Main encryption theft includes $ 1.4 billion stolen from Excination bybit, which raises new alarm bells in the digital asset industry.
According to the data gathered by the researchers on the stock exchange and security, about $ 644 million of stolen money – nearly half a total – has disappeared from the monitoring of Blocchain that can be tracked.
These funds were systematically directed through encryption mixing services, which are designed to hide the source and destination of the transactions.
This development The new light sheds how to develop washing methods, especially as the services that have already been punished or claimed are continued to be vague.
The investigation also indicates links with the North Korean merchants group, which took advantage of a laptop of the developer’s laptop in early February.
The exploitation has been enabled through malicious programs that are simulating stock investment and led to a compromise of sensitive accreditation data.
Dominates washing by Wasabi Wallet and Exch
Bybit investigation reveals that $ 247.5 million (about 966 BTC) has been directed through Wasabi Wallet, a Bitcoin portfolio that focuses on privacy that uses Coinjoin to mix transactions.
Another $ 94.1 million was transferred through Excr, a less popular mixing service that announced its closure in April 2025.
However, forensic experts emphasized that Excr remains active through background programming facades, allowing washing to continue most of the standard screens.
Mixing services such as Tornado Cash and Railgun were also used, but to a lesser extent.
TRM LABS confirmed that Tornado Cash was used to wash $ 2.5 million in ETAREUM, while Railgun facilitated $ 1.7 million in Ethereum transactions.
These services work by collecting and redistributing user money in a way that makes tracking almost impossible.
TRM LABS analysts describe washing activity as “very difficult” in tracking due to the method of collecting and redistributing transactions.
Excr activity raises concern after demanding closure
EXCR, in particular, has drawn great attention because of its demand for its closure in April.
Crypto security researchers, including TRM LABS analysts, have confirmed that the back interface of the service is still working.
The continuation of Excr’s infrastructure, even after a public announcement of its closure, added a layer of complexity to the ongoing investigations.
One of the main challenges of the investigators is the full orphaned of these mixers. Transactions become almost impossible as they enter these services.
TRM LABS noticed that due to the mixing of all incoming and issued money together, users or addresses of individuals cannot be identified behind the transport.
This reduces the effectiveness of Blockchain transparent tools, even when applying forensic analysis.
Blame on the Tradertraitor Corean group
What increases the complexity of the issue is the alleged participation of the actors sponsored by the state.
Safe, Wallet Crypto, published details in March 2025, indicating that the North Korean piracy group was behind the original breach.
The infiltrators managed to access the BYBIT boxes after compromising the MacBook developer in Safe.
The attack was carried out by including malware inside the Docker file, as hidden as stock investment simulation.
Once implemented, harmful programs were connected to a suspicious field and installed harmful textual programs that extracted the AWS session.
Then these symbols were used to bypass multiple factors and access to the back interface systems in BYBIT.
Violation occurred in early February and is among the largest theft of cryptocurrencies in 2025.
It has been renewed by the organizers and stimulates discussions on the weaknesses of the Web3 infrastructure, especially the end points of the developers and the adopting access to the cloud.
Post Bybit Hack update: Nearly $ 650 million in stolen Crypto has disappeared for the first time on Invezz
