New Report Reveals the Alarming Reach of North Korea’s Crypto Hackers
A new report reveals North Korea stole $2.8B in crypto since 2024, using sophisticated nine-step laundering to convert assets into fiat via brokers in China and Russia.
According to a report released by the Multilateral Sanctions Monitoring Team (MSMT), North Korea-linked hackers stole a staggering $2.83 billion in virtual assets between 2024 and September 2025.
The report emphasizes that Pyongyang not only excels at theft but also possesses sophisticated methods for liquidating the illicit gains.
Hacking Revenue Fuels One-Third of Nation’s Foreign Currency
The MSMT is a multinational coalition of 11 countries, including the US, South Korea, and Japan. It was established in October 2024 to support the implementation of UN Security Council sanctions against North Korea.
According to the MSMT, the $2.83 billion stolen from 2024 to September 2025 is a critical figure.
“North Korea’s virtual asset theft proceeds in 2024 amounted to approximately one-third of the country’s total foreign currency income,” the team noted.
The scale of theft has accelerated dramatically, with $1.64 billion stolen in 2025 alone, representing an increase of over 50% from the $1.19 billion taken in 2024, despite the 2025 figure not including the final quarter.
The Bybit Hack and the TraderTraitor Syndicate
The MSMT identified the February 2025 hacking of the global exchange Bybit as a major contributor to the surge in illicit revenue in 2025. The attack was attributed to TraderTraitor, one of North Korea’s most sophisticated hacking organizations.
The investigation revealed that the group collected information related to SafeWallet, the multi-signature wallet provider used by Bybit. They then gained unauthorized access via phishing emails.
They utilized malicious code to access the internal network, disguising external transfers as internal asset movements. This allowed them to hijack control of the cold wallet’s smart contract.
The MSMT noted that in major hacks over the past two years, North Korea has often preferred to target third-party service providers connected to exchanges rather than attacking the exchanges themselves.
The Nine-Step Laundering Mechanism
The MSMT detailed a meticulous nine-step laundering process North Korea uses to convert the stolen virtual assets into fiat currency:
1. Attackers swap stolen assets for cryptocurrencies like ETH on a Decentralized Exchange (DEX).
2. They ‘mix’ the funds using services such as Tornado Cash, Wasabi Wallet, or Railgun.
3. They convert ETH to BTC via bridge services.
4. They move the funds to a cold wallet after passing through centralized exchange accounts.
5. They disperse the assets to different wallets after a second round of mixing.
6. They swap BTC for TRX (Tron) using bridge and P2P trades.
7. They convert TRX to the stablecoin USDT.
8. They transfer the USDT to an Over-the-Counter (OTC) broker.
9. The OTC broker liquidates the assets into local fiat currency.
Global Network Facilitates Cash-Out
The most challenging stage is converting crypto into usable fiat. This is accomplished using OTC brokers and financial companies in third-party countries, including China, Russia, and Cambodia.
The report named specific individuals, including Chinese nationals Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology and P2P trader Wang Yicong.
They allegedly cooperated with North Korean entities to provide fraudulent IDs and facilitate asset laundering. Russian intermediaries were also implicated in the liquidation of approximately $60 million from the Bybit hack.
Furthermore, Huione Pay, a financial service provider under Cambodia’s Huione Group, was utilized for laundering.
“A North Korean national maintained a personal relationship with Huione Pay associates and cooperated with them to cash out virtual assets in late 2023,” the MSMT stated.
The MSMT raised concerns with the Cambodian government in October and December 2024 regarding Huione Pay’s activities supporting UN-designated North Korean cyber hackers. As a result, the National Bank of Cambodia refused to renew Huione Pay’s payment license; however, the company continues to operate in the country.

