March 26, 2025

Bybit Hack: How the Lazarus Group Exploited DeFi Protocols to Launder $400M

Marcus Chua, Product Marketing Manager
Carlos Cortés-Gómez, Data Wizard

Crosschain analysis shows Lazarus leveraged DeFi protocols to launder funds

Bybit, the world’s second-largest exchange by trading volume, recently suffered the largest crypto hack in history. On February 21, 2025, North Korea’s Lazarus Group stole $1.46 billion in Ethereum tokens from Bybit and immediately began laundering the funds to cash out.

While many reports detailed how THORChain, ParaSwap, and token transfers were used to launder funds, we analyzed cross-chain DeFi & DEX activity to shed light on an untold part of the story: the Lazarus Group used DeFi aggregators to discreetly swap $386 million through DeFi protocols.

Though Lazarus laundered one-fifth of the stolen funds ($263M) through PancakeSwap alone, this is the first report on the Bybit hack to highlight the protocol (at the time of writing) and the role of aggregators. Allium’s cross-chain data enabled our wizards to track and visualize every transaction on Ethereum within five layers. Our analysis involved:

  • 13,000 unique wallets,
  • 127,000 transactions,
  • a cumulative volume of $12 billion,
  • 5 hops away from the genesis node.

DeFi projects enable attackers to launder assets pseudonymously

DeFi projects are used for laundering because they do not require KYC (Know Your Customer) verification to transact. DeFi projects allow users to move funds without identity verification – creating a pseudonymous environment where attackers can interact directly with smart contracts. While the IRS recently mandated that front-end DeFi platforms enforce KYC for tax reporting purposes, these regulations won’t be enforced until 2027.

Instead, DeFi projects check an address’s history to determine transaction eligibility. However, these addresses must be flagged manually, and most data providers are too slow to support real-time transaction validation. To identify fraud-connected wallets in real-time, organizations need data that clearly shows all DEX and aggregator activity – such as Allium’s.

Conversely, centralized exchanges (Coinbase, Binance, and Bybit) implement AML (Anti-Money Laundering) controls similar to traditional banks. They require KYC verification, monitor transactions for suspicious patterns, and report unusual activities to regulators – creating clear audit trails linking blockchain addresses to verified identities.

DEX swaps make recovery more challenging and liquidity more available

Basic anatomy of a DEX swap.

A crypto swap is a transaction that results in the direct exchange of one crypto for another, without the need for an intermediary to facilitate the trade.

"Trading on a centralized exchange is facilitated by an intermediary that exchanges your crypto on your behalf. Swapping on a decentralized exchange (like Uniswap Protocol) uses smart contracts to execute your swap, so there is never a third party in control of your funds." – Uniswap

DEX swaps make asset recovery more challenging by dispersing funds across multiple assets, requiring victims and authorities to contact each project separately for freezing.

Additionally, swapping a large amount of one asset for smaller amounts of multiple assets allows attackers to access more liquidity pools to cash out stolen funds.

DeFi aggregators automate this process across multiple DEXs

Basic anatomy of a DEX aggregator.

"DeFi aggregators bring together trades across various decentralized finance platforms into one place. They aim to optimize trades by pulling competitive prices from across the DeFi landscape. DeFi aggregators permit users to analyze and combine other users' trading strategies, which could potentially make the process more efficient and user-friendly." – Coinbase

Attackers used DeFi aggregators to further obscure the flow of funds. They sent stolen funds to these aggregators, which then automatically routed the transactions across multiple DEXs based on algorithmic optimization. PancakeSwap processed the majority ($263M) of these aggregated transactions, followed by SushiSwap ($74 million), Curve ($47 million), and Uniswap ($39 million).

Total USD volume swapped via DeFi projects during Bybit Hack laundering process.
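To make the hop-bounded tracing described earlier (wallets, transactions and volume within five hops of a genesis address) and the per-protocol volume tally concrete, here is an added example; it is not Allium's code or data, and the transfer log, address names, protocol labels and USD values are all constructed:

```python
from collections import deque, defaultdict

# Constructed sample transfer log (not real Bybit-hack data): (tx_hash, from, to, usd_value).
TRANSFERS = [
    ("tx1", "genesis", "wallet_a", 1_000_000.0),
    ("tx2", "genesis", "wallet_b", 500_000.0),
    ("tx3", "wallet_a", "aggregator_x", 900_000.0),
    ("tx4", "aggregator_x", "pancakeswap_router", 600_000.0),  # aggregator routes to two DEXs
    ("tx5", "aggregator_x", "sushiswap_router", 300_000.0),
    ("tx6", "wallet_b", "wallet_c", 500_000.0),
    ("tx7", "wallet_c", "curve_pool", 450_000.0),
    ("tx8", "curve_pool", "wallet_d", 440_000.0),
    ("tx9", "wallet_d", "wallet_e", 430_000.0),
    ("tx10", "wallet_e", "wallet_f", 420_000.0),   # 6 hops out: beyond the cutoff below
    ("tx11", "unrelated", "wallet_z", 99.0),       # never reachable from genesis
]

# Constructed labels standing in for a registry of known protocol contract addresses.
PROTOCOL_LABELS = {
    "pancakeswap_router": "PancakeSwap",
    "sushiswap_router": "SushiSwap",
    "curve_pool": "Curve",
}

def trace(transfers, genesis, max_hops):
    """Breadth-first walk over outgoing transfers from `genesis`, at most `max_hops` edges deep.
    Returns (hop distance per address, included tx hashes, cumulative USD, USD per labelled protocol)."""
    out_edges = defaultdict(list)
    for tx, src, dst, usd in transfers:
        out_edges[src].append((tx, dst, usd))
    hop = {genesis: 0}
    queue = deque([genesis])
    txs, volume, per_protocol = set(), 0.0, defaultdict(float)
    while queue:
        src = queue.popleft()
        if hop[src] >= max_hops:        # do not expand nodes already at the cutoff depth
            continue
        for tx, dst, usd in out_edges[src]:
            txs.add(tx)
            volume += usd
            if dst in PROTOCOL_LABELS:  # credit volume to the protocol the funds were swapped through
                per_protocol[PROTOCOL_LABELS[dst]] += usd
            if dst not in hop:          # first sighting: record shortest hop distance and expand later
                hop[dst] = hop[src] + 1
                queue.append(dst)
    return hop, txs, volume, dict(per_protocol)

if __name__ == "__main__":
    hops, txs, volume, per_protocol = trace(TRANSFERS, "genesis", 5)
    print(len(hops), "wallets,", len(txs), "txs, $%.0f volume," % volume, per_protocol)
```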

Final Thoughts

Now more than ever, crypto enterprises and regulators need comprehensive & up-to-date blockchain data to prevent & detect illicit activity and respond faster to crises.

For more detailed insights, reach out to us at insights@allium.so
