In the post-mortem of the $1.5 billion Bybit hack, two blockchain research organizations — Nansen and Chainalysis — have revealed the Lazarus Group’s money laundering strategy, which includes swapping illiquid assets for liquid assets, creating a complex money trail, and letting certain wallets sit dormant to let scrutiny die down.
According to Nansen, the typical Lazarus Group strategy first involves swapping the illiquid assets into those that are more fungible and, therefore, easier to move. After the Bybit hack, the perpetrator converted at least $200 million in staked tokens into Ether (ETH), which can be moved much more easily onchain.
After this conversion from illiquid to liquid assets, the laundering process was carried out. To obscure the flow of funds, the hacker routed them through a maze of intermediate wallets, creating a complex trail aimed at confusing trackers. According to Chainalysis, the funds were laundered through decentralized exchanges, crosschain bridges, and even instant swap services that do not require Know Your Customer (KYC) verification.
The complexity of Lazarus Group’s laundering efforts. Source: Chainalysis
Much of the ETH was eventually swapped for Bitcoin (BTC) and stablecoins such as Dai (DAI). In some cases, blockchain analysts were able to track these movements in real time. That allowed certain organizations running these decentralized protocols, such as Chainflip, to block the perpetrator’s attempt to launder the stolen funds.
Throughout the laundering process, the hacker kept breaking the stolen funds into smaller pools sent to a growing number of wallets. The first “hop” divided the funds from one wallet to 42 wallets. The second “hop” split them from 42 wallets into thousands.
So far, the money laundered from the Bybit hack is just a portion of the $1.5 billion. Lazarus Group has another strategy to avoid the heightened attention that a high-profile heist brings: sit and wait. Some wallets with stolen money (a sum that across wallets currently amounts to $900 million) have remained dormant as the group bides its time for the scrutiny to die down.
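The hop-by-hop splitting and the dormant wallets described above are the two things a tracer measures when following stolen funds. The sketch below is an added example, not code from Nansen, Chainalysis or this article; the transfer list, wallet names, block numbers and the `services` set are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount, block); not real chain data.
TRANSFERS = [
    ("theft", "a1", 40, 100), ("theft", "a2", 35, 101), ("theft", "a3", 25, 102),
    ("a1", "b1", 20, 110), ("a1", "b2", 20, 111),
    ("a2", "b3", 15, 112), ("a2", "b4", 10, 113),
    ("b1", "swap", 20, 150),
]

def trace(transfers, source, now_block, dormant_after, services=frozenset()):
    """Walk outward from the source wallet one hop at a time.

    Returns (fanout, dormant): fanout maps hop number to the count of wallets
    first reached at that hop; dormant maps each traced wallet that still
    holds funds and has been inactive for at least `dormant_after` blocks to
    its balance. Wallets in `services` (hypothetical labels for exchanges,
    bridges, swap services) are reached but not followed or flagged.
    """
    out_edges = defaultdict(list)
    balance = defaultdict(int)
    last_active = {}
    for sender, receiver, amount, block in transfers:
        out_edges[sender].append(receiver)
        balance[sender] -= amount
        balance[receiver] += amount
        for wallet in (sender, receiver):
            last_active[wallet] = max(block, last_active.get(wallet, 0))

    hop_of = {source: 0}
    frontier = [source]
    while frontier:
        next_frontier = []
        for wallet in frontier:
            if wallet in services:
                continue  # pooled service funds are not followed further
            for receiver in out_edges[wallet]:
                if receiver not in hop_of:
                    hop_of[receiver] = hop_of[wallet] + 1
                    next_frontier.append(receiver)
        frontier = next_frontier

    fanout = defaultdict(int)
    for hop in hop_of.values():
        fanout[hop] += 1
    dormant = {w: balance[w] for w in hop_of
               if w not in services and balance[w] > 0
               and now_block - last_active[w] >= dormant_after}
    return dict(fanout), dormant
```

A rising wallet count per hop reflects the splitting pattern, and the dormant set is the watchlist to alert on when any of those wallets next moves funds.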
The nearly $1.5 billion hack is more than the group’s entire haul in 2024 — $1.3 billion over 47 attacks. The attack stands as the biggest crypto heist of all time, one that rallied the community together in support of Bybit and against the hackers. As Lazarus Group faces increased scrutiny, it has continued to adapt. As Cointelegraph reported, its cyberwarfare strategy remains one of the most lucrative and sophisticated in the world.