A hacker responsible for the recent $1.4 billion Bybit exploit has been moving stolen assets through decentralized exchanges (DEXs) to convert them into Dai (DAI), a stablecoin that lacks a freeze function.

Blockchain data shows that wallets tied to the Bybit breach have interacted with Sky (formerly MakerDAO), Uniswap, and OKX DEX. Copy trading platform LMK reported that the hacker transferred $3.64 million worth of ETH to a single address, which was then swapped for DAI. Unlike centralized stablecoins such as USDT and USDC, DAI is not controlled by an issuing entity, making it a preferred asset for illicit activities.

Adding to the controversy, the hacker has been splitting the stolen DAI into multiple wallets, with some funds being funneled into the non-KYC crypto exchange eXch. Other portions have been swapped back into ETH. Despite increasing scrutiny, eXch has refused to freeze the hacker’s funds, unlike other exchanges that have cooperated with Bybit to mitigate losses.

In an email leaked on Bitcointalk, eXch defended its stance, citing previous disputes with Bybit. Meanwhile, Tether CEO Paolo Ardoino confirmed that the company had frozen $181,000 in USDT linked to the hack, though some transactions have slipped through, including a 30,000 USDC deposit to eXch.

Blockchain investigator ZachXBT has reinforced suspicions that North Korea’s Lazarus Group orchestrated the Bybit attack. The same addresses were reportedly involved in breaches of Phemex, BingX, and Poloniex—further implicating the state-backed hacking syndicate.

Despite mounting pressure, eXch denies any role in laundering funds for Lazarus or other illicit actors. The incident highlights ongoing vulnerabilities in the crypto sector and the challenges of enforcing security measures in decentralized finance.