New Report Reveals The Alarming Reach Of North Korea’s Crypto Hackers
- The report emphasizes that Pyongyang not only excels at theft but also possesses sophisticated methods for liquidating the illicit gains.
- The MSMT is a multinational coalition of 11 countries, including the US, South Korea, and Japan.
- It was established in October 2024 to support the implementation of UN Security Council sanctions against North Korea.
- According to the MSMT, the $2.83 billion stolen from 2024 to September 2025 is a critical figure.
What Happened
According to a report released by the Multilateral Sanctions Monitoring Team (MSMT), North Korea-linked hackers stole a staggering $2.83 billion in virtual assets between 2024 and September 2025.
Hacking Revenue Fuels One-Third of Nation’s Foreign Currency
The Bybit Hack and the TraderTraitor Syndicate
The MSMT identified the February 2025 hacking of the global exchange Bybit as a major contributor to the surge in illicit revenue in 2025. The attack was attributed to TraderTraitor, one of North Korea’s most sophisticated hacking organizations.
The investigation revealed that the group collected information related to SafeWallet, the multi-signature wallet provider used by Bybit. They then gained unauthorized access via phishing emails.
The MSMT noted that in major hacks over the past two years, North Korea often prefers to target third-party service providers connected to exchanges. This is done rather than attacking the exchanges themselves.
Market Context
The report emphasizes that Pyongyang not only excels at theft but also possesses sophisticated methods for liquidating the illicit gains.
The MSMT is a multinational coalition of 11 countries, including the US, South Korea, and Japan. It was established in October 2024 to support the implementation of UN Security Council sanctions against North Korea.
Why It Matters
According to the MSMT, the $2.83 billion stolen from 2024 to September 2025 is a critical figure.
“North Korea’s virtual asset theft proceeds in 2024 amounted to approximately one-third of the country’s total foreign currency income,” the team noted.
Details
The scale of theft has accelerated dramatically, with $1.64 billion stolen in 2025 alone, representing an increase of over 50% from the $1.19 billion taken in 2024, despite the 2025 figure not including the final quarter.
They utilized malicious code to access the internal network, disguising external transfers as internal asset movements. This allowed them to hijack control of the cold wallet’s smart contract.
The Nine-Step Laundering Mechanism
The MSMT detailed a meticulous nine-step laundering process North Korea uses to convert the stolen virtual assets into fiat currency:
1. Attackers swap stolen assets for cryptocurrencies like ETH on a Decentralized Exchange (DEX).
2. They ‘mix’ the funds using services such as Tornado Cash, Wasabi Wallet, or Railgun.
3. They convert ETH to BTC via bridge services.
4. They move the funds to a cold wallet after passing through centralized exchange accounts.
5. They disperse the assets to different wallets after a second round of mixing.
6. They swap BTC for TRX (Tron) using bridge and P2P trades.
7. They convert TRX to the stablecoin USDT.
8. They transfer the USDT to an Over-the-Counter (OTC) broker.
9. The OTC broker liquidates the assets into local fiat currency.
Global Network Facilitates Cash-Out