Lazarus Group Shows no Signs of Stopping After Moving Almost Three Quarters of ByBit Stolen Funds

Vlad CONSTANTINESCU

March 04, 2025

The ByBit crypto heist saga continues to unfold, as perpetrators waste no time laundering funds stolen in the attack.

ByBit's devastating attack

News of the ByBit crypto heist made the rounds last week after threat actors exploited a smart contract function to divert a record $1.5 billion to attacker-controlled wallets.

Security experts believed the Lazarus Group orchestrated the attack, and their suspicions were later reinforced when the FBI officially blamed the infamous North Korea-backed cybercrime syndicate.

Efforts to thwart laundering activities

Before establishing the threat group’s identity, ByBit, helped by security experts and authorities, identified the crypto wallet addresses involved in the heist, in an attempt to impede perpetrators from moving the stolen funds.

The FBI even published a list of crypto addresses connected to the attack, encouraging bridges, DeFi services, exchanges, RPC node operators, and other entities to block transactions linked to them.

Perpetrators continuously launder stolen funds

However, despite best efforts, the threat actors have already laundered most of the stolen proceeds. According to CoinTelegraph, perpetrators moved approximately 343,000 ETH, or 68.7% of the 499,000 ETH stolen.

The cybercrime gang used decentralized exchanges, instant swap bridges that lack KYC (know your customer) verification, and cross-chain bridges to convert the stolen crypto assets into BTC, DAI stablecoins and other crypto assets.

THORChain used to launder stolen funds

THORChain, one of the protocols used in the laundering process, faced heavy criticism after allowing a large portion of the stolen funds to be processed. As THORChain founder John-Paul Thorbjornsen pointed out, none of the sanctioned wallet addresses were used in the laundering. Thorbjornsen said he is no longer affiliated with the cross-chain protocol.

However, the FBI’s sanctioned wallet list holds only 51 wallets, while blockchain analytics firm Elliptic flagged over 11,000 wallets potentially connected to the heist, making it increasingly difficult to track and block any suspicious transfers.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
