Last updated: 5th March 2025
On February 21st 2025, approximately $1.46 billion in cryptoassets were stolen from Bybit, a Dubai-based exchange. Initial reports suggest that malware was used to trick the exchange into approving transactions that sent the funds to the thief.
This is by far the largest crypto heist of all time, dwarfing the $611 million stolen from Poly Network in 2021 (and the vast majority of these funds were eventually returned by the hacker). In fact this incident is almost certainly the single largest known theft of any kind of all time, a record previously held by Saddam Hussein, who stole $1 billion from the Iraqi Central Bank on the eve of the 2003 Iraq War.
Elliptic has attributed the Bybit theft to North Korea, based on various factors, including our analysis of the laundering of the stolen cryptoassets. North Korea-linked actors have stolen over $6 billion in cryptoassets since 2017, with the proceeds reportedly spent on the country’s ballistic missile program.
This attribution of the theft to North Korea was later confirmed by the FBI.
North Korea has developed a powerful and sophisticated capability to not only breach target organisations and steal cryptoassets, but also to launder these proceeds through thousands of blockchain transactions. Following this theft, Elliptic has been working around the clock with Bybit, cryptocurrency service providers and fellow investigators, to trace the stolen funds and work to prevent them being cashed out.
Elliptic is the leading provider of cryptoasset transaction and wallet screening solutions to businesses worldwide, who are now being alerted by our software if they receive proceeds of this theft. This has already directly led to the seizure of some of the funds stolen from Bybit.
North Korea’s laundering process typically follows a characteristic pattern. The first step is to exchange any stolen tokens for a “native” blockchain asset such as Ether. This is because tokens have issuers who in some cases can “freeze” wallets containing stolen assets, whereas there is no central party who can freeze Ether or Bitcoin.
This is exactly what happened in the minutes following the Bybit theft, with hundreds of millions of dollars in stolen tokens such as stETH and cmETH exchanged for Ether. Decentralised exchanges (DEXs) were used to achieve this, likely to avoid any asset freezing that might be encountered when using a centralised exchange to launder stolen funds.
The second step of the laundering process is to “layer” the stolen funds in order to attempt to conceal the transaction trail. The transparency of blockchains means that this transaction trail can be followed, but these layering tactics can complicate the tracing process, buying the launderers valuable time to cash-out the assets. This layering process can take many forms, including:
North Korea is currently engaged in this second stage of laundering. Within two hours of the theft, the stolen funds were sent to 50 different wallets, each holding approximately 10,000 ETH. These wallets were then emptied one by one over the next nine days.
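The fan-out described above (one source splitting funds into 50 wallets of roughly equal size within two hours, followed by the wallets being emptied one by one) is a structure that transaction monitoring can look for. The following is an added example, not Elliptic's code or method; the transfers, addresses, timestamps and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

T0 = 1_740_000_000  # constructed start time (unix seconds), not from the page

def build_sample():
    """Constructed transfers (time, sender, recipient, ETH); addresses are placeholders."""
    # One source splits funds into 50 wallets of ~10,000 ETH inside two hours.
    txs = [(T0 + 120 * i, "0xSOURCE", f"0xHOLD{i:02d}", 10_000.0 + i % 3) for i in range(50)]
    # Benign contrast: a hot wallet paying many users widely varying amounts.
    txs += [(T0 + 60 * i, "0xHOTWALLET", f"0xUSER{i:02d}", 0.05 * (i + 1) ** 2) for i in range(60)]
    # The holding wallets are emptied on days 1..9 after the split.
    txs += [(T0 + 86_400 * (1 + i % 9), f"0xHOLD{i:02d}", f"0xNEXT{i:02d}", 10_000.0) for i in range(50)]
    return txs

def find_fanouts(txs, window_s=7200, min_recipients=20, tolerance=0.05):
    """Map sender -> recipients for senders that pay at least min_recipients
    distinct wallets near-equal amounts (within tolerance of the window
    median) inside a sliding window of window_s seconds."""
    by_sender = defaultdict(list)
    for ts, src, dst, amt in txs:
        by_sender[src].append((ts, dst, amt))
    hits = {}
    for src, out in by_sender.items():
        out.sort()
        start = 0
        for end in range(len(out)):
            while out[end][0] - out[start][0] > window_s:
                start += 1  # drop transfers that fell out of the window
            win = out[start:end + 1]
            med = median(a for _, _, a in win)
            near = {d for _, d, a in win if abs(a - med) <= tolerance * med}
            if len(near) >= min_recipients and len(near) > len(hits.get(src, ())):
                hits[src] = sorted(near)
    return hits

def still_holding(txs, wallets, as_of):
    """Flagged wallets with no outgoing transfer up to as_of (still worth watching)."""
    spent = {src for ts, src, _, _ in txs if ts <= as_of}
    return [w for w in wallets if w not in spent]

if __name__ == "__main__":
    sample = build_sample()
    flagged = find_fanouts(sample)
    for src, wallets in flagged.items():
        waiting = still_holding(sample, wallets, T0 + 3 * 86_400)
        print(src, len(wallets), "holding wallets,", len(waiting), "not yet emptied on day 3")
```

The equal-amount test is what separates the split from the hot wallet, which pays more recipients in the same window but never at a uniform size.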
Once moved out of these wallets, the funds are being laundered through various services, including DEXs, cross-chain bridges and centralized exchanges. However, one service has emerged as a major and willing facilitator of this laundering. eXch is a cryptocurrency exchange, notable for allowing its users to swap cryptoassets anonymously. This has led to it being used to exchange hundreds of millions of dollars in cryptoassets derived from criminal activity, including multiple thefts perpetrated by North Korea. Despite attempting to conceal this activity, our analysis shows that since the hack, cryptoassets stolen from Bybit worth tens of millions of dollars have been exchanged using eXch. Despite direct requests from Bybit, eXch refused to block this activity, and has earned hundreds of thousands of dollars in fees for exchanging these stolen funds.
The majority of the stolen Ether has now been converted to bitcoin using eXch and other services. As with other North Korea-linked thefts, this bitcoin has now begun to be passed through mixers, to further obfuscate the transaction trail. This process has just begun, but already stolen assets worth hundreds of thousands of dollars have been sent through Cryptomixer and Wasabi Wallet.
Cryptomixer is a traditional, centralised mixer – users’ bitcoin is put in a pot controlled by the mixer operator. Users then withdraw bitcoin with a different source of funds (minus a fee). Cryptomixer is notable for having been in operation since 2016, without being targeted by law enforcement.
Wasabi Wallet operates differently – technically it is a “privacy wallet” rather than a mixer – making use of Coinjoin transactions to conceal the transaction trail. A “coordinator” facilitates this process, but does not take custody of funds.
North Korea is the most sophisticated and well-resourced launderer of cryptoassets in existence, continually adapting its techniques to evade identification and seizure of stolen assets. Beginning minutes after the theft from Bybit, the Elliptic team have been working around the clock with Bybit, our customers and fellow investigators, to trace these funds and prevent the North Korean regime from benefitting from them.
This blog is provided for general informational purposes only. By using the blog, you agree that the information on this blog does not constitute legal, financial or any other form of professional advice. No relationship is created with you, nor any duty of care assumed to you, when you use this blog. The blog is not a substitute for obtaining any legal, financial or any other form of professional advice from a suitably qualified and licensed advisor. The information on this blog may be changed without notice and is not guaranteed to be complete, accurate, correct or up-to-date.
© Copyright Elliptic. Elliptic Enterprises Limited. Registered in England and Wales (number 8458210). VAT registration number 171021261.