The hackers who stole around $1.4 billion in cryptocurrency from crypto exchange Bybit have moved nearly all of the robbed proceeds and converted them into Bitcoin, in what experts call the first phase of the money-laundering operation.
On February 21, Bybit said that a “sophisticated attack” on one of the company’s wallets resulted in the theft of 401,346 Ethereum, worth around $1.4 billion at the time, in what is the largest crypto theft in history and possibly the largest heist of any kind ever. Blockchain monitoring firms and researchers, as well as the FBI, have accused the North Korean government of being behind the hack.
Since the digital robbery, the hackers have moved all the Ethereum they stole out of the dozens of crypto wallets they originally split the proceeds between and have converted most of the funds to Bitcoin, according to Tom Robinson, the co-founder and chief scientist of crypto monitoring firm Elliptic; and Ari Redbord, a former federal prosecutor and senior Treasury official who is now global head of policy at TRM Labs, also a blockchain monitoring firm.
Andrew Fierman, the head of national security intelligence at blockchain monitoring firm Chainalysis, told TechCrunch that the company is tracking around 90% of the stolen Bybit funds, “the majority of which have been converted to [Bitcoin] and are being held in ~4,400 addresses.”
“The remaining ~10% of stolen funds have been lost to fees/freezes/off-ramped,” the company said. Off-ramps are services that turn crypto into cash.
During this first phase between February 24 and March 2, the North Korean hackers took steps to obscure the origins of the stolen cryptocurrency. According to Redbord, the hackers did this by mostly relying on THORSwap, a decentralized protocol that enables users to swap assets across different blockchains “without the need for an intermediary.”
These laundering steps, Redbord said, showed an “unprecedented level of operational efficiency” from the hackers.
“This rapid laundering suggests that North Korea has either expanded its money-laundering infrastructure or that underground financial networks, particularly in China, have enhanced their capacity to absorb and process illicit funds,” said Redbord. “The scale and velocity of this operation present new challenges for investigators, as traditional anti-money laundering (AML) mechanisms struggle to keep pace with the high volume of illicit transactions.”
At the same time, both Redbord and Robinson said that this is only the beginning for the hackers.
“They still have a way to go to benefit from these funds,” Robinson told TechCrunch.
Contact Us
Do you have more information about the Bybit hack, or other crypto heists? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Redbord explained that, for now, the second phase has entailed depositing “an initial tranche” of the stolen funds — now Bitcoin — into mixers, which is designed to “create doubt in the tracing process” for investigators. Crypto mixers (or tumblers) are services designed to obscure the origin and destination of someone’s cryptocurrency by mixing it with other users’ funds.
“Up to this point essentially anyone with the patience and willingness could follow the flow of the Bybit funds. Mixers, though, are major hurdles for most investigators,” said Robinson.
Redbord noted, however, that mixers usually receive a volume of a few million to $10 million a day so, “whether these mixers can continue to absorb the amount of money at play is an open question.”
In other words, while the hackers got a major, record-breaking amount of loot from Bybit, it’s still unclear how much of it the hackers will be able to convert to cash.
But there’s still hope for Bybit to recover some of it, according to Robinson.
“It’s likely that at least some of these funds will pass through exchanges, where they could potentially be frozen,” Redbord said. “It’s just a question of whether those exchanges are aware quickly enough that they are handling stolen assets.”
After the hack, Bybit offered a total bounty of $140 million to anyone who could help trace the funds and freeze them, a process that prevents anyone else from accessing the funds. The company said it would pay 5% of the recovered funds to “the entity that successfully froze the funds,” and 5% to whoever first reported the funds and led to them being frozen. As of this writing, Bybit has awarded only $4.3 million to 19 bounty hunters, according to the official page of the bounty.
Bybit did not respond to a request for comment.
