
What Can We Learn from the Bybit Hack?

6 hours ago · 8 min read

An Overview of the Largest Hack in History

On February 21, 2025, Bybit, the world’s second-largest cryptocurrency exchange, based in Dubai, suffered a major security breach resulting in the theft of approximately $1.46 billion worth of digital assets. The attack was reportedly carried out using a sophisticated form of malware that manipulated Bybit’s transaction approval process, allowing unauthorised transfers to an external wallet controlled by the perpetrators. This incident marks the largest crypto theft ever recorded, surpassing previous high-profile breaches in both the cryptocurrency industry and the broader financial industry.

Blockchain security firms, including Elliptic and Arkham Intelligence, have attributed the attack to the Lazarus Group, a cybercriminal organization linked to North Korea. The group has a well-documented history of targeting cryptocurrency platforms, having stolen billions in digital assets over the years. Following their established laundering pattern, the attackers quickly converted the stolen Ether (ETH) to Bitcoin and other cryptocurrencies. They then distributed the funds across multiple wallets, leveraging Decentralised Exchanges (DEXs), cross-chain bridges, and other obfuscation techniques to hinder tracking efforts.

The scale of this attack has raised concerns over security vulnerabilities within some centralised cryptocurrency exchanges. A key factor that enabled the exploit was the compromise of Bybit’s multi-signature wallet system through an attack that deceived signers into approving fraudulent transactions. Preventative measures that could have mitigated the breach include stricter access controls, enhanced authentication protocols, improved monitoring of transaction anomalies, and the use of more than one air-gapped cold-storage wallet for high-value assets. Keeping $1.4 billion of Ethereum in a single wallet could be considered a significant central point of failure. Additionally, more rigorous cybersecurity training for employees handling critical transactions could have helped prevent social engineering tactics from succeeding.
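The paragraph above lists controls in the abstract. The following added example (not Bybit's, Bitfinex's or any signing product's code) sketches what a pre-signature policy gate on a high-value wallet can look like: a destination allowlist, a per-transaction cap, a rolling 24-hour outflow cap, and an independent digest of the raw transaction fields that a signer compares against what their hardware device displays, so approval does not rest solely on a possibly tampered UI. All addresses, limits and the sample transfers are constructed placeholders.

```python
"""Pre-signature policy gate for outbound transfers from a high-value wallet.

Added illustration; not code from Bybit, Bitfinex or any wallet vendor.
Addresses, caps and sample transactions below are constructed placeholders.
"""
from dataclasses import dataclass, field
import hashlib

WEI_PER_ETH = 10**18


@dataclass
class Transfer:
    to: str             # destination address (hex string)
    value_wei: int      # amount in wei
    data: bytes         # calldata; empty for a plain ETH transfer
    submitted_at: float # unix timestamp when the proposal was created


@dataclass
class Policy:
    allowlist: set                      # destinations pre-approved out of band
    per_tx_cap_wei: int                 # hard ceiling for a single transfer
    daily_cap_wei: int                  # rolling 24h outflow ceiling
    history: list = field(default_factory=list)  # (timestamp, value_wei) of signed transfers


def independent_digest(tx: Transfer) -> str:
    """Digest over the raw fields, computed without touching the approval UI.

    A signer compares this value with the digest shown on their hardware
    device; a mismatch means the payload being signed is not the one displayed.
    """
    raw = tx.to.lower().encode() + tx.value_wei.to_bytes(32, "big") + tx.data
    return hashlib.sha256(raw).hexdigest()


def check_transfer(tx: Transfer, policy: Policy, ui_digest: str) -> list:
    """Return the list of policy violations; an empty list means the transfer may be signed."""
    violations = []
    if tx.to.lower() not in policy.allowlist:
        violations.append("destination not in allowlist")
    if tx.value_wei > policy.per_tx_cap_wei:
        violations.append("value exceeds per-transaction cap")
    window_start = tx.submitted_at - 86_400
    outflow = sum(v for t, v in policy.history if t >= window_start) + tx.value_wei
    if outflow > policy.daily_cap_wei:
        violations.append("value would exceed 24h outflow cap")
    if independent_digest(tx) != ui_digest:
        violations.append("UI digest does not match independently decoded transaction")
    return violations


def record_signed(tx: Transfer, policy: Policy) -> None:
    """Append a signed transfer to the history used by the rolling outflow cap."""
    policy.history.append((tx.submitted_at, tx.value_wei))


# Constructed placeholders, not real addresses.
ALLOWLIST = {
    "0x000000000000000000000000000000000000aaaa",
    "0x000000000000000000000000000000000000bbbb",
}
POLICY = Policy(allowlist=ALLOWLIST,
                per_tx_cap_wei=50 * WEI_PER_ETH,
                daily_cap_wei=200 * WEI_PER_ETH)


def demo():
    """Run one legitimate and one tampered proposal through the gate."""
    now = 1_700_000_000.0
    legit = Transfer(to="0x000000000000000000000000000000000000aaaa",
                     value_wei=10 * WEI_PER_ETH, data=b"", submitted_at=now)
    ok = check_transfer(legit, POLICY, independent_digest(legit))

    # Tampered case: the UI rendered `legit`, but the payload actually routes
    # a far larger amount to an address outside the allowlist.
    tampered = Transfer(to="0x000000000000000000000000000000000000dead",
                        value_wei=400_000 * WEI_PER_ETH, data=b"", submitted_at=now)
    bad = check_transfer(tampered, POLICY, independent_digest(legit))
    return ok, bad


if __name__ == "__main__":
    ok, bad = demo()
    print("legitimate:", ok or "no violations")
    print("tampered:  ", bad)
```

The decisive check is the last one: the digest is derived from the bytes that will actually be signed, not from the rendering the malware controls, which is why a hardware signer that shows the decoded destination and amount is worth more than any number of UI confirmations.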

In response to the breach, Bybit has worked closely with blockchain forensics firms and law enforcement agencies to track and recover the stolen funds. A portion of the assets has already been frozen by cryptocurrency service providers that flagged suspicious transactions. Meanwhile, Bybit has assured its users that it will absorb the losses and continue processing withdrawals without disruption. This incident underscores the persistent threat of cyberattacks on cryptocurrency platforms and highlights the need for industry-wide improvements in security infrastructure to safeguard against increasingly sophisticated threats.

Illicit Funds Still on the Move

Following the theft, the attackers began executing a sophisticated laundering operation to obscure the origin of the stolen assets and prevent their recovery. The first step involved converting the stolen tokens, such as stETH and mETH, into ETH through DEXs. This move was likely intended to avoid potential intervention from token issuers who could freeze the compromised assets. Unlike centralised exchanges, which require identity verification, DEXs operate without intermediaries, making them an effective tool for laundering illicit funds.

Once the assets were converted to ETH, the hackers employed a common laundering technique known as “layering” to obfuscate their transaction trail. The funds were distributed across hundreds of intermediary wallets, each receiving relatively small amounts to make tracking more complex. The attackers then leveraged cross-chain bridges to move assets between different blockchain networks, further complicating forensic analysis. This tactic is frequently used by cybercriminals to take advantage of the fragmented oversight across different blockchain ecosystems, making it harder for investigators to track stolen funds. Approximately $335 million of the stolen $1.46 billion from Bybit has already been laundered through decentralised exchanges, cross-chain bridges, and crypto-mixing services, leaving around $900 million still in the hacker’s control.

Another laundering method used by the hackers involved sending portions of the stolen ETH to crypto-mixing services, such as Tornado Cash or similar platforms. These services break the link between sender and recipient by pooling multiple transactions and redistributing them in a way that obscures the source of the funds. While blockchain transactions are inherently transparent, mixing services introduce an additional layer of anonymity, making it extremely difficult for investigators to trace the illicit funds back to their origin. The attackers also engaged in “peel chain” transactions, a technique where funds are continuously moved through multiple addresses in small increments to gradually integrate them back into the broader crypto ecosystem.
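The two preceding paragraphs describe layering (one source fanning out to many small recipients) and peel chains (most of a balance forwarded hop by hop while a small slice is peeled off at each step). The added example below is not from the article or from any analytics vendor; it shows the kind of graph heuristics a blockchain-forensics analyst runs to flag both patterns and to mark every address reachable from a known theft address as tainted. The transfer list is constructed sample data with made-up labels in place of real addresses.

```python
"""Heuristics for spotting layering fan-out and peel chains in a transfer graph.

Added illustration, not from the article or any forensics product.
SAMPLE_TRANSFERS is constructed data: (sender, recipient, amount_eth).
"""
from collections import defaultdict

# Constructed sample: a theft address fans out to four intermediaries (layering),
# and one intermediary starts a peel chain that sheds a small slice per hop.
SAMPLE_TRANSFERS = [
    ("theft", "m1", 25.0), ("theft", "m2", 25.0),
    ("theft", "m3", 25.0), ("theft", "m4", 25.0),
    ("m1", "p1", 22.0), ("m1", "cashout1", 3.0),
    ("p1", "p2", 20.0), ("p1", "cashout2", 2.0),
    ("p2", "p3", 18.0), ("p2", "cashout3", 2.0),
]


def build_graph(transfers):
    """Map each sender to its list of (recipient, amount) edges."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    return out


def trace_taint(transfers, seed, max_hops=10):
    """Breadth-first walk from `seed`; returns {address: hops_from_seed}.

    Every address reached has received funds that trace back to the seed,
    which is the basis on which service providers flag and freeze deposits.
    """
    out = build_graph(transfers)
    hops = {seed: 0}
    frontier = [seed]
    while frontier:
        nxt = []
        for addr in frontier:
            if hops[addr] >= max_hops:
                continue
            for dst, _ in out[addr]:
                if dst not in hops:
                    hops[dst] = hops[addr] + 1
                    nxt.append(dst)
        frontier = nxt
    return hops


def fan_out_addresses(transfers, min_recipients=3):
    """Layering signal: senders that split funds to many distinct recipients."""
    out = build_graph(transfers)
    return {a for a, edges in out.items()
            if len({d for d, _ in edges}) >= min_recipients}


def peel_step(out, addr, peel_ratio=0.2):
    """If `addr` forwards the bulk to one recipient and peels off a small
    slice (<= peel_ratio of the outflow) to another, return the bulk recipient."""
    edges = out.get(addr, [])
    if len(edges) != 2:
        return None
    (bulk_dst, bulk_amt), (_, peel_amt) = sorted(edges, key=lambda e: e[1], reverse=True)
    if peel_amt <= peel_ratio * (bulk_amt + peel_amt):
        return bulk_dst
    return None


def find_peel_chains(transfers, min_len=3, peel_ratio=0.2):
    """Chain consecutive peel steps; report chains of at least `min_len` addresses."""
    out = build_graph(transfers)
    heads = {a for a in out if peel_step(out, a, peel_ratio)}
    # An address that is itself the bulk recipient of another peel step is mid-chain.
    continuations = {peel_step(out, a, peel_ratio) for a in heads}
    chains = []
    for head in sorted(heads - continuations):
        chain, cur = [head], head
        while (nxt := peel_step(out, cur, peel_ratio)) and nxt not in chain:
            chain.append(nxt)
            cur = nxt
        if len(chain) >= min_len:
            chains.append(chain)
    return chains


if __name__ == "__main__":
    print("fan-out senders:", fan_out_addresses(SAMPLE_TRANSFERS))
    print("peel chains:", find_peel_chains(SAMPLE_TRANSFERS))
    print("tainted:", trace_taint(SAMPLE_TRANSFERS, "theft"))
```

Real chains have thousands of edges and legitimate wallets that look similar (exchange hot wallets fan out constantly), so in practice these heuristics rank candidates for an analyst rather than deciding on their own; the taint walk, by contrast, is what gives a deposit address the label that lets a service provider freeze it.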

Despite these sophisticated efforts, blockchain analytics firms and law enforcement agencies have been actively tracking the stolen funds, identifying and flagging wallets involved in the laundering process. Several cryptocurrency service providers have responded by freezing assets linked to the hackers, limiting their ability to cash out. However, a significant portion of the stolen funds remains in circulation, and the hackers are likely to continue employing various laundering techniques over the coming weeks to move their remaining holdings undetected. The ongoing investigation highlights both the effectiveness of blockchain forensic tools and the persistent challenge of combating financial crime in the decentralised space.

As Crypto Adoption Increases, Authorities are Less Able to Control the Movement of Funds

Beyond the Bybit hack, various threat actors, including state-sponsored cybercriminal groups and sanctioned entities, have increasingly turned to cryptocurrency as a means of bypassing financial restrictions. These actors exploit the pseudonymous nature of blockchain transactions, DEXs, and cross-chain bridges to move funds outside the oversight of regulated financial institutions. Countries under international sanctions, such as North Korea, Iran, and Russia, have been linked to illicit crypto transactions, using these digital assets to finance state operations, including military programs and espionage efforts. The ability to operate outside traditional banking networks enables these actors to evade restrictions imposed by the global financial system, making cryptocurrency a powerful tool for circumventing anti-money laundering (AML) and countering the financing of terrorism (CFT) regulations.

One of the primary methods used to obscure illicit financial flows is the use of mixing services and coin-swapping platforms that facilitate anonymous asset transfers. Tumblers like Tornado Cash have been widely utilised by cybercriminals and sanctioned entities to obfuscate transaction trails, making it difficult for blockchain analysts to trace illicit funds back to their source. Additionally, no-KYC exchanges and peer-to-peer marketplaces provide further opportunities for bad actors to cash out stolen or sanctioned funds with minimal oversight. These platforms operate in jurisdictions with lax regulatory enforcement, allowing users to trade large sums of cryptocurrency without the scrutiny imposed by compliant financial institutions.

Cross-chain bridging has also emerged as a significant challenge for financial regulators, as it allows sanctioned entities to transfer funds across different blockchain networks while evading detection. By leveraging DeFi protocols, illicit actors can convert and move assets between networks, complicating efforts to freeze or track illicitly obtained funds. Some sanctioned entities have even been known to utilise their own blockchain-based financial infrastructure, issuing stablecoins or digital assets to maintain liquidity and conduct international transactions outside the reach of traditional financial oversight. The growing sophistication of these tactics has prompted regulatory bodies to intensify their scrutiny of the crypto industry and push for stricter compliance measures.

Despite these efforts, the borderless and decentralised nature of cryptocurrency continues to pose a major obstacle for enforcement agencies attempting to crack down on illicit financial flows. Threat actors, including ransomware groups, darknet marketplaces, and cybercrime syndicates, have increasingly adopted cryptocurrency to facilitate payments and launder illicit earnings. The lack of centralised control and the ability to transact without intermediaries make it difficult for governments and regulators to impose effective restrictions. While advancements in blockchain analytics and forensic tools have led to greater detection capabilities, the continuous adaptation of money laundering techniques by sanctioned entities and cybercriminals demonstrates the persistent cat-and-mouse dynamic between regulators and illicit actors in the digital financial ecosystem.

The rise of decentralised financial technologies, particularly cryptocurrencies, has fundamentally altered the relationship between governments and monetary control, effectively enabling a “separation of money from state.” While initially heralded as a means of financial sovereignty and resistance to censorship, this shift has also produced unintended consequences that challenge global regulatory frameworks. Cryptocurrencies have created an alternative financial system that operates beyond state oversight, allowing sanctioned entities, cybercriminals, and rogue actors to move funds outside traditional banking networks. This decentralisation has weakened the ability of governments to enforce economic sanctions, implement capital controls, and regulate illicit financial flows, making it increasingly difficult to contain the influence of unauthorised actors. With no central authority able to fully control blockchain transactions, this paradigm shift resembles a Pandora’s box: once opened, it is nearly impossible to reverse. As the financial landscape continues to evolve, policymakers and regulators face an ongoing dilemma: how to mitigate the risks posed by decentralised money without undermining the core innovations that have redefined global finance.

The post appeared first on Bitfinex blog.
