Bybit hackers are utilizing meme coin issuance and cross-chain transfers for money laundering. By issuing meme coins on decentralized platforms and employing cross-chain transfers, hackers are cleverly concealing their illicit gains and dispersing the flow of funds across multiple platforms.
(Background: Bybit offers a 10% reward for recovering stolen funds; mixer eXch refuses to intercept stolen assets, causing controversy.)
(Additional context: CZ clarifies the suggestion for Bybit to pause withdrawals: the principle is safety first! The CEO responds that “this situation is different.”)
Following a weekend of reflection after the hacking incident, the laundering methods employed by the attackers have garnered significant attention within the cryptocurrency community. According to Solscan monitoring, the Bybit hackers appear to be issuing meme coins through the pump.fun platform for money laundering purposes.
Data reveals that the hackers transferred approximately 60 SOL to the address 9Gu8v6…aAdqWS, which subsequently issued a meme coin named “QinShihuang.” Currently, the trading volume of this token has surpassed $26 million, with a market cap reaching $2.2 million; however, its liquidity stands at only $200,000.
After being identified as a suspected laundering method, pump.fun has removed meme coins potentially associated with the North Korean hacker group Lazarus Group from its front end to prevent further asset laundering. On the other hand, this has exposed issues regarding the control of the pump.fun platform. Although the platform claims to be decentralized, it actually maintains management rights over listed assets, determining which tokens appear on the platform, contradicting its self-proclaimed spirit of full decentralization.
From the perspective of Bybit victims, we also hope to freeze or even recover these hacked assets; how can we balance these interests? This is an area that requires more discussion within the cryptocurrency industry in the future.
Flow of funds from Bybit hackers and cross-chain laundering
According to tracking by BeosinTrace, starting from February 23, 2025, the Bybit hackers began transferring large sums of money to multiple sediment addresses, involving 115 addresses and totaling 11,693.48 ETH (approximately $160 million). These funds flowed to platforms including Okx Dex and Thorchain: Router. The specifics are as follows:
From February 22 to 23, contract address 0xf3de (Okx Dex. Aggregation Router) received 6,624.25 ETH;
Contract address 0xd37 (Thorchain: Router) received 7,662.8 ETH;
Address 0xf1da (Exch exchange) received 3,570.62 ETH;
Contract address 0xfc9 (Okx Dex. Xbridge) received 2,541.56 ETH.
The flow of these funds indicates that the Bybit hackers are actively utilizing decentralized exchanges and bridging protocols to disperse their funds, attempting to conceal the sources of the funds and increase the difficulty of tracking.
Then, the assets are exchanged for DAI on OKX DEX for further circulation, with the exchanged DAI flowing into eXch. pic.twitter.com/zfP0mNhLKp
— Beosin Web3 Security & Compliance (@Beosin_com) February 24, 2025
Hackers still hold over 460,000 ETH
According to on-chain analyst Yu Jin’s observations, after the incident broke out, the Bybit hackers have utilized several cross-chain platforms such as Chainflip, THORChain, and LiFi to convert approximately 37,900 ETH (worth over $106 million) into other assets, including Bitcoin (BTC). Currently, their address still holds around 461,491 ETH (valued at approximately $1.29 billion), with the total amount of ETH stolen and transferred from Bybit reaching 499,395 ETH (worth about $1.4 billion).
The speed at which the Bybit hackers are laundering this ETH is quite rapid. Since starting the laundering process yesterday afternoon, nearly 30 hours have passed, and they have already used numerous addresses to convert 37,900 ETH ($106 million) into other assets (BTC, etc.) via cross-chain exchange platforms like Chainflip, THORChain, LiFi, DLN, and eXch. The Bybit hacker address currently has 461,491 ETH ($1.29 billion) remaining. https://t.co/3tzuCvCCM5 pic.twitter.com/TyYlpG0cB6
— Yu Jin (@EmberCN) February 23, 2025
