This summary text is fully AI-generated and may therefore contain errors or be incomplete.
Introduction
North Korean hackers have stolen $2.83 billion in cryptocurrency since January 2024, accounting for nearly one-third of the country’s foreign currency income, according to a new report from the Multilateral Sanctions Monitoring Team. The operation escalated sharply in 2025: hackers stole $1.64 billion in the first nine months alone, a 50% increase from the previous year. The report also describes an increasingly sophisticated money laundering network and growing collaboration with Russian cybercriminals that threatens global financial security.
Key Points
- North Korea's crypto theft represents nearly one-third of the country's total foreign currency income in 2024
- Hackers use a sophisticated 9-step laundering process involving DEXs, mixers, and OTC brokers across multiple countries
- The MSMT coalition of 11 countries is calling for UN Security Council action to restore expert monitoring of North Korean cyber activities
The Scale of North Korea's Crypto Heist Operation
The Multilateral Sanctions Monitoring Team (MSMT), a coalition of 11 countries formed in October 2024 to track North Korean sanctions evasion, reveals that the $2.83 billion stolen between January 2024 and September 2025 represents a critical funding source for the isolated nation. The 2025 surge to $1.64 billion stolen in just nine months marks a 50% increase from the $1.19 billion taken in 2024, indicating both the sophistication and ambition of North Korea’s cybercrime operations. This massive theft accounts for nearly one-third of the country’s total foreign currency income in 2024, highlighting how cryptocurrency theft has become central to Pyongyang’s ability to bypass international sanctions and fund its operations.
The February attack on cryptocurrency exchange Bybit was the single largest contributor to this year’s totals. The hack was attributed to the TraderTraitor group, also known as Jade Sleet or UNC4899, which targeted SafeWallet, a multi-signature wallet provider for Bybit. After using phishing emails and malware to infiltrate internal systems, the hackers disguised external transfers as internal transactions, which allowed them to take control of the cold wallet’s smart contract and move funds undetected. This approach reflects a broader strategy in which North Korean hackers avoid direct attacks on exchanges and instead focus on third-party service providers, where security may be less robust.
Sophisticated Attack Methods and Evolving Tactics
North Korean hacking groups including TraderTraitor, CryptoCore, and Citrine Sleet have developed increasingly sophisticated methods for infiltrating cryptocurrency systems. These groups employ fake developer profiles, stolen identities, and detailed knowledge of software supply chains to carry out their attacks. The MSMT report notes that hackers have worked with Russian-speaking cybercriminals since the 2010s, with 2025 seeing actors linked to Moonstone Sleet leasing ransomware tools from the Russia-based group Qilin, indicating growing international collaboration among cybercriminals.
In one notable case detailed in the report, the Web3 project Munchables lost $63 million in a hack, though the funds were later returned after the hackers reportedly faced problems during the laundering process. This incident underscores both the vulnerability of decentralized finance projects and the challenges even sophisticated hackers face when attempting to convert stolen digital assets into usable currency. The return of funds suggests that the complex laundering process doesn’t always proceed smoothly, though such outcomes remain rare in the broader pattern of North Korean crypto theft.
The Nine-Step Money Laundering Machine
The MSMT analysis reveals a meticulously engineered nine-step process that North Korean hackers use to clean and convert stolen cryptocurrency into cash. The process begins with swapping stolen assets for Ethereum (ETH) on decentralized exchanges, then using mixing services such as Tornado Cash and Wasabi Wallet to obscure transaction trails. The ETH is subsequently converted to Bitcoin (BTC) through bridge platforms, mixed again for additional anonymity, stored in cold wallets, and then traded for Tron (TRX) before final conversion to USDT stablecoins.
The final stage involves sending USDT to over-the-counter brokers who exchange the digital currency for cash. The report identifies brokers and companies in China, Russia, and Cambodia as key players in this laundering ecosystem. In China, nationals Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology, along with trader Wang Yicong, facilitated fund movement and created fake identities to obscure the money trail. Russian intermediaries converted approximately $60 million from the Bybit hack through OTC brokers, while Cambodia’s Huione Pay was used to transfer stolen funds despite its license not being renewed by the country’s central bank.
International Response and Call to Action
In response to these findings, the 11 jurisdictions comprising the MSMT issued a joint statement urging United Nations member countries to raise awareness about North Korean cyber activities and calling on the UN Security Council to restore its Panel of Experts “in the same strength and structure it had prior to its disbandment.” This appeal highlights the growing concern among international policymakers about the scale and sophistication of North Korea’s cryptocurrency theft operations and their implications for global financial security.
The dramatic increase in stolen funds between 2024 and 2025, coupled with the elaborate money laundering infrastructure spanning multiple countries, presents significant challenges for international regulators and law enforcement. The use of cryptocurrencies BTC, ETH, TRX, and USDT in these schemes demonstrates how digital assets have become both the target and the vehicle for sanctions evasion on an unprecedented scale. As North Korea continues to refine its techniques and expand its international criminal partnerships, the pressure mounts on global institutions to develop more effective countermeasures against this evolving threat to the cryptocurrency ecosystem and international financial stability.
📎 Read the original article on cryptopotato.com
