• The Bybit hacker uses THORChain and OKX DEX to launder stolen funds and convert them into non-freezable DAI.
• Exchanges and security firms freeze stolen assets, but the hacker shifts strategies to evade tracking and asset recovery.
• The hacker now bridges assets to Solana and uses fake KYC data, which creates new challenges for crypto security teams.

The hacker behind the Bybit attack has resumed moving stolen assets and has refined their laundering techniques. According to Web3 security firm Beosin, the hacker has primarily relied on THORChain to transfer stolen cryptocurrency to the Bitcoin blockchain. They then convert the assets into non-freezable DAI using OKX DEX.

BeosinTrace said that it tracked the Bybit hacker to transfer assets again at 08:58:23 UTC+8 today. The hacker’s mode of selling has stabilized, mainly using Thorchain to transfer assets to the BTC chain, and using OKX DEX to convert them into DAI. The converted DAI will flow…

— Wu Blockchain (@WuBlockchain) February 24, 2025

Hacker Converts Over $106 Million Worth of ETH

Recent blockchain activity shows that the Bybit hacker has already converted 37,900 ETH, worth approximately $106 million, into other assets. This laundering operation began on February 22, 2025, and lasted around 30 hours. The hacker used multiple cross-chain exchange platforms, including Chainflip, THORChain, LiFi, DLN, and eXch, to move funds.

As of the latest update, the hacker still holds 461,491 ETH, valued at around $12.9 billion. The structured approach in asset movement suggests an increasingly stable laundering method. Security analysts believe that by using decentralized platforms, the hacker aims to evade tracking and asset freezing efforts.

Exchanges and Authorities Take Countermeasures

Several cryptocurrency platforms have responded to the hack by freezing assets linked to the stolen funds. ChangeNow froze 34 ETH, while Avalanche restricted access to 0.38755 BTC. The Lightning Network-based exchange FixedFloat also froze $120,000 worth of USDC and USDT stablecoins.

Additionally, THORChain blacklisted addresses associated with the North Korean hacking syndicate suspected to be involved in the attack. Stablecoin issuers Tether and Circle have flagged wallets linked to the hacker, with Tether freezing 181,000 USDT.

Bybit stated that $42.85 million in stolen assets have been frozen across multiple exchanges. The platform also warned users about scammers posing as Bybit officials attempting to steal sensitive personal information.

Hacker’s Shift to Solana Raises New Concerns

On-chain data indicates that the hacker is now bridging assets to Solana and using fake KYC data to deposit funds on exchanges. In response, Bybit collaborated with Pump.fun and Solana Foundation President Lily Liu to remove a Solana-based token linked to the hacker.

The evolving laundering strategies highlight the challenges exchanges and security firms face in recovering stolen funds. Blockchain security experts continue to monitor the hacker’s activities as efforts to track and freeze assets persist.
