Analysis: Bybit hackers process funds in the ETH-BTC-fiat currency path, the process may last for several years and gradually turn into selling pressure

On February 22, according to the analysis of Eric Wall, co-founder of Taproot Wizards, the Bybit theft has been basically confirmed to be the work of the North Korean hacker group Lazarus Group. According to the Chainalysis 2022 report, the organization usually follows a fixed pattern in disposing of stolen funds, and the whole process may last for several years. Data from 2022 shows that the organization still holds $55 million in funds from the 2016 attack, indicating that it is not in a hurry to cash out quickly.

Regarding the disposal process of the stolen funds:

Step 1: Convert all ERC20 tokens (including liquid derivatives such as stETH) to ETH;

Step 2: Convert all the ETH obtained to BTC;

Step 3: Gradually convert BTC to RMB through Asian exchanges:

Final use: The funds are said to be used to support North Korea's nuclear weapons and ballistic missile programs;

Analysis points out that Bybit is currently supplementing the ETH gap of about $1.5 billion through borrowing, and this strategy may be based on the expectation of recovering the stolen funds. However, given that it has been confirmed that it was done by the Lazarus Group, the possibility of recovery is extremely low, and Bybit will have to purchase ETH to repay the loan. In the long run, Bybit's purchase of ETH and Lazarus Group's selling of ETH in exchange for BTC may offset each other, and the BTC obtained by Lazarus Group will gradually convert into selling pressure in the next few years.