Bybit hackers moves stolen funds through crypto mixers and Wasabi Wallet

Blockchain analytics company Elliptic has revealed that the group behind the Bybit hack has started laundering funds. In an update to its February 23 report, the firm said the Lazarus Group, which is behind the hack, has started laundering funds with Bitcoin mixers.

According to Elliptic, Lazarus is using Cryptomixer and Wasabi Wallet to launder the stolen funds, which it had earlier converted to Bitcoin through the eXch exchange. The move appears to be the final step in the hackers’ effort to hide any traces of the stolen $1.4 billion.

It wrote:

“As with other North Korea-linked thefts, this bitcoin has now begun to be passed through mixers to further obfuscate the transaction trail. This process has just begun, but stolen assets worth hundreds of thousands of dollars have already been sent through Cryptomixer and Wasabi Wallet.”

While the hackers’ choice of mixers might surprise most people,  it highlights the expertise of the North Korean hackers, whom Elliptic describes as the “most sophisticated and well-resourced launderer of crypto assets in existence.” It also shows how most bad actors convert stolen assets into Bitcoin as part of the laundering process and use diverse ways to make the assets untraceable.

Cryptomixer is a centralized mixer that has existed since 2016. Like all traditional mixers, users dump assets into one pool controlled by the operator and withdraw their funds, excluding fees, using other addresses. Despite being around for almost a decade, the platform has managed to avoid being targeted by law enforcement agencies.

On its part, the Wasabi wallet is not a traditional mixing service. It is actually a fully non-custodial privacy wallet that uses Coinjoin transactions to hide the transaction trail. This is not the first time that bad actors will use Wasabi, with an Elliptic report from 2022 showing that Chinese spies used it to pay bribes to a US double agent.

So far, only hundreds of thousands have been moved through the mixers, and several crypto investigators continue to follow the money trail despite the mixing to prevent the hackers from cashing out on the stolen assets.

Extra $43k in Bybit money frozen on OKX

Meanwhile, efforts to recover as much of the Bybit funds as possible from the bad actors remain underway as the hackers try to convert the stolen funds to cash on centralized exchanges.

According to the most recent report from on-chain sleuth ZachXBT, $43,0000 connected to the hack has been frozen on OKX in collaboration with the OKX team.

While this might seem small given the total amount stolen, it highlights the highly collaborative approach that the crypto community has adopted in tracing and recovering stolen funds. Elliptic has been busy tracing the funds while Web3 forensics company zeroShadow is also assisting with tracking and freezing the stolen assets.

So far, their efforts have yielded the freezing of over 3%  of the stolen assets, around $50 million. However, about 20% of the funds ($280 million) have reportedly become untraceable, showing how effectively the hackers are hiding their transaction trail.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot