Bybit Hackers Utilize Meme Coin Issuance and Cross-Chain Transfers for Money Laundering
Through the issuance of Meme coins on decentralized platforms and the use of cross-chain transfers, hackers are cleverly concealing their illegal gains and dispersing the flow of funds across multiple platforms.
(Background: Bybit offers a 10% bounty to recover stolen funds; the mixer eXch refuses to intercept the stolen assets, causing controversy.)
(Additional context: CZ clarifies the suggestion for Bybit to pause withdrawals: the principle is safety first! The CEO responds that “this situation is different.”)
After a weekend of reflection following the hacking incident at the exchange Bybit, the attackers’ money laundering tactics have drawn significant attention from the cryptocurrency community. According to Solscan monitoring, the Bybit hackers appear to be using the pump.fun platform to issue Meme coins for money laundering.
Data shows that the hackers transferred approximately 60 SOL to the address 9Gu8v6…aAdqWS, which subsequently issued a Meme coin named “QinShihuang.” Currently, the trading volume of this token has exceeded $26 million, with a market capitalization of $2.2 million; however, its liquidity stands at only $200,000.
Following the discovery of what appeared to be the attackers’ money laundering methods, pump.fun has removed Meme coins that may be linked to the North Korean hacking organization Lazarus Group from its front end, in an effort to prevent further asset laundering. On the other hand, this also exposes the control issues of the pump.fun platform, which, despite claiming to be decentralized, actually possesses management rights over the listed assets and can decide which tokens appear on the platform, contrary to its professed ideals of complete decentralization.
From the perspective of Bybit's victims, however, we also hope these stolen assets can be frozen or even recovered, so how should these interests be balanced? This is a topic the cryptocurrency industry will need to discuss more in the future.
Flow of Funds from Bybit Hackers and Cross-Chain Laundering
According to tracking by BeosinTrace, starting from February 23, 2025, the Bybit hackers began transferring large sums of money to multiple deposit addresses, involving 115 addresses and totaling 11,693.48 ETH (approximately $160 million). These funds flowed to platforms including Okx Dex and Thorchain: Router. The specifics are as follows:
From February 22 to 23, contract address 0xf3de (Okx Dex. Aggregation Router) received 6,624.25 ETH;
Contract address 0xd37 (Thorchain: Router) received 7,662.8 ETH;
Address 0xf1da (Exch exchange) received 3,570.62 ETH;
Contract address 0xfc9 (Okx Dex. Xbridge) received 2,541.56 ETH.
The flow of these funds indicates that the Bybit hackers are actively utilizing decentralized exchanges and bridging protocols to disperse funds, attempting to obscure the source of the money and increase the difficulty of tracking.
Then, the assets are exchanged for DAI on OKX DEX for further circulation, with the exchanged DAI flowing into eXch.
— Beosin Web3 Security & Compliance (@Beosin_com) February 24, 2025
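The kind of tracing reported above can be sketched in a short added example (not Beosin's tooling and not part of the original article): it follows stolen funds hop by hop through intermediate deposit addresses and totals what reaches each labelled service. The transfers, the `theft_wallet`, `deposit_*` and `clean_user` names, and the taint-first accounting rule are assumptions made for illustration; the service labels and truncated address prefixes are the ones quoted in the article.

```python
from collections import defaultdict

# Service labels from the article; keys are the truncated prefixes as published,
# used here as opaque identifiers (real tracing would match full addresses).
SERVICES = {
    "0xf3de": "Okx Dex. Aggregation Router",
    "0xd37": "Thorchain: Router",
    "0xf1da": "eXch",
    "0xfc9": "Okx Dex. Xbridge",
}

# Constructed sample transfers (sender, receiver, ETH) in chronological order.
# These are NOT real chain data.
SAMPLE_TRANSFERS = [
    ("theft_wallet", "deposit_1", 100.0),
    ("theft_wallet", "deposit_2", 50.0),
    ("clean_user", "deposit_2", 20.0),   # unrelated funds mixed into a deposit address
    ("deposit_1", "0xf3de", 60.0),
    ("deposit_1", "deposit_3", 40.0),    # second hop before reaching a service
    ("deposit_3", "0xd37", 40.0),
    ("deposit_2", "0xf1da", 70.0),       # only 50 of these 70 ETH are tainted
    ("clean_user", "0xf3de", 999.0),     # ordinary user of the same router
]


def trace_tainted_flows(transfers, seed, seed_amount, services=SERVICES):
    """Return (tainted ETH per service label, tainted ETH still held per address).

    Assumed accounting rule (taint-first): when an address sends funds, its
    tainted balance is considered to leave before any clean balance.
    """
    tainted = defaultdict(float)
    tainted[seed] = seed_amount
    per_service = defaultdict(float)
    for sender, receiver, amount in transfers:
        moved = min(amount, tainted[sender])
        if moved <= 0:
            continue  # sender holds no traced funds; ignore this transfer
        tainted[sender] -= moved
        if receiver in services:
            # Stop at routers, bridges and exchanges: they pool every user's
            # funds, so following their outflows would taint unrelated parties.
            per_service[services[receiver]] += moved
        else:
            tainted[receiver] += moved
    held = {addr: bal for addr, bal in tainted.items() if bal > 0}
    return dict(per_service), held


if __name__ == "__main__":
    flows, held = trace_tainted_flows(SAMPLE_TRANSFERS, "theft_wallet", 200.0)
    print(flows, held)
```

Capping each hop at the sender's tainted balance keeps clean funds that pass through the same deposit address or router out of the per-service totals.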
Hackers Still Hold Over 460,000 ETH
According to on-chain analyst Yu Jin’s observations, following the outbreak of the incident, the Bybit hackers have utilized multiple cross-chain platforms like Chainflip, THORChain, and LiFi to convert approximately 37,900 ETH (worth over $106 million) into other assets, including Bitcoin (BTC). Currently, their address still holds about 461,491 ETH (worth approximately $1.29 billion), totaling 499,395 ETH (worth about $1.4 billion) that has been transferred from Bybit.
The speed at which the Bybit hackers are laundering ETH is quite rapid. Since the laundering began yesterday afternoon, approximately 30 hours later, they have used a large number of addresses to utilize cross-chain exchange platforms such as Chainflip, THORChain, LiFi, DLN, and eXch to convert 37,900 ETH ($10.6 million) into other assets (BTC, etc.).
The Bybit hacker address currently still holds 461,491 ETH ($1.29 billion), which they transferred from Bybit…
— Yu Jin (@EmberCN) February 23, 2025