North Korea relies on state-backed hacking groups like Lazarus to finance its military, with stolen crypto accounting for nearly a third of its foreign currency earnings and providing a steady, illicit cash flow immune to traditional sanctions.
- North Korea has stolen at least $2.8 billion in cryptocurrency since 2024, with the funds supplying nearly a third of its foreign currency earnings.
- State-backed hacker groups targeted exchanges and custody providers through advanced supply-chain and social-engineering attacks.
- The stolen assets are laundered through mixers, cross-chain bridges, and Chinese OTC brokers, converting crypto into fiat for use in weapons and missile programs.
In an Oct. 22 report, the Multilateral Sanctions Monitoring Team (MSMT) said that between January 2024 and September 2025 North Korean actors orchestrated cryptocurrency thefts totaling at least $2.8 billion through state-backed hacking groups and cyber actors targeting the digital asset sector.
The bulk of the haul stemmed from major incidents, including the February 2025 exploit of Bybit, which alone accounted for roughly half of the total. The report attributes these exploits to familiar North Korean threat actors using sophisticated supply-chain, social-engineering and wallet-compromise methods.
North Korea’s sophisticated arsenal of theft and evasion
North Korea’s crypto operations revolve around a tight ecosystem of state-linked hacker groups, chief among them Lazarus, Kimsuky, TraderTraitor and Andariel, whose fingerprints appear in nearly every major digital asset breach of the past two years.
According to cybersecurity analysts, these teams operate under the Reconnaissance General Bureau, Pyongyang’s primary intelligence arm, coordinating attacks that mimic private-sector efficiency. Their primary innovation has been to bypass exchanges entirely, instead targeting the third-party digital asset custody providers that exchanges use for secure storage.
By compromising infrastructure from companies like Safe(Wallet), Ginco, and Liminal Custody, North Korean actors gained a master key to pilfer funds from clients including Bybit, Japan’s DMM Bitcoin, and India’s WazirX.
The attack on DMM Bitcoin, which led to a $308 million loss and the exchange’s eventual shutdown, was initiated months earlier when a TraderTraitor actor, posing as a recruiter on LinkedIn, tricked a Ginco employee into opening a malicious file disguised as a pre-interview test.
Other state-sponsored groups operate in concert with this main effort. The CryptoCore collective, while less sophisticated, conducts high-volume social engineering, posing as recruiters and business executives to infiltrate targets.
Meanwhile, Citrine Sleet has developed a reputation for deploying trojanized cryptocurrency trading software. In one detailed incident from October 2024, a Citrine Sleet actor posing as a trusted former contractor on Telegram delivered a malicious ZIP file to a developer at Radiant Capital, leading to a $50 million theft.
The laundering trail points back to North Korea
Once stolen, the digital assets enter a complex, nine-step laundering process designed to obscure their origin and convert them into usable fiat currency. The DPRK’s cyber actors systematically swap stolen tokens into established cryptocurrencies like Ethereum or Bitcoin, then utilize a suite of mixing services including Tornado Cash and Wasabi Wallet.
They then leverage cross-chain bridges and aggregators like THORChain and LI.FI to hop between blockchains, often converting the mixed assets into Tron-based USDT to stage them for cash-out. Investigators said this entire operation hinges on a network of over-the-counter brokers, predominantly in China, who accept the laundered USDT and deposit equivalent fiat currency into DPRK-controlled bank accounts via Chinese UnionPay cards.
This relentless campaign of digital theft has direct and grave real-world consequences. The billions siphoned from the crypto ecosystem do not vanish into a bureaucratic void. The MSMT report concludes that this revenue stream is critical for procuring materials and equipment for the DPRK’s unlawful weapons of mass destruction and ballistic missile programs.
By providing a massive, illicit cash flow that is immune to traditional financial sanctions, the global cryptocurrency industry has been weaponized, becoming an unregulated and unwilling financier of Pyongyang’s military ambitions. The heists are not merely crimes of profit; they are acts of state policy, funding a military buildup that threatens global security.