Massive $1.46 Billion Crypto Heist: Bybit Exchange Targeted
Last updated: February 27, 2025
In an unprecedented incident, the largest known theft in the history of cryptocurrency, approximately $1.46 billion in cryptoassets was stolen from the Dubai-based exchange Bybit on February 21, 2025. Initial investigations suggest that malware was used to deceive the exchange's systems into authorizing a transfer, allowing the assets to be moved to an address controlled by the thief without triggering the exchange's security controls.
A Historic Heist
This heist dwarfs the previous record for crypto theft, the $611 million taken from Poly Network in 2021, most of which was later returned by the perpetrator. Its magnitude establishes it not only as the largest theft in the cryptocurrency sphere but also as the largest theft of any kind in modern history, surpassing the roughly $1 billion Saddam Hussein took from the Iraqi Central Bank just before the 2003 Iraq War.
Attribution to North Korea
Elliptic, a blockchain analytics firm, has attributed the Bybit breach to North Korean actors, citing several markers in how the stolen funds are being laundered. North Korean actors have been implicated in the theft of over $6 billion in cryptoassets since 2017, with proceeds reportedly used to fund the country's ballistic missile program. The FBI has since confirmed the attribution, underscoring North Korea's capability not only to breach target organizations but also to launder the proceeds through long, complex chains of blockchain transactions.
Ongoing Investigations and Efforts to Recover Funds
Since the theft, Elliptic has been working with Bybit, cryptoasset service providers, and law enforcement agencies to trace the stolen assets and prevent their conversion into cash. Its software alerts businesses worldwide if they receive funds derived from the theft, and some of the stolen funds have been seized as a result.
A recent analysis in Elliptic Investigator illustrates part of the laundering operation, showing how the stolen funds are spread across many wallets in a scheme designed to obscure the original transaction trail.
The Laundering Process
North Korea's laundering follows a recognizable pattern aimed at obscuring the origin of stolen funds. The first step is to exchange stolen tokens for a "native" blockchain asset such as Ether. Many tokens have an issuer that can freeze wallets holding stolen balances; no central party can freeze Ether. This was evident in the aftermath of the Bybit theft: within minutes, hundreds of millions of dollars in stolen tokens were swapped for Ether through decentralized exchanges (DEXs), which require no account and, unlike a centralized exchange, cannot refuse or freeze the swap.
The next phase is layering: passing the funds through many wallets, moving them to other blockchains via cross-chain bridges, and using mixers such as Tornado Cash, all to further conceal their origin. Just two hours after the theft, the assets had been split across 50 wallets, each holding approximately 10,000 ETH. As of February 27, 46% of those holdings (around $626 million) have reportedly been moved out of these wallets.
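The two patterns above, a rapid fan-out into many near-equal wallets and onward hops that eventually reach an address a business controls, lend themselves to simple graph heuristics. The following is an added example written for this page; it is not Elliptic's software, not a description of how Elliptic Investigator works, and not anything Bybit published. Every address (such as `0xthief`), amount and timestamp is constructed, and the two heuristics (a near-equal fan-out detector and a proportional "haircut" taint model used to screen a deposit address, the kind of check that would alert a receiving business) are illustrative choices for this example.

```python
"""Toy tracing heuristics for the laundering pattern described above.

Added example, not Elliptic's (or Bybit's) software. Every address, amount
and timestamp below is constructed for illustration; none is real Bybit data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int         # unix timestamp (seconds)
    src: str        # sending address
    dst: str        # receiving address
    amount: float   # ETH


THIEF = "0xthief"   # hypothetical origin address

# Constructed sample: the origin fans 30,000 ETH into three ~10,000 ETH wallets
# within two minutes; one wallet hops onward to an exchange deposit address,
# which also receives an unrelated 1,000 ETH from a clean address.
SAMPLE = [
    Transfer(1_000, THIEF, "0xw1", 10_000.0),
    Transfer(1_060, THIEF, "0xw2", 10_000.0),
    Transfer(1_120, THIEF, "0xw3", 10_000.0),
    Transfer(5_000, "0xw1", "0xhop", 4_000.0),
    Transfer(6_000, "0xhop", "0xdeposit", 4_000.0),
    Transfer(7_000, "0xclean", "0xdeposit", 1_000.0),
]


def detect_fanout(transfers, window_s=7_200, min_outputs=3, tolerance=0.05):
    """Flag senders that split funds into >= min_outputs near-equal outputs
    inside a time window (the "50 wallets of ~10,000 ETH" layering step).
    Returns {sender: (output_count, mean_amount)}."""
    by_src = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.ts):
        by_src[t.src].append(t)
    flagged = {}
    for src, outs in by_src.items():
        for start in outs:
            group = [o for o in outs if start.ts <= o.ts <= start.ts + window_s]
            if len(group) < min_outputs:
                continue
            mean = sum(o.amount for o in group) / len(group)
            if all(abs(o.amount - mean) <= tolerance * mean for o in group):
                flagged[src] = (len(group), mean)
                break
    return flagged


def propagate_taint(transfers, origin):
    """Proportional ("haircut") taint: each address carries a tainted fraction
    of its balance, and every outgoing transfer carries that fraction of the
    amount spent. The origin is treated as an unbounded, fully tainted source.
    Returns {address: (balance, tainted_amount)} for non-origin addresses."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.src == origin:
            carried = t.amount
        elif balance[t.src] > 0:
            spent = min(t.amount, balance[t.src])   # excess comes from untracked (clean) funds
            carried = spent * (tainted[t.src] / balance[t.src])
            balance[t.src] -= spent
            tainted[t.src] -= carried               # sender's taint fraction is preserved
        else:
            carried = 0.0   # funds from an untracked address count as clean
        balance[t.dst] += t.amount
        tainted[t.dst] += carried
    return {a: (balance[a], tainted[a]) for a in balance}


def screen_deposit(transfers, origin, address, threshold=0.10):
    """Screen an address the way a receiving business would:
    return (tainted_fraction, should_alert)."""
    bal, taint = propagate_taint(transfers, origin).get(address, (0.0, 0.0))
    fraction = taint / bal if bal > 0 else 0.0
    return fraction, fraction >= threshold


if __name__ == "__main__":
    print("fan-out:", detect_fanout(SAMPLE))                       # {'0xthief': (3, 10000.0)}
    print("deposit screen:", screen_deposit(SAMPLE, THIEF, "0xdeposit"))  # (0.8, True)
```

On the constructed data the fan-out detector flags only the origin, and the deposit address comes out 80% tainted because 4,000 of its 5,000 ETH trace back to the origin through one hop. Real analytics tooling adds many more signals (cross-chain bridge and mixer deposit addresses, known-entity clustering, time decay), but the haircut model is the simplest way to see why a business receiving a mixed deposit can still be alerted.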
eXch Exchange’s Involvement
One exchange has drawn particular attention: eXch, which offers anonymous cryptoasset swaps. It has processed hundreds of millions of dollars in crypto derived from criminal activity, including proceeds of the Bybit theft. Despite public requests from Bybit that it block these transactions, eXch has continued to process them, collecting substantial fees every day.
The Ether obtained this way is now being swapped for Bitcoin, which suggests the North Korean operatives will next use mixers to further obscure the trail. The sheer volume of stolen assets, however, makes the laundering process slow and difficult.
Conclusion
North Korea is one of the most adept and well-resourced launderers of cryptoassets, so the ongoing efforts of Elliptic, Bybit and investigators to trace the stolen funds and keep them from benefiting the regime are vital. The investigation is still in its early stages, and updates will be provided as the situation develops.