Bybit Hack Update: North Korea Moves to Next Stage of Laundering
On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, suffered an unprecedented cyberattack at the hands of North Korea, resulting in the theft of approximately USD 1.5 billion in Ethereum tokens. This event now stands as the largest exploit on record, surpassing previous high-profile exchange breaches and raising serious concerns about the increasing sophistication of cybercriminals.
Beyond the sheer scale of the Bybit hack, the speed at which the stolen funds are being laundered is particularly alarming. Within 48 hours, at least USD 160 million had been funneled through illicit channels, with TRM estimating that the total surpassed USD 200 million by February 23. By February 26, over USD 400 million had been moved, indicating an unprecedented level of operational efficiency.

Late in the day on March 3, 2025, the North Koreans finished the initial phase of laundering the proceeds of the Bybit hack. All of the stolen ETH has now been moved to new addresses, with the vast majority bridged to Bitcoin, mostly via services using THORChain. TRM is tracking addresses controlled by the Bybit launderers. This rapid and methodical operation indicates an unprecedented level of operational efficiency, posing serious challenges for investigators.
The laundering process has relied heavily on decentralized finance (DeFi) tools, particularly decentralized exchanges (DEXs) and cross-chain bridges, to obscure the stolen assets' origins. Attackers moved the vast majority of the stolen Ethereum via THORSwap, a decentralized cross-chain liquidity protocol that enables direct asset swaps without the need for an intermediary. Between February 24 and March 2, THORChain saw an unprecedented surge in activity.
This rapid laundering suggests that North Korea has either expanded its money laundering infrastructure or that underground financial networks, particularly in China, have enhanced their capacity to absorb and process illicit funds. The scale and velocity of this operation present new challenges for investigators, as traditional anti-money laundering (AML) mechanisms struggle to keep pace with the high volume of illicit transactions.
Historically, North Korean cybercriminals have relied on cryptocurrency mixers as a second phase in their laundering process. We have now entered that second phase and have seen an initial tranche of Bybit’s BTC being deposited to mixers including Wasabi and CryptoMixer. Whether these mixers can continue to absorb the amount of money at play is an open question. The typical volumes for these services range from a few million to perhaps USD 10 million in a day. The Bybit launderers might easily deposit that much in hours.
But even at scale, these mixers can create doubt in the tracing process. Up to this point essentially anyone with the patience and willingness could follow the flow of the Bybit funds. Mixers, though, are major hurdles for most investigators. While investigators with access to tools like TRM are able to trace through many mixers with a high degree of confidence, that is not true of investigators using available online tools. TRM expects the number of false positive leads to surge as investigators mistakenly trace unrelated withdrawals from mixers.
Despite the swift movement of assets, a large portion of the converted bitcoin remains largely stationary, suggesting that the hackers are preparing for large-scale liquidation or further obfuscation through over-the-counter (OTC) networks.
This shift in laundering tactics reflects North Korea’s reliance on cross-chain bridges and high-volume transaction strategies, as detailed in a TRM report on DPRK cyber activity. In previous heists, North Korean hackers utilized platforms like Ren Bridge and Avalanche Bridge, often converting funds into bitcoin before employing mixers such as Sinbad, YoMix, Wasabi Wallet, and CryptoMixer. While the services used change with time and enforcement actions, the basic strategy remains largely the same: bridge and mix and bridge again…and again.
According to TRM’s North Korea expert, and former FBI subject matter expert, Nick Carlsen, “The Bybit exploit indicates that the regime is intensifying its ‘flood the zone’ technique—overwhelming compliance teams, blockchain analysts, and law enforcement agencies with rapid, high-frequency transactions across multiple platforms, thereby complicating tracking efforts.”