
Advanced Transaction Monitoring: How Blockchain Analytics Traced $1.5 Billion in Stolen Ethereum Across Multiple Chains

When North Korea’s Lazarus Group executed the $1.5 billion Bybit hack on February 21, 2025, the speed and sophistication of the subsequent laundering operation presented an unprecedented challenge for blockchain analysts. Within 48 hours, $160 million had already moved through intermediary wallets, decentralized exchanges, and cross-chain bridges. By February 23, that figure exceeded $200 million. This tutorial examines the advanced transaction monitoring techniques used to trace stolen funds across multiple blockchains — essential knowledge for security researchers, compliance professionals, and anyone building on-chain monitoring systems.

The Objective

The goal of cross-chain transaction monitoring is to maintain visibility over funds as they move across different blockchain networks, through various DeFi protocols, and into different token formats. In the Bybit case, stolen Ethereum was converted into multiple cryptocurrencies, routed through Binance Smart Chain and Solana networks, and dispersed across hundreds of wallets. The objective is to trace these movements in real time, identify the destination of stolen funds, and generate actionable intelligence for law enforcement and exchanges to freeze recoverable assets.

Prerequisites

To follow this walkthrough, you should have familiarity with blockchain explorers (Etherscan, BscScan, Solscan), basic understanding of Ethereum transaction structure (from address, to address, value, gas, input data), and awareness of how decentralized exchanges and cross-chain bridges operate. Access to professional blockchain analytics platforms such as TRM Labs, Chainalysis, or Elliptic will provide the most comprehensive monitoring capabilities, but the techniques described here can also be implemented using public blockchain data and open-source tools.

Understanding the context is critical: at the time of the hack, Ethereum traded at $2,659.66 and Bitcoin at $96,125.54, according to CoinMarketCap. The 401,347 ETH stolen was a volume large enough to leave a significant on-chain footprint regardless of the laundering techniques employed. This scale actually aided monitoring efforts: moving billions through DeFi protocols inevitably leaves traces on public blockchains, because every swap, bridge deposit and transfer is a public transaction that cannot be deleted.

Step-by-Step Walkthrough

Step 1: Establish source wallets and initial tagging. Begin by identifying the wallet addresses that received the stolen funds directly from Bybit’s compromised cold wallet. In the Bybit case, TRM Labs quickly identified and tagged these addresses as “Hacked” and “Stolen Funds,” establishing a dedicated tracking entity labeled “Bybit Exploiter Feb 2025.” This initial tagging creates the foundation for all subsequent monitoring. Use blockchain explorers to document every transaction from the compromised wallet, recording destination addresses, amounts, timestamps, and transaction hashes.

Step 2: Map the first-hop distribution. Track where funds move from the initial receiving wallets. The Lazarus Group typically disperses stolen funds across multiple intermediary wallets within hours of the initial theft. Monitor each destination wallet for outgoing transactions, building a tree structure that maps the flow of funds. Pay particular attention to transactions interacting with DEX contracts (Uniswap, PancakeSwap, 1inch), bridge contracts (across Ethereum, BSC, Solana), and mixing services.

Step 3: Track cross-chain movements. When funds move through a bridge, they leave the source chain and reappear on the destination chain as a different token: ETH bridged to BSC becomes a BEP-20 pegged ETH token, and ETH bridged to Solana becomes a wrapped ETH SPL token. The transaction hash on the source chain is not the hash on the destination chain, so the two legs cannot be joined by hash alone. Each bridge records a lock (or burn) event on the source chain and a release (or mint) event on the destination chain; correlate the two using the bridge's own identifier for the transfer (a nonce, message ID or deposit ID carried in the event data), the amount, the recipient address, and a plausible time window. The Bybit launderers deliberately used multiple bridges to fragment the trail, which forced analysts to run parallel monitoring across several chains at the same time.

Step 4: Identify conversion patterns. Watch for token swaps on DEXs that convert stolen assets into different cryptocurrencies. The Lazarus Group’s strategy in the Bybit case involved converting portions of the stolen ETH into stablecoins (USDT, USDC), privacy-focused assets, and wrapped tokens across multiple chains. Each swap creates two on-chain records — the input token transfer and the output token receipt — which can be correlated to maintain the trail. Automated monitoring scripts using DEX aggregator APIs can flag swaps involving addresses previously tagged as suspicious.

Step 5: Flag exchange deposits and freeze requests. The ultimate goal of monitoring is identifying when stolen funds reach centralized exchanges, where they can potentially be frozen before withdrawal. Set up alerts for any tagged address interacting with known exchange deposit wallets. The faster these interactions are identified, the greater the chance that exchange compliance teams can freeze the incoming funds. In the Bybit case, this race against time was particularly challenging given the volume and speed of the laundering operation.
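The five steps above fit in one small tracer. The following is an added example written for this tutorial, not code from the article, from TRM Labs or from any other vendor: it tags seed addresses, walks outgoing transfers hop by hop, follows a DEX swap only through the output transfer in the same transaction (so other users of the router stay clean), joins a bridge lock to its release on the other chain by nonce, amount and time window instead of by hash, and stops with an alert when funds land on a labelled exchange deposit wallet. All addresses, hashes, amounts and labels are constructed placeholders; a real deployment would feed it from an explorer or indexer API and an analyst-maintained label database.

```python
"""Cross-chain fund-flow tracer over constructed transfer records.
Added example, not code from the article or any analytics vendor. Addresses,
hashes, labels and amounts are made up; real input would come from an indexer
(Etherscan/BscScan/Solscan APIs) plus the analyst's own entity-label database."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Transfer:
    chain: str
    tx_hash: str
    src: str
    dst: str
    token: str
    amount: float
    ts: int                              # unix seconds
    bridge_nonce: Optional[int] = None   # set on bridge lock / release events

# Analyst-maintained labels keyed "chain:address" (constructed for the example)
LABELS = {
    "eth:0xDEX1": ("dex", "DEX router"),
    "eth:0xBRIDGE_ETH": ("bridge", "ETH->BSC bridge lock contract"),
    "bsc:0xBRIDGE_BSC": ("bridge", "ETH->BSC bridge release contract"),
    "bsc:0xCEXDEP1": ("exchange_deposit", "CEX deposit wallet"),
}

def key(chain, addr):
    return f"{chain}:{addr}"

def kind_of(k):
    return LABELS.get(k, ("wallet", ""))[0]

def correlate_bridge(transfers, max_delay=3600):
    """Join a source-chain lock with its destination-chain release. Tx hashes differ
    per chain, so the join uses the bridge nonce, the amount and a time window.
    Returns {source-chain sender -> destination-chain recipient}."""
    locks = [t for t in transfers if t.bridge_nonce is not None and kind_of(key(t.chain, t.dst)) == "bridge"]
    rels = [t for t in transfers if t.bridge_nonce is not None and kind_of(key(t.chain, t.src)) == "bridge"]
    hops = {}
    for lock in locks:
        for rel in rels:
            if (rel.chain != lock.chain and rel.bridge_nonce == lock.bridge_nonce
                    and abs(rel.amount - lock.amount) < 1e-9
                    and 0 <= rel.ts - lock.ts <= max_delay):
                hops[key(lock.chain, lock.src)] = key(rel.chain, rel.dst)
    return hops

def trace(transfers, seeds, max_hops=8, bridge_delay=3600):
    """Breadth-first walk of outgoing transfers from tagged seed addresses.
    Returns (tainted, alerts): tainted maps "chain:address" -> hop count from a seed;
    alerts lists (kind, label, tx_hash, token, amount) for DEX/bridge/CEX hits."""
    out = {}
    for t in transfers:
        out.setdefault(key(t.chain, t.src), []).append(t)
    hops = correlate_bridge(transfers, bridge_delay)
    tainted = {s: 0 for s in seeds}
    alerts = []
    queue = deque(seeds)

    def visit(k, depth):
        if k not in tainted:
            tainted[k] = depth
            queue.append(k)

    while queue:
        cur = queue.popleft()
        depth = tainted[cur] + 1
        if depth > max_hops:
            continue
        for t in out.get(cur, []):
            dst = key(t.chain, t.dst)
            kind, label = LABELS.get(dst, ("wallet", ""))
            if kind != "wallet":
                alerts.append((kind, label, t.tx_hash, t.token, t.amount))
            if kind == "dex":
                # Only the swap output in the same tx inherits taint; the router's
                # other users must not (the false-positive trap).
                for o in out.get(dst, []):
                    if o.tx_hash == t.tx_hash:
                        visit(key(o.chain, o.dst), depth)
            elif kind == "bridge":
                # Skip the contract itself; continue from the correlated release recipient.
                if cur in hops:
                    visit(hops[cur], depth)
            elif kind == "exchange_deposit":
                pass  # terminal: custodial venue, this is where the freeze request goes
            else:
                visit(dst, depth)
    return tainted, alerts

# Constructed sample: the seed fans out, swaps on a DEX, bridges to BSC, and one hop
# lands on a CEX deposit wallet. An unrelated user swaps on the same router.
SAMPLE = [
    Transfer("eth", "0xh1", "0xBYBIT_COLD", "0xEXPLOITER", "ETH", 401347.0, 1740000000),
    Transfer("eth", "0xh2", "0xEXPLOITER", "0xINT1", "ETH", 10000.0, 1740000600),
    Transfer("eth", "0xh3", "0xINT1", "0xDEX1", "ETH", 4000.0, 1740001200),
    Transfer("eth", "0xh3", "0xDEX1", "0xINT1", "USDT", 10600000.0, 1740001200),
    Transfer("eth", "0xh4", "0xINT1", "0xBRIDGE_ETH", "ETH", 5000.0, 1740002000, bridge_nonce=77),
    Transfer("bsc", "0xb1", "0xBRIDGE_BSC", "0xINT1_BSC", "ETH", 5000.0, 1740002900, bridge_nonce=77),
    Transfer("bsc", "0xb2", "0xINT1_BSC", "0xCEXDEP1", "ETH", 5000.0, 1740003600),
    Transfer("eth", "0xh9", "0xRANDOMUSER", "0xDEX1", "ETH", 2.0, 1740001300),
    Transfer("eth", "0xh9", "0xDEX1", "0xRANDOMUSER", "USDT", 5300.0, 1740001300),
]

TAINTED, ALERTS = trace(SAMPLE, ["eth:0xEXPLOITER"])
```

Running it on the constructed sample taints only the exploiter, the intermediary wallet and its BSC counterpart, and raises three alerts in order: the DEX swap, the bridge lock, and the CEX deposit that a freeze request would target. The unrelated user who swapped on the same router is never tainted, and neither is the router or bridge contract. Two design choices matter in practice: the bridge join tolerates the delay described in the Troubleshooting section through `bridge_delay`, and the hop limit stops the walk from fanning out across the whole chain when a wallet with a long history is hit.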

Troubleshooting

Several challenges commonly arise during cross-chain monitoring. Bridge delays can create temporary gaps in the fund trail — transactions may take minutes or hours to complete, during which the funds appear to vanish from both chains. Use bridge-specific explorers and API endpoints to track pending transfers. Privacy mixers like Tornado Cash can break deterministic tracing, though the $1.5 billion volume in the Bybit case exceeded the practical capacity of most mixing services. When mixers are encountered, heuristic analysis — looking at timing patterns, amounts, and behavioral fingerprints — can provide probabilistic attributions even when deterministic tracing fails.

Another common issue is false positives during address clustering. Many users interact with the same DEX contracts and bridges, so not every transaction from a flagged address necessarily involves stolen funds. Context matters: the size, timing, and pattern of transactions should be evaluated holistically rather than treating every interaction as suspicious in isolation.
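One common way to weigh the size dimension of that holistic evaluation is proportional, or "haircut", taint: rather than marking every downstream address as fully tainted, each address carries the share of its balance that traces back to the hack, and an outgoing transfer passes that share on pro rata. The code below is an added example, not from the article or any vendor; the transfers and addresses are constructed placeholders, and the compromised wallet is identified by a name chosen for the example. Timing and behavioural fingerprints would be separate scores layered on top of this one.

```python
"""Proportional ("haircut") taint scoring over a constructed fund-flow history.
Added example, not from the article. Transfers are replayed in time order; each
address keeps a balance and the part of it that traces back to the hack, and an
outgoing transfer carries taint in proportion to that share."""

def haircut_scores(transfers, hack_source):
    """transfers: iterable of (ts, src, dst, amount), any order.
    hack_source: the compromised wallet; all of its outflows count as 100% dirty.
    Returns {address: (dirty_value, balance, taint_fraction)} for every address
    that ever received value. Spending beyond the balance we know about is
    treated as clean funds of unknown origin (incomplete history)."""
    bal, dirty = {}, {}
    for ts, src, dst, amount in sorted(transfers):
        if src == hack_source:
            moved = amount
        else:
            b = bal.get(src, 0.0)
            moved = amount * (dirty.get(src, 0.0) / b) if b > 0 else 0.0
            bal[src] = max(b - amount, 0.0)
            dirty[src] = max(dirty.get(src, 0.0) - moved, 0.0)
        bal[dst] = bal.get(dst, 0.0) + amount
        dirty[dst] = dirty.get(dst, 0.0) + moved
    return {a: (dirty[a], bal[a], dirty[a] / bal[a] if bal[a] > 0 else 0.0) for a in bal}

def flagged(scores, min_fraction=0.05, min_dirty=1.0):
    """Addresses worth an alert: enough of their balance is dirty AND the absolute
    dirty amount is material. Both thresholds are policy knobs, not fixed values."""
    return sorted(a for a, (d, b, f) in scores.items() if f >= min_fraction and d >= min_dirty)

# Constructed sample (ts, src, dst, amount in ETH): a wallet that already held 900
# legitimate ETH receives 100 stolen ETH, then forwards 500 to an exchange.
SAMPLE = [
    (1, "0xLEGIT_FUND", "0xMIXED", 900.0),
    (2, "0xBYBIT_COLD", "0xEXPLOITER", 1000.0),
    (3, "0xEXPLOITER", "0xMIXED", 100.0),
    (4, "0xEXPLOITER", "0xINT2", 800.0),
    (5, "0xMIXED", "0xCEXDEP", 500.0),
]

SCORES = haircut_scores(SAMPLE, "0xBYBIT_COLD")
```

On the sample, the intermediary that received the full 800 ETH scores 1.0, while the mixed wallet and the exchange deposit it fed score 0.1: the deposit still deserves a look, but it is not the same signal as a wallet funded entirely from the hack, and a threshold of 0.5 drops it from the alert list. The trade-off is that a launderer can dilute taint deliberately by mixing stolen funds into large legitimate balances, which is why the absolute dirty amount is checked alongside the fraction.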

Mastering the Skill

Advanced transaction monitoring is an evolving discipline that requires continuous learning. Stay current with new laundering techniques — the Lazarus Group’s shift from traditional mixers to multi-chain DEX routing in the Bybit case demonstrates how quickly tactics evolve. Build relationships with other analysts and compliance professionals through industry forums and working groups. Experiment with open-source blockchain analysis tools like Blockscout, Dune Analytics, and custom scripts that combine on-chain data with off-chain intelligence. The cat-and-mouse game between hackers and analysts will only intensify as the crypto ecosystem grows, making transaction monitoring expertise one of the most valuable and in-demand skills in the blockchain security profession.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


8 thoughts on “Advanced Transaction Monitoring: How Blockchain Analytics Traced $1.5 Billion in Stolen Ethereum Across Multiple Chains”

- the article mentions BSC and Solana as destination chains. Wonder how many centralized exchanges ended up with the washed tokens without knowing.
  - chainhop_sleuth: laserbeam most CEXes have pretty weak deposit screening. By the time tokens hit a hot wallet the trail is already cold.
- cross-chain monitoring is severely underfunded compared to the scale of the problem. Most compliance teams are playing catch-up.
  - underfunded is an understatement. Most teams have like 3 people monitoring chains while hackers have entire state-sponsored units.
- the cross-chain bridge exploitation is the real problem. Every new L2 and sidechain adds another laundering route.
  - every bridge is basically a laundering ATM. Compliance teams are years behind the cross-chain mixing techniques.
