North Korea's billion-dollar cybercurrency heists face laundering gridlock

Like drug dealers and terrorists, hackers for North Korea are having to be careful about how they unload their haul, analysts say.

The logo of the cryptocurrency exchange Bybit appears on the screen of a smartphone. [Jaque Silva/NurPhoto via AFP]

By Robert Stanley

North Korea's cyber hacking spree is netting so much stolen cryptocurrency that Pyongyang is struggling to launder the massive haul into usable dollars and euros it needs to keep Kim Jong Un's regime afloat, according to security reports.

Hackers linked to North Korea have stolen over $6 billion in crypto assets since 2017, and the proceeds may have been spent on the country's ballistic missile program, Elliptic, a cybersecurity firm, reported March 5.

Pyongyang's most recent big heist uncovered so far is a $1.46 billion theft of Ethereum coins from cryptocurrency exchange Bybit in February, the largest cyber theft in history, according to the US Federal Bureau of Investigation (FBI).

But like drug dealers and terrorists, hackers for North Korea, referred to as the Lazarus Group by crypto-watchers, are having to be careful about how they unload their haul.

Instead of major exchanges, the hackers have to "look to exchanges globally that don't have compliance controls in place," Ari Redbord, global head of policy at blockchain analytics firm TRM Labs, told CoinDesk.

"Everyone uses Chinese money laundering organizations. The [drug] cartels use them to move funds. There's a network there that North Koreans have used for years," added Redbord, a former adviser on terrorism and criminal finance at the US Treasury Department.

Raising 'alarming questions'

Initial reports suggest malware was used to trick the Bybit exchange into approving transactions that sent the funds to North Korea, according to Elliptic.

"What makes this attack terrifying?" Gautham Santhosh, a co-founder of Polynomial Protocol, a firm that develops tools for cryptocurrency derivative trading, asked in a series of posts on X. "The hacker didn't break the code. They broke the HUMANS."

The North Korean hackers tricked the Bybit exchange's human overseers into thinking the transaction they saw on their screens was legitimate, when in fact it was a piece of code that allowed the hackers to steal the cryptocurrency.

"This is next-level social engineering," said Santhosh.

"What sets this hack apart is the extraordinary pace of post-hack laundering," Redbord told Cyberscoop, an online news site covering cybersecurity.

Within two days of the crypto attack, the North Korean threat group funneled $160 million through illicit channels, "an amount that would have been unimaginable to move this quickly just a year ago," Redbord said.

"This shift raises alarming questions about whether North Korea's laundering capacity has expanded," he said. "Criminal financial networks have never moved this quickly to process funds."

Nick Carlsen, TRM's North Korea expert, said the Bybit heist shows the Kim regime is intensifying its "flood the zone" technique.

They are "overwhelming compliance teams, blockchain analysts and law enforcement agencies with rapid, high-frequency transactions across multiple platforms, thereby complicating tracking efforts," Carlsen said in a blog post.

Drug cartel similarities

North Korea's cashing out problems recall the issues Colombian drug lord Pablo Escobar had laundering his money.

When Colombian police and US Drug Enforcement Agency agents overran his farm outside Medellin, they found stacks of $100 bills stashed in walls and buried in holes around his house.

The Cali Cartel, which took control of most of Colombia's cocaine trafficking after Escobar's death, needed to mask its source of revenue, so it bought a discount drugstore chain, which was seized by the Colombian government in 2004.

"You're inevitably seeing these funds sit in wallets over long periods of time," Redbord told CoinDesk. "I don't think that's them setting up a strategic reserve of some kind; they're just not being able to off-ramp the funds."

"In every world, North Korea wants to get those funds off-chain as fast as they can," he added.

The rise in crypto theft by North Korea comes as illicit crypto transactions are declining, down 24% in 2024 to about $45 billion, according to TRM's 2025 Crypto Crime Report.

Crypto is still a favorite tool of so-called sanctioned entities -- criminals, criminal regimes and terrorists facing sanctions from the US government.

In its annual report on crypto crime, TRM said that sanctioned entities accounted for a third of all illicit crypto trading in 2024, underscoring what it said was "the continued use of crypto to circumvent global financial restrictions, despite increased enforcement efforts."

Notably, Vitalik Buterin, born in 1994 in Russia, is behind Ethereum, a blockchain platform for decentralized financial applications.

Wow. I hope the United States is doubling down on cyber security and reinforcing the federal agencies. They keep us safe from these bad guys.