2025-03-04 19:09:16
1.5 Billion Crypto Theft In Bybit

On February 21, 2025, the crypto industry witnessed its largest theft in history: $1.46 billion was stolen from Bybit, a Dubai-based exchange. Initial investigations indicate that malware was used to manipulate the transaction-signing process: Bybit's signers approved what appeared to be a routine transfer, while the transaction actually signed handed control of the cold wallet's funds to the attacker. This heist surpasses not only the $611 million Poly Network hack but also the largest known theft of any kind, a record previously attributed to Saddam Hussein.
Given the increasing risks in crypto security, we recently explored similar threats in our article "Crypto, Hack, and Fraud: How To Avoid?".
Investigators have linked the Bybit hack to North Korea's Lazarus Group, a state-sponsored hacking group that has stolen over $6 billion in crypto assets since 2017. Experts believe the funds from these heists have been funneled into North Korea's ballistic missile program, raising concerns about the geopolitical consequences of such attacks.
Lazarus Group has demonstrated an advanced ability both to breach crypto platforms and to launder the stolen assets through long chains of blockchain transactions. Following the Bybit theft, AEXchanger and its partners have been working with crypto security firms and investigators to trace the stolen assets, recover what can be recovered, and block further transactions linked to the attackers.
Blockchain tracking technology has played a key role in identifying and seizing some stolen funds. Businesses relying on crypto wallet monitoring solutions are now being alerted if any compromised assets enter their systems, making it harder for the hackers to cash out. However, given the scale and sophistication of this operation, the full recovery of funds remains uncertain.
The Lazarus Group's laundering strategy follows a well-established pattern designed to obscure the origins of stolen funds. The first step is to convert the compromised tokens into more liquid and more decentralized assets such as Ether (ETH). Many tokens are issued by organizations that retain the ability to freeze or blacklist wallets holding stolen assets; native assets such as Bitcoin and Ether, by contrast, have no issuer and cannot be frozen. Within minutes of the Bybit heist, hundreds of millions of dollars in stolen tokens, including stETH and cmETH, were swapped for ETH through decentralized exchanges (DEXs), a move aimed at getting out of freezable assets before any issuer or centralized platform could react.
The second phase of the laundering process, known as “layering,” is designed to complicate the tracking of stolen funds. While blockchain transactions remain publicly visible, mixing and distributing assets through multiple channels can make tracing them more difficult, providing hackers with valuable time to cash out before authorities intervene. The Lazarus Group employs various methods to obfuscate the transaction trail, including:
- Transferring funds across numerous wallets to break direct links between transactions.
- Utilizing cross-chain bridges to shift assets between different blockchains, making tracking more complex.
- Swapping assets through DEXs, coin swap services, and other platforms to further obscure their movement.
- Leveraging privacy-focused mixers such as Tornado Cash and Cryptomixer, which blend stolen funds with legitimate transactions, making them harder to trace.
By employing these tactics, the attackers attempt to dodge detection and evade seizure efforts, ensuring that stolen assets can be laundered and withdrawn with minimal risk of exposure.
The Lazarus Group is currently in the midst of the second stage of its laundering operation. Within two hours of the Bybit heist, the stolen funds were distributed across 50 separate wallets, each holding around 10,000 ETH. These wallets are now being systematically drained, and as of 1 PM UTC on February 24, approximately 15% of the stolen assets, valued at almost $200 million, had already been moved on.
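The monitoring described above (alerting when compromised assets reach a business's own wallets) and the fan-out pattern just described both reduce to replaying the transfer graph. The following is an added example, not code from the article or from any tracing vendor: it propagates "taint" from a seed wallet through a constructed transfer log using the haircut rule (an outgoing transfer carries the sender's current tainted fraction), raises an alert when tainted value lands on a watched deposit address, and separately flags a wallet that splits into many near-equal outputs. All addresses, block numbers and amounts are invented for illustration; "0xhack" stands in for the attacker's first wallet.

```python
"""Added example (not from the article or from any tracing vendor's code).

Models, on a constructed transfer log, the two checks the text describes:
  1. wallet monitoring that alerts when funds traceable to the theft arrive
     at an address we control (the exchange deposit address case), and
  2. spotting the fan-out pattern of one drained wallet splitting into many
     near-equal outputs.
Taint follows the "haircut" rule: an outgoing transfer carries the sender's
current tainted fraction. Addresses and amounts are invented; "0xhack" stands
in for the attacker's first wallet.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    receiver: str
    amount: float  # in ETH; simplified to a single asset


HACKER = "0xhack"

# Constructed log: fan-out from the hacker wallet, one hop that co-mingles
# clean funds, a DEX round-trip, and deposits into two exchange addresses.
SAMPLE_TRANSFERS = [
    Transfer(100, HACKER, "0xhop1", 10_000.0),
    Transfer(100, HACKER, "0xhop2", 10_000.0),
    Transfer(100, HACKER, "0xhop3", 10_000.0),
    Transfer(105, "0xhop1", "0xhop1a", 5_000.0),
    Transfer(105, "0xhop1", "0xhop1b", 5_000.0),
    Transfer(110, "0xclean_whale", "0xhop1a", 5_000.0),  # legitimate funds co-mingled
    Transfer(120, "0xhop1a", "0xexchange_deposit_7", 4_000.0),
    Transfer(121, "0xhop2", "0xdex_router", 10_000.0),   # swap in
    Transfer(121, "0xdex_router", "0xhop2", 9_990.0),    # swap out (same asset, simplified)
    Transfer(130, "0xunrelated", "0xexchange_deposit_8", 50.0),
]


def replay(transfers, seed):
    """Replay transfers in block order, propagating taint with the haircut rule.

    Returns (records, balance, tainted): records is a list of (transfer, tainted
    fraction of that transfer); balance/tainted are per-address running totals.
    Seed addresses are treated as fully tainted regardless of prior history.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    records = []
    for t in sorted(transfers, key=lambda x: x.block):  # stable sort keeps log order within a block
        if t.sender in seed:
            frac = 1.0
        elif balance[t.sender] > 0:
            frac = min(tainted[t.sender] / balance[t.sender], 1.0)
        else:
            frac = 0.0  # sender funded outside our window: assume clean
        moved = t.amount * frac
        balance[t.sender] = max(balance[t.sender] - t.amount, 0.0)
        tainted[t.sender] = max(tainted[t.sender] - moved, 0.0)
        balance[t.receiver] += t.amount
        tainted[t.receiver] += moved
        records.append((t, frac))
    return records, balance, tainted


def flag_tainted_deposits(transfers, seed, watched, min_fraction=0.1):
    """Alerts for transfers into our watched addresses that are >= min_fraction tainted."""
    records, _, _ = replay(transfers, seed)
    return [
        {"block": t.block, "receiver": t.receiver, "amount": t.amount,
         "fraction": frac, "tainted_amount": t.amount * frac}
        for t, frac in records
        if t.receiver in watched and frac >= min_fraction
    ]


def detect_fanout(transfers, min_receivers=3, max_spread=0.05):
    """Senders that split funds into >= min_receivers near-equal outputs in one block.

    max_spread bounds (max - min) / max over the output amounts, so the
    'N wallets of roughly 10,000 ETH each' pattern is caught while ordinary
    batched payouts of varying size are not.
    """
    outs_by_key = defaultdict(list)
    for t in transfers:
        outs_by_key[(t.sender, t.block)].append(t)
    hits = []
    for (sender, block), outs in outs_by_key.items():
        receivers = {t.receiver for t in outs}
        if len(receivers) < min_receivers:
            continue
        amounts = [t.amount for t in outs]
        if max(amounts) > 0 and (max(amounts) - min(amounts)) / max(amounts) <= max_spread:
            hits.append((sender, block, len(receivers), sum(amounts)))
    return hits


if __name__ == "__main__":
    watched = {"0xexchange_deposit_7", "0xexchange_deposit_8"}
    for a in flag_tainted_deposits(SAMPLE_TRANSFERS, {HACKER}, watched):
        print(f"ALERT block {a['block']}: {a['receiver']} received {a['amount']:.0f} ETH, "
              f"{a['fraction']:.0%} tainted ({a['tainted_amount']:.0f} ETH)")
    for sender, block, n, total in detect_fanout(SAMPLE_TRANSFERS):
        print(f"FAN-OUT block {block}: {sender} split {total:.0f} ETH across {n} wallets")
```

On the sample log the deposit into `0xexchange_deposit_7` is flagged as 50% tainted (the hop wallet had mixed 5,000 stolen ETH with 5,000 clean ETH before sending), the unrelated deposit is not, and the hacker wallet's three-way split at block 100 is reported as a fan-out. Haircut is only one taint policy; FIFO and "poison" (any exposure taints everything) rules give different fractions, and which one an exchange applies is a compliance decision. More importantly, this kind of replay needs a visible sender-to-receiver edge: a mixer such as Tornado Cash deliberately removes that edge, and a cross-chain bridge moves it to another ledger, which is exactly why those are the laundering steps the text expects next.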
After leaving these initial wallets, the funds are being laundered through various services, including decentralized exchanges (DEXs), cross-chain bridges, and centralized platforms. However, one particular exchange has emerged as a key enabler of these illicit transactions. eXch, a cryptocurrency trading platform known for allowing anonymous asset swaps, has played a major role in laundering funds linked to various criminal activities, including multiple high-profile crypto thefts attributed to North Korea. Since the Bybit breach, over $75 million worth of stolen assets have been funneled through eXch, despite direct requests from Bybit urging them to intervene. The platform has refused to take action, allowing the conversion of stolen Ether into Bitcoin to continue unchecked.
If past laundering patterns serve as an indicator, the next likely step in the process involves using mixing services to further obscure the movement of stolen funds. However, given the massive scale of this theft, executing such transactions without drawing attention may prove more difficult.
The Lazarus Group remains the most sophisticated and well-funded crypto laundering entity, continuously refining its techniques to evade detection and asset recovery efforts. Within minutes of the attack, Bybit and its investigative partners began tracking the stolen funds in an effort to prevent North Korea from profiting from this record-breaking theft.
Final Thoughts
The Bybit hack is a stark reminder of the persistent threats looming over the cryptocurrency market. With $1.46 billion stolen, it is the largest crypto heist in history and one of the most significant financial thefts ever recorded. Like many before, this incident underscores the urgency of enhanced security measures and the need for regulatory frameworks that can help curb illicit activities in the crypto space.
Despite high-profile attacks, the landscape of crypto security is evolving. As the industry matures, exchanges and blockchain networks develop stronger defenses, and authorities implement stricter monitoring systems to track stolen assets. Bad actors continue to adapt their methods, but the market is also learning and improving, which should make thefts of this scale harder both to carry out and to cash out.
For individual investors, safeguarding assets is paramount. Some essential steps include:
- Using hardware wallets instead of leaving funds on exchanges.
- Enabling multi-factor authentication (MFA) to add extra security layers.
- Verifying transaction details (recipient, amount, and any contract call) on the signing device's own screen rather than trusting only what a web interface displays, since a manipulated interface is how both phishing scams and the Bybit transaction manipulation succeed.
- Being cautious with third-party applications and suspicious investment schemes.
While cybercriminals like the Lazarus Group will continue their efforts, the increasing awareness and adoption of security best practices will play a crucial role in minimizing risks. The Bybit case is a wake-up call for the entire crypto community—strengthening defenses and staying vigilant is the only way forward.