Inside the Lazarus Group Money Laundering Strategy
The aftermath of Bybit's $1.5 billion hack has left a complex trail of clues, revealing the notorious money-laundering tactics employed by the Lazarus Group. The cybercrime syndicate's strategy involves swapping illiquid assets for liquid ones, creating a maze of intermediate wallets to obscure the trail from trackers, and letting certain wallets sit dormant to avoid scrutiny.
According to blockchain research organization Nansen, the typical Lazarus Group strategy begins with swapping the illiquid assets into those that are more fungible and easier to move. In the case of the Bybit hack, at least $200 million in staked tokens were converted into Ether (ETH), which can be moved much more easily onchain.
After this conversion, the laundering process was carried out. To create obfuscation, the hacker used a complex trail of intermediate wallets, aiming to confuse trackers. Chainalysis, another blockchain research organization, revealed that the funds were laundered through decentralized exchanges, crosschain bridges, and even instant swap services that do not require Know Your Customer (KYC) verification.
Much of the ETH was eventually swapped for Bitcoin (BTC) and stablecoins such as Dai (DAI). In some cases, blockchain analysts were able to track these movements in real time. That allowed certain organizations running these decentralized protocols, such as Chainflip, to block the perpetrator's attempt to launder the stolen funds.
Throughout the laundering process, the hacker kept breaking the stolen funds into smaller pools sent to a growing number of wallets. The first "hop" divided the funds from one wallet into 42 wallets; the second "hop" split those 42 wallets into thousands. This strategy allowed the Lazarus Group to spread the money across multiple wallets, making it harder to track.
So far, the money laundered from the Bybit hack is just a portion of the $1.5 billion. Lazarus Group has another strategy to avoid heightened attention: sit and wait. Some wallets with stolen money — a sum that currently amounts to $900 million — have remained dormant as the group bides its time for the scrutiny to die down.
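The fan-out and sit-and-wait pattern described above is what blockchain tracers model as taint propagation. The following is an added example, not code from Nansen, Chainalysis or the original article: it runs a haircut taint model over a small constructed transfer set (the addresses, amounts and the 100 ETH seed are all invented), counts how many new wallets each hop reaches, and lists tainted balances that have not moved on.

```python
from collections import defaultdict

# Constructed sample transfers, not real Bybit or Lazarus data:
# (sequence, sender, receiver, amount in ETH), in chain order.
TRANSFERS = [
    (1, "exploit", "hop1_a", 60.0),
    (2, "exploit", "hop1_b", 40.0),
    (3, "hop1_a", "hop2_a", 30.0),
    (4, "hop1_a", "hop2_b", 30.0),
    (5, "hop1_b", "hop2_c", 25.0),
    (6, "clean", "hop2_c", 75.0),     # unrelated deposit mixes with tainted funds
    (7, "hop2_c", "swap_svc", 50.0),  # only a quarter of this is tainted
]
# Constructed starting balances; only the exploit address starts tainted.
INITIAL = {"exploit": 100.0, "clean": 100.0}

def propagate_taint(transfers, seed, initial):
    """Haircut taint propagation: every outgoing transfer carries taint in
    proportion to the tainted share of the sender's balance at that moment.
    Returns (balance, tainted, first_hop) keyed by address."""
    balance = defaultdict(float, initial)
    tainted = defaultdict(float, {seed: initial[seed]})
    first_hop = {seed: 0}
    for _, src, dst, amt in sorted(transfers):
        share = tainted[src] / balance[src] if balance[src] > 0 else 0.0
        moved = amt * share
        balance[src] -= amt
        tainted[src] -= moved
        balance[dst] += amt
        tainted[dst] += moved
        if moved > 0 and dst not in first_hop:
            first_hop[dst] = first_hop[src] + 1
    return balance, tainted, first_hop

def hop_fanout(first_hop):
    """Distinct addresses first reached at each hop (the 1 -> 42 -> thousands pattern)."""
    counts = defaultdict(int)
    for h in first_hop.values():
        counts[h] += 1
    return dict(counts)

def dormant_holdings(transfers, tainted, min_eth=1.0):
    """Addresses still holding tainted funds that have never sent anything onward."""
    senders = {src for _, src, _, _ in transfers}
    return {a: t for a, t in tainted.items() if t >= min_eth and a not in senders}

if __name__ == "__main__":
    bal, taint, hops = propagate_taint(TRANSFERS, "exploit", INITIAL)
    print("fan-out per hop:", hop_fanout(hops))
    print("dormant tainted holdings:", dormant_holdings(TRANSFERS, taint))
```

Real tracing adds heuristics for exchange deposit addresses, bridges and swap services, but the conservation check (total taint never changes) and the per-hop wallet count are the same signals analysts use to spot a fan-out in progress.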
The nearly $1.5 billion hack is more than the group's entire haul in 2024, which totaled $1.3 billion over 47 attacks. The attack stands as the biggest crypto heist of all time, one that rallied the community together in support of Bybit and against the hackers.
As Lazarus Group faces increased scrutiny, it has continued to adapt its cyberwarfare strategy, which remains one of the most lucrative and sophisticated in the world. The group's ability to launder money through complex decentralized networks makes it a formidable foe for law enforcement agencies and crypto exchanges.
The Complexity of Lazarus Group's Laundering Efforts
Chainalysis revealed that the Lazarus Group's laundering efforts were carried out through a combination of decentralized exchanges, crosschain bridges, and instant swap services. This strategy allowed the group to bypass traditional KYC verification requirements and avoid detection.
The use of decentralized exchanges and crosschain bridges enabled the Lazarus Group to transfer funds across different blockchain networks without being detected. Instant swap services further complicated the tracking process by allowing the group to quickly exchange assets between wallets.
A Global Threat
The Bybit hack highlights the global nature of cybercrime and the need for increased cooperation between law enforcement agencies and crypto exchanges. The Lazarus Group's ability to launder money through complex decentralized networks makes it a formidable foe, but also underscores the importance of vigilance and collaboration in preventing such attacks.