Bybit Hacker Launders Stolen Funds
- The Bybit hacker exploits THORChain and OKX DEX to launder stolen funds into non-freezable DAI.
- Exchanges and security firms freeze stolen assets, but the hacker evades tracking and asset recovery.
- The hacker is now bridging assets to Solana and using fake KYC data, creating new challenges for crypto security teams.
The hacker behind the Bybit attack has resumed moving stolen assets, refining their laundering techniques. According to Web3 security firm Beosin, the hacker primarily uses THORChain to transfer stolen cryptocurrency to the Bitcoin blockchain, then converts the assets into non-freezable DAI via OKX DEX.
> BeosinTrace reported tracking the Bybit hacker’s asset transfer at 08:58:23 UTC+8 today. The hacker’s selling method has stabilized, mainly relying on Thorchain for Bitcoin transfers and converting with OKX DEX. Converted DAI will flow…
> — Wu Blockchain (@WuBlockchain) February 24, 2025
Hacker Converts Over $106 Million Worth of ETH
Recent blockchain activity shows the Bybit hacker converted 37,900 ETH, valued at approximately $106 million, into various assets. This laundering operation began on February 22, 2025, and lasted around 30 hours. The hacker used multiple cross-chain exchange platforms, such as Chainflip, THORChain, LiFi, DLN, and eXch, to move funds.
As per the latest updates, the hacker still retains 461,491 ETH, valued at around $12.9 billion. The structured approach in asset movement indicates a more stable laundering method. Analysts believe that, by employing decentralized platforms, the hacker aims to evade tracking and asset-freezing efforts.
Exchanges and Authorities Take Countermeasures
Several cryptocurrency platforms reacted by freezing assets related to the stolen funds. ChangeNow froze 34 ETH, Avalanche restricted access to 0.38755 BTC, and the Lightning Network-based exchange FixedFloat froze $120,000 in USDC and USDT stablecoins.
Additionally, THORChain blacklisted addresses linked to the North Korean hacking syndicate suspected in the attack. Stablecoin issuers Tether and Circle flagged wallets associated with the hacker, leading Tether to freeze 181,000 USDT.
Bybit announced that $42.85 million in stolen assets were frozen across various exchanges and warned users of scammers impersonating Bybit officials seeking sensitive information.
Hacker’s Shift to Solana Raises New Concerns
On-chain data suggests the hacker is now bridging assets to Solana, using fake KYC data for deposits on exchanges. In response, Bybit collaborated with Pump.fun and Solana Foundation President, Lily Liu, to eliminate a Solana-based token linked to the hacker.
These evolving laundering strategies underscore the challenges faced by exchanges and security firms in reclaiming stolen funds. Blockchain security experts remain vigilant in monitoring the hacker’s activities as efforts to track and freeze assets continue.