North Korean hackers behind the Bybit hack had to invent new ways to launder cryptocurrency because they found themselves in a situation unique to the industry

Six months after the $1.5 billion Bybit hack. How the incident changed the industry

22.08.2025

It has been exactly six months since the historic hack of the Bybit exchange. At that time, attackers stole approximately $1.46 billion in Ethereum (ETH) and ERC-20 tokens. GetBlock AML Research summarizes the efforts to counter North Korean hackers and explains their methods of laundering stolen cryptocurrency.

According to a recent report by zeroShadow, more than $1 billion of the stolen funds have already been laundered. It is unlikely that all this money remained under the complete control of North Korean hackers at every stage. It is believed that from the very beginning, they engaged professional turnkey laundering services, which paid North Korea an agreed amount minus their own fee. This version is supported by user complaints: sometimes the services blocked funds stolen from Bybit, and the launderers tried to “save” the money not for the client’s sake, but for their own profit.

[Figure (visualization: Elliptic): The rate of laundering of stolen assets in the first days after the hack]

Large volumes

Usually, funds stolen by North Korea remained in wallets for weeks or even months before any movement began. In the case of Bybit, the money began to be actively transferred immediately. This is because the attack attracted a lot of attention: the crypto community, analysts, and even law enforcement agencies joined the investigation.

In addition to speed, the complexity of the laundering schemes is also noteworthy. The usual repertoire consists of transfers across different blockchains and anonymizing services. In the case of Bybit, however, the attackers “mixed” the coins repeatedly, running them through different blockchains and services and creating additional layers of obfuscation. Sometimes they even used little-known blockchains to make the investigation more difficult.

[Figure (visualization: Elliptic): Connections of the money laundering wallets with different blockchains]

New methods

Different schemes were used for different parts of the stolen funds, suggesting that several independent money laundering teams were at work.

Sometimes they tried to save on fees:

  • they bought special tokens that reduced the cost of transactions,
  • used energy rental services on the Tron network instead of standard payments in TRX,
  • and used “return addresses.”

The latter method worked as follows: some services allow a separate address to be specified for refunds if the transaction fails. Usually, the money is returned to the sender. But the hackers specified a new “clean” wallet, to which the refunded funds were transferred. As a result, the trail disappeared. At the same time, the services still charged a processing fee, which suggests that this trick was not devised specifically for anonymity, though it did help to hide the transfers.

[Figure (visualization: Elliptic): Use of refund addresses]

Mixers and anonymous wallets

Some of the stolen funds were converted into bitcoin and run through Wasabi Wallet (a CoinJoin wallet) and various mixers. The use of Wasabi was particularly high, much higher than in previous North Korean thefts. Tornado Cash, on the other hand, was used less frequently. Little-known mixers were also used: Cryptomixer, Jambler, Coinomize, and others. This is because many services familiar to North Korea have been shut down, such as ChipMixer and Sinbad.io, so new tools had to be found.

Useless tokens

The hackers created a new token that no one needed, made a liquidity pool for it with USDT, and began exchanging stolen stablecoins for this token. This created the “appearance of value.” Then, these tokens were exchanged back to USDT from other addresses, and the laundering process continued. This allowed them to “hide” about $24 million.

[Figure (visualization: Elliptic): Scheme for creating useless tokens for asset laundering]

Cash withdrawal

Ultimately, most of the funds ended up in the Tron blockchain and were converted to USDT. They were then “cashed out” through Chinese OTC services (unofficial exchange services), which convert millions of dollars worth of cryptocurrency into cash every year and ask their customers almost no questions. Many of these services are linked to the Huione group.

The threat remains

Despite the huge amount stolen from Bybit, North Korea continues to steal cryptocurrency in 2025. Their methods include:

  • infiltrating IT specialists into crypto projects (they work honestly at first, then hack their employer),
  • fake calls on Zoom or Google Meet with malicious code installation,
  • “fake” job openings for developers, where infected repositories are slipped in instead of test assignments.
