North Korea's Crypto Hackers Stole $2.8B Since 2024 Using Sophisticated Laundering


Introduction: A New Era of State-Sponsored Crypto Crime

In a stark revelation that underscores the evolving threat landscape of digital assets, a multinational sanctions monitoring body has reported that North Korea has stolen a staggering $2.83 billion in cryptocurrency since the beginning of 2024. This illicit windfall, driven by sophisticated cyberattacks and an intricate, multi-stage laundering apparatus, is funding a significant portion of the isolated nation’s foreign operations. The findings, detailed by the Multilateral Sanctions Monitoring Team (MSMT), highlight not just a dramatic escalation in the scale of theft but a professionalization of the money-laundering processes that follow. With over half of this sum—$1.64 billion—stolen in the first three quarters of 2025 alone, the report signals an urgent and growing challenge for global security and the crypto industry.


Hacking Revenue Fuels One-Third of Nation’s Foreign Currency

The MSMT, a coalition of 11 countries including the United States, South Korea, and Japan established in October 2024 to enforce UN Security Council sanctions, provided a critical context for these figures. The team stated, “North Korea’s virtual asset theft proceeds in 2024 amounted to approximately one-third of the country’s total foreign currency income.” This direct linkage between cybercrime and national revenue reveals the strategic importance of these operations for the Pyongyang regime, which faces stringent international economic sanctions.

The acceleration of these activities is particularly alarming. While $1.19 billion was stolen throughout the entirety of 2024, the figure for just the first nine months of 2025 surged to $1.64 billion. This represents an increase of over 50% year-over-year, and this comparison does not even include the final quarter of 2025, suggesting the annual total could be substantially higher. This trend indicates a rapidly scaling and highly successful criminal enterprise operating with state-level resources and impunity.

The Bybit Hack and the TraderTraitor Syndicate

A significant contributor to the 2025 surge was the February 2025 hacking of the global cryptocurrency exchange Bybit. The MSMT attributed this attack to TraderTraitor, one of North Korea’s most sophisticated hacking organizations. The investigation into the breach uncovered a methodical approach that focused on exploiting third-party service providers rather than launching a direct assault on the exchange's core systems.

The attackers first collected information on SafeWallet, the multi-signature wallet provider used by Bybit. They then gained unauthorized access to internal systems through targeted phishing emails. Once inside, they deployed malicious code to disguise external fund transfers as internal asset movements, a tactic that allowed them to hijack control of the cold wallet’s smart contract. The MSMT noted that this preference for targeting third-party service providers connected to exchanges has been a common thread in major hacks linked to North Korea over the past two years.
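One defensive control against a transfer that is displayed as internal but pays out externally is to re-derive the real recipient from the raw transaction fields before signing. The sketch below is an added example, not code from the MSMT report, Bybit or SafeWallet; the addresses, the allowlists and the `Proposal` structure are constructed assumptions, while the ERC-20 `transfer` selector and the call/delegatecall `operation` values are standard.

```python
# Added example (not from the MSMT report): re-check a proposed multisig
# transfer from its raw fields instead of trusting the label a UI displays.
from dataclasses import dataclass

ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
OP_CALL = 0  # Safe transaction `operation`: 0 = call, 1 = delegatecall

# Constructed sample addresses and allowlists (assumptions, not real wallets).
COLD, WARM = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN, OUTSIDE = "0x" + "aa" * 20, "0x" + "ee" * 20
INTERNAL, TOKENS = {COLD, WARM}, {TOKEN}

@dataclass
class Proposal:
    label: str      # what the signing interface claims, e.g. "internal"
    to: str         # outer destination address
    data: bytes     # raw calldata
    operation: int  # 0 = call, 1 = delegatecall

def transfer_calldata(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(recipient, amount); used to build the samples."""
    return (ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:])
            + amount.to_bytes(32, "big"))

def erc20_recipient(data: bytes):
    """Recipient of a well-formed ERC-20 transfer call, else None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER or any(data[4:16]):
        return None
    return "0x" + data[16:36].hex()

def review(p: Proposal) -> list:
    """Return reasons to refuse signing; an empty list means no objection."""
    findings = []
    if p.operation != OP_CALL:
        findings.append("operation is not a plain call")
    dest = p.to.lower()
    if dest in TOKENS:
        dest = erc20_recipient(p.data)  # funds go to the inner recipient
        if dest is None:
            findings.append("token call is not a plain transfer")
    elif p.data:
        findings.append("unexpected calldata for a native transfer")
    if p.label == "internal" and dest is not None and dest not in INTERNAL:
        findings.append(f"labelled internal but pays {dest}")
    return findings

HONEST = Proposal("internal", TOKEN, transfer_calldata(WARM, 5), 0)
DISGUISED = Proposal("internal", TOKEN, transfer_calldata(OUTSIDE, 5), 0)
DELEGATE = Proposal("internal", OUTSIDE, b"\x01\x02\x03\x04", 1)

if __name__ == "__main__":
    for name, p in (("honest", HONEST), ("disguised", DISGUISED), ("delegate", DELEGATE)):
        print(name, review(p))
```

The check is only useful when it runs on a path independent of the interface that rendered the proposal, for example on the signer's own device against the bytes actually being signed.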

The Nine-Step Laundering Mechanism

Perhaps more revealing than the thefts themselves is the elaborate process North Korea uses to launder and liquidate its illicit gains. The MSMT detailed a meticulous nine-step laundering mechanism designed to obfuscate the trail of stolen funds and convert them into untraceable fiat currency:

  1. Initial Swap: Attackers immediately swap the stolen assets for other cryptocurrencies, such as Ethereum (ETH), on a Decentralized Exchange (DEX).
  2. First Mixing: The ETH is then ‘mixed’ using privacy-focused services like Tornado Cash, Wasabi Wallet, or Railgun to break the connection to the original theft.
  3. Bridge Conversion: The mixed ETH is converted to Bitcoin (BTC) via cross-chain bridge services.
  4. Cold Storage Move: The BTC is moved to a cold wallet after briefly passing through accounts on centralized exchanges.
  5. Dispersion and Second Mixing: The assets are dispersed to different wallets and often undergo a second round of mixing.
  6. Swap to TRX: The BTC is swapped for TRX (the native token of the Tron network) using bridge services and peer-to-peer (P2P) trades.
  7. Stablecoin Conversion: The TRX is converted to the stablecoin USDT (Tether).
  8. OTC Transfer: The USDT is transferred to an Over-the-Counter (OTC) broker.
  9. Final Cash-Out: The OTC broker liquidates the USDT into local fiat currency.

This complex chain demonstrates a deep understanding of blockchain forensics and counter-measures, leveraging multiple blockchains, privacy tools, and asset types to create a labyrinthine money trail.
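For tracing teams, the nine stages can serve as an ordered typology to compare against a followed fund flow. The sketch below is an added example, not tooling from the MSMT report; the category labels and the sample trace are constructed, and it assumes an upstream attribution step has already labelled each hop.

```python
# Added example: align a traced fund flow with the nine stages listed above.
# Category labels are hypothetical and assumed to come from upstream attribution.
STAGES = [
    ("dex_swap", "1 initial swap"),
    ("mixer", "2 first mixing"),
    ("bridge_btc", "3 bridge conversion"),
    ("cex_hop", "4 cold storage move"),
    ("mixer", "5 dispersion and second mixing"),
    ("swap_trx", "6 swap to TRX"),
    ("swap_usdt", "7 stablecoin conversion"),
    ("otc_deposit", "8 OTC transfer"),
    ("fiat_out", "9 final cash-out"),
]

def match_stages(hops):
    """Longest in-order alignment (LCS) of STAGES with the hop categories.

    Returns {stage name: index of the hop that matched it}; unrelated hops
    and missing stages are tolerated, but order must be preserved."""
    want = [cat for cat, _ in STAGES]
    seen = [h["category"] for h in hops]
    n, m = len(want), len(seen)
    best = [[0] * (m + 1) for _ in range(n + 1)]  # best[i][j]: LCS of suffixes
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if want[i] == seen[j]:
                best[i][j] = 1 + best[i + 1][j + 1]
            else:
                best[i][j] = max(best[i + 1][j], best[i][j + 1])
    matched, i, j = {}, 0, 0
    while i < n and j < m:  # walk the table to recover one optimal alignment
        if want[i] == seen[j]:
            matched[STAGES[i][1]] = j
            i, j = i + 1, j + 1
        elif best[i + 1][j] >= best[i][j + 1]:
            i += 1  # stage not observed in this trace
        else:
            j += 1  # hop unrelated to the typology
    return matched

def coverage(hops):
    """Fraction of the nine stages observed in order."""
    return len(match_stages(hops)) / len(STAGES)

# Constructed trace: first mixing not observed, two unrelated transfers.
TRACE = [{"category": c} for c in (
    "dex_swap", "transfer", "bridge_btc", "cex_hop", "transfer",
    "mixer", "swap_trx", "swap_usdt", "otc_deposit")]

if __name__ == "__main__":
    print(match_stages(TRACE), round(coverage(TRACE), 2))
```

Because the alignment is order-preserving, the single mixer hop in the sample is credited to the second mixing stage rather than the first, which keeps the bridge and exchange hops that precede it in the match.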

Global Network Facilitates Cash-Out

The final and most critical stage—converting large volumes of crypto into usable fiat currency without detection—relies on a global network of intermediaries in third-party countries. The MSMT report identified facilitators based in China, Russia, and Cambodia.

The report named specific Chinese nationals, including Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology, as well as P2P trader Wang Yicong. These individuals allegedly cooperated with North Korean entities by providing fraudulent identification documents and facilitating the asset laundering process. Russian intermediaries were similarly implicated, specifically in the liquidation of approximately $60 million stolen from the Bybit hack.

Furthermore, the Cambodian financial service provider Huione Pay, part of the Huione Group, was utilized for laundering operations. The MSMT stated, “A North Korean national maintained a personal relationship with Huione Pay associates and cooperated with them to cash out virtual assets in late 2023.” In response to concerns raised by the MSMT in October and December 2024 regarding Huione Pay’s activities supporting UN-designated North Korean cyber hackers, the National Bank of Cambodia refused to renew the company’s payment license. Despite this regulatory action, the report notes that Huione Pay continues to operate within the country.


Conclusion: An Unabating Threat Demanding a Coordinated Response

The MSMT report paints a clear picture: North Korea has institutionalized cryptocurrency theft as a primary tool for revenue generation, backed by a laundering infrastructure that rivals those of major criminal organizations in its sophistication and global reach. The dramatic year-over-year increase in stolen value confirms that existing security measures at exchanges and DeFi protocols are being systematically overcome.

For participants in the crypto ecosystem, from institutional investors to individual traders, this report serves as a critical reminder of the persistent threats that exist beyond market volatility. It underscores the necessity for enhanced security protocols, particularly around third-party service providers and internal communication systems vulnerable to phishing.

Looking ahead, the international community's next steps will be crucial. The effectiveness of bodies like the MSMT in tracking these flows and pressuring intermediary nations and companies will be a key metric to watch. The continued operation of named entities like Huione Pay despite official sanctions highlights the challenges in enforcement. The crypto industry's battle is no longer just against anonymous hackers; it is against a determined nation-state with a proven playbook for theft and laundering, making global cooperation and relentless vigilance non-negotiable priorities for 2025 and beyond.
