This summary text is fully AI-generated and may therefore contain errors or be incomplete.
Introduction
North Korea has systematically stolen billions in cryptocurrency through sophisticated hacking operations, according to a new multinational report. These illicit funds are being funneled directly into the country’s weapons of mass destruction programs. Western agencies and private firms are increasingly adapting their defenses against this growing threat.
Key Points
- North Korea's IT worker program has expanded to at least 8 countries including China and Russia, with plans to send up to 40,000 workers to Russia in violation of UN sanctions
- Western agencies and private firms have recovered tens of millions in cryptocurrency from the February Bybit hack and are implementing better detection systems
- Stolen crypto funds are directly financing North Korea's weapons of mass destruction and ballistic missile programs through purchases of military equipment
The Scale of North Korea's Crypto Theft
North Korea has stolen a staggering $2.84 billion in cryptocurrency since January 2024, with at least $1.65 billion taken between January and September alone, according to the Multilateral Sanctions Monitoring Team. The MSMT, which includes participation from the United States, Japan, Germany, France, Canada, Australia and other Western nations, found that much of this year’s theft resulted from February’s massive Bybit hack. These figures underscore the systematic nature of Pyongyang’s crypto-hacking activities, which the report describes as “a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia.”
The DPRK’s cyber operations represent one of the most significant threats to the cryptocurrency ecosystem, with stolen funds directly supporting the country’s weapons programs. Andrew Fierman, Head of National Security Intelligence at blockchain analytics firm Chainalysis, emphasized that “these actors were designated for their involvement in schemes that funnel DPRK IT worker-derived revenue to support DPRK weapons of mass destruction and ballistic missile programs.” The systematic nature of these operations demonstrates North Korea’s evolving capability to exploit digital financial systems for military funding.
The IT Worker Network Expansion
Beyond direct hacking, North Korea has developed a sophisticated international IT worker program that violates UN Security Council Resolutions 2375 and 2397, which explicitly forbid the employment of North Korean workers abroad. The MSMT report details how this program has expanded into at least eight countries, including China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria and Tanzania. Between 1,000 and 1,500 DPRK workers were based in China alone, with Pyongyang planning to send as many as 40,000 workers to Russia.
This expansion represents a strategic move to generate additional revenue streams while evading international sanctions. The IT worker program supplements the country’s hacking activities by providing cover for cyber operations and creating additional channels for financial transfers. The scale of this operation, particularly the planned deployment to Russia, indicates North Korea’s determination to circumvent sanctions through multiple parallel approaches, creating a complex challenge for international enforcement agencies.
Western Response and Recovery Efforts
Despite the growing sophistication of North Korean operations, Western agencies and private firms are increasingly adapting to the threat. Andrew Fierman of Chainalysis noted that “while North Korea-linked hackers represent a significant threat, law enforcement, national security agencies and private sectors’ ability to identify associated risks and fight back is growing.” This improved capability was demonstrated in August when the U.S. Office of Foreign Assets Control sanctioned a fraudulent IT worker network linked to the DPRK.
Recovery efforts have shown tangible results, with tens of millions of dollars worth of cryptocurrency recovered from February’s Bybit hack. Private sector companies are playing a crucial role in this defense, with Binance’s chief security officer revealing that the exchange discards resumes from North Korean attackers on a daily basis. Similarly, Kraken’s efforts in May 2025 demonstrated the private sector’s increasing effectiveness in identifying DPRK IT worker threats. These coordinated efforts between government agencies and private companies represent a significant advancement in combating state-sponsored crypto crime.
Weapons Program Funding and Future Threats
The ultimate destination of stolen cryptocurrency reveals the grave implications of North Korea’s activities. According to Fierman, “The MSMT report details how these funds are being used to procure everything from armored vehicles to portable air-defense missile systems.” This direct connection between crypto theft and weapons procurement creates what Fierman describes as “a dangerous feedback loop between their financial crimes and military capabilities.”
Looking forward, Fierman and Chainalysis recommend comprehensive countermeasures including “implementing comprehensive blockchain monitoring, developing enhanced due diligence for IT contractor hiring, deploying advanced threat detection systems, maintaining regular security audits, and establishing clear protocols for large transactions.” The involvement of multiple cybersecurity firms in the MSMT report—including Google Cloud’s Mandiant, DTEX, Palo Alto Networks, Upwork and Sekoia.io—demonstrates the collaborative approach needed to address this complex threat. As Fierman emphasized, “Data-sharing initiatives, government advisories, real-time security solutions, advanced tracing tools, and targeted training can empower stakeholders to quickly identify and neutralize malicious actors while building the resilience needed to safeguard crypto assets.”
📎 Read the original article on decrypt.co
