Author: Christopher Tepedino, CoinTelegraph; Compiled by: Tao Zhu, Golden Finance
In their analyses of the $1.5 billion Bybit hack, two blockchain research firms, Nansen and Chainalysis, described Lazarus Group's money laundering strategies, which include swapping illiquid assets for liquid ones, creating complex flows of funds, and leaving certain wallets idle to reduce scrutiny.
According to Nansen, a typical Lazarus Group strategy begins by swapping illiquid assets for more fungible ones that are easier to transfer. After Bybit was hacked, the criminals converted at least $200 million of staked tokens to Ether, which can be moved more easily on-chain.
After the illicit assets are converted into liquid assets, the money laundering process begins. To create confusion, the hackers used a maze of intermediate wallets to build a complex path designed to throw off anyone tracing the funds. According to Chainalysis, these funds are laundered through decentralized exchanges, cross-chain bridges, and even instant swap services that do not require Know Your Customer (KYC) verification.
[Figure: The complexity of Lazarus Group's money laundering. Source: Chainalysis]
Most of the ETH is eventually exchanged for Bitcoin and stablecoins such as Dai. In some cases, blockchain analysts are able to track these movements in real time. This allows certain organizations running these decentralized protocols, such as Chainflip, to block the offenders' attempts to launder stolen funds.
Throughout the laundering process, the hackers keep dividing the stolen funds into smaller pools and sending them to more and more wallets. The first “transfer” split the funds from one wallet into 42 wallets. The second “transfer” split the funds from those 42 wallets into thousands.
So far, the Bybit hackers have laundered only part of the $1.5 billion. Lazarus Group has another strategy for avoiding the attention that high-profile thefts attract: sit and wait. Some wallets holding stolen funds (currently as much as $900 million across all wallets) have stayed dormant while the group waits for the scrutiny to subside.
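From the tracing side, the fan-out and the dormant wallets described above can be measured over a list of transfers. The following is an added example, not code from Nansen, Chainalysis or the original article; the transfer data, wallet names, time units and the rule that every output of a traced wallet stays traced are assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque

def sample_transfers():
    """Constructed data: (time, sender, receiver, amount), 1 -> 42 -> 200."""
    rows = [(1, "theft", f"a{i}", 10) for i in range(42)]
    for i in range(40):                      # a40 and a41 never forward funds
        when = 2 if i < 20 else 8
        rows += [(when, f"a{i}", f"b{i}_{j}", 2) for j in range(5)]
    return rows

def trace(transfers, source):
    """Breadth-first walk over outgoing transfers: {wallet: hop from source}."""
    out = defaultdict(set)
    for _, sender, receiver, _ in transfers:
        out[sender].add(receiver)
    hop, queue = {source: 0}, deque([source])
    while queue:
        wallet = queue.popleft()
        for nxt in out[wallet]:
            if nxt not in hop:               # first-seen hop; also stops cycles
                hop[nxt] = hop[wallet] + 1
                queue.append(nxt)
    return hop

def wallets_per_hop(hop):
    """Number of traced wallets at each hop, e.g. {0: 1, 1: 42, 2: 200}."""
    return dict(sorted(Counter(hop.values()).items()))

def dormant(transfers, hop, now, idle):
    """Traced wallets still holding funds with no activity for `idle` ticks."""
    balance, last_seen = defaultdict(int), {}
    for when, sender, receiver, amount in transfers:
        if sender not in hop:
            continue                         # ignore flows outside the trace
        balance[sender] -= amount
        balance[receiver] += amount
        for wallet in (sender, receiver):
            last_seen[wallet] = max(when, last_seen.get(wallet, when))
    return {w: b for w, b in balance.items()
            if b > 0 and now - last_seen[w] >= idle}

if __name__ == "__main__":
    rows = sample_transfers()
    hops = trace(rows, "theft")
    print(wallets_per_hop(hops))
    print(len(dormant(rows, hops, now=10, idle=5)), "dormant wallets")
```
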
This nearly $1.5 billion hack exceeds the group's total take in 2024, which was $1.3 billion from 47 attacks. The attack was the largest cryptocurrency heist ever, uniting the community in support of Bybit and against the hackers. As Lazarus Group faces increasingly stringent scrutiny, it continues to adapt. As reported, its cyber warfare strategy remains one of the most profitable and complex in the world.