North Korea’s Cyber Theft Operations
The Multilateral Sanctions Monitoring Team (MSMT) reports that North Korea stole approximately $2.8 billion from the cryptocurrency sector between January 2024 and September 2025. The thefts, carried out mainly by state-sponsored groups such as Lazarus, fund the regime's military programs, including its weapons of mass destruction. According to the report, stolen digital assets now account for roughly one-third of North Korea's foreign currency earnings.
Major Breaches and Hacking Groups
About half of the total came from a single incident, the February 2025 breach of Bybit, in which roughly $1.5 billion in cryptocurrency was drained from the exchange. Cybersecurity experts attribute the thefts to several groups working together, including Lazarus, Kimsuky, TraderTraitor, and Andariel, all operating under the Reconnaissance General Bureau, North Korea's main intelligence agency. Their entry points are supply-chain attacks and social engineering aimed at the people and software around the wallets, not weaknesses in the blockchains themselves.
High-Profile Incidents
The DMM Bitcoin case illustrates the pattern. In 2024 the Japanese exchange lost $308 million after a TraderTraitor operator, posing as a recruiter on LinkedIn, persuaded an employee of Ginco, the company that supplied DMM's wallet software, to run a malicious file. That foothold in a third-party vendor was enough to compromise DMM's funds without breaching the exchange itself. Less sophisticated groups operate alongside these teams: CryptoCore runs high-volume phishing campaigns, and Citrine Sleet is known for distributing trojanized cryptocurrency trading applications. Citrine Sleet was linked to the October 2024 theft of about $50 million from Radiant Capital, which likewise began with social engineering rather than an attack on the protocol.
Money Laundering Operations
Once the assets are in hand, the actors run them through a nine-step laundering process designed to break the link back to the theft. Stolen tokens are first swapped into widely traded cryptocurrencies, then passed through mixers such as Tornado Cash and Wasabi Wallet to obscure their origin. The funds are moved between blockchains with cross-chain aggregators such as THORChain and LI.FI, and finally converted into Tether (USDT) for cash-out. The last step depends on a network of over-the-counter brokers, mostly in China, who accept the USDT and deposit fiat currency into bank accounts controlled by the regime. Each of these stages, and the OTC cash-out in particular, is a point where exchanges and compliance teams can still identify and freeze the funds.
Global Security Implications
These operations are not ordinary financial crime. The MSMT report concludes that the proceeds are used to procure materials for the regime's weapons programs, so every successful theft feeds directly into North Korea's military capability and, by extension, threatens global security. The report's closing point is that the cryptocurrency industry, which has become an unintended funding channel for Pyongyang, needs stronger oversight, especially at the points where stolen assets are converted and cashed out.