- Blockchain analysis links the Bybit and Phemex hacks: a shared address was used to launder the crypto funds taken from both exchanges.
- Lazarus Group laundered the stolen ETH through cross-chain bridges and mixers and converted it into Bitcoin in a bid to obscure its origin.
- Chainflip Labs responded by disabling services, but because Chainflip is decentralized, a complete block on illicit transactions on the platform is not possible.
The recent Bybit and Phemex security breaches have drawn further attention after information surfaced linking the two. Researchers, including blockchain researcher ZachXBT, state that the North Korea-associated Lazarus Group was behind the movement and laundering of the stolen funds through multiple crypto services and wallets.
On-Chain Transactions Link Bybit and Phemex Exploits
Blockchain analyst ZachXBT highlighted a direct connection between the Bybit and Phemex exploits. In a recent tweet, he revealed how a common address, 0x33d057af74779925c4b2e720a820387cb89f8f65, was used to commingle funds from the Bybit breach and the Phemex hacks. The Bybit breach involved two major transactions on February 22, 2025, while the Phemex hacks involved corresponding movement on February 20, 2025. The attackers laundered the stolen funds through multiple intermediate wallets to avoid tracking and later cash out.
The transfer pattern indicates a concerted effort to conceal the source of the stolen assets. Attackers tend to use several addresses to mix funds, which makes it harder for authorities and blockchain tracking software to trace the path. The purported involvement of the Lazarus Group also suggests that advanced cybercriminal groups are now targeting large crypto exchanges to finance illegal activities.
Laundering Tactics and Use of Crypto Mixers
According to Wu Blockchain, the Lazarus Group moved the 5,000 ETH stolen in the Bybit exploit to a new address and laundered it through the eXch mixer, a service aimed at anonymizing transaction trails. The group then moved the stolen Ethereum through Chainflip, a decentralized cross-chain bridge, and sold it for Bitcoin. Bybit CEO Ben commented on the attack, urging cross-chain bridge projects to cooperate in halting illegal transfers and preventing future laundering.
The use of crypto mixers and cross-chain bridges is an increasingly serious security issue on the blockchain. These services let attackers break the traceability of the stolen funds' origin. That makes recovering the funds even more challenging, since the attackers can bypass traditional anti-money laundering (AML) measures.
Response from Chainflip Labs and Industry Concerns
Chainflip Labs commented on the issue in a statement, affirming that although they acted swiftly, their decentralized platform does not have the ability to freeze or divert the funds. As a stopgap measure, they temporarily deactivated a couple of frontend features to slow the flow of the stolen funds. They admitted, nevertheless, that an outright block of illicit transactions is still challenging.
The latest attacks highlight the increasing sophistication of crypto attackers and the limits of decentralized systems in stopping illicit activity. Investigators are still tracing the movement of the stolen funds in hopes of tracking down the attackers and recovering the money. The industry is under increasing pressure to adopt new security protocols that balance decentralization with improved protection against hacking and fraud.