TLDR
- North Korean hackers stole $2.83B in crypto from 2024 to September 2025.
- Crypto theft funded nearly one-third of North Korea’s 2024 foreign income.
- TraderTraitor group was behind the $1.64B crypto theft in 2025 alone.
- Laundered crypto through China, Russia, and Cambodia using OTC brokers.
North Korea-linked hackers have stolen $2.83 billion in crypto assets between 2024 and September 2025, according to a new report by the Multilateral Sanctions Monitoring Team (MSMT). The report shows that these cyberattacks are not only growing but also helping fund nearly one-third of North Korea’s total foreign income. It reveals a detailed nine-step laundering method and international support from networks in China, Russia, and Cambodia.
North Korea’s Crypto Theft Reaches $2.83 Billion
The MSMT, a group of 11 countries formed in October 2024, shared detailed findings about North Korea’s virtual asset theft. According to the report, hackers stole $2.83 billion in digital assets between January 2024 and September 2025. This money made up about one-third of North Korea’s total foreign currency revenue for 2024.
The amount stolen grew sharply in 2025, with $1.64 billion taken in just the first nine months. This was a 50% increase compared to $1.19 billion in 2024, even though 2025 figures do not include the last quarter.
A major part of the 2025 amount came from a February attack on Bybit, a global cryptocurrency exchange. The hack was linked to the TraderTraitor syndicate, a well-known North Korean hacking group.
Bybit Hack and the TraderTraitor Group
The February 2025 Bybit breach was among the largest attacks noted in the report. The hackers gained access by targeting SafeWallet, the multi-signature wallet provider used by Bybit.
They used phishing emails and malware to enter the exchange’s internal systems. Once inside, they hid their actions by making external transfers look like internal transactions. This allowed them to gain control of the cold wallet’s smart contract.
The MSMT said that North Korean hackers often avoid attacking exchanges directly. Instead, they focus on third-party service providers connected to these platforms.
Complex Nine-Step Laundering Process Identified
The report explains how the stolen assets are cleaned and turned into fiat currency through a nine-step method.
Hackers start by swapping stolen funds for Ethereum (ETH) using decentralized exchanges. Then, they use mixing services such as Tornado Cash and Wasabi Wallet to hide transaction trails. ETH is later converted to Bitcoin (BTC) through bridge platforms.
Funds are stored in cold wallets and moved again after further mixing. BTC is then traded for TRX (Tron) and later converted into USDT, a stablecoin.
The USDT is finally sent to Over-the-Counter (OTC) brokers, who help exchange it into fiat currency.
Support from Global Network in Cash-Out Phase
The final step, converting crypto into cash, is the hardest and involves outside help. The MSMT found that brokers and companies in China, Russia, and Cambodia played a major role.
In China, nationals Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology were named. Another Chinese trader, Wang Yicong, was also involved. They helped with fake IDs and asset movement.
In Russia, intermediaries assisted with converting about $60 million from the Bybit attack. These funds were traced to Russian-linked OTC brokers.
Cambodia’s Huione Pay was also used for cashing out. The MSMT said that a North Korean national had direct contact with Huione Pay staff and worked with them to move stolen assets in late 2023.
Although Cambodia’s central bank did not renew Huione Pay’s license, the company reportedly still operates. The MSMT raised this issue with Cambodian officials in late 2024.
