Where’s my crypto, Dude? The Ultimate Guide to Crypto Money Laundering
2025-08-09,
Microsoft
https://media.defcon.org/DEF%20CON%2033/DEF%20CON%2033%20presentations/Thomas%20Roccia%20-%20Where%E2%80%99s%20My%20Crypto%2C%20Dude%20The%20Ultimate%20Guide%20to%20Crypto%20Money%20Laundering%20%28and%20How%20to%20Track%20It%29.pdf
Thomas Roccia - Where’s My Crypto, Dude The Ultimate_DRjKi72.pdf, 56.2 MB
#Bybit #MoneyLaundering #Slides
Contents
Where’s my crypto, Dude?
The Ultimate Guide to Crypto Money Laundering
(and how to track it)
Thomas Roccia | @fr0gger_
Sr. Threat Researcher @ Microsoft
Las Vegas - Aug 7-10
WHOAMI
What we will cover
Overview of the ByBit Case Study
Crypto Money Laundering techniques
Investigation Methods
Can we track the money with an AI Agent?
The ByBit Case
$1.46 BILLION
STOLEN • FEBRUARY 21, 2025
The ByBit Case
The Timeline

1. FEB 02, 2025 - Initial Access: Safe{Wallet} developer's workstation compromised via a Docker project.
2. FEB 5-17, 2025 - Reconnaissance: AWS infrastructure mapping; web interface deployment pipeline identified; preparation for code injection.
3. FEB 20, 2025 - JS Code Injection: code injection; manipulated transaction visualization; preserved malicious parameters; standard token transfer disguise.
4. FEB 21, 2025 - Funds Transfer: delegatecall to attacker's contract; initial damage: $1.46B; funds moved via sweep functions to attacker wallets.
5. FEB 21, 2025 - Response: unusual transaction alerts; security team mobilized; malicious code removed post-exploitation; emergency protocols activated.
What happened in detail?

Diagram labels recovered from the slide:

- Bybit Cold Wallet (Ethereum multisig, Safe{Wallet})
- Blind Signing
- Off-chain Attack: Safe{Wallet}
  - Monitoring: tracked execTransaction()
  - Tampering: modified data live
  - The code ran only when Bybit’s Ethereum multisig cold wallet was accessed.
- Attacker’s Contract: 0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4
  - Deployed a spoofing contract with a function that can overwrite slot 0. Goal: change masterCopy.
  - Runs inside proxy context via delegatecall.
- Proxy (label truncated on the slide): "… storage and delegates execution to …"
- execTransaction() operation field: 0 = CALL, 1 = …
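The slide names two mechanics without spelling them out: the proxy's masterCopy lives in storage slot 0, and execTransaction() carries an operation field where 0 is CALL and 1 is DELEGATECALL, so a delegatecall runs the target's code inside the proxy's own storage. The following is an added illustration for this write-up, not code from the presentation or from Safe{Wallet}: a toy model of those two semantics, plus the two checks a signer or monitor can apply (flag operation=1 to an unapproved target; compare the displayed transaction with the one actually being signed). The attacker contract address is the one quoted on the slide; every other address is a constructed placeholder, and the function names are my own.

```python
"""Toy model of the two Safe{Wallet} mechanics the slide relies on.

Added illustration for this write-up, not the presentation's code. It models
only what the slide states: the proxy keeps its masterCopy address in storage
slot 0, execTransaction() carries an `operation` field where 0 = CALL and
1 = DELEGATECALL, and a delegatecall runs the target's code inside the proxy's
own storage context. All addresses except the attacker contract quoted on the
slide are constructed placeholders.
"""

CALL, DELEGATECALL = 0, 1

# Address quoted on the slide (attacker's contract in the Bybit case).
ATTACKER_CONTRACT = "0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4"
# Constructed placeholders, not real deployments.
PROXY_ADDRESS = "0x" + "cc" * 20
TOKEN_CONTRACT = "0x" + "bb" * 20
LEGIT_MASTER_COPY = "0x" + "aa" * 20
NEW_MASTER_COPY = "0x" + "ee" * 20


class Contract:
    """Minimal account: an address, code (a Python callable) and a storage dict."""

    def __init__(self, address, code=None, storage=None):
        self.address = address
        self.code = code
        self.storage = storage if storage is not None else {}


def execute(caller, target, operation, calldata):
    """Run target.code with CALL or DELEGATECALL semantics.

    CALL: the code runs against the target's own storage.
    DELEGATECALL: the code runs against the caller's storage, so a write to
    slot 0 lands in the proxy and replaces its masterCopy.
    """
    if operation == CALL:
        target.code(target.storage, calldata)
    elif operation == DELEGATECALL:
        target.code(caller.storage, calldata)
    else:
        raise ValueError(f"unknown operation {operation}")


def overwrite_slot0(storage, calldata):
    """The spoofing contract from the slide: one function that writes slot 0."""
    storage[0] = calldata["new_master_copy"]


def master_copy_after(operation):
    """Return the proxy's masterCopy after routing one transaction to the
    attacker contract with the given operation value."""
    proxy = Contract(PROXY_ADDRESS, storage={0: LEGIT_MASTER_COPY})
    attacker = Contract(ATTACKER_CONTRACT, code=overwrite_slot0)
    execute(proxy, attacker, operation, {"new_master_copy": NEW_MASTER_COPY})
    return proxy.storage[0]


def review_exec_transaction(tx, approved_delegate_targets=frozenset()):
    """Defender-side checks on the execTransaction() fields the slide names
    (to, operation). Returns a list of findings; an empty list is clean."""
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("operation=1 (DELEGATECALL): target code runs in the wallet's own storage")
        approved = {a.lower() for a in approved_delegate_targets}
        if tx["to"].lower() not in approved:
            findings.append(f"delegatecall target {tx['to']} is not an approved module")
    return findings


def display_mismatches(displayed, signed):
    """Blind-signing check: compare what the UI showed with what is actually
    being signed. Returns the names of the fields that differ, sorted."""
    return sorted(k for k in ("to", "value", "operation") if displayed.get(k) != signed.get(k))


if __name__ == "__main__":
    print("after CALL         ->", master_copy_after(CALL))          # masterCopy unchanged
    print("after DELEGATECALL ->", master_copy_after(DELEGATECALL))  # masterCopy replaced
    # Constructed sample: the UI shows a plain token transfer, the payload is a delegatecall.
    shown = {"to": TOKEN_CONTRACT, "value": 0, "operation": CALL}
    actual = {"to": ATTACKER_CONTRACT, "value": 0, "operation": DELEGATECALL}
    print("mismatched fields:", display_mismatches(shown, actual))
    print("findings:", review_exec_transaction(actual))
```

The point the model makes is that the same spoofing code is harmless under CALL (it only writes its own storage) and decisive under DELEGATECALL, which is why operation=1 to anything outside an allowlist of known modules deserves a hard stop at signing time, and why the displayed transaction must be compared field by field with the hash actually being signed rather than trusted from the web UI.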