Presented at DEF CON 33 (2025), Aug. 9, 2025, 10 a.m. (45 minutes).
Cryptocurrency is everywhere now. Billion-dollar companies are built on it, entire economies run on Bitcoin, and cybercriminals love using it to finance their operations or hide stolen money. Cryptocurrencies promise anonymity, yet blockchain transactions are fully public, which makes it tricky to hide funds.
In February 2025, the Bybit breach exposed two advanced attack vectors. First, a third-party wallet tool was compromised through malicious JavaScript injected into its logic, allowing attackers to manipulate smart contract behavior. Second, a SAFE Wallet developer was tricked through social engineering into running a fake Docker container, giving attackers persistent access to his machine.
With control established, they hijacked proxy contracts and executed stealth withdrawals of ETH and ERC-20 tokens. The stolen assets were laundered through decentralized exchanges, split across multiple wallets, bridged to Bitcoin, and passed through mixers like Wasabi Wallet.
So how do attackers manage to launder crypto, and how can we stop them? Using the 1.46 billion dollar Bybit hack by North Korea’s Lazarus Group as a case study, this talk breaks down each laundering step and explains how to automate tracking and accelerate investigations using AI.
Presenters:
- Thomas "fr0gger_" Roccia
Thomas Roccia is a Senior Security Researcher at Microsoft with over 15 years of experience in the cybersecurity industry. His work focuses on threat intelligence and malware analysis.
Throughout his career, he has investigated major cyberattacks, managed critical outbreaks, and collaborated with law enforcement while tracking cybercrime and nation-state campaigns. He has traveled globally to respond to threats and share his expertise.
Thomas is a regular speaker at leading security conferences and an active contributor to the open-source community. Since 2015, he has maintained the Unprotect Project, an open database of malware evasion techniques. In 2023, he published Visual Threat Intelligence: An Illustrated Guide for Threat Researchers, which became a bestseller and won the Bronze Foreword INDIES Award in the Science & Technology category.