
Bounty King: Bybit Security Breach – $1.4B Stolen Asset Analysis (Ongoing Investigation 1)

BountyKing

2025.02.23

Bounty King: Investigation Series follows a team of skilled investigators as they navigate the dark world of cybercrime, uncovering hidden digital trails and solving complex mysteries with the power of AI and blockchain technology. Each case takes them deeper into the realm of online fraud, crypto hacks, and digital heists, where bounties fuel the relentless pursuit of truth. With every investigation, they piece together the puzzle—tracing lost assets and exposing the individuals behind the screens. It’s a journey of persistence, intelligence, and teamwork, where every clue brings them one step closer to justice in an ever-evolving digital landscape.


The Bybit hacker is currently laundering funds through platforms like Exch exchange, Chainflip, and Thorchain, converting assets into BTC, ETH, and TRON USDT.


Since many teams worldwide are already tracking the money laundering process and sharing similar information, we will focus on profiling rather than laundering activities.


According to on-chain investigator ZachXBT, one address, , has been linked to transactions from a previous hacking incident involving Phemex, which was connected to the Lazarus Group.


We will dig deeper into this connection.



Source:

https://x.com/zachxbt/status/1893211577836302365


We have verified this information and found it to be credible.


The reason is that while many new addresses are being used for money laundering, this particular address is not new. Its first transaction dates back to November 2024.


Looking at its deposit and withdrawal patterns, it appears to be an automated address within a money laundering cluster. This suggests that some of the laundered funds have overlapped with addresses previously used for laundering.


Based on this, we assume that this wallet is part of an automated money laundering cluster. We are now analyzing patterns of other wallets linked to this address.


During this analysis, we discovered something unusual.


We found that 0x33d057af74779925c4b2e720a820387cb89f8f65 exists on the BSC (Binance Smart Chain) and decided to trace the movement of BNB backward.


By doing so, we were able to track the reverse flow (Figure 1) as follows:

0x33d057af74779925c4b2e720a820387cb89f8f65 → 0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc → 0x543568d6c7b41537eb0bb9ed455e77949f0892ae



Figure 1: Reverse Tracking

We observed the following transactions:

Both wallets show patterns commonly associated with relay wallets used in money laundering.


For example, each wallet has only five transactions in total, with small amounts being transferred, which is a typical characteristic of temporary relay wallets used for one-time fund transfers.




Figure 2: Relay Wallet Pattern


Source: BSC Scan

https://bscscan.com/address/0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc


Continuing our investigation from 0x543568d6c7b41537eb0bb9ed455e77949f0892ae, we found that some funds within this money laundering cluster were received from two centralized exchanges (Figure 3) CoinEx and Gate.io.


Figure 3: CEX Connection for Fund Deposits to the Cluster


The complete transaction trail is as follows:


To gather more details, cooperation from CEXs is required to obtain IP logs, KYC data, and further transaction records. This should be coordinated with law enforcement for verification and further investigation.


Here is the continued transaction trail (Figure 4) from 0x17eef0f69e0cf668ab51b75aab5b944ca09fb3e0:



Figure 4: Full Trail for Reverse Tracking


Here's a structured breakdown of the transaction history:

1) 0x17eef0f69e0cf668ab51b75aab5b944ca09fb3e0 → 0x8fa78148eabcda855f84e98d6568ce9f93c5c8ce

2) 0x8fa78148eabcda855f84e98d6568ce9f93c5c8ce → 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572

3) 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572 → 0xd9cbf4290651ef7f8b4571a55167a414619bd15b

4) 0xd9cbf4290651ef7f8b4571a55167a414619bd15b → 0x543568d6c7b41537eb0bb9ed455e77949f0892ae

5) 0x543568d6c7b41537eb0bb9ed455e77949f0892ae → 0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc

Summary

  • The original transaction of 0.10 BNB was sent from 0x17eef0f6 to 0x8fa78148.
  • The same amount was immediately transferred to 0x672ee9a8.
  • Then, 0.05 BNB was split off and sent to 0xd9cbf429 on Feb 13.
  • That 0.05 BNB was further transferred to 0x543568d6 on Feb 17.
  • Finally, it was moved to 0x9d636e33 on Feb 19.
  • This means the initial 0.10 BNB transaction was divided into two 0.05 BNB transfers, and one of those portions moved through multiple addresses.


This pattern indicates layering in the money laundering process, where small amounts are moved between multiple addresses to obscure the original source of funds.
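The reverse tracking described above (following each hop's incoming transfer back to its sender) and the relay-wallet pattern noted under Figure 2 (very few transactions, funds forwarded almost in full) can both be expressed as a small script. The following is an added example, not the Bounty King team's tooling: the ledger is constructed from the hops, amounts and dates quoted in the post, while the exact timestamps of hops 1 and 2, the amount of the final hop into 0x33d0..., and the 0xaaaa... address standing in for the other 0.05 BNB half are assumptions.

```python
"""Reverse-trace a BNB transfer chain and flag hops that look like relay wallets.

Added example, not the post's own tooling. Timestamps for hops 1-2 and the
last hop, the last hop's amount, and the 0xaaaa... address are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount_bnb: float
    when: datetime


A_SRC = "0x17eef0f69e0cf668ab51b75aab5b944ca09fb3e0"
A_8FA7 = "0x8fa78148eabcda855f84e98d6568ce9f93c5c8ce"
A_672E = "0x672ee9a8db4ce9787752f7ca34b85a1d30f69572"
A_D9CB = "0xd9cbf4290651ef7f8b4571a55167a414619bd15b"
A_5435 = "0x543568d6c7b41537eb0bb9ed455e77949f0892ae"
A_9D63 = "0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc"
A_33D0 = "0x33d057af74779925c4b2e720a820387cb89f8f65"
A_OTHER = "0xaaaa000000000000000000000000000000000001"  # constructed stand-in

# Constructed sample ledger mirroring the five hops listed in the post.
TRANSFERS = [
    Transfer(A_SRC, A_8FA7, 0.10, datetime(2025, 2, 12, 9, 0)),    # time assumed
    Transfer(A_8FA7, A_672E, 0.10, datetime(2025, 2, 12, 9, 5)),   # time assumed
    Transfer(A_672E, A_D9CB, 0.05, datetime(2025, 2, 13, 11, 0)),  # Feb 13
    Transfer(A_672E, A_OTHER, 0.05, datetime(2025, 2, 13, 11, 2)), # other 0.05 half
    Transfer(A_D9CB, A_5435, 0.05, datetime(2025, 2, 17, 14, 0)),  # Feb 17
    Transfer(A_5435, A_9D63, 0.05, datetime(2025, 2, 19, 8, 0)),   # Feb 19
    Transfer(A_9D63, A_33D0, 0.05, datetime(2025, 2, 19, 8, 30)),  # amount/time assumed
]


def build_index(transfers):
    """Index transfers by receiver (incoming) and by sender (outgoing)."""
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for t in transfers:
        incoming[t.receiver].append(t)
        outgoing[t.sender].append(t)
    return incoming, outgoing


def trace_back(transfers, start, max_hops=10):
    """Follow incoming transfers upstream from `start` and return the longest
    time-consistent path, source first. A hop is only followed if it arrived
    no later than the transfer that carried the funds onward."""
    incoming, _ = build_index(transfers)
    best = [start]

    def walk(addr, path, not_after):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        if len(path) - 1 >= max_hops:
            return
        for t in incoming.get(addr, []):
            if t.when > not_after or t.sender in path:  # time order, no cycles
                continue
            path.append(t.sender)
            walk(t.sender, path, t.when)
            path.pop()

    walk(start, [start], datetime.max)
    return list(reversed(best))


def relay_score(transfers, addr, max_tx=5, max_hold_days=7.0):
    """Score `addr` against the relay-wallet pattern: very few transactions in
    total and funds forwarded almost entirely. On a real chain gas fees keep
    the pass-through ratio slightly below 1, hence the 0.9 threshold."""
    incoming, outgoing = build_index(transfers)
    ins, outs = incoming.get(addr, []), outgoing.get(addr, [])
    total_in = sum(t.amount_bnb for t in ins)
    total_out = sum(t.amount_bnb for t in outs)
    pass_through = total_out / total_in if total_in else 0.0
    hold_days = 0.0
    if ins and outs:
        held = max(t.when for t in outs) - min(t.when for t in ins)
        hold_days = held.total_seconds() / 86400
    tx_count = len(ins) + len(outs)
    return {
        "tx_count": tx_count,
        "pass_through": round(pass_through, 3),
        "hold_days": round(hold_days, 2),
        "is_relay": 0 < tx_count <= max_tx
                    and pass_through >= 0.9
                    and hold_days <= max_hold_days,
    }


if __name__ == "__main__":
    for hop in trace_back(TRANSFERS, A_33D0):
        print(hop[:10], relay_score(TRANSFERS, hop))
```

On the constructed ledger the trace from 0x33d0... recovers all six upstream hops back to 0x17ee..., and 0x5435... scores as a relay (2 transactions, full pass-through, held about 1.75 days). The time-ordering check matters on real data: a hub wallet receives many unrelated inputs, and without it the backward walk would wander into deposits that arrived after the traced funds had already left.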


The wallets linked to show some distinct characteristics compared to typical relay wallets.


As seen in the transaction patterns, many small incoming transactions of 0.016 BNB are received from various addresses. These funds are then consolidated into larger amounts such as 0.3 BNB, 0.6 BNB, and 2.354 BNB before being sent out.


This pattern suggests that the wallet might be used for fund aggregation (Figure 5), where small amounts from multiple sources are collected and then distributed in larger transactions. Such behavior is often observed in cases related to money laundering, transaction obfuscation, or automated fund processing. However, further analysis would be needed to determine the exact intent behind these transactions.



Figure 5: Fund Aggregation Pattern


Expanding on this pattern, the transaction flow can be visualized as follows:

On the left side, numerous addresses send small amounts of BNB (e.g., 0.016 BNB) into the wallet. These small transactions are then collected and consolidated before being sent out in larger amounts on the right side (e.g., 0.3 BNB, 0.6 BNB, 2.354 BNB).


This structure suggests a fund aggregation mechanism, where multiple small inputs are gathered and then processed into larger outgoing transactions. This pattern is commonly seen in:

  • Mixing services attempting to obscure the origin of funds
  • Money laundering activities using structured deposits and withdrawals
  • Automated fund distribution for services or payouts


Further investigation into the sources of these small deposits and the destinations of the larger transactions would be necessary to understand the true purpose of this activity (Figure 6).



Figure 6: Full Visual of Fund Aggregation Pattern


When dealing with such a high volume of transactions, it becomes difficult to manually analyze and track all the movement patterns. This is where an AI investigator can be extremely useful.



Figure 7: AI Investigator Support


The AI Investigator's full analysis of wallet 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572 suggests potential money laundering activity based on the following transaction patterns:


AI Investigator response


Upon analyzing the transaction data for the origin address 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572, several patterns emerge that could be considered suspicious or indicative of potentially fraudulent or unusual activity:

  1. High Frequency of Small Incoming Transactions: There is a noticeable pattern of numerous small incoming transactions (negative depths) from various addresses. These could be indicative of a dusting attack, where small amounts of cryptocurrency are sent to a wallet by an attacker in an attempt to deanonymize the wallet by linking it to other accounts or to engage in a phishing attack.
  2. Repeated Transactions Between the Same Addresses: There are several instances where the same addresses appear multiple times in the transaction list, both sending to and receiving from the origin address. For example, address 0x1d3146598721f9380fd3860e960602b782288b7a appears multiple times in both incoming and outgoing transactions with similar amounts. This could suggest a pattern of cycling funds, which might be an attempt to obfuscate the movement of funds (a technique often used in money laundering).
  3. Timing of Transactions: If the transactions are occurring at regular intervals or at specific times that coincide with certain events, this could indicate automated behavior or timing the transactions to avoid detection during low-traffic periods.
  4. Similar Transaction Amounts: Transactions that are consistently for similar amounts, especially if they are just below reporting thresholds, could be indicative of structuring, a technique used to avoid triggering legal reporting requirements and scrutiny.
  5. Rounded Transaction Amounts: Many transactions are for rounded amounts of BNB (e.g., 0.1 BNB, 0.5 BNB), which is unusual for regular transactions but common in artificial transaction patterns.
  6. Direct Reversal of Transactions: Some transactions appear to be directly reversed shortly after they occur. For instance, address 0x1d3146598721f9380fd3860e960602b782288b7a sends 0.1 BNB to the origin and then receives a similar amount back. This could be indicative of wash trading, where an entity trades with itself to create misleading market activity.
  7. Use of Multiple Addresses: The use of a large number of receiving and sending addresses in relation to the origin address could indicate an attempt to disguise the true source or destination of the funds through address hopping.


It is important to note that while these patterns can be indicative of suspicious activity, they do not provide conclusive evidence of wrongdoing. Each pattern would need to be investigated more thoroughly in the context of additional information outside of this dataset. Identifying suspicious patterns is the first step, and each observation would require further analysis and context to determine if there is indeed fraudulent or illegal activity occurring.
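The fund-aggregation pattern shown in Figures 5 and 6 (many 0.016 BNB deposits from distinct senders, consolidated into 0.3, 0.6 and 2.354 BNB outflows) and three of the indicators in the AI Investigator response (repeated counterparties cycling similar amounts, rounded amounts, many small inputs) can be checked mechanically over a wallet's transfer list. The following profiler is an added example, not the post's or the AI Investigator's code: the transfer records are constructed to mirror the amounts the post quotes for 0x672e... and its counterparty 0x1d31..., while the timestamps, the dust-sender addresses, the outflow destinations and the three 1.0 BNB top-ups that make the ledger roughly balance are assumptions.

```python
"""Profile a hub wallet for fund aggregation, cycling and rounded-amount patterns.

Added example, not the post's tooling. Amounts follow the post's description;
timestamps, counterparties other than 0x1d31..., and the 1.0 BNB top-ups are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount_bnb: float
    when: datetime


HUB = "0x672ee9a8db4ce9787752f7ca34b85a1d30f69572"
CYCLER = "0x1d3146598721f9380fd3860e960602b782288b7a"
T0 = datetime(2025, 2, 10, 12, 0)  # assumed start of the observation window


def build_sample():
    """Constructed ledger for HUB: dust deposits, top-ups, one to-and-back
    transfer with CYCLER, and consolidated outflows the following day."""
    txs = []
    for i in range(1, 31):  # 30 dust deposits of 0.016 BNB from 30 distinct senders
        txs.append(Transfer(f"0x{i:040x}", HUB, 0.016, T0 + timedelta(minutes=i)))
    for i in range(1, 4):   # three larger top-ups (assumed, so outflows are funded)
        txs.append(Transfer(f"0x{0xf000 + i:040x}", HUB, 1.0, T0 + timedelta(hours=i)))
    txs.append(Transfer(CYCLER, HUB, 0.1, T0 + timedelta(hours=5)))  # 0.1 BNB in ...
    txs.append(Transfer(HUB, CYCLER, 0.1, T0 + timedelta(hours=6)))  # ... and straight back
    for amt, h in ((0.3, 24), (0.6, 25), (2.354, 26)):               # consolidated outflows
        txs.append(Transfer(HUB, f"0x{0xd000 + h:040x}", amt, T0 + timedelta(hours=h)))
    return txs


def is_round_amount(x, step=0.1):
    """True for whole multiples of `step`, e.g. 0.1, 0.5 or 1.0 BNB."""
    q = x / step
    return abs(q - round(q)) < 1e-9


def profile_wallet(txs, addr, cycle_window=timedelta(hours=24), tolerance=0.10):
    """Return indicator values for `addr`:
    - aggregation: >=10 inputs from >=10 senders, at most a third as many
      outputs, and at least one output >= 10x the median input
    - rounded_count: transfers whose amount is a whole multiple of 0.1 BNB
    - cycling_counterparties: senders that get a similar amount back within
      `cycle_window` (the "direct reversal" pattern)"""
    ins = [t for t in txs if t.receiver == addr]
    outs = [t for t in txs if t.sender == addr]
    median_in = median([t.amount_bnb for t in ins]) if ins else 0.0
    large_outs = [t for t in outs if median_in and t.amount_bnb >= 10 * median_in]
    distinct_senders = len({t.sender for t in ins})
    aggregation = (len(ins) >= 10 and distinct_senders >= 10
                   and len(outs) * 3 <= len(ins) and bool(large_outs))
    rounded = sum(1 for t in ins + outs if is_round_amount(t.amount_bnb))
    cycling = set()
    for i in ins:
        for o in outs:
            if (o.receiver == i.sender
                    and abs(o.amount_bnb - i.amount_bnb) <= tolerance * i.amount_bnb
                    and timedelta(0) <= o.when - i.when <= cycle_window):
                cycling.add(i.sender)
    return {
        "in_count": len(ins),
        "out_count": len(outs),
        "distinct_senders": distinct_senders,
        "median_in_bnb": median_in,
        "large_out_count": len(large_outs),
        "aggregation": aggregation,
        "rounded_count": rounded,
        "cycling_counterparties": sorted(cycling),
    }


if __name__ == "__main__":
    for key, value in profile_wallet(build_sample(), HUB).items():
        print(f"{key}: {value}")
```

On the constructed ledger the hub is flagged for aggregation (34 inputs from 34 senders, 4 outputs, three of them far above the 0.016 BNB median input), 0x1d31... is reported as a cycling counterparty, and 7 of the 38 transfers are round amounts. As the post itself cautions, these are screening indicators: a payout service or a legitimate treasury sweep produces the same shape, so a hit is a reason to pull the counterparties into the graph, not a conclusion.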


Conclusion

To summarize, automated mixing clusters consist of multiple types of wallets, each serving different roles. Some of the identified funds have been deposited from Gate.io and CoinEx, indicating potential exchange interaction.


With this information, Bybit should collaborate with law enforcement agencies for further investigation.

Within these clusters, different wallets serve specific functions:

  • Relay Wallets: Used to transfer funds without holding them for long.
  • Storage Wallets: Hold a portion of the funds temporarily.
  • Distribution Wallets: Collect and redistribute funds.


If overlapping patterns emerge among these wallets, there is a high probability that they are linked to the same group, similar to what ZachXBT described in the Phemex hacking case.


However, based on our extensive investigations, while on-chain data may suggest these wallets belong to the same group, hacking groups and money laundering networks often operate separately.


Multiple organizations frequently collaborate to facilitate illicit transactions, making it essential to conduct deeper profiling to determine which individuals or entities are involved.


We will continue to investigate this case and update the community as we gather more insights.
