
Elliptic Reports Lazarus Group’s Continued Use of eXch for Money Laundering, Despite Bybit’s Transaction Blocking Requests
According to blockchain research firm Elliptic, the Lazarus Group has laundered stolen cryptocurrency from the recent Bybit hack through the exchange eXch. Last Friday, hackers stole nearly $1.5 billion worth of Ethereum (ETH) and Lido Staked Ether (stETH) from Bybit, making it the largest crypto hack in history. Elliptic, along with pseudonymous on-chain investigator ZachXBT and other researchers, has attributed the exploit to the Lazarus Group, a well-known North Korean cybercriminal organization responsible for multiple high-profile hacks on major crypto platforms.
Elliptic’s analysis reveals that Lazarus’ typical money-laundering process first involves exchanging stolen tokens for a native blockchain asset like Ethereum, because ETH cannot be frozen by a central authority. In the second step, the stolen funds are “layered” through various wallets, exchanges, cross-chain bridges, and crypto mixers to obscure the transaction trail. Currently, Lazarus is in the middle of this second step.
Within two hours of the theft, the stolen funds were sent to 50 different wallets, each holding around 10,000 ETH. As of 1 pm UTC on February 24, approximately 14.5% of the stolen assets, now worth $195 million, have been moved from these wallets. Once moved out of these wallets, the funds are being laundered through various services, including decentralized exchanges (DEXs), cross-chain bridges, and centralized exchanges.
However, one service, eXch, has emerged as a major facilitator of this laundering process. eXch is a cryptocurrency exchange known for allowing anonymous crypto asset swaps. It has been used to exchange hundreds of millions of dollars in crypto assets derived from criminal activity, including multiple thefts by North Korea. Despite Bybit’s direct requests, eXch has refused to block this activity.
Over the weekend, eXch denied claims of laundering crypto for Lazarus on the BitcoinTalk forum, though it admitted to processing an “insignificant” portion of the stolen Bybit funds. Bybit CEO Ben Zhou stated that the firm has restored a 1:1 backing on all client assets after the hack and announced a full restoration of services on Saturday.
Source: https://www.elliptic.co/blog/bybit-hack-lazarus-group