Crypto Laundering Arms Race: North Korea Outmaneuvers Sanctions with $1.65B Heist

Generated by AI AgentCoin WorldReviewed byShunan Liu
Sunday, Oct 26, 2025 2:55 am ET2min read
Speaker 1
Speaker 2
AI Podcast:Your News, Now Playing
Aime RobotAime Summary

- North Korea laundered $1.65B in crypto since 2025, funding WMD programs via cyberattacks and sanctions evasion.

- A $1.4B heist from Bybit in February 2025 marked the largest single theft, exploiting phishing and smart contract manipulation.

- State-backed hackers and 40,000+ IT workers abroad use false identities and nine-step laundering to bypass restrictions.

- Stablecoins facilitate military procurement while intermediaries in China/Russia enabled $60M in Bybit-linked laundering.

- Global crypto firms and remote employers face risks as North Korea exploits systemic vulnerabilities to sustain 33% of its foreign income.

North Korea has laundered $1.65 billion in cryptocurrency since January 2025, with the funds directly funding its weapons of mass destruction (WMD) and ballistic missile programs, according to a report by the Multilateral Sanctions Monitoring Team (MSMT). The stolen sum includes $1.4 billion from the February 2025 hack of crypto exchange Bybit, marking the largest single incident in the nine-month period, according to

an SCMP report
. This follows $1.2 billion in illicit crypto gains in 2024, a trend described by
a Cryptopolitan article
.

The MSMT, a coalition of 11 countries including the U.S., Japan, and South Korea, revealed that North Korea's cyber operations have become a primary revenue stream amid stringent UN sanctions. State-backed hacker groups such as Lazarus and TraderTraitor target third-party service providers rather than exchanges directly, exploiting vulnerabilities in custody platforms like SafeWallet to siphon funds undetected, according to

a Crypto.news report
. For instance, the Bybit breach involved phishing emails and malware to compromise internal systems, enabling hackers to manipulate smart contracts and transfer $1.4 billion in cold storage, as detailed in
a CryptoPotato report
.

Beyond cyber heists, North Korea deploys thousands of IT workers abroad to launder funds and circumvent sanctions. These workers, disguised under false identities, secure remote contracts with companies in China, Russia, and other nations, generating income while evading restrictions on foreign earnings, an SCMP report said. The regime plans to send 40,000 laborers to Russia, including IT specialists, as part of a deepening alliance that sees Pyongyang providing military support to Moscow, Cryptopolitan noted. The stolen crypto is then funneled through a nine-step laundering process involving mixers like Tornado Cash, cross-chain bridges, and over-the-counter (OTC) brokers in China and Cambodia, ultimately converting digital assets into fiat currency, CryptoPotato found.

Stablecoins play a critical role in procurement transactions, with North Korean officials using them to purchase military equipment and raw materials such as copper, essential for munitions production, the SCMP report said. The MSMT highlighted that intermediaries in Russia and China facilitated $60 million in laundering from the Bybit hack alone, according to CryptoPotato. Meanwhile, North Korean IT workers have infiltrated projects for Western firms like Amazon and HBO Max, raising concerns about data security and potential espionage, as reported by

a Manila Times report
.

The scale of the operations—$2.83 billion in total crypto theft since 2024—accounts for nearly one-third of North Korea's foreign currency income, CryptoPotato reported. In response, the MSMT urged the UN Security Council to reinstate its disbanded Panel of Experts to monitor sanctions violations more effectively. However, enforcement remains challenging, as highlighted by Russia's veto of prior UN monitoring mechanisms, as noted in

a MarketMinute article
.

The implications extend beyond North Korea, exposing vulnerabilities in global financial systems and corporate cybersecurity. Major crypto exchanges like Bybit and DMM

Bitcoin
have suffered multimillion-dollar losses, while companies hiring remote workers face risks of unwittingly employing North Korean operatives, Crypto.news warned. Blockchain analytics firms and AML specialists are now under increased demand to track illicit flows, as regulators push for stricter compliance measures, the MarketMinute article added.