Bybit exchange hackers launder 89,500 ETH (worth about $224 million) in the past 2.5 days

On-chain analyst EmberCN revealed that the Bybit exchange hacker has laundered 89,500 ETH in the past two and a half days. According to the analyst, the hacker has laundered nearly $224 million, which is 18% of the total ETH stolen (499,000 ETH).
EmberCN believes that if the laundering frequency continues, the hacker will be able to exchange the remaining 410,000 ETH for other assets in half a month. EmberCN also noted that the hackers’ cross-chain asset exchanges were mainly carried out through THORChain.
The Bybit exchange hackers began laundering the funds on February 22 by transferring 10,000 ETH ($27M) to Bybit Exploiter 54. On February 23, the hackers used multiple addresses to swap 37,900 ETH ($106M) for Bitcoin and other assets through Chainflip, THORChain, LiFi, DLN, and eXch.
The firm revealed that the hackers began laundering ETH through the eXch cryptocurrency exchange without KYC. Bybit exchange had asked the crypto exchange platform to freeze the funds, but eXch rejected the request. The hackers have now laundered over $75M from Bybit through eXch and it’s still ongoing.
The Bybit exchange exploiter also laundered funds via PumpFun by sending 60 SOL to an address. ZachXBT revealed that the latter launched the token “QinShihuang” (500,000) and generated over $26M in trading. PumpFun later removed the Lazarus-linked meme coin from its front end on February 23.
According to ZachXBT, the attacker received $1.08M from the Bybit hack on February 22. The funds were later moved from Ethereum to Solana, then to BSC, and then split across 30+ addresses. He added that 106K USDC was later divided between 10 BSC addresses and bridged back to Solana.
On February 23, Bybit froze a total of $42.89 million as part of a coordinated effort. Tether’s founder, Paolo Ardoino, froze 181K USDT tied to the Bybit hack. FixedFloat also froze 120K USDC and ESDT, while ChangeNOW froze around 34 ETH.
Arkham Intelligence revealed that the Bybit exchange hacker was making 2 to 3 transactions per minute and stopped every 45 minutes for a 15-minute break. The firm also noted that the hackers moved ETH from one address at a time before moving on to the next one. Lookonchain acknowledged that the Bybit hacker who stole $1.4B in assets appeared to have received ETH from Binance as gas fees.
“As part of the investigation and recovery efforts, Bybit is pledging 10% of recovered funds to reward ethical cyber and network security experts who play an active role in retrieving the stolen cryptocurrencies in the incident.” – Bybit.
Bybit’s founder, Ben Zhou, said that it was not an issue if the firm was experiencing a bank run because the company had enough tokens to give to the clients. He assured the firm’s customers that Bybit could cover the hacked amount of 400,000 ETH with the Bybit treasury. He said, “No matter what, we will make sure all of the client’s money is safe, so your money is safe.”
Bybit also acknowledged that it took loans after the hack to cover its withdrawals. Binance’s founder and former CEO, Changpeng Zhao, suggested that Bybit should halt withdrawals for a bit as a standard security precaution.
Hackers steal $1.5B from Bybit exchange
Cryptocurrency exchange Bybit revealed last week that hackers had stolen digital assets worth around $1.5 billion, which was called the biggest crypto heist of all time. ZachXBT made over 920 addresses linked to the hack public and also confirmed a Lazarus Group connection.
According to Arkham Intelligence, ZachXBT submitted definitive proof on February 21, 19:09 UTC, that the Lazarus Group performed the attack on Bybit exchange. ZachXBT’s submission included a detailed analysis of test transactions and connected wallets used before the hack, as well as multiple forensics graphs and timing analyses.
Bybit exchange CEO Ben Zhou believes that the funds were siphoned from a cold wallet that was used for other tokens. Zhou also confirmed that the company’s hot wallet, warm wallet, and all other cold wallets remained secure.