The February 2025 Bybit hack stands out as the biggest hack in DeFi history. The Lazarus Group compromised a Safe developer’s workstation and used it to display a malicious version of the Safe{Wallet} frontend to Bybit’s signers. One malicious transaction later, Bybit had lost $1.5 billion from its cold, multi-sig wallet.
In addition to being a massive hack, the Bybit incident was also a masterclass in money laundering and obfuscation. The Lazarus Group is a master at laundering crypto on-chain, and the scope of this hack provided them with the perfect opportunity to show off their skills. It also demonstrated how ineffective many exchanges are at protecting against money laundering.
The Challenges of On-Chain AML
In theory, blockchain technology is well-suited to tracking stolen assets and freezing them. The distributed ledger is transparent and accessible, meaning that anyone can see the contents of any transaction and the source of funds. While it may be difficult to get block validators to blocklist a particular transaction, funds can be frozen by the exchanges that provide an off-ramp for converting crypto assets to fiat.
In practice, skilled hackers looking to launder stolen money tend to get away with it, as pointed out by ZachXBT on his Telegram channel. Some of the biggest challenges include the following:
Immutable Transactions
One of the biggest challenges to preventing money laundering on-chain is also one of the key features of blockchain technology. Blockchain transactions are immutable, meaning that Web3 institutions generally can’t “claw back” malicious transactions in the same way that their traditional finance (TradFi) counterparts can.
This is problematic for preventing money laundering because it forces a proactive and preventative approach to freezing funds. If stolen crypto is deposited with an exchange, the exchange has the ability to reject any attempt to withdraw it. However, once the funds are withdrawn, there is little or nothing that it can do to recover them.
Crypto Mixers
One of the main selling points of the blockchain is its transparency. It’s largely possible to track the history of every token on the blockchain from its creation to its current owner.
One of the biggest exceptions to this rule is crypto mixers like Tornado Cash. These tools are deliberately designed to mix transactions from multiple parties together. While you know that tokens entered and exited the mixer, it’s largely impossible to determine the recipient address. As a result, these tools are a favorite of money launderers wishing to break up their trail and conceal the final destination of their stolen assets.
Ineffective KYC
Know Your Customer (KYC) regulations exist in many jurisdictions and are a key part of anti-money laundering (AML) efforts. Financial institutions are required to perform verification of their users’ identities on account creation and alert authorities regarding any suspicious activities on their platforms.
While laudable, these efforts are largely ineffective in the Web3 space for various reasons. Once a user has created a new account with a cryptocurrency exchange, they’re largely trusted until they prove otherwise. The exchange also assumes that the same person is using the account throughout its lifecycle.
However, sophisticated hackers like the Lazarus Group specialize in compromising user credentials via phishing and malware, potentially providing access to legitimate accounts that have completed KYC. Alternatively, they may purchase access to clean accounts to use for their activities.
As a result, KYC’s ability to protect against potential money laundering is limited. Someone willing to steal $1.5 billion in a sophisticated, multi-stage attack won’t balk at stealing or buying an account to launder their funds.
Slow Exchange Reaction Times
Many centralized exchanges are willing to take action to freeze stolen assets after being notified of the theft. This is not only good for establishing goodwill within the Web3 community but is also necessary for compliance with AML laws.
However, the process of freezing assets is not always a fast one. An exchange needs to be notified of the incident, which means that someone with knowledge of the hack needs to get in touch with someone with the power to take action to freeze assets. At the best of times, this could take hours, especially when multiple time zones are in play, and key players may be asleep.
On the other hand, laundering crypto through an exchange tends to take only minutes. As a result, stolen assets can be laundered through an unprepared exchange long before it knows to take action to freeze them.
Decentralized Responsibility
While centralized exchanges may be willing to take action to freeze stolen assets — albeit slowly — decentralized exchanges (DEXs) may not always be willing to. According to ZachXBT, some decentralized protocols are largely supported by money laundering by North Korean hacking groups like the Lazarus Group but disclaim all accountability and responsibility.
The drivers behind this lack of action could be ideological or technological. Decentralized platforms are implemented using smart contracts, meaning that all logic and processes — including the ability to freeze transactions — must be implemented within the code. The functionality used to accomplish this is dangerous and has significant potential for abuse, so a project may not choose to implement it.
Also, a decentralized platform may not want to decide which transactions merit freezing and which don’t. This could be driven by ideological reasons or a desire to avoid accountability for making the wrong decision — whether that’s allowing a transaction or blocking it.
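To make concrete what “implemented within the code” means, here is an added illustrative example (not the code of any real protocol or of Halborn) of a minimal token with a freeze capability. The contract, its `freezer` role and the event names are all hypothetical; the point it shows is that the freeze power necessarily lives behind a privileged key, which is exactly the abuse and centralization risk the paragraph above describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token with an on-chain freeze list (added example).
// Freezing is only possible because the contract grants one address,
// `freezer`, the power to block transfers for any account. If that key is
// compromised or misused, every holder can be frozen; if the project refuses
// to hold such a key, no freeze is possible at all.
contract FreezableToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public frozen;
    address public immutable freezer; // the single privileged key

    event Frozen(address indexed account, bool status);
    event Transfer(address indexed from, address indexed to, uint256 amount);

    constructor(uint256 supply) {
        freezer = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    modifier onlyFreezer() {
        require(msg.sender == freezer, "not freezer");
        _;
    }

    // Privileged action: flag or unflag an account. Emitting an event gives
    // off-chain monitoring a record of every use of this power.
    function setFrozen(address account, bool status) external onlyFreezer {
        frozen[account] = status;
        emit Frozen(account, status);
    }

    // Transfers are refused whenever either party is on the freeze list, so
    // funds already deposited cannot be moved onward once an address is flagged.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(!frozen[msg.sender] && !frozen[to], "account frozen");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}
```

In a real deployment the `freezer` role would typically sit behind a multi-sig or timelock rather than a single externally owned account, which reduces but does not remove the governance and key-compromise risk the article points to.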
The Bottom Line
Crypto has a reputation for being a tool mainly used by criminals, and ineffective KYC/AML controls aren’t helping. When criminals can steal millions on a regular basis and largely get away with it, this doesn’t look good for the industry.
Tracking and recovering assets stolen by sophisticated actors is difficult or impossible, and attacks are irreversible once they happen due to blockchain immutability. The best way to address the problem is to take a proactive, preventative approach.
Halborn offers a range of services designed to help organizations secure their projects at every stage of their lifecycle, from initial ideation to contract deployment and beyond. To learn more about managing the security risks to your project, get in touch.