Bounty King: Bybit Security Breach – $1.4B Stolen Asset Analysis (Ongoing Investigation 2)

Bounty King: Investigation Series follows a team of skilled investigators as they navigate the dark world of cybercrime, uncovering hidden digital trails and solving complex mysteries with the power of AI and blockchain technology. Each case takes them deeper into the realm of online fraud, crypto hacks, and digital heists, where bounties fuel the relentless pursuit of truth. With every investigation, they piece together the puzzle—tracing lost assets and exposing the individuals behind the screens. It’s a journey of persistence, intelligence, and teamwork, where every clue brings them one step closer to justice in an ever-evolving digital landscape.

In Ongoing Investigation 1, we identified a money laundering network on the BNB Chain by analyzing a shared wallet (0x33d057af74779925c4b2e720a820387cb89f8f65) linked to both Bybit and Phemex. We also tracked the centralized exchanges where some of the laundered funds started off.

In Ongoing Investigation 2, we’ll look deeper into how these connected laundering networks move funds multiple times before making large deposits into CEXs.

For on-chain analysis, the key to proving connections is accurate transaction data. The best way to do this is by tracking transactions (tx), as they clearly show how funds move between wallets.

Our next step is to expand the investigation based on a key fund aggregator address found in Investigation 1: 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572.

Bounty King: Bybit Security Breach – $1.4B Stolen Asset Analysis (Ongoing Investigation 1)

https://community.chainbounty.io/posts/0195352f-55de-7791-aae3-9e6008c8bcb9

On the BNB Chain, this address collects small amounts of BNB from different wallets and then sends them to specific target addresses. The same pattern appears on the Ethereum mainnet, so we’ll check for any unusual withdrawals from this wallet.

We usually start by analyzing withdrawal addresses because the person controlling the wallet actively decides where to send the funds, which gives us clues about their intentions. In contrast, deposit addresses are more passive, making it harder to determine the owner's motives.

This address has also been seen sending 0.03 ETH to multiple wallets (Figure 1) on the Ethereum network.

Figure 1: Outgoing transaction patterns of the fund aggregator wallet on Ethereum

If we look at the types of tokens held by the connected wallets, most of them commonly have stablecoins like DAI and USDT, along with the native coin ETH. Since stablecoins are pegged to a fixed value, they are less volatile.

However, two wallets stand out because they hold different types of tokens:

• 0x264e3ca158787b40798d1f006c0fd6558a203ded –This wallet has a history of holding tokens named Arb.
• 0x27d680edfd1094efa01ba003113e5a6c4e202d59 – This wallet has a history of holding tokens named Polygon ecosystem.

In on-chain analysis, looking at different pieces of information helps us understand the intent behind transactions. In cases like this, the presence of specific tokens in certain wallets can be an important clue. Automated wallets typically do not hold unique tokens unless they are manually operated, making these cases worth further investigation.

For example, 0x264e3ca158787b40798d1f006c0fd6558a203ded received ARB through OKX and later transferred it to Gate.io.(Figure 2)

Figure 2: Suspicious token transfers from CEX to CEX

Transaction Details:

First Transaction

• From: OKX Withdraw Wallet  (0x6cc5f688a315f3dc28a7781717a9a798a59fda7b)
• To: 0x264e3ca158787b40798d1f006c0fd6558a203ded
• Date & Time: August 6, 2024, 04:19 AM (UTC)
• Transaction Hash: 0xe8431526a81a2b9549acbd7ce3f377feb72467052f19ddf36968802eda76c1a3
• Amount: 9.168 ARB

Second Transaction

• From: 0x0ba9161b32a541bf30ac8db6842b9a6904e2d924
• To: Gate.io User Wallet (0x0ba9161b32a541bf30ac8db6842b9a6904e2d924)
• Date & Time: December 28, 2024, 12:57 PM (UTC)
• Transaction Hash: 0x6603d59dad51ade1feb121df40bfd8026ebc67d7147ff1490e94f33fff93650e
• Amount 9.168 ARB

In the previous ongoing investigation, only the withdrawal transaction from the exchange was confirmed. However, the deposit transaction has now also been identified. Therefore, it is important to work with law enforcement to verify the user details associated with these transactions.

It is also confirmed that 0x27d680edfd1094efa01ba003113e5a6c4e202d59 received Polygon from Gate.io.(Figure 3)

• From: Gate.io Withdrawal Wallet (0x0d0707963952f2fba59dd06f2b425ace40b492fe)
• To: 0x27d680edfd1094efa01ba003113e5a6c4e202d59
• Date & Time: November 17, 2024, 07:48 AM (UTC)
• Transaction Hash: 0x99e537e4839c5a4285334828507ba4cdba987d2cd02a95d11094765ee31b2946
• Amount: 107.170 Pol

Figure 3: Suspicious token transfers from CEX 

In this case, after passing through four steps, funds from 0x27d680edfd1094efa01ba003113e5a6c4e202d59 eventually flow into 0x33d057af74779925c4b2e720a820387cb89f8f65, which is an overlapping address(Figure 4) used by both Phemex and Bybit for ETH transactions.

Within the cluster, multiple addresses are interconnected, forming links both forward and backward. 

Therefore, identifying relationships between wallets that follow this pattern is crucial for understanding the overall flow of funds and verifying transactions.

Figure 4: Connection to 0x33d057af74779925c4b2e720a820387cb89f8f65

By following this cluster flow, we can identify addresses with significant transfer in/out activity.

For example, the address 0x24c367c656c9960655936bac8cf8b738a70433dc exhibits such behavior.

Looking at the flow of the wallet 0x264e3ca158787b40798d1f006c0fd6558a203ded, which has a history of transferring ARB from OKX to Gate.io, we can see that after four steps, 140 ETH(Figure 5) was transferred in and out of 0x24c367c656c9960655936bac8cf8b738a70433dc.

Figure 5: Large Distribution Wallet Observation

The overlapping addresses above are also used for fund distribution in money laundering schemes. Based on this, we can infer that relay wallets exist within approximately four steps between the aggregator and the distribution phase.

Now, let's analyze 0x264e3ca158787b40798d1f006c0fd6558a203ded further to identify additional patterns.

Looking at the in/out transaction history of 0x264e3ca158787b40798d1f006c0fd6558a203ded, we can see that the address 0x9ff1b430a699ee6215b315ea8f7892520e14b9cd transferred 140 ETH.(Figure 6) This address shows significant incoming transactions from multiple wallets.

A key observation here is that the 140 ETH was bridged via Debridge, which utilizes OKX’s cross-chain DEX. (Figure 6)

Figure 6: Distribution Wallet Analysis

By examining 0x9ff1b430a699ee6215b315ea8f7892520e14b9cd as the source of these funds, we can clearly (Figure 7) see a connection.

From 0x9ff1b430a699ee6215b315ea8f7892520e14b9cd, a total of 1,141 ETH was split and distributed across eight different addresses. These funds were then swapped cross-chain through Debridge.

In fact, using Debridge for money laundering is a well-known pattern commonly used by groups like Lazarus and other laundering operations.

The following visualization illustrates how large-scale fund distributions are processed.

Figure 7: Large Distribution Wallet operation

Let’s highlight an important point here.

Looking at the source of wallet 0x9ff1b430a699ee6215b315ea8f7892520e14b9cd, which distributes funds through eight wallets via Debridge, we can see multiple records of deposits from CEXs (Figure 8). This is crucial to understand because money laundering networks do not rely solely on DEXs; they often move funds through multiple CEXs as well.

Therefore, the process involves a combination of swaps, cross-chain transfers, and CEX transactions to obscure the fund trail.

By following this report, we can observe how CEXs ultimately serve as the final gateway for money laundering.

Figure 8: Illicit Sources from CEXs

For example, laundered funds from Huobi (HTX) are further distributed across multiple wallets before ultimately reaching the pre-Debridge distribution wallets. This process illustrates how funds are layered and moved to obscure their origins.(Figure 9)

Figure 9: Complex Source from CEXs

Below is the detailed information on 1,140 ETH being sent to Debridge through nine transactions across eight addresses.

This data can be analyzed further using the Debridge Explorer to track how the assets are converted into different cryptocurrencies.

Transaction Summary (Debridge Identified)

1) Transaction Hash: 0x85ae303e13c17c16336cfe7f23f812f074414566d522652a4bb91d8a820077ac

• From: 0xd9274cda8346d25a7e344079594d8e1a1a4d3a02
• To (Debridge): 0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251
• Transaction Time (UTC): 2025-02-06 21:27:47
• Token: ETH
• Amount: 159.984891

2) Transaction Hash: 0x5cf2b00098898c1af5ce7ce240908102edde611906d2eae967e4ddeed75402a9

• From: 0x24c367c656c9960655936bac8cf8b738a70433dc
• To (Debridge): 0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251
• Transaction Time (UTC): 2025-02-06 18:54:35
• Token: ETH
• Amount: 139.981718

3) Transaction Hash: 0x7930109426d980a9de4a29309103d4cde3ddc3ab28a3f259ff69a574b8524976

• From: 0xa7fce5ed6006626bb07749245a9854296a60e2d1
• To (Debridge): 0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251
• Transaction Time (UTC): 2025-02-06 17:36:35
• Token: ETH
• Amount: 137.969672

4) Transaction Hash: 0x6b9434bf9faaf0b7552e002ac687a0e2e596960188a4c1d8c06d1fb980205ec1

• From: 0xcbc18f2c0371a03b25b1ec596b497d1f5a7b54e8
• To (Debridge): 0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251
• Transaction Time (UTC): 2025-02-06 22:22:23
• Token: ETH
• Amount: 76.985214

5) Transaction Hash: 0x8f98c88f6b4b72c257fbc947250921fd82b94739fa422be24bee497378b03d53

• From: 0xbe7a5460d177ca8c89839ba3f900e3b61e4d4d89
• To (Debridge): 0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251
• Transaction Time (UTC): 2025-02-10 12:23:59
• Token: ETH
• Amount: 5.902455

6) Transaction Hash: 0xe225eed10a1dc3b2b06b510c06d7bacd2f69b1043a3b9c8e98d704dc1bf5df06

• From: 0xbe7a5460d177ca8c89839ba3f900e3b61e4d4d89
• To (Debridge): 0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251
• Transaction Time (UTC): 2025-02-10 12:23:11
• Token: ETH
• Amount: 159.905085

7) Transaction Hash: 0xf2a9fa7022e97b6178f36f0ba1d978e2aabd53154d99feef560c3113596c17d9

• From: 0x74851cba5b37cb085b75a16c778a1f74c6b27d3f
• To (Debridge): 0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251
• Transaction Time (UTC): 2025-02-06 19:23:59
• Token: ETH
• Amount: 139.985168

8) Transaction Hash: 0x52d77d0d4a9ec43e6abf23628cd0eadb7c67687530d5030e0da91a43c06f4553

• From: 0x81ceaa93e6c7021276f92da90a62f1cbed802d44
• To (Debridge): 0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251
• Transaction Time (UTC): 2025-02-06 20:48:11
• Token: ETH
• Amount: 160

9) Transaction Hash: 0x634af7279d816d98b6c57311ea7e695cea129f46bb1e92db05357087a3c0dacd

• From: 0x0bd2d8e6f19fe540cb69a6c72ee3e942218c1f86
• To (Debridge): 0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251
• Transaction Time (UTC): 2025-02-06 19:56:59
• Token: ETH
• Amount: 159.985086

For example, a transaction sending 159.984891 ETH in TX 0x85ae303e13c17c16336cfe7f23f812f074414566d522652a4bb91d8a820077ac goes through two conversions:

159.98 ETH → 429,120 USDC (Solana) → 429,120 USDC (BSC). (Figure 10)

Figure 10: Cross-chain swap from ETH to Solana and BSC

Source: https://app.debridge.finance/orders?s=52ptwAmkmMsg7PaQiCexjbJmkEYtA3VZXebTjtrgBoAU

After that, 428,772 USDC is sent from BSC back to deBridge. (Figure 11)

Figure 11: Cross-chain swap from BSC by Debridge

Source: https://bscscan.com/address/0x55788125568c5b22d14c020914b86d9acf753272#tokentxns

After that, 428,772 USDC is sent from BSC to Solana, where it arrives at 428,520 USDC.

Figure 12: Cross-chain swap from BSC to Solana

Source: https://app.debridge.finance/orders?s=0x55788125568c5B22D14C020914b86d9acf753272

This transaction undergoes a total of three cross-chain swaps:

ETH → Solana → BSC → Solana

The final destination wallet is as follows:

The 428K USDC was ultimately deposited into a private wallet:

8rduN4bx1UuYZk1UAhQ31Wt5sKDPTKcPQQc3PJApDNwg

This wallet presents two interesting points:

1. There is a history of deposits and withdrawals involving approximately 428K USDC from a wallet that the community refers to as Wintermute. (Figure 13)
2. However, we cannot definitively confirm that this wallet belongs to Wintermute, a globally recognized market maker and OTC trading firm.

Figure 13: Final Wallet on Solana

Source: https://intel.arkm.com/explorer/address/8rduN4bx1UuYZk1UAhQ31Wt5sKDPTKcPQQc3PJApDNwg

If multiple sources, including the community and Arkham Intelligence, label the wallet as Wintermute, this becomes particularly noteworthy.

• If the owner of this wallet was involved in money laundering, they likely completed KYC verification at some point.
• Wintermute, if indeed associated with the wallet, would have access to relevant KYC information.

Next Steps for Law Enforcement

To establish the facts, law enforcement should consider reaching out to Wintermute for verification. If the wallet is indeed tied to them, they may hold crucial KYC data that could assist in further investigation.

By tracing the nine initial ETH transactions sent to deBridge, we can observe that all funds eventually consolidate into a single exchange wallet.

Destination Exchange Wallet

• OKX Deposit Wallet: HK7RDBzzBfhSr8DWxgLtwKA62zAzf3iUtsVsw54tAv5f
• This wallet started receiving funds on February 4, approximately three weeks ago.
• It has a total deposit history of 3.37M USDC.

This indicates that the source funds were aggregated and transferred to OKX(Figure 14), making it a key point of interest for further investigation.

Figure 14: OKX User Wallet

Source: https://explorer.bitquery.io/solana/address/HK7RDBzzBfhSr8DWxgLtwKA62zAzf3iUtsVsw54tAv5f?from=2024-02-01&till=2025-02-25

This OKX deposit wallet has been actively receiving funds since February 4, 2025, accumulating a total deposit of 3.37M USDC. This wallet serves as the final destination for the traced transactions, consolidating funds from multiple cross-chain transfers.

Based on multiple findings, we analyzed Large Distribution Wallets using fund aggregator addresses linked to money laundering clusters previously identified on Phemex and Bybit.

Conclusion & Next Steps for Law Enforcement and Exchanges

1. Large-Scale Money Laundering Activity Confirmed

The investigation has identified a clear pattern of cross-chain money laundering, where stolen funds were transferred through three separate cross-chain swaps before being deposited into a specific OKX wallet. This structured movement of funds suggests the involvement of an organized laundering network designed to obscure the origins of stolen assets.

2. Suspicious Transactions Involving a Wallet Labeled as "Wintermute"

One of the laundering wallets has transaction records linking it to a wallet that Arkham Intelligence and the community have labeled as "Wintermute." However, we cannot confirm with certainty that this wallet actually belongs to Wintermute, which is a global market maker and OTC firm. If this wallet is indeed linked to Wintermute, this could be a key point of investigation, as companies like Wintermute are required to follow strict KYC and compliance regulations. Unlike anonymous or fake KYC accounts on exchanges, firms like Wintermute typically collect verified identity data on their clients. If law enforcement confirms this connection, Wintermute could possess important identity records related to the individuals involved in these transactions. There is a high chance this wallet has been mislabelled as open-source information identifying the wallet with Wintermute has never once cited any evidence.

3. 3.37M USDC Deposited into an OKX Wallet from a Laundering Network

A wallet on OKX has received 3.37 million USDC since February 4, 2025, with transactions that strongly match known laundering methods. Given the timing and pattern of transfers, this wallet is highly likely connected to the Phemex hack.

Analyzing other wallets with similar transaction behaviors on OKX and other exchanges could reveal additional laundering accounts and transactions.

We will continue to work on the investigation and will share further information.