Elliptic Reports Lazarus Group's Continued Use of eXch for Money Laundering Despite Bybit's Transaction Blocking Requests

According to blockchain research firm Elliptic, the Lazarus Group has been laundering stolen cryptocurrency from the recent Bybit hack through the exchange eXch. The hack, which occurred last week, resulted in the theft of nearly $1.5 billion worth of Ethereum (ETH) and Lido Staked Ether (stETH). This attack is considered the largest crypto hack ever and potentially the biggest heist in world history. Elliptic, along with pseudonymous on-chain investigator ZachXBT and other researchers, has attributed the exploit to the Lazarus Group, a notorious North Korean cybercriminal organization known for targeting major crypto platforms.

In their analysis, Elliptic explains that Lazarus typically follows a specific money-laundering process. Initially, the group exchanges the stolen tokens for a native blockchain asset like Ethereum, as ETH cannot be frozen by a central authority. Next, the cybercriminals “layer” the stolen funds through various wallets, exchanges, cross-chain bridges, and crypto mixers to conceal the transaction trail. Elliptic states that Lazarus is currently in the middle of this second step.

Within two hours of the theft, the stolen funds were distributed among 50 different wallets, each holding approximately 10,000 ETH. As of February 24, 1 pm UTC, 14.5% of the stolen assets (worth $195 million) have been moved from these wallets. Once removed from these wallets, the funds are being laundered through different services, including decentralized exchanges (DEXs), cross-chain bridges, and centralized exchanges.

However, one service, eXch, has emerged as a significant facilitator of this money laundering. eXch is a cryptocurrency exchange known for enabling anonymous cryptoasset swaps. It has processed hundreds of millions of dollars in crypto assets derived from criminal activity, including multiple thefts by North Korea. Despite Bybit’s direct requests, eXch has refused to block this activity.

Over the weekend, eXch denied claims of laundering crypto for Lazarus on the BitcoinTalk forum. However, it admitted to processing an “insignificant” portion of the stolen Bybit funds, which entered their address 0xf1da173228fcf015f43f3ea15abbb51f0d8f1123. They clarified that this was an isolated case and the only part processed by their exchange. They also stated that any other transactions falsely attributed to eXch are targeted FUD attacks.

Bybit CEO Ben Zhou announced that the firm has restored a 1:1 backing on all client assets following the hack. The Dubai-based exchange announced a full restoration of services on Saturday.
