Global Watch
Global Issues

North Korea's crypto-to-weapons pipeline creates tangible geopolitical risk

From billion-dollar exchange heists to 'digital laundromats' that blur the trail, Pyongyang has built a pipeline that turns hacked tokens into cash and critical resources for its weapons programs.

People sit in front of a television screen showing a news broadcast with file footage of a North Korean missile test, at a train station in Seoul on January 4. [Jung Yeon/AFP]
People sit in front of a television screen showing a news broadcast with file footage of a North Korean missile test, at a train station in Seoul on January 4. [Jung Yeon/AFP]

Global Watch |

North Korea's nuclear ambitions begin with large-scale cryptocurrency theft, carried out by state-sponsored groups like the Lazarus Group.

These cyber units target cryptocurrency exchanges, decentralized finance (DeFi) platforms and digital wallets, exploiting vulnerabilities to siphon billions of dollars in digital assets.

Recent reports highlight how North Korea is increasingly leveraging artificial intelligence (AI) to enhance these operations, from sophisticated phishing schemes to automated financial thefts, making their cyber crimes more efficient and harder to detect.

In 2022 alone, North Korean-linked cyber actors stole an estimated $1.7 billion in cryptocurrency.

Illustration of the buying, selling and trading platform and cryptocurrency, Bybit application, in Paris, November 22, 2021. [Antoine Wdo/Hans Lucas/AFP]
Illustration of the buying, selling and trading platform and cryptocurrency, Bybit application, in Paris, November 22, 2021. [Antoine Wdo/Hans Lucas/AFP]

Meanwhile, in early 2025, a single operation reportedly netted $1.5 billion from the exchange Bybit.

These thefts are not random -- they are systematic and strategic, designed to fund Pyongyang's nuclear weapons and missile programs.

Digital money laundering

But stealing cryptocurrency is only the beginning.

Unlike cash, most cryptocurrencies are inherently traceable, with transactions recorded on public blockchains that create a permanent ledger of fund movements.

For North Korea, this transparency presents a major challenge: stolen funds are difficult to use without drawing attention.

To overcome the traceability of blockchain technology, North Korean cyber operators rely on cryptocurrency "mixers," also known as tumblers.

These services obscure transaction histories by pooling funds from many users and redistributing them in ways that cut the visible link between sender and recipient.

A useful analogy is to think of mixers as cryptocurrency laundromats.

Stolen cryptocurrency, clearly identifiable as illicit, goes in. Inside the system, those funds are combined with assets from thousands of other users and algorithmically scrambled.

After a delay, an equivalent amount can be withdrawn to a new wallet address, making it nearly impossible to tie a specific deposit to a specific withdrawal.

Turning crypto into hardware

The final step in North Korea's cryptocurrency strategy is the most consequential: converting laundered digital assets into real-world resources that support its weapons programs.

This is where an abstract cyber threat becomes a tangible geopolitical risk.

After passing through mixers and moving across multiple blockchains, the cryptocurrency must be converted into something usable.

One primary mechanism is a global network of over-the-counter (OTC) brokers. These brokers operate outside formal exchanges, often in jurisdictions with weak regulatory oversight, such as parts of China and Southeast Asia.

Using front companies, false identities and intermediaries, North Korean agents provide these brokers with laundered cryptocurrency. In return, cash or bank deposits are delivered to accounts ultimately controlled by the regime.

Once converted, these funds support a range of activities critical to weapons development.

While sanctions make it difficult to purchase complete weapon systems, they do not fully prevent access to dual-use goods -- items with both civilian and military applications.

These include specialized metals, industrial materials and advanced electronics needed for missile airframes and guidance systems.

The same funds also pay the salaries of scientists and engineers, maintain research facilities and sustain the industrial infrastructure behind the programs.

Economic battlefield

Taken together, this process represents a significant evolution in sanctions evasion.

North Korea has transformed cyberspace into a critical economic battlefield, exploiting gaps in the digital economy to finance its most dangerous ambitions.

Counter-proliferation efforts can no longer focus solely on shipping ports, customs inspections or bank compliance offices --they must extend deep into cyberspace and onto the blockchain itself.

The international community faces a growing challenge: how to close the loopholes in the digital economy that allow North Korea to bypass sanctions and fund its weapons programs.

North Korea's ability to steal, launder and cash out cryptocurrency also highlights the intersection of technology and global security.

This risk is amplified by ongoing collaborations, such as North Korea's troop deployments to support Russia's war in Ukraine, potentially in exchange for advanced nuclear and military technologies.

What begins as a cybercrime ends as a geopolitical risk, with stolen digital assets fueling the development of nuclear weapons and advanced missile systems.

As the digital economy continues to expand, the tools of sanctions evasion are becoming more sophisticated.

Addressing this threat requires coordinated international action, combining cybersecurity measures with financial oversight to disrupt the pipeline from stolen cryptocurrency to weapons development.

Do you like this article?