How North Korea Cashes Out Stolen Cryptocurrency to Fiat

North Korea doesn’t need to mine Bitcoin. It steals it. And then it turns that digital theft into real cash-cash that buys missiles, bombs, and nuclear fuel. Between 2017 and 2025, state-backed hackers stole over $3 billion in cryptocurrency. That’s not a typo. And nearly $2.1 billion of it has already been converted into usable fiat money, funding a regime under some of the strictest sanctions in history.

The Theft Is Just the First Step

The hacking part is brutal but straightforward. North Korea’s Lazarus Group doesn’t break into vaults. They break into wallets. They use phishing emails, fake software updates, and supply chain attacks to get into the accounts of exchanges, DeFi platforms, and individual users. In June 2023, they stole $100 million from Atomic Wallet by compromising its software update system. In February 2025, they pulled off the biggest single crypto heist ever: $1.5 billion from Bybit.

But stealing crypto is like stealing gold bars-you can’t walk into a bank and spend them. You need to turn them into dollars, euros, or yuan. That’s where the real operation begins.

How the Money Moves: The Four-Phase Laundering Machine

North Korea doesn’t use one trick. It uses a system. Experts call it a four-phase laundering pipeline:

1. Immediate movement-Within minutes of stealing crypto, the hackers move it across multiple blockchains. Ethereum? Sent to Binance Smart Chain. Then to Solana. Then to Polygon. This isn’t random. It’s designed to confuse blockchain analysts by scattering digital footprints across 3 to 5 different networks.
2. Cross-chain bridges-They use bridges like Ren Bridge and Avalanche Bridge to swap tokens between chains. These bridges let them convert stolen ETH into wrapped BTC, USDC, or other tokens without going through a centralized exchange. Between 2021 and 2024, North Korea-linked actors moved over $1.2 billion through these bridges alone.
3. Convert to Bitcoin-About 82% of stolen crypto ends up as Bitcoin. Why? Because Bitcoin is the most liquid, most widely accepted digital asset. It’s easier to sell BTC for cash than obscure altcoins. Even if the original theft was in Ethereum or Solana, it gets turned into BTC before the final step.
4. Fiat conversion-This is the hardest part. You can’t just withdraw $100 million to a bank account without raising alarms. So North Korea uses hidden channels: unregulated exchanges, OTC desks, and cash-heavy hubs.

The Cash-Out Hubs: Cambodia, China, and the Shadow Networks

The final step-turning crypto into cash-happens in places where no one asks questions.

Cambodia is ground zero. The U.S. Treasury has officially named Huione Group as a major money laundering hub. Huione’s subsidiaries run crypto cafes in Sihanoukville, where people walk in with digital wallets and walk out with bundles of cash. No ID needed. No paperwork. Just a QR code scan and a handshake. Each of the 14 known North Korean-controlled crypto cafes there processes between $500,000 and $2 million per month.

China still plays a role, even under heavy scrutiny. In February 2024, the U.S. Justice Department indicted two Chinese nationals for moving $250 million in North Korean crypto through 37 bank accounts. They used shell companies, fake invoices, and cash deposits under the reporting threshold ($10,000) to avoid detection.

Macau’s casinos are another weak point. A 2024 TRM Labs report found that 15% of stolen funds flowed through gambling platforms that only required 5% identity verification-compared to 95% in regulated markets. A hacker deposits crypto, bets a little, then cashes out in chips, then cash. The casino doesn’t care where the money came from.

The Human Network: IT Workers as Frontlines

North Korea doesn’t just rely on hackers. It has an army of IT workers-thousands of them-living abroad under false identities.

These people are trained in computer science at state-run academies. Then they’re sent to China, Russia, Vietnam, and Cambodia. They get jobs at crypto exchanges, fintech startups, or remote tech firms. Once inside, they create backdoors, delay fraud alerts, or approve suspicious withdrawals.

FBI data shows 89% of these workers use fake Vietnamese or Indian identities. They use VPNs to make it look like they’re working from the U.S. or Europe. In 2024, CSIS documented 27 cases where North Korean employees at Chinese exchanges enabled transfers from stolen wallets to local bank accounts-with only 12 hours’ notice before the money disappeared. That’s faster than most banks can freeze an account.

They don’t just work for companies. Many are freelancers. They create fake profiles on Upwork or Fiverr, offer blockchain development services, get paid in crypto, then convert it to cash through local exchange kiosks. No one asks where the crypto came from.

Why Bitcoin? Why Not Stablecoins?

You might wonder: Why not just convert stolen ETH or SOL directly into USDC or USDT? Stablecoins seem perfect-1:1 backed by USD, easy to move.

But here’s the catch: USDC and USDT are issued by companies based in the U.S. and regulated jurisdictions. If you try to move $50 million in USDC through a regulated exchange, the system flags it. The issuer can freeze it. The bank can refuse the withdrawal.

Bitcoin is different. It’s decentralized. No company owns it. No one can freeze it. It’s the only digital asset that truly operates outside the traditional financial system. That’s why North Korea uses it as the middleman-convert stolen crypto to BTC, then BTC to cash.

The Counterattack: Why It’s Getting Harder

For years, North Korea had a free pass. But the world is catching up.

In 2022, the U.S. sanctioned Tornado Cash, the main mixing service North Korea used to hide transactions. That cut off $1.2 billion in laundering capacity overnight. So they switched tactics. Now, instead of hiding, they run fast. 78% of stolen crypto is converted to cash within 72 hours-up from 120 hours in 2021. Speed is their new shield.

The Crypto-Asset Reporting Framework, launched in late 2024, now requires over 100 countries to share customer data across exchanges. That’s a big deal. It means if you try to withdraw $2 million in crypto to a bank in Singapore, the bank in Cambodia gets flagged.

The result? Treasury Department data shows a 22% drop in successful North Korean cash-outs in Q1 2025 compared to the last quarter of 2024.

The Future: Stablecoin Arbitrage and Custom Protocols

North Korea isn’t giving up. It’s evolving.

A March 2025 CSIS report revealed they’re testing something called “stablecoin arbitrage laundering.” Here’s how it works: steal crypto → convert to USDC on a decentralized exchange → send it to a less-regulated exchange in Asia → exploit tiny price differences between markets → cash out in local currency. The trail disappears because no single transaction looks suspicious.

They’ve also recruited 37 former crypto developers to build custom cross-chain protocols. These aren’t public tools. They’re private, encrypted bridges designed to move $500 million+ without leaving a trace.

But experts warn: the clock is ticking. Treasury Secretary Janet Yellen said in May 2025 that North Korea’s success rate could drop to 40% by 2027. Why? Because global cooperation on crypto regulation is finally working.

What This Means for the Rest of Us

This isn’t just about North Korea. It’s about how easily digital money can be abused when regulation lags behind technology.

Every time you use a decentralized exchange or an unregulated crypto platform, you’re part of a system that North Korea exploits. The same tools that give freedom to users in authoritarian states also give freedom to thieves.

The solution isn’t to ban crypto. It’s to demand better standards. Exchanges need to enforce KYC. Regulators need to share data. Developers need to build traceability into protocols-not just privacy.

North Korea will keep adapting. But they can’t win if the world closes the doors.