withdrawing the assets from the Bybit cold wallet, the hackers swapped the derivative ETH assets (stETH, cmETH, and mETH) for the native coin of the Ethereum blockchain. DEX platforms such as Uniswap and Curve were used for this purpose.
| Example of a stETH exchange transaction using Curve |
| 0x4ef02a4d6ca5078647ece2b15599cce62942b517e6bcf52ea89940987762cc5d |
How Lazarus Group laundered $1.5 billion in 10 days
Step №1. Fragmentation of assets and wallets
More than 475,000 ETH, initially held at a single address, started moving to new wallets within a day of the hack. In the first step, the attackers created a network of 48 addresses (10,000 ETH per address).
| Primary network of 48 addresses |
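The fan-out pattern described in this step (one address spreading funds to many previously unused addresses in near-equal chunks within a short time) is something a compliance or analytics team can flag automatically. The following is an added example from the editor, not code from the article or from any analytics vendor; every address, hash and timestamp in it is constructed for the demo, and the thresholds (eight outputs, a 24-hour window, 5% amount tolerance) are assumptions to be tuned against real data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    src: str
    dst: str
    amount: float        # in ETH
    ts: datetime


def _fresh_destinations(transfers):
    """Map tx_hash -> True when the destination had no history before this transfer."""
    seen = set()
    fresh = {}
    for t in sorted(transfers, key=lambda t: t.ts):
        fresh[t.tx_hash] = t.dst not in seen
        seen.add(t.src)
        seen.add(t.dst)
    return fresh


def detect_fan_out(transfers, min_outputs=8, window=timedelta(hours=24), tolerance=0.05):
    """Flag sources that send >= min_outputs near-equal amounts to distinct fresh
    addresses inside one time window. Returns one finding dict per flagged source."""
    fresh = _fresh_destinations(transfers)
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)

    findings = []
    for src, outs in by_src.items():
        outs.sort(key=lambda t: t.ts)
        best = None
        start = 0
        for end in range(len(outs)):
            # slide the window so that outs[start:end+1] spans at most `window`
            while outs[end].ts - outs[start].ts > window:
                start += 1
            chunk = [t for t in outs[start:end + 1] if fresh[t.tx_hash]]
            if len(chunk) < min_outputs:
                continue
            med = median(t.amount for t in chunk)
            uniform = [t for t in chunk if abs(t.amount - med) <= tolerance * med]
            dests = {t.dst for t in uniform}
            if len(dests) >= min_outputs and (best is None or len(dests) > best["outputs"]):
                best = {
                    "src": src,
                    "outputs": len(dests),
                    "amount_each": med,
                    "total": sum(t.amount for t in uniform),
                    "destinations": sorted(dests),
                }
        if best:
            findings.append(best)
    return findings


# Constructed sample ledger (not real on-chain data).
T0 = datetime(2025, 2, 22, 0, 0)
SAMPLE = []
# (a) one address splitting 10,000 ETH chunks into 12 never-seen addresses in 3 hours
for i in range(12):
    SAMPLE.append(Transfer(f"0xsplit{i:02d}", "0xSOURCE_CONSTRUCTED", f"0xfresh{i:02d}",
                           10_000.0, T0 + timedelta(minutes=15 * i)))
# (b) an exchange hot wallet paying out varied user withdrawals: fresh addresses, but amounts differ
for i in range(12):
    SAMPLE.append(Transfer(f"0xwd{i:02d}", "0xHOTWALLET_CONSTRUCTED", f"0xuser{i:02d}",
                           1.0 + 0.7 * i, T0 + timedelta(minutes=10 * i)))
# (c) a payroll sending equal amounts, but to addresses that already had history
for i in range(10):
    SAMPLE.append(Transfer(f"0xseed{i:02d}", f"0xemp{i:02d}", "0xMERCHANT_CONSTRUCTED",
                           0.1, T0 - timedelta(days=30)))
    SAMPLE.append(Transfer(f"0xpay{i:02d}", "0xPAYROLL_CONSTRUCTED", f"0xemp{i:02d}",
                           2.0, T0 + timedelta(minutes=5 * i)))


def run_demo():
    return detect_fan_out(SAMPLE)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['src']}: {f['outputs']} x {f['amount_each']:.0f} ETH = {f['total']:.0f} ETH")
```

Only the splitting source is reported: the hot wallet fails the uniform-amount test and the payroll fails the fresh-destination test. A real deployment would add the obvious second-order check, namely whether the fresh destinations themselves start fanning out again, which is what turns 48 addresses into the thousands mentioned in the next step.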
Step №2. Using cross-chain protocols
After the initial fragmentation, the hackers used cross-chain protocols to exchange ETH for BTC. At this stage, the attackers built another network of almost 7,000 BTC addresses, which made tracking and blocking the funds considerably harder. The largest share of the funds (about 361,000 ETH) was passed through the THORChain protocol, and some coins went through Chainflip.
| Example of transaction from Lazarus wallet to THORChain |
| 0xf6d67af0a03d64c2170d7613acb0c923056ed7a7feb221321a6ec220f4f280a2 |
Step №3. Using mixers and exchanges without KYC
After the secondary split, the stolen funds were directed to decentralized mixing protocols (Wasabi and CryptoMixer) and to exchanges that allow anonymous transactions. Some of the assets were moved to the eXch exchange. On its website, eXch openly states that it does not track any metadata of its users and warns of the likelihood that funds will later be blocked because of high AML risks. By this point, the network of addresses associated with the Bybit hack had grown several times over, making it very difficult even for professional analytics companies and researchers to trace the chain of fund movements.
eXch exchange FAQ section
Step №4. Meme coin platforms
Pump.fun, a popular meme coin platform on the Solana blockchain, was one of the tools used to launder funds stolen from Bybit. The attackers created meme coins on the platform and used the stolen funds to seed liquidity pools. One such “dirty” token was QinShihuang. More than $26 million was laundered this way before Pump.fun developers started blocking tokens linked to money laundering.
Step №5. Peer-to-peer (P2P) exchanges
A small share of the assets was laundered through over-the-counter and P2P channels. For this, Chinese and Russian exchange services were used, where the cryptocurrency was converted into fiat.
Why such transactions are difficult to trace
Despite the scale of the attack and the significant damage, only $42.8 million (less than 3% of the total value of the stolen assets) was promptly traced and blocked. Law enforcement agencies and analytics services faced an unprecedented challenge in combating the laundering of the stolen funds. The hackers not only moved funds through large address networks, creating thousands of new transaction chains, but also learned to break those chains using decentralized technologies and cross-chain bridges.
Attackers have learned to use cross-chain technologies to their advantage. The essence of a cross-chain transfer is that the asset never actually leaves its blockchain. If an asset needs to be moved from blockchain A to blockchain B, the original asset is locked in blockchain A and a corresponding asset is created in blockchain B. This breaks the direct chain of fund movements.
Linking the two legs of such a broken transaction chain requires sophisticated large-scale analytics. The only way to identify a cross-chain transaction and connect the assets on both sides is to match metadata (transaction time, amount, etc.). To generate a large volume of false matches and confuse blockchain researchers, attackers combine fragmentation and mixing, routing assets through thousands and sometimes tens of thousands of different addresses.
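The metadata matching just described, and the way fragmentation into equal-sized chunks defeats it, can be shown on a small constructed dataset. This is an added example from the editor, not code from the article or from any analytics product. It assumes a fixed ETH-to-BTC conversion rate, a maximum bridge delay of 90 minutes and a 3% amount tolerance for fees and slippage; all transactions, addresses and timestamps are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Leg:
    chain: str      # "ETH" (outbound, chain A) or "BTC" (inbound, chain B)
    tx_hash: str
    address: str
    amount: float   # native units of its chain
    ts: datetime


def link_cross_chain(outbound, inbound, rate, max_delay=timedelta(minutes=90), tolerance=0.03):
    """Match outbound chain-A legs to inbound chain-B legs by time window and amount.

    rate: expected chain-B units received per chain-A unit sent (assumed constant here).
    A link is accepted only when it is unique in BOTH directions; legs with several
    plausible partners are reported as ambiguous rather than guessed."""
    out_cands = {o.tx_hash: [] for o in outbound}
    in_cands = {i.tx_hash: [] for i in inbound}
    for o in outbound:
        expected = o.amount * rate
        for i in inbound:
            delay = i.ts - o.ts
            if timedelta(0) <= delay <= max_delay and abs(i.amount - expected) <= tolerance * expected:
                out_cands[o.tx_hash].append(i)
                in_cands[i.tx_hash].append(o)

    links, ambiguous, unmatched = [], [], []
    for o in outbound:
        cands = out_cands[o.tx_hash]
        if not cands:
            unmatched.append(o)
        elif len(cands) == 1 and len(in_cands[cands[0].tx_hash]) == 1:
            links.append((o, cands[0]))
        else:
            ambiguous.append((o, cands))
    return links, ambiguous, unmatched


# Constructed sample: ETH sent into a cross-chain service, BTC appearing on the other side.
RATE_BTC_PER_ETH = 0.028          # assumed conversion rate for the demo
D = datetime(2025, 2, 23)
OUTBOUND = [
    Leg("ETH", "0xA1_constructed", "0xsrc1", 10_000.0, D.replace(hour=12, minute=0)),
    Leg("ETH", "0xA2_constructed", "0xsrc2", 10_000.0, D.replace(hour=13, minute=0)),
    Leg("ETH", "0xA3_constructed", "0xsrc3", 10_000.0, D.replace(hour=13, minute=5)),
    Leg("ETH", "0xA4_constructed", "0xsrc4", 500.0, D.replace(hour=15, minute=0)),
]
INBOUND = [
    Leg("BTC", "b1_constructed", "bc1qdst1", 279.0, D.replace(hour=12, minute=40)),   # ~280 minus fee
    Leg("BTC", "b2_constructed", "bc1qdst2", 278.5, D.replace(hour=13, minute=45)),
    Leg("BTC", "b3_constructed", "bc1qdst3", 279.2, D.replace(hour=13, minute=50)),
    Leg("BTC", "b4_constructed", "bc1qnoise", 5.0, D.replace(hour=12, minute=30)),    # unrelated
]


def run_demo():
    return link_cross_chain(OUTBOUND, INBOUND, RATE_BTC_PER_ETH)


if __name__ == "__main__":
    links, ambiguous, unmatched = run_demo()
    for o, i in links:
        print(f"linked   {o.tx_hash} -> {i.tx_hash}")
    for o, cands in ambiguous:
        print(f"ambiguous {o.tx_hash}: {[c.tx_hash for c in cands]}")
    for o in unmatched:
        print(f"unmatched {o.tx_hash}")
```

The lone 10,000 ETH leg at 12:00 links cleanly to the 279 BTC output at 12:40. The two 10,000 ETH legs sent five minutes apart each have two plausible BTC partners, so the matcher refuses to pick one: this is exactly the effect of the equal-sized chunks from step 1, and it is why investigators fall back on additional signals (service-specific memo fields, address reuse, downstream clustering) rather than time and amount alone.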