North Korea’s shadowy cyber operatives have stolen nearly $3 billion in cryptocurrency since early 2024, fueling the regime’s foreign income and evading international sanctions, according to a sweeping new report by the Multilateral Sanctions Monitoring Team (MSMT). The revelations, released in October 2025 and corroborated by several international news outlets including the Associated Press, CyberNews, and the International Business Times, paint a picture of an increasingly sophisticated state-sponsored cybercrime apparatus that has become central to Pyongyang’s economic survival and weapons development.
The MSMT, a coalition of 11 countries formed after Russia blocked the renewal of the United Nations Panel of Experts, was established in 2024 to monitor North Korea’s compliance with U.N. sanctions and track its growing cyber activity. Its latest 138-page report details how North Korean hackers, leveraging advanced techniques and global criminal networks, have siphoned off approximately $2.84 billion in crypto assets between January 2024 and September 2025. This staggering sum accounted for nearly one-third of North Korea’s total foreign currency revenue in 2024, underscoring the regime’s reliance on cybercrime as a lifeline.
According to the MSMT, the scale of theft escalated sharply in 2025, with $1.65 billion stolen in just the first nine months—a 50% jump from the $1.19 billion taken in all of 2024. High-profile targets included major cryptocurrency exchanges such as Bybit in the United Arab Emirates, DMM Bitcoin in Japan, WazirX in India, and Singapore-based BingX and Phemex. The February 2025 Bybit breach alone, attributed to the notorious North Korean hacking group known as TraderTraitor (also called Jade Sleet or UNC4899), netted $1.5 billion in ethereum, making it one of the largest crypto heists ever recorded.
Rather than attacking exchanges directly, North Korean hackers have increasingly targeted third-party service providers, such as SafeWallet, which offer multi-signature wallet solutions to platforms like Bybit. As the MSMT explains, hackers deploy phishing emails and malware to infiltrate these providers, then mask their tracks by disguising external transfers as routine internal transactions. This method grants them control over cold wallets and access to vast sums of digital assets with minimal detection.
Once assets are stolen, North Korea employs a complex, nine-step laundering process to convert crypto into usable cash. The stolen funds are first swapped for ethereum via decentralized exchanges, then funneled through mixing services like Tornado Cash and Wasabi Wallet to obscure the transaction trail. Next, the assets are converted into bitcoin using bridge platforms, further mixed, and eventually traded for other cryptocurrencies such as TRX (Tron) and USDT (a stablecoin). The final—and most challenging—step involves cashing out through over-the-counter (OTC) brokers, with the MSMT identifying extensive networks in China, Russia, Hong Kong, and Cambodia as key facilitators.
Chinese nationals, including Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology, as well as Wang Yicong, played a central role in forging identification documents and providing access to payment systems, according to the report. North Korean operatives also exploited China’s financial infrastructure, using UnionPay credit cards and commercial banks to move money internationally. In Russia, intermediaries helped convert about $60 million from the Bybit attack, while in Cambodia, payment platform Huione Pay was used to cash out stolen funds. Despite Cambodia’s central bank declining to renew Huione Pay’s license, the platform reportedly remains operational, prompting MSMT member states to raise concerns with the Cambodian government.
“North Korea’s cyber actions have been directly linked to the destruction of physical computer equipment, endangerment of human lives, private citizens’ loss of assets and property, and funding for the DPRK’s unlawful weapons of mass destruction and ballistic missile programs,” the MSMT wrote, as quoted by the Associated Press. The report also highlights how Pyongyang’s cyber units have cooperated with foreign cybercriminals, particularly Russian-speaking groups, since the 2010s. Notably, since February 2025, North Korean actors associated with Moonstone Sleet have leased ransomware tools from the Russia-based Qilin group, a non-state actor that offers ransomware-as-a-service to external affiliates.
Beyond direct cyber theft, North Korea’s overseas IT workforce has emerged as another critical revenue stream. The MSMT estimates that between 1,000 and 2,000 North Korean tech professionals—often working under false identities—are embedded in companies across at least eight countries, including China, Russia, Laos, Cambodia, Nigeria, and Tanzania. In 2024, these workers generated between $350 million and $800 million for the regime, with about half of their earnings funneled back to Pyongyang. Many of these tech workers secure remote contracts with firms in the United States and Europe, specializing in areas such as artificial intelligence, blockchain, and web development. Their activities are overseen by organizations linked to North Korea’s Reconnaissance General Bureau and Ministry of Defence, directly supporting military and weapons development efforts.
Occasionally, North Korean hackers have demonstrated a surprising degree of operational flexibility. In one unusual case, the Web3 project Munchables lost $63 million in a hack, but the funds were ultimately returned by DPRK IT workers after they encountered insurmountable obstacles in laundering the assets, as reported by CyberNews. This rare refund, however, is the exception rather than the rule in North Korea’s relentless pursuit of foreign currency.
International efforts to curb North Korea’s cyber onslaught have intensified in the wake of these findings. The MSMT’s report has prompted calls for tighter coordination among financial regulators, enhanced surveillance of foreign IT contracts, and improved global cybersecurity standards. The governments of the U.S., Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea, and the U.K.—all MSMT members—issued a joint statement urging United Nations member states to “raise awareness about the DPRK’s malicious cyber activities and hold responsible parties accountable for United Nations Security Council Resolution violations.” They also called for the reestablishment of the U.N. Panel of Experts to strengthen oversight and enforcement.
As North Korea’s cyber operations grow ever more sophisticated, the international community faces an uphill battle to keep pace. The MSMT’s findings make clear that Pyongyang’s hackers are not only funding the regime’s most dangerous ambitions but are also reshaping the global landscape of cybercrime, one heist at a time.