Source: Beosin
On the evening of February 21, 2025, the cryptocurrency trading platform Bybit suffered a massive hacker attack, with over 400,000 ETH and stETH worth more than $1.5 billion being transferred to unknown addresses. This event not only shocked the entire cryptocurrency industry but also sparked deep reflections on anti-money laundering (AML) and the security of decentralized finance (DeFi) platforms.
And today, Beosin Trace has detected that the Infini project has also been attacked, with an estimated loss of $50 million. The investigation is ongoing. The Infini hacker has so far converted 49.5 million DAI into approximately 17,700 ETH and transferred them to the new address 0xfcc8a...6e49.
In the Bybit incident, as the hackers used cross-chain exchange platforms and DeFi protocols to launder the stolen funds, how to effectively track and intercept these illicit funds has become a focus of industry attention.
Review of the Bybit Incident: Hacker Attack and Money Laundering
On the evening of February 21, Bybit was hacked and the attackers transferred out ETH and stETH worth over $1.5 billion. The hackers then began swapping the stolen assets into other cryptocurrencies (such as BTC) through cross-chain swap services such as Chainflip, THORChain, LiFi and DLN, the non-KYC exchange eXch, and DeFi protocols, splitting the funds across many paths in an attempt to obscure their trail.
Although Bybit responded immediately and worked with multiple parties to freeze part of the stolen funds (a total of $42.89 million), the hackers moved the funds very quickly, spreading them across many addresses and cross-chain protocols, which made tracking and interception extremely difficult. As of February 24, 2025, Beosin Trace has observed that the hackers are still moving assets, with funds flowing to the OKX DEX and to cross-chain protocols such as THORChain (via its Router contract).
The Dilemma of Anti-Money Laundering in the Crypto Industry
The hackers used cross-chain exchange platforms and DeFi protocols' liquidity to disperse the funds to multiple addresses and blockchain networks, making traditional blacklist mechanisms and simple fund tracing tools ineffective. The main challenges currently faced in the field of anti-money laundering are as follows:
1. Complexity of Cross-Chain Transfers
The hackers moved the stolen assets to other blockchain networks through cross-chain swap platforms (such as THORChain and Chainflip), making the funds harder to trace. Each such hop breaks the single-chain trail: the deposit on the source chain has to be matched to the corresponding payout on the destination chain, which single-chain explorers and blacklists do not do, and traditional anti-money laundering tools struggle to cover multi-chain environments.
2. Address Dispersion and Rapid Replacement
The hackers used a large number of fresh addresses for their transfers, and a traditional blacklist cannot be updated quickly enough, so some funds escape monitoring. Generating a new address costs nothing and requires no on-chain action, so hackers can script the creation of addresses in batches, and a purely reactive list is always a step behind.
3. Anonymity of DeFi Protocols
The permissionless, pseudonymous nature of DeFi protocols means hackers can use them freely for fund transfers. For example, a hacker can swap the funds on a decentralized exchange (DEX) for other tokens and spread the output over many addresses, and because the swap is settled from a shared liquidity pool, compliance staff find it hard to tell normal transactions from illicit ones.
4. Abuse of Non-KYC Exchanges
According to The Block, the non-KYC centralized exchange eXch was accused of assisting the hackers in money laundering in the Bybit incident. Although eXch denied the accusation, its ETH trading volume experienced an abnormal surge after the incident, increasing from the usual 800 ETH to 20,000 ETH in the past 24 hours. The eXch team acknowledged that "a small portion of the funds from the Bybit hacker attack eventually entered our addresses," but claimed it was an "isolated case." This event highlights the lack of anti-money laundering measures in non-KYC exchanges.
How to Build a Firewall for Decentralized Platforms
Facing increasingly complex hacker attacks and money laundering activities, DeFi platforms need more powerful tools to identify and intercept risky funds. KYT (Know Your Transaction) tools designed specifically for the blockchain industry can help platforms effectively address challenges similar to the Bybit incident. The following are key measures to build a firewall for DeFi platforms:
1. Automated Risk Fund Identification and Tracing
In the Bybit incident the hackers repeatedly moved funds through cross-chain swap platforms and DeFi protocols, and the liquidity pools of these platforms largely hold ordinary users' funds. If every platform the funds touched were simply marked high-risk, compliance staff would be swamped with false alarms that interfere with normal anti-money laundering work. A KYT tool instead needs to identify the specific inflows to those addresses that originate from the hacker, mark only those as high-risk, and help the platform freeze the relevant assets. For example, Beosin KYT uses algorithmic analysis of on-chain data to follow fund flows in real time, identify the addresses and transactions linked to the hackers, and ensure that the tainted funds do not slip out of monitoring.
2. Precise Identification of Risky Funds in Cross-Chain and DeFi Transactions
Hackers move funds through the liquidity pools of cross-chain swap platforms and DeFi protocols, where they are commingled with normal users' funds, and compliance staff struggle to separate the two. Traditional anti-money laundering tools often cannot accurately identify risky funds in such transactions. KYT tools need to pinpoint the tainted funds in cross-chain and DeFi transactions without labelling ordinary users' funds in the same pools as high-risk. For example, in the Bybit incident the hackers moved funds through THORChain and the OKX DEX. Beosin KYT traces the funds upstream of these protocols, identifies the transactions linked to the hackers, and avoids interfering with normal users' funds.
Beosin KYT product screenshot
3. Labeling and Monitoring of High-Risk Exchanges and Addresses
In the Bybit incident the hackers used many addresses and cross-chain protocols, and a traditional blacklist could not be updated quickly enough, so some funds escaped monitoring. Beosin KYT has labelled a number of high-risk exchanges and addresses based on the transaction patterns of this incident. By monitoring these high-risk addresses in real time, platforms can act quickly to freeze the relevant assets and stop the hackers from moving the funds further.
4. Collaborative Defense: Sharing High-Risk Address Information
The hackers' transfer paths usually span multiple platforms and protocols, and no single platform's anti-money laundering measures can cope with such complex fund flows on their own. We recommend that decentralized protocol projects and centralized exchanges share hacker-related address information through a dedicated internal channel. This collaborative defense lets platforms block the hackers' fund flows and freeze the relevant assets quickly. For example, when Beosin Trace observes the hacker address 0xfc926659dd8808f6e3e0a8d61b20b871f3fa6465 starting to move assets, the receiving platforms can immediately freeze the funds from that address and prevent them from flowing further.
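The distinction drawn in measures 1 and 2 (flag the hacker's deposit into a pool, not the pool's other users) and the screening described in measures 3 and 4 can be made concrete with a taint-propagation model. The block below is an added example written for this article; it is not Beosin's code and does not reproduce Beosin KYT. Every address, amount and threshold in it is constructed for illustration and none of it is the real Bybit flow. It replays a list of transfers in order under two models: "haircut", where an outflow carries taint in proportion to the sender's tainted share at that moment, and "poison", the blacklist-style rule where any address that ever touched tainted funds passes on full taint. A screening function then decides, per incoming transfer, whether to freeze, review or clear it.

```python
# Added example (not Beosin's code): haircut vs. poison taint propagation over
# a constructed transfer list, with a screening decision per incoming transfer.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

NO_PATH = 10**9  # hop count meaning "no seed-derived value reached here"

@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: float  # ETH-equivalent units; the list is assumed chronological

@dataclass
class Exposure:
    balance: float = 0.0  # value currently held at the address
    tainted: float = 0.0  # part of that balance traced back to a seed
    hops: int = NO_PATH   # shortest transfer path from a seed address

    @property
    def share(self) -> float:
        return min(1.0, self.tainted / self.balance) if self.balance > 0 else 0.0

@dataclass(frozen=True)
class Flow:
    transfer: Transfer
    tainted_amount: float  # value in this transfer attributed to a seed
    hops: int              # transfers between the seed and this receiver

def propagate(transfers: Iterable[Transfer], seeds: Iterable[str],
              model: str = "haircut") -> Tuple[Dict[str, Exposure], List[Flow]]:
    """Replay transfers in order and attribute seed-derived value to each.

    haircut: an outflow carries taint in proportion to the sender's tainted share
             at that moment, and the taint leaves the sender with it.
    poison:  once an address has received any taint, every later outflow counts
             as fully tainted (the blacklist behaviour behind the false alarms).
    """
    state: Dict[str, Exposure] = defaultdict(Exposure)
    seed_set = set(seeds)
    for s in seed_set:
        state[s].hops = 0
    flows: List[Flow] = []
    for t in transfers:
        src, dst = state[t.src], state[t.dst]
        if t.src in seed_set:
            ratio = 1.0
        elif model == "haircut":
            # value sent beyond the observed balance is taken to be older, clean funds
            ratio = src.tainted / max(src.balance, t.amount) if src.tainted > 0 else 0.0
        elif model == "poison":
            ratio = 1.0 if src.tainted > 0 else 0.0
        else:
            raise ValueError(f"unknown taint model {model!r}")
        moved = t.amount * ratio
        if model == "haircut":
            src.tainted = max(src.tainted - moved, 0.0)
        src.balance = max(src.balance - t.amount, 0.0)
        dst.balance += t.amount
        dst.tainted += moved
        hops = src.hops + 1 if moved > 0 else NO_PATH
        dst.hops = min(dst.hops, hops)
        flows.append(Flow(t, moved, hops))
    return state, flows

def screen(flow: Flow, freeze_at: float = 0.9, review_at: float = 0.01) -> str:
    """Decision for one incoming transfer, e.g. a deposit arriving at an exchange.
    The thresholds are illustrative policy knobs, not values from the article."""
    share = flow.tainted_amount / flow.transfer.amount
    if flow.hops == 1 or share >= freeze_at:
        return "freeze"  # straight from a labelled address, or almost all tainted
    if share >= review_at:
        return "review"  # commingled exposure: hold for analyst review
    return "clear"

# Constructed sample: the exploiter hops to a fresh address and deposits into a
# pool that also holds two ordinary providers' liquidity; the pool then pays a
# CEX deposit address and an unrelated user swapping through the same pool.
HACKER = "0xhacker"  # constructed stand-in for a labelled exploiter address
POOL = "0xpool"      # constructed stand-in for a DEX / bridge liquidity pool
TRANSFERS = [
    Transfer("0xlp_a", POOL, 900.0),
    Transfer("0xlp_b", POOL, 100.0),
    Transfer(HACKER, "0xhop1", 1000.0),
    Transfer("0xhop1", POOL, 1000.0),
    Transfer(POOL, "0xcex_deposit", 500.0),
    Transfer(POOL, "0xuser_c", 500.0),
]

def decisions(model: str) -> Dict[str, str]:
    """Screen every constructed transfer under one model, keyed 'src->dst'."""
    _, flows = propagate(TRANSFERS, [HACKER], model)
    return {f"{f.transfer.src}->{f.transfer.dst}": screen(f) for f in flows}
```

Calling `decisions("haircut")` freezes the hacker's hop and its deposit into the pool, leaves the two liquidity providers clear, and sends the two pool payouts to review with a 50% tainted share, since the hacker supplied half of the pool at that moment. `decisions("poison")` freezes both payouts outright, including the unrelated user, which is the false-alarm pattern the measures above are meant to avoid. The example works on a single chronological list; in practice the list has to be assembled first by matching each bridge or swap deposit to its payout on the destination chain, and the freeze/review thresholds are a policy choice for the platform, not a property of the model.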
In Conclusion
These security incidents once again remind us that decentralized platforms still face huge challenges in terms of security and anti-money laundering. Hackers use cross-chain exchange platforms and DeFi protocols for fund transfers, making traditional blacklist mechanisms and simple fund tracing tools ineffective. Anti-money laundering is not only a regulatory requirement but also the cornerstone of the sustainable development of the crypto sector. Only through technological innovation and industry collaboration can we truly achieve the goal of "building a firewall" and provide safer digital asset services to global users.