The Bybit hack; 4-key Compliance and AML lessons we learned from North Korea’s largest crypto hack.
On February 21, 2025, Bybit fell victim to a cyberattack that resulted in an unprecedented loss of approximately $1.46 billion in digital assets. To put the breach into perspective, the previous largest crypto heist was the $611 million that was stolen from Poly Network in 2021. Early reports pointed to the notorious Lazarus Group, a North Korean state-backed cybercriminal organization, which has already been implicated in several high-profile hacks and money laundering operations in the past. The FBI has since confirmed the Lazarus Group as the perpetrators of the attack.
The breach raises critical questions regarding the security of centralized exchanges, particularly in the wake of the Digital Operational Resilience Act (DORA). What truly underscores the importance of compliance and anti-money laundering (AML) measures is the speed with which the stolen funds were funnelled into laundering networks. TRM Labs estimates that at least $160 million was laundered within the first 48 hours, with this figure surpassing $400 million within a week, illustrating a level of operational efficiency and professionalism we haven’t seen before.
How the funds were laundered, an overview
With the stolen funds still circulating through the crypto ecosystem, examining the methods used to obfuscate the origin of the stolen funds is more relevant than ever. The Lazarus Group’s laundering tactics were notably sophisticated, leveraging various crypto services and decentralized exchanges (DEXs) to hide the trail of illicit funds.
The laundering operation commenced immediately after the breach, when the stolen assets- initially consisting of mETH and sETH (liquid staking tokens)[1]– were converted into ETH using DEXs. This step was vital to avoid intervention by token issuers, who could potentially freeze the compromised assets. Since Ether and Bitcoin are not controlled by a centralized authority, they are less susceptible to being frozen.
Following the conversion to ETH, the Lazarus group employed a common money laundering technique known as “layering”, dispersing the funds through multiple intermediary wallets in an attempt to conceal the origin of the funds and hinder tracking efforts. While the inherent transparency of the blockchain allow for the tracing of transactions, this strategy bought the hackers time to move the funds to different wallets, swap tokens, use cross-chain bridges, and interact with no-KYC instant swap services. Using these crypto services, the hackers swapped significant amounts of ETH for other cryptocurrencies, especially BTC and DAI.
Historically, North Korea has relied on crypto mixers as part of its laundering operations to obfuscate the origin of stolen assets before converting them into fiat currencies. With increased scrutiny and law enforcement actions targeting mixing services, it appears the Lazarus Group is now prioritizing speed and efficiency over privacy.
Key Compliance and AML Takeaways
The aftermath of the Bybit hack provides several important lessons for compliance officers, regulatory bodies, and businesses operating in the cryptocurrency sector. While the hack highlights vulnerabilities that still exist, it also underscores the importance of strong compliance frameworks, robust AML practises, and industry-wide cooperation. Some key takeaways include:
1. Enhanced Transaction Monitoring Systems
The sophistication of the laundering methods used in this case highlights the necessity for cryptocurrency platforms to implement advanced transaction monitoring systems. A combined effort between blockchain analytics firms, law enforcement and centralized exchanges were able to actively trace the stolen funds, identifying and flagging wallets related to the Lazarus Group. While several centralized exchanges were able to freeze assets, a large portion of the stolen funds remain under the hackers’ control and further attempts to launder these funds are expected in the coming days or weeks. The ongoing investigations illustrate both the effectiveness of blockchain- and transaction monitoring, as well as the challenges presented by cryptocurrency services such as DeFi protocols that potentially do not leverage blockchain analytics.
2. Strengthening KYC and AML Standards:
Crypto exchanges must ensure they adhere to stringent Know Your Customer (KYC) procedures and performing regular AML checks throughout the lifecycle of their client. While KYC requirements are now standard across exchanges, many DeFi platforms continue to lag in establishing robust identity verification processes. As decentralized finance and privacy tools continue to evolve, there is a growing need for a more rigorous approach to user onboarding and transaction monitoring to prevent illicit activity. A notable example of decentralized protocol already taking such actions is Chainflip, which implemented an emergency software update, blocking incoming funds tied to the hack.
3. Collaboration within the industry and law enforcement agencies
Effective collaboration within the industry and with law enforcement agencies is vital in combating money laundering threats and protecting the ecosystem. In response to the hack, Bybit launched a bounty program offering rewards of up to 10% for successfully frozen funds. This initiative sparked collaboration among industry actors, complicating efforts by the hackers to convert stolen assets into fiat currencies. This demonstrates the importance of swift, collaborative responses to protect the integrity of the cryptocurrency ecosystem and defend against these sophisticated cyber-attacks.
4. Education and Awareness
The Bybit hack highlights the need for continuous education and awareness within the crypto industry. Firms should invest in regular training for compliance teams to stay ahead of emerging laundering tactics. Moreover, educating users on the risks of interacting with unregulated platforms remains crucial to curbing illicit activity in the crypto space.
Conclusion: The Path Forward for Crypto Compliance
The Bybit hack serves as a reminder of the vulnerabilities currently present in the crypto ecosystem. As illicit actors become increasingly sophisticated in their methods, the need for robust compliance and AML measures has never been greater. Exchanges, DeFi platforms, and regulators must work together to close the gaps in the current system, implement strong monitoring tools, and ensure that the crypto space remains a safe and secure environment for legitimate users.
The ongoing investigations and the collaborative actions taken in response to the hack exemplify the cryptocurrency sector’s growing commitment to improving security standards and protecting users from illicit activity. By focusing on enhancing compliance frameworks, tightening KYC and AML standards, and fostering a culture of cooperation, the industry is taking crucial steps toward mitigating the risks of future breaches.
Do you seek support and assistance in enhancing your Crypto Compliance Framework?
Please reach out to us on: info@compliancechamps.com
Read more articles here.
[1] Liquid staking tokens refer to obtain a tradeable asset in exchange for staking a cryptocurrency in a proof-of-stake blockchain.
