Bybit CEO Exposes $16M Bitcoin Laundering Through Wasabi Mixer After $1.5 Billion Hack Linked to Lazarus Group
In a chilling reminder of crypto’s vulnerability to international crime syndicates, Bybit CEO Ben Zhou has confirmed that $16 million worth of stolen Bitcoin has been laundered via the privacy-focused Wasabi mixer. The revelation comes after the staggering $1.5 billion crypto hack that has rocked the industry this year.
The perpetrators? According to Zhou, all signs point to North Korea’s notorious Lazarus Group, a hacking collective long associated with large-scale cyber thefts, espionage, and crypto laundering operations.
The Anatomy of the $1.5 Billion Crypto Heist
In one of the largest crypto breaches on record, the Lazarus Group made off with $1.5 billion in digital assets. The bulk of the stolen funds, originally in Ether (ETH), has since been aggressively converted to Bitcoin (BTC) in an elaborate effort to launder and obfuscate the funds.
According to Zhou:
- 86% of the stolen assets, equating to 440,091 ETH (~$1.23 billion), were swapped into 12,836 BTC.
- The BTC has been dispersed across 9,117 unique wallets, each holding an average of 1.41 BTC.
Cross-Chain Tactics: How Lazarus Moved Funds
The conversion of such a vast amount of Ether into Bitcoin wasn’t done via traditional exchanges, which would easily trigger red flags. Instead, the hackers utilized THORChain, a decentralized cross-chain liquidity protocol that facilitates asset swaps across different blockchains.
THORChain’s permissionless design makes it a go-to solution for bad actors aiming to exploit cross-chain liquidity in money laundering schemes, and in this case, it played a pivotal role in enabling Lazarus to move large sums swiftly.
Mixing It Up: Wasabi, CryptoMixer & Railgun in Play
With the stolen funds now in Bitcoin, the Lazarus Group turned to an old trick in the book: Bitcoin mixing services.
Mixers like Wasabi, CryptoMixer, and Railgun are designed to break transaction trails by pooling coins from multiple users and redistributing them in new wallets. This disrupts blockchain analysis tools, complicating the task of tracking the funds.
Key Findings:
- A significant chunk of the BTC—193 Bitcoin (~$16 million)—was laundered through the Wasabi mixer, known for its coinjoin protocol which enhances transactional privacy.
- The laundered BTC was then dispersed across various peer-to-peer (P2P) platforms, making it easier for bad actors to cash out or further distribute the funds.
Zhou’s data also highlights that CryptoMixer and Railgun have been actively used in the laundering pipeline, further scattering the stolen BTC across multiple chains and wallets.
The Lazarus Group: Persistent and Evolving Threat
Lazarus Group has been linked to several of the most significant crypto hacks in history, including the $600 million Ronin bridge attack in 2022. However, this latest incident underscores a troubling pattern: their ability to evolve tactics and leverage advanced blockchain tools to evade detection.
Despite international sanctions and enhanced blockchain intelligence, Lazarus continues to innovate. Their latest strategy reflects a hybrid model of cross-chain swaps via THORChain, followed by mixer obfuscation and P2P distribution, all designed to outmaneuver on-chain surveillance systems.
How Much of the Stolen Crypto Remains Traceable?
According to Bybit’s latest intelligence:
- 88.8% of the stolen funds are still traceable on-chain.
- 7.6% of the funds have become untraceable, primarily due to mixing services and off-chain distribution.
- 3.5% of the assets have been frozen, thanks to coordinated efforts between Bybit and blockchain forensic agencies.
Notably, data from blockchain analytics firm Arkham shows that Lazarus still controls approximately 13,400 BTC—most of which are traceable to this hack.
The Challenges of Tracking Mixed Bitcoin
Zhou emphasized that the key challenge is now decoding the transactions routed through mixers like Wasabi.
“The use of Wasabi and other mixers significantly complicates our recovery efforts. Once coins pass through these services, tracing them becomes a matter of probability and pattern analysis,” Zhou explained.
Mixers, while legal in most jurisdictions, exist in a regulatory gray area. They’re often used by privacy-conscious users but have also become a favorite tool for cybercriminals and state-sponsored actors.
The Growing Scrutiny of Mixers and Privacy Tools
The incident is likely to reignite global debate about the legitimacy of privacy-enhancing technologies in crypto. Authorities have already cracked down on services like Tornado Cash, which was sanctioned by the U.S. Treasury in 2022. Wasabi, though not yet sanctioned, is frequently mentioned in regulatory discussions about illicit finance.
Potential Fallout:
- Renewed calls for stricter KYC/AML regulations on non-custodial wallets and DeFi protocols
- Increased pressure on developers of privacy tools to introduce compliance layers or face blacklisting
- Heightened surveillance of cross-chain bridges and decentralized liquidity networks like THORChain
Can Lazarus Be Stopped?
The Lazarus Group’s deep ties to North Korea’s state apparatus and its persistent cyberwarfare capabilities make it a formidable adversary. Despite significant international efforts, the group continues to siphon billions from the crypto economy to fund weapons programs and state initiatives, according to cybersecurity experts.
While Bybit and partner organizations have had some success in freezing a fraction of the stolen funds, the sheer scale and complexity of Lazarus’s laundering tactics suggest that full asset recovery is unlikely.
What This Means for the Crypto Industry
This hack and subsequent laundering scheme shine a spotlight on the ongoing vulnerabilities in crypto infrastructure:
1. The Need for Robust Cross-Chain Security
Cross-chain bridges and liquidity networks have emerged as high-risk zones. While they enable interoperability and capital efficiency, they also create openings for hackers to slip through regulatory cracks.
2. The Balancing Act Between Privacy and Security
Mixers are a double-edged sword. While protecting user privacy, they also shield illicit activities. The crypto community faces a critical inflection point: how to preserve decentralization and privacy while deterring criminal misuse.
3. The Importance of Real-Time Blockchain Intelligence
Platforms like Bybit are ramping up their investments in blockchain forensic tools, but tracing laundered crypto remains a game of cat and mouse. Collaboration between exchanges, law enforcement, and analytics firms will be crucial moving forward.
Conclusion: The Battle Continues
The Lazarus Group’s laundering of $16 million via Wasabi Mixer is just the tip of the iceberg in a broader, more sophisticated laundering scheme that spans multiple blockchains and continents.
Bybit, under Ben Zhou’s leadership, is spearheading efforts to recover the stolen funds and bring clarity to a murky and dangerous situation. However, the challenges posed by decentralized privacy tools and cross-chain protocols underline the evolving complexities of financial crime in the Web3 era.
While most of the stolen BTC remains traceable for now, Lazarus’s next moves will test the resolve and capabilities of crypto security teams worldwide.
