February 28th: What can you learn from the Bybit hack?
In education
The Bybit hack, the largest cryptocurrency theft in history, used malware to manipulate the exchange's transaction approval process and steal $1.46 billion; the North Korean Lazarus Group has been identified as the perpetrator. The hackers quickly laundered the funds through decentralized exchanges, cross-chain bridges and mixing services such as Tornado Cash, obscuring the trail and complicating recovery efforts, although blockchain forensic companies froze some assets. Beyond this case, sanctioned entities and cybercriminals are attempting to leverage cryptocurrencies to bypass financial controls and fund illegal activities through anonymous transactions and no-KYC platforms. Cryptocurrencies provide economic sovereignty and resistance to censorship, but that role is undermined by bad actors who use them to facilitate illicit finance, presenting ongoing challenges to governments and underscoring how difficult it is to reverse the profound financial disruption introduced by blockchain technology.
Overview of the biggest hacks in history
On February 21, 2025, Bybit, the world’s second-largest cryptocurrency exchange, based in Dubai, suffered a major security breach, resulting in the theft of approximately $1.46 billion worth of digital assets. The attack was reportedly carried out using sophisticated malware that manipulated Bybit’s transaction approval process, allowing unauthorized transfers to external wallets controlled by the perpetrator. The incident is the largest crypto theft ever recorded, surpassing previous well-known breaches in both the cryptocurrency and the broader financial industry.
Blockchain security companies, including Elliptic and Arkham Intelligence, have attributed the attack to the Lazarus Group, a cybercriminal organization linked to North Korea. The group has a well-documented history of targeting cryptocurrency platforms and has stolen billions of dollars in digital assets over the years. Following its established laundering patterns, the attackers quickly converted stolen ether (ETH) into Bitcoin and other cryptocurrencies. The funds were then distributed to multiple wallets, leveraging decentralized exchanges (DEXs), cross-chain bridges and other obfuscation techniques to hamper tracking efforts.
The scale of the attack has raised concerns over security vulnerabilities within some centralized cryptocurrency exchanges. A key factor that enabled the exploit was the compromise of Bybit’s multi-signature wallet system through an attack in which the signers were deceived into approving fraudulent transactions. Precautions that may mitigate such breaches include stricter access controls, enhanced authentication protocols, improved monitoring of transaction anomalies, and the use of multiple air-gapped cold-storage wallets for high-value assets. Keeping $1.4 billion in ether in one wallet can be considered a single point of failure. Furthermore, more stringent cybersecurity training for employees handling critical transactions could help prevent social engineering tactics from succeeding.
In response to the breach, Bybit has worked closely with blockchain forensic companies and law enforcement to track and recover the stolen funds. Some of the assets have already been frozen by cryptocurrency service providers that flagged suspicious transactions. Meanwhile, Bybit has assured users that it will absorb the losses and continue to process withdrawals without interruption. The incident highlights the persistent threat of cyberattacks on cryptocurrency platforms and the need for industry-wide improvements in security infrastructure to counter increasingly sophisticated threats.
Illicit funds are still on the move
Following the theft, the attackers began a sophisticated laundering operation to obscure the origin of the stolen assets and prevent their recovery. The first step involved converting stolen tokens such as stETH and mETH to ETH via DEXs. This move was likely aimed at avoiding potential intervention by token issuers, who could freeze the stolen assets. Unlike centralized exchanges, which require identity verification, DEXs operate without an intermediary, making them an effective tool for laundering illicit funds.
Once the assets were converted to ETH, the hackers adopted a common laundering technique known as “layering” to obfuscate the transaction trail. The funds were distributed across hundreds of intermediate wallets, each receiving a relatively small amount, making tracking more complicated. The attackers then leveraged cross-chain bridges to move assets between different blockchain networks, further complicating forensic analysis. This tactic is frequently used by cybercriminals because it exploits the fragmented surveillance across blockchain ecosystems, making it difficult for investigators to follow stolen funds. About $335 million of the $1.466 billion stolen from Bybit has already been laundered through decentralized exchanges, cross-chain bridges and mixing services, with about $900 million still under the hackers’ control.
Another laundering method used by the hackers involved sending some of the stolen ETH to mixing services such as Tornado Cash or similar platforms. These services break the link between sender and recipient by pooling multiple transactions and redistributing them in a way that obscures the source of the funds. Blockchain transactions are inherently transparent, but mixing services introduce additional layers of anonymity, making it extremely difficult for investigators to trace illicit funds back to their origin. The attackers also engaged in “peel chain” transactions, in which funds are moved through a long sequence of addresses with a small amount peeled off at each hop, so that the money gradually re-enters the wider crypto ecosystem.
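To make the tracing side of this concrete, here is an added Python example (not from the article and not any forensic vendor’s code) with two simple heuristics over a constructed transfer log: one flags the layering fan-out described above, the other follows a peel chain hop by hop. The thresholds, addresses and amounts are assumptions chosen for the illustration.

```python
# Constructed sample transfers (block, sender, receiver, amount in ETH); every address is made up.
from collections import defaultdict
TRANSFERS = [
    (100, "exploiter", "hub1", 10_000.0),
    *[(101, "hub1", f"w{i}", 500.0) for i in range(20)],  # layering: fan-out to 20 fresh wallets
    (200, "w0", "p1", 500.0), (201, "p1", "p2", 490.0), (201, "p1", "side1", 10.0),  # peel chain
    (202, "p2", "p3", 480.0), (202, "p2", "side2", 10.0),
    (203, "p3", "p4", 470.0), (203, "p3", "side3", 10.0),
    (204, "p4", "p5", 460.0), (204, "p4", "side4", 10.0),
    (300, "alice", "bob", 1.0), (301, "bob", "carol", 0.5),  # benign noise, should not be flagged
]
FANOUT_MIN, FANOUT_WINDOW = 10, 5     # distinct fresh recipients within N blocks of the inflow
PEEL_FORWARD, PEEL_MIN_HOPS = 0.9, 3  # share of inflow forwarded per hop; minimum hops to report

def index_transfers(transfers):
    """Build per-address inbound/outbound lists and the block each address first appeared in."""
    inbound, outbound, first_seen = defaultdict(list), defaultdict(list), {}
    for blk, src, dst, amt in sorted(transfers):
        inbound[dst].append((blk, src, amt))
        outbound[src].append((blk, dst, amt))
        first_seen.setdefault(src, blk); first_seen.setdefault(dst, blk)
    return inbound, outbound, first_seen

def find_layering(transfers):
    """Hubs that split an inflow across many never-before-seen wallets shortly after receiving it."""
    inbound, outbound, first_seen = index_transfers(transfers)
    hits = {}
    for addr in inbound.keys() & outbound.keys():
        start = inbound[addr][0][0]  # block of the first inflow (lists are block-sorted)
        fresh = {dst for blk, dst, _ in outbound[addr]
                 if blk <= start + FANOUT_WINDOW and first_seen[dst] == blk}
        if len(fresh) >= FANOUT_MIN:
            hits[addr] = len(fresh)
    return hits

def find_peel_chain(transfers):
    """Longest chain where each hop forwards most of its inflow onward and peels a small slice aside."""
    inbound, outbound, _ = index_transfers(transfers)
    best = []
    for start in list(outbound):
        chain, addr = [start], start
        while inbound.get(addr) and len(outbound.get(addr, [])) >= 2:
            _, nxt, amt = max(outbound[addr], key=lambda o: o[2])  # the "forward" transfer
            if amt < PEEL_FORWARD * sum(a for _, _, a in inbound[addr]) or nxt in chain:
                break
            chain.append(nxt); addr = nxt
        if len(chain) > PEEL_MIN_HOPS: best = max(best, chain, key=len)
    return best
```

On the constructed data `find_layering` reports the hub that fanned out to 20 fresh wallets and `find_peel_chain` returns the five-address chain p1 to p5; real investigations tune the thresholds and combine such heuristics with exchange and bridge attribution.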
Despite these sophisticated efforts, blockchain analytics companies and law enforcement are actively tracking the stolen funds and identifying and flagging wallets involved in the laundering process. Several cryptocurrency service providers have responded by freezing hacker-linked assets, limiting their ability to cash out. However, a significant portion of the stolen funds remains in circulation, and the hackers may employ a variety of laundering techniques over the coming weeks to move their remaining holdings undetected. The ongoing investigation highlights both the effectiveness of blockchain forensic tools and the persistent challenge of fighting financial crime in a decentralized space.
As crypto adoption increases, authorities are unable to control the movement of funds
Beyond the Bybit hack, various threat actors, including state-sponsored cybercriminal groups and sanctioned entities, are increasingly turning to cryptocurrencies as a way to bypass financial restrictions. These actors leverage the pseudonymity of blockchain transactions, DEXs and cross-chain bridges to move funds outside the monitoring of regulated financial institutions. Countries under international sanctions, such as North Korea, Iran and Russia, have been linked to illicit crypto transactions that use these digital assets to fund state operations such as military programs and espionage. The ability to operate outside traditional banking networks gives these actors a powerful tool to bypass the restrictions imposed by the global financial system and evade anti-money laundering (AML) and countering the financing of terrorism (CFT) regulation.
One of the main methods used to obscure illicit financial flows is the use of mixing services and coin-swapping platforms that facilitate anonymous asset transfers. Tumblers like Tornado Cash are widely used by cybercriminals and sanctioned entities to obfuscate transaction trails, making it difficult for blockchain analysts to trace illicit funds back to their source. Additionally, no-KYC exchanges and peer-to-peer marketplaces offer even more opportunities for bad actors to cash out stolen or sanctioned funds with minimal surveillance. These platforms operate in jurisdictions with lax regulatory enforcement, allowing users to trade large quantities of cryptocurrency without the scrutiny imposed by compliant financial institutions.
Cross-chain bridging has also emerged as a key challenge for financial regulators, as it allows sanctioned entities to transfer funds across various blockchain networks while avoiding detection. By leveraging DeFi protocols, illicit actors can convert and move assets between networks, complicating efforts to freeze or track illegally acquired funds. Some sanctioned entities are known to operate their own blockchain-based financial infrastructure, maintaining liquidity and even issuing stablecoins or other digital assets to carry out international transactions outside the scope of traditional financial surveillance. The increasing sophistication of these tactics has led regulators to step up scrutiny of the crypto industry and push for stricter compliance measures.
Despite these efforts, the transnational, decentralized nature of cryptocurrencies continues to pose a major obstacle to enforcement agencies seeking to crack down on illicit financial flows. Threat actors, including ransomware groups, darknet markets and cybercrime syndicates, are increasingly adopting cryptocurrencies to facilitate payments and launder illicit proceeds. The lack of centralized control and the ability to transact without intermediaries make it difficult for governments and regulators to impose effective restrictions. Advances in blockchain analytics and forensic tools have improved detection capabilities, but the continual adaptation of money laundering techniques by sanctioned entities and cybercriminals demonstrates the persistent cat-and-mouse dynamic between regulators and illicit actors in the digital financial ecosystem.
The rise of decentralized financial technologies, particularly cryptocurrencies, has fundamentally changed the relationship between governments and financial control, effectively enabling the “separation of money from the state.” Initially promoted as a means of financial sovereignty and resistance to censorship, this shift has had unintended consequences that challenge the global regulatory framework. Cryptocurrency has created an alternative financial system that operates beyond state surveillance, allowing sanctioned entities, cybercriminals and fraudsters to move funds outside traditional banking networks. This decentralization has weakened governments’ ability to enforce economic sanctions, implement capital controls and regulate illicit financial flows, making it even more difficult to contain the damage done by fraudsters. This paradigm shift resembles Pandora’s box: no central authority has complete control over blockchain transactions, and the change is almost impossible to reverse once opened. As the financial environment continues to evolve, policymakers and regulators face an ongoing dilemma: how to mitigate the risks posed by decentralized money without undermining the core innovation that is redefining global finance.