North Korea doesn’t need to mine Bitcoin. It steals it. And then it turns that digital theft into real cash: cash that buys missiles, bombs, and nuclear fuel. Between 2017 and 2025, state-backed hackers stole over $3 billion in cryptocurrency. That’s not a typo. And nearly $2.1 billion of it has already been converted into usable fiat money, funding a regime under some of the strictest sanctions in history.
The Theft Is Just the First Step
The hacking part is brutal but straightforward. North Korea’s Lazarus Group doesn’t break into vaults. They break into wallets. They use phishing emails, fake software updates, and supply chain attacks to get into the accounts of exchanges, DeFi platforms, and individual users. In June 2023, they stole $100 million from Atomic Wallet by compromising its software update system. In February 2025, they pulled off the biggest single crypto heist ever: $1.5 billion from Bybit. But stealing crypto is like stealing gold bars: you can’t walk into a bank and spend them. You need to turn them into dollars, euros, or yuan. That’s where the real operation begins.
How the Money Moves: The Four-Phase Laundering Machine
North Korea doesn’t use one trick. It uses a system. Experts call it a four-phase laundering pipeline:
- Immediate movement: Within minutes of stealing crypto, the hackers move it across multiple blockchains. Ethereum? Sent to Binance Smart Chain. Then to Solana. Then to Polygon. This isn’t random. It’s designed to confuse blockchain analysts by scattering digital footprints across 3 to 5 different networks.
- Cross-chain bridges: They use bridges like Ren Bridge and Avalanche Bridge to swap tokens between chains. These bridges let them convert stolen ETH into wrapped BTC, USDC, or other tokens without going through a centralized exchange. Between 2021 and 2024, North Korea-linked actors moved over $1.2 billion through these bridges alone.
- Convert to Bitcoin: About 82% of stolen crypto ends up as Bitcoin. Why? Because Bitcoin is the most liquid, most widely accepted digital asset. It’s easier to sell BTC for cash than obscure altcoins. Even if the original theft was in Ethereum or Solana, it gets turned into BTC before the final step.
- Fiat conversion: This is the hardest part. You can’t just withdraw $100 million to a bank account without raising alarms. So North Korea uses hidden channels: unregulated exchanges, OTC desks, and cash-heavy hubs.
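The four phases above leave a recognizable shape in traced transfer data. The following Python is an added example, not code from the article or from any analytics vendor: it checks each flow for the article's indicators (3 or more chains, a bridge hop, ending in BTC, and completion inside the 72-hour window the article cites later). The record layout, flow IDs, indicator names and the assumption that an upstream tracer has already linked hops into flows are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real chain data. Each row is one hop of a
# flow that an upstream tracer (assumed) has already linked across chains:
# (flow_id, timestamp, chain, asset, via_bridge)
SAMPLE_HOPS = [
    ("flow-A", "2025-01-10T00:02", "ethereum", "ETH",  False),
    ("flow-A", "2025-01-10T00:09", "bsc",      "WETH", True),
    ("flow-A", "2025-01-10T00:31", "solana",   "USDC", True),
    ("flow-A", "2025-01-10T03:40", "bitcoin",  "BTC",  True),
    ("flow-B", "2025-01-10T08:00", "ethereum", "ETH",  False),
    ("flow-B", "2025-01-19T12:00", "polygon",  "USDC", True),
    ("flow-C", "2025-01-11T10:00", "ethereum", "ETH",  False),
    ("flow-C", "2025-01-11T10:05", "ethereum", "USDC", False),
]

def pipeline_indicators(hops, min_chains=3, window=timedelta(hours=72)):
    """Return the pipeline indicators matched by one flow's hops.

    hops: list of (datetime, chain, asset, via_bridge) tuples.
    min_chains and window are tunable assumptions taken from the article's figures.
    """
    hops = sorted(hops, key=lambda h: h[0])
    elapsed = hops[-1][0] - hops[0][0]
    found = []
    if len({chain for _, chain, _, _ in hops}) >= min_chains:
        found.append("multi_chain_scatter")   # phase 1: 3 to 5 networks
    if any(bridged for _, _, _, bridged in hops):
        found.append("bridge_hop")            # phase 2: cross-chain bridge
    if hops[-1][2] == "BTC" and hops[0][2] != "BTC":
        found.append("ends_in_btc")           # phase 3: consolidated to BTC
    if len(hops) > 1 and elapsed <= window:
        found.append("fast_cycle")            # whole path inside the window
    return found

def flag_flows(records, min_hits=3):
    """Group hops by flow and return flows matching >= min_hits indicators."""
    flows = defaultdict(list)
    for flow_id, ts, chain, asset, bridged in records:
        flows[flow_id].append((datetime.fromisoformat(ts), chain, asset, bridged))
    flagged = {}
    for flow_id, hops in flows.items():
        hits = pipeline_indicators(hops)
        if len(hits) >= min_hits:
            flagged[flow_id] = hits
    return flagged

if __name__ == "__main__":
    for flow_id, hits in flag_flows(SAMPLE_HOPS).items():
        print(flow_id, hits)
```

Requiring several indicators together keeps ordinary activity, such as a quick same-chain swap (flow-C) or a slow two-chain transfer (flow-B), out of the alert queue.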
The Cash-Out Hubs: Cambodia, China, and the Shadow Networks
The final step, turning crypto into cash, happens in places where no one asks questions. Cambodia is ground zero. The U.S. Treasury has officially named Huione Group as a major money laundering hub. Huione’s subsidiaries run crypto cafes in Sihanoukville, where people walk in with digital wallets and walk out with bundles of cash. No ID needed. No paperwork. Just a QR code scan and a handshake. Each of the 14 known North Korean-controlled crypto cafes there processes between $500,000 and $2 million per month.
China still plays a role, even under heavy scrutiny. In February 2024, the U.S. Justice Department indicted two Chinese nationals for moving $250 million in North Korean crypto through 37 bank accounts. They used shell companies, fake invoices, and cash deposits under the reporting threshold ($10,000) to avoid detection.
Macau’s casinos are another weak point. A 2024 TRM Labs report found that 15% of stolen funds flowed through gambling platforms that only required 5% identity verification, compared to 95% in regulated markets. A hacker deposits crypto, bets a little, then cashes out in chips, then cash. The casino doesn’t care where the money came from.
The Human Network: IT Workers as Frontlines
North Korea doesn’t just rely on hackers. It has an army of IT workers, thousands of them, living abroad under false identities. These people are trained in computer science at state-run academies. Then they’re sent to China, Russia, Vietnam, and Cambodia. They get jobs at crypto exchanges, fintech startups, or remote tech firms. Once inside, they create backdoors, delay fraud alerts, or approve suspicious withdrawals.
FBI data shows 89% of these workers use fake Vietnamese or Indian identities. They use VPNs to make it look like they’re working from the U.S. or Europe. In 2024, CSIS documented 27 cases where North Korean employees at Chinese exchanges enabled transfers from stolen wallets to local bank accounts, with only 12 hours’ notice before the money disappeared. That’s faster than most banks can freeze an account.
They don’t just work for companies. Many are freelancers. They create fake profiles on Upwork or Fiverr, offer blockchain development services, get paid in crypto, then convert it to cash through local exchange kiosks. No one asks where the crypto came from.
Why Bitcoin? Why Not Stablecoins?
You might wonder: Why not just convert stolen ETH or SOL directly into USDC or USDT? Stablecoins seem perfect: backed 1:1 by USD, easy to move. But here’s the catch: USDC and USDT are issued by companies based in the U.S. and regulated jurisdictions. If you try to move $50 million in USDC through a regulated exchange, the system flags it. The issuer can freeze it. The bank can refuse the withdrawal. Bitcoin is different. It’s decentralized. No company owns it. No one can freeze it. It’s the only digital asset that truly operates outside the traditional financial system. That’s why North Korea uses it as the middleman: convert stolen crypto to BTC, then BTC to cash.
The Counterattack: Why It’s Getting Harder
For years, North Korea had a free pass. But the world is catching up. In 2022, the U.S. sanctioned Tornado Cash, the main mixing service North Korea used to hide transactions. That cut off $1.2 billion in laundering capacity overnight. So they switched tactics. Now, instead of hiding, they run fast. 78% of stolen crypto is converted to cash within 72 hours, up from 120 hours in 2021. Speed is their new shield.
The Crypto-Asset Reporting Framework, launched in late 2024, now requires over 100 countries to share customer data across exchanges. That’s a big deal. It means if you try to withdraw $2 million in crypto to a bank in Singapore, the bank in Cambodia gets flagged. The result? Treasury Department data shows a 22% drop in successful North Korean cash-outs in Q1 2025 compared to the last quarter of 2024.
The Future: Stablecoin Arbitrage and Custom Protocols
North Korea isn’t giving up. It’s evolving. A March 2025 CSIS report revealed they’re testing something called “stablecoin arbitrage laundering.” Here’s how it works: steal crypto → convert to USDC on a decentralized exchange → send it to a less-regulated exchange in Asia → exploit tiny price differences between markets → cash out in local currency. The trail disappears because no single transaction looks suspicious. They’ve also recruited 37 former crypto developers to build custom cross-chain protocols. These aren’t public tools. They’re private, encrypted bridges designed to move $500 million+ without leaving a trace. But experts warn: the clock is ticking. Treasury Secretary Janet Yellen said in May 2025 that North Korea’s success rate could drop to 40% by 2027. Why? Because global cooperation on crypto regulation is finally working.
What This Means for the Rest of Us
This isn’t just about North Korea. It’s about how easily digital money can be abused when regulation lags behind technology. Every time you use a decentralized exchange or an unregulated crypto platform, you’re part of a system that North Korea exploits. The same tools that give freedom to users in authoritarian states also give freedom to thieves. The solution isn’t to ban crypto. It’s to demand better standards. Exchanges need to enforce KYC. Regulators need to share data. Developers need to build traceability into protocols, not just privacy. North Korea will keep adapting. But they can’t win if the world closes the doors.
How much cryptocurrency has North Korea stolen?
Between 2017 and 2025, North Korea’s state-sponsored hacking groups have stolen over $3 billion in cryptocurrency, according to TRM Labs and Chainalysis. The largest single theft was $1.5 billion from Bybit in February 2025.
What is the Lazarus Group?
The Lazarus Group is a North Korean state-sponsored hacking collective linked to the country’s military intelligence agency. It has been responsible for over 58 major cyberattacks since 2017, targeting cryptocurrency exchanges, DeFi protocols, and individual wallets to steal digital assets.
Why does North Korea use Bitcoin to launder crypto?
Bitcoin is the most liquid and decentralized cryptocurrency. Unlike stablecoins like USDC or USDT, which are issued by regulated companies and can be frozen, Bitcoin has no central authority. This makes it the ideal intermediary currency for converting stolen crypto into cash without detection.
Where does North Korea convert crypto to cash?
Cambodia is the primary hub, especially in Sihanoukville, where 14 North Korean-controlled crypto cafes operate with no ID requirements. China and Macau’s casinos are secondary hubs, with money launderers using shell companies and weak KYC rules to move funds.
How do North Korean IT workers help launder crypto?
Thousands of North Korean IT workers live abroad under fake identities, working at crypto exchanges and fintech firms. They use their access to delay fraud alerts, approve suspicious transfers, or create backdoors that let stolen crypto move directly to bank accounts in under 12 hours.
Is North Korea’s crypto laundering getting easier or harder?
It’s getting harder. Global cooperation, stricter KYC rules, and the Crypto-Asset Reporting Framework have reduced successful cash-outs by 22% in Q1 2025. But North Korea is adapting with faster laundering cycles and new tools like custom cross-chain protocols.
Comments
This is terrifying. The scale of this operation is beyond anything I've seen in cybersecurity. They're not just hackers - they're a state-funded financial weapons program. And the fact that they're using crypto cafes in Cambodia with zero KYC? That's a regulatory failure on a global scale. We need international coordination, not just sanctions.
The real story here is that the West created this monster by pushing crypto as a libertarian fantasy without any accountability. Now they're shocked that a dictatorship used it to fund nukes? Wake up. The entire system was designed to be exploited. The blockchain isn't magic - it's just another tool. And tools don't care who wields them.
I work in fintech in Bangalore. We've seen North Korean devs applying for remote jobs under Indian IDs. They're good. Too good. One guy coded a smart contract that looked flawless but had a hidden backdoor. We caught it because his GitHub commits were all at 3am Indian time... but he claimed to be in Toronto. The system is broken.
The structural vulnerability here is the lack of interoperable AML frameworks across jurisdictions. When cross-chain bridges operate outside regulated financial infrastructure, they become de facto laundering corridors. The solution isn't to ban DeFi - it's to mandate on-chain compliance layers like transaction tagging and entity attribution protocols. This isn't anti-innovation; it's pro-resilience.
I don't know how anyone still thinks crypto is about freedom. This isn't freedom. This is organized crime with better PR. And the fact that people defend these unregulated platforms as 'liberty' while North Korea uses them to buy missiles... it's morally bankrupt.
It is imperative that the international community treat this not as a cybersecurity issue, but as a matter of national and global security. The laundering of over two billion dollars in illicit cryptocurrency constitutes a direct threat to the integrity of the global financial system. Sanctions must be enforced with precision, and all entities facilitating such transactions must be subjected to extraterritorial prosecution.
North Korea uses Bitcoin because it's the only crypto that can't be frozen. That's it. No magic. No secret tech. Just simple economics. Stablecoins are regulated. Bitcoin isn't. Simple as that. We keep overcomplicating it.
why do we even care if some commie regime steals crypto? they're not stealing from us they're stealing from other scammers and crypto bros. if you were dumb enough to leave your wallet open on a public node you deserve to lose it. also why is everyone acting like this is new? we knew this was happening since 2018
We can fix this. Not with more bans, but with better tools. Imagine if every wallet had a built-in 'trust layer' - a way to flag suspicious flows without killing privacy. We need devs, not just regulators, to step up. This isn't a war against crypto - it's a call to build better.
The real horror isn't the theft. It's how easy it is. We built a financial system that lets a nation-state move billions without leaving a trace. And we're still arguing about whether NFTs are art. We're not ready for this. We never were.
You all assume this is about money. It's not. It's about legitimacy. North Korea wants to be seen as a sovereign actor with access to global capital. This isn't theft - it's statecraft. And the West enabled it by treating crypto as a playground instead of a battlefield.
The Lazarus Group's shift from mixing to speed is brilliant. They used to rely on Tornado Cash to obscure trails. Now they move everything in under 72 hours - before chain analysis firms can even flag the pattern. It's like a digital bank run. The countermeasures haven't caught up because they're still thinking in terms of static rules, not dynamic behavior. We need real-time anomaly detection across all major chains - not just after the fact.
I mean... come ON. We're letting a rogue regime fund its entire military with digital cash? And the biggest takeaway from this article is... that Bitcoin is decentralized? Like, wow. Groundbreaking. I'm just sitting here wondering how many of these 'crypto cafes' are staffed by people who have no idea they're working for a nuclear weapons program. The human cost of this is insane.
This is the future. Not just for North Korea. For everyone. If you think your crypto is safe because you use a 'trusted' exchange, you're wrong. The real danger isn't hackers - it's the systems we built that let them slip through. We need to stop pretending this is about tech. It's about power. And right now, the bad guys are winning because we're too scared to regulate.
This is why America needs to stop being soft on China and Cambodia. These countries are enabling a nuclear-armed dictatorship to fund its war machine through digital money laundering. And what do we do? We issue press releases. We need to shut down those crypto cafes. We need to freeze those bank accounts. We need to send a message: if you help North Korea, you're not a business - you're a traitor.
I know people who work at crypto exchanges in Vietnam. They're just trying to make rent. They don't know the money's stolen. They think they're helping a startup. That’s the real tragedy. The system is designed to exploit the vulnerable, not the experts. We need better education - not just regulation.
If you're using a decentralized exchange without KYC, you're part of the problem. Not because you're evil - but because you're enabling it. Every time you trade on an unregulated platform, you're making it easier for North Korea to move their cash. You think you're being free? You're being used.
I just read this and felt sick. Not because of the money. Because of the people. The IT workers living under fake identities, terrified to go home. The cashiers in Sihanoukville who don't know they're funding missiles. This isn't a tech story. It's a human one.
The fact that we're even having this conversation is proof that our financial system is broken. We let a nation with no democratic legitimacy operate a global financial network that's more powerful than the IMF. And we call it innovation? This is not progress. This is anarchy.
I'm not surprised. I've seen how fast crypto moves. I used to work at a wallet startup. One day, we had a $2M transfer from a new user. No ID. No history. Just a single wallet. We flagged it. The CEO said 'don't touch it'. Two hours later, it was gone. That's how easy it is. We knew. We just didn't care.
The real issue isn't the laundering technique - it's the lack of accountability in the global crypto infrastructure. We have over 100 exchanges operating in jurisdictions with zero oversight, and we pretend that's acceptable because 'decentralization'. But decentralization doesn't mean lawlessness. It means responsibility distributed, not eliminated. The fact that we're still debating whether KYC is 'anti-freedom' shows how deeply we've lost our moral compass. North Korea didn't invent this exploit - they just perfected it because we let them.
Let me guess - next they'll say the CIA did it. Or maybe the NSA. Or maybe it's all a distraction so we don't notice how much our own governments are spying on us. Honestly, I think this whole thing is a psyop to justify more surveillance and control. The real thieves? The ones writing the regulations.
Canada's been letting these guys slip through for years. We're the soft underbelly of North American crypto. No one checks IDs at the Vancouver exchanges. And the Chinese diaspora? They're the ones moving the cash. We're not innocent here.
Wow. So North Korea is bad. Shocking. Next you'll tell me the moon is made of cheese. I'm just here wondering why this article is 2000 words long and didn't mention that the US has been using crypto for black ops since 2015. But sure, let's pretend only the bad guys use it.
I just want to say thank you for writing this. It's the first time I've seen this explained clearly. I didn't realize how much of this was happening right under our noses.
I'm not surprised that Canada is a weak link. Same with Panama and the UAE. The real problem isn't North Korea - it's the countries that refuse to cooperate. We need a global crypto compliance treaty. Like the Paris Accord, but for financial crime. Otherwise, this will keep happening.