Bybit Breach: $3.64M Swapped to DAI

Bybit Hacker Utilizes Decentralized Exchanges to Convert Stolen Funds to DAI

Blockchain analysis has revealed that addresses linked to the Bybit hacker have been actively using decentralized exchanges (DEXs) to trade stolen cryptocurrency for Dai (DAI), a stablecoin that lacks a freeze function, making it a preferred asset for illicit activities.

Recent on-chain records indicate that one of the wallets involved in the $1.4 billion Bybit hack on February 21 has engaged with platforms such as Sky (formerly MakerDAO), Uniswap, and OKX DEX. These interactions suggest a strategic attempt to obscure the movement of funds and avoid asset freezes enforced by centralized issuers.

Bybit Hacker Swaps $3.64M to DAI

According to copy trading platform LMK, the Bybit exploiter transferred approximately $3.64 million worth of Ether (ETH) to a designated address, which was subsequently used to exchange ETH for DAI. Unlike centralized stablecoins such as Tether (USDT) and USD Coin (USDC), which are managed by Tether and Circle respectively, DAI operates on a decentralized framework that does not allow fund freezing. This makes DAI a preferred asset for cybercriminals looking to maintain control over their stolen funds.

Exchange eXch Declines to Freeze Stolen Funds

The Bybit hacker appears to be fragmenting their DAI holdings across multiple wallet addresses. Some of these funds have been deposited directly into the non-Know Your Customer (non-KYC) cryptocurrency exchange eXch, while others have been converted back into ETH.

eXch has been at the center of controversy following the Bybit breach, as it has refused to freeze funds associated with the hack. Unlike other exchanges and DeFi protocols that have cooperated with Bybit by freezing flagged addresses or offering financial support to mitigate losses, eXch has chosen to remain uninvolved.

In a response to Bybit’s request for assistance, eXch stated, “Given the direct attacks on the reputation of our exchange by Bybit over the past year, it is difficult for us to understand the expectation of collaboration at this time.” This email correspondence was later shared on the Bitcointalk forum, further fueling debate over eXch’s stance on cybercrime-related transactions.

Tether CEO Paolo Ardoino confirmed on February 22 that the company had frozen $181,000 in USDT tied to the Bybit hack. However, despite these efforts, some stolen funds continue to evade security measures. Cointelegraph has reported that a transaction linked to the Bybit breach resulted in 30,000 USDC reaching eXch, underscoring the ongoing challenges in tracking and freezing illicit crypto transfers.

Lazarus Group’s Involvement in the Bybit Hack

On-chain investigator ZachXBT has identified the North Korean state-sponsored hacking collective, Lazarus Group, as the primary suspect behind the Bybit hack. The investigation uncovered a shared address used by the Bybit exploiter in previous attacks on cryptocurrency exchanges Phemex and BingX—both of which have been attributed to Lazarus.

Further supporting this connection, ZachXBT highlighted that all three exploits also link back to a common address associated with the Poloniex attack, deepening suspicions of Lazarus Group’s involvement in coordinated cyber thefts targeting centralized and decentralized platforms alike.

Despite mounting evidence, eXch has denied accusations of laundering money for Lazarus Group or any North Korean-affiliated entities. However, cybersecurity expert Nick Bax, a member of the white hat collective Security Alliance, estimates that eXch facilitated the laundering of approximately $30 million for the hackers on February 22 alone.

As investigations continue, industry leaders and regulatory bodies are increasing scrutiny on the role of decentralized finance (DeFi) platforms and non-KYC exchanges in enabling cybercriminals to move and obscure illicit funds. The Bybit hack serves as yet another example of how sophisticated threat actors exploit the anonymity and decentralization of blockchain networks to evade law enforcement and financial restrictions.

Author: Sb
