Bybit exploit six months later: DPRK laundering tactics
On February 21, 2025, the Dubai-based Bybit exchange suffered a $1.46 billion hack, marking the largest confirmed crypto theft. Elliptic attributed the Bybit exploit to DPRK operatives. ZeroShadow reports over $1 billion has since been laundered through professional “laundering as a service” schemes.
The analysis reveals novel crypto laundering tactics. Attackers used refund addresses to reroute blocked transactions to new wallets. Laundering spanned multiple chains (BTC, ETH, BTTC, and TRX), with layering via mixers like Wasabi and CoinJoin to increase obfuscation.
Following the Bybit exploit, stolen funds were also converted into worthless tokens via jUSDT pools on SunSwap, obscuring $24 million of USDT flows. Rare and lesser-known blockchains and services further impeded tracing efforts. Laundered assets were eventually cashed out to fiat via Chinese OTC dealers.
DPRK’s ongoing hacking operations have stolen over $1.75 billion in 2025. The report highlights the heightened risk of DPRK’s advanced laundering toolkit. Elliptic’s blockchain analytics, covering 50+ chains, enable real-time screening to mitigate exposure to illicit funds.
Bearish
The disclosure of such a large-scale hack and sophisticated laundering methods undermines market confidence and raises regulatory concerns. Similar incidents, like the MonoX $600 million hack, triggered immediate sell-offs and heightened volatility. In the short term, traders are likely to reduce exposure and demand stricter compliance measures. Over the long term, improved AML tooling and resilience in crypto markets may stabilize prices, but the negative sentiment could persist until enforcement and security protocols catch up.