While Bybit is trying to cope with the consequences and restore liquidity, the crypto community has turned its attention to the methods of Lazarus Group. We explain the schemes North Korean hackers use to launder their crypto loot and cover up their crimes.
How Bybit Lost $1.4 Billion
On February 21, 2025, reports appeared online that Bybit, one of the largest crypto exchanges, had been hacked. Initial analysis of the incident led researchers to Lazarus Group, the most famous of the North Korean hacker groups.
Despite the loss of $1.4 billion, Bybit was able to maintain its reputation thanks to its prompt response and the support of the crypto community. The exchange received financial assistance from platforms such as Binance and Bitget and coordinated the return of funds through a rewards system.
The attack appeared identical to the WazirX and Radiant Capital hacks in 2024. The attackers are known to have targeted Bybit's multi-signature cold wallet. Although similar hacks had happened before, the exchange's systems were unprepared for such a challenge, and the North Koreans got their money again.
How Lazarus Group's Money Laundering Scheme Works
After the Bybit hack, Lazarus Group began applying its well-known laundering strategy, which involves converting illiquid assets into more liquid ones. According to analytics platforms Nansen and Chainalysis, the group began by converting $200 million of previously staked coins into ETH, which is much easier to move online. The process was part of a more complex scheme to obfuscate trails and minimize traceability.
To conceal its actions, Lazarus used a variety of money laundering tools, including decentralized exchanges, cross-chain bridges, and instant exchange services that do not require KYC. In the laundering process, funds were split into multiple parts and sent to different wallets, making them difficult to identify and trace. According to Chainalysis, funds also moved through multiple intermediate wallets, creating a confusing trail.
Arkham analysts found that the hackers used THORChain, among other tools. According to their data, the attackers have already laundered at least $240 million worth of cryptocurrency through the network. Presumably, the fraudsters chose THORChain because the platform allows direct crypto exchanges between different chains without the need to work with “wrapped” coins. This helps hide the origin and destination of the funds. Arkham believes that the hackers exchanged already laundered coins for bitcoins.
In addition, the group used a “sit and wait” strategy. Some wallets holding stolen funds remained inactive for a certain period of time, which took them out of the crosshairs. This strategy lets Lazarus avoid increased scrutiny of its actions and gives it time to reallocate funds without much risk.
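The splitting, intermediate-wallet hops and dormant wallets described above are the patterns that fund tracing looks for. The Python sketch below is an added example, not code from Nansen, Chainalysis or Arkham; the ledger, addresses, thresholds and the taint-first accounting rule are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample ledger: (hour, sender, receiver, amount). All addresses
# and values are made up; "bridge" stands in for a cross-chain service.
TRANSFERS = [
    (0, "theft", "A", 900.0),
    (1, "A", "B1", 300.0), (1, "A", "B2", 300.0), (2, "A", "B3", 300.0),
    (3, "B1", "C1", 300.0),
    (4, "C1", "bridge", 300.0),
    (40, "B2", "C2", 300.0),
    (41, "clean", "C2", 100.0),   # unrelated deposit, carries no taint
]

def trace(transfers, source, now, services=(), fanout_min=3, dormant_hours=48):
    """Follow stolen funds forward from `source`.

    Returns (held, splitters, dormant):
      held      - tainted balance still sitting at each address
      splitters - addresses that fanned taint out to >= fanout_min wallets
      dormant   - non-service addresses holding taint with no activity for
                  >= dormant_hours as of `now`
    """
    held = defaultdict(float)
    recipients = defaultdict(set)
    last_seen = {}
    for hour, src, dst, amount in sorted(transfers):
        # Taint-first rule (an assumption of this sketch): an outgoing payment
        # spends the sender's tainted balance before any clean balance.
        moved = amount if src == source else min(amount, held[src])
        if moved <= 0:
            continue
        if src != source:
            held[src] -= moved
            recipients[src].add(dst)
        held[dst] += moved
        last_seen[src] = last_seen[dst] = hour
    held = {a: v for a, v in held.items() if v > 0}
    splitters = {a for a, r in recipients.items() if len(r) >= fanout_min}
    dormant = {a for a in held
               if a not in services and now - last_seen[a] >= dormant_hours}
    return held, splitters, dormant

if __name__ == "__main__":
    print(trace(TRANSFERS, "theft", now=60, services={"bridge"}))
```

Addresses in the dormant set are the ones worth keeping on a watchlist, since the "sit and wait" approach relies on attention moving elsewhere before the funds move again.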
Conclusion
The Bybit hack was a prime example of how, amid the growing popularity of cryptocurrency, criminal groups such as Lazarus continue to use digital assets as a tool to finance their goals. The incident poses serious challenges to the crypto industry, requiring not only improved security, but also tighter regulation to prevent crypto from being used for shady operations.