According to a report released by the Multilateral Sanctions Monitoring Team (MSMT), hackers linked to North Korea stole a staggering $2.83 billion in virtual assets between 2024 and September 2025.
The report highlights that North Korea is not only good at theft, but also has sophisticated methods for liquidating illicit profits.
Revenue hacking enriches one-third of country’s foreign exchange
MSMT is a multinational coalition of 11 countries, including the United States, South Korea, and Japan. It was established in October 2024 to help implement UN Security Council sanctions against North Korea.
The $2.83 billion stolen from 2024 to September 2025 is a significant figure, according to MSMT.
The research team pointed out, “In 2024, North Korea’s proceeds from virtual asset theft amounted to about one-third of the country’s total foreign exchange income.”
The scale of theft has accelerated dramatically, with $1.64 billion stolen in 2025 alone, an increase of more than 50% from $1.19 billion in 2024, even though the 2025 numbers do not include the final quarter.
Bybit Hack and TraderTraitor Syndicate
MSMT identified the February 2025 hack of global exchange Bybit as the main cause of the 2025 illicit revenue spike. The attack is believed to be by TraderTraitor, one of North Korea’s most sophisticated hacking organizations.
The investigation revealed that the group collected information related to SafeWallet, a multisig wallet provider used by Bybit. After that, I received unauthorized access via a phishing email.
They leveraged malicious code to access internal networks and disguise outbound transfers as internal asset movements. This allowed them to take over control of the cold wallet’s smart contract.
MSMT noted that in major hacks over the past two years, North Korea has often targeted third-party service providers connected to exchanges. This is done rather than attacking the exchange itself.
9-step laundering mechanism
MSMT detailed the elaborate nine-step laundering process North Korea uses to convert stolen crypto assets into fiat currency.
1. The attacker exchanges the stolen assets for cryptocurrencies such as ETH on a decentralized exchange (DEX).
2. “Mix” your funds using services like Tornado Cash, Wasabi Wallet, and Railgun.
3. Convert ETH to BTC via bridge service.
4. Move the funds to your cold wallet after passing through the central exchange account.
5. After the second mix, distribute your assets to different wallets.
6. They use bridge trading and P2P trading to exchange BTC for TRX (Tron).
7. Convert TRX to stablecoin USDT.
8. Transfer USDT to an over-the-counter (OTC) broker.
9. OTC brokers liquidate assets into local fiat currency.
Promote cash conversion with our global network
The most difficult stage is converting the cryptocurrency into usable fiat currency. This is done using OTC brokers and financial companies in third countries such as China, Russia, and Cambodia.
The report named specific individuals. They include Chinese nationals Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology Co., Ltd., and P2P trader Wang Yicong.
They allegedly collaborated with North Korean organizations to provide fraudulent identities and facilitate asset laundering. Russian intermediaries were also involved in the liquidation of approximately $60 million from the Bybit hack.
In addition, Huione Pay, a financial services provider under Cambodia’s Huione Group, was used to launder funds.
“The North Korean national maintained a personal relationship with Huione Pay employees and collaborated with them to convert their virtual assets into cash in late 2023,” MSMT said.
MSMT raised concerns with the Cambodian government in October and December 2024. These concerns concerned Huione Pay’s activities in support of UN-designated North Korean cyber hackers. As a result, the National Bank of Cambodia refused to renew Huione Pay’s payment license. However, the company continues to operate in the country.
The post “New report reveals alarming reach of North Korean crypto hackers” was first published on BeInCrypto.
Discover more from Earlybirds Invest
Subscribe to get the latest posts sent to your email.
