From Hacked Wallets to Warheads: North Korea's Crypto-Fueled Arsenal

Generated by AI Agent Coin World. Reviewed by AInvest News Editorial Team
Sunday, Oct 26, 2025 4:34 pm ET
Aime Summary

- North Korea siphoned $2.83B in crypto since 2024, with $1.4B stolen from Bybit via a 2025 multi-signature wallet breach.

- Hackers used phishing/malware to disguise transfers, laundering funds through Tornado Cash and OTC brokers in China/Russia/Cambodia.

- The regime deploys 40,000+ IT workers abroad under false identities and collaborates with Russian ransomware groups like Qilin.

- International efforts include OFAC sanctions and blockchain tracing, but Pyongyang's tactics evolve to evade UN sanctions and fund weapons programs.

North Korea's cyber operations have siphoned over $2.83 billion in cryptocurrency since 2024, with the scale of theft accelerating sharply in 2025, according to a . The largest single incident, a February 2025 attack on Bybit, netted $1.4 billion for Pyongyang through a sophisticated breach of the exchange's multi-signature wallet provider, SafeWallet. The hackers used phishing emails and malware to infiltrate internal systems, disguising external transfers as internal ones to seize control of a cold wallet's smart contract.

The MSMT report details a nine-step laundering process to convert stolen crypto into fiat currency, involving decentralized exchanges, mixing services like Tornado Cash, and multiple conversions between , , and stablecoins like . Funds are eventually funneled through over-the-counter brokers in China, Russia, and Cambodia, with intermediaries such as Shenzhen Chain Element Network Technology and Cambodia's Huione Pay playing key roles. These operations fund North Korea's weapons programs, including procurement of armored vehicles and missile systems, according to a .

Beyond direct hacks, North Korea has deployed thousands of IT workers abroad under false identities to generate illicit revenue. The MSMT identified deployments in eight countries, including 1,000–1,500 workers in China and plans for 40,000 in Russia, as reported by . These workers, often securing remote tech jobs with Western firms like Amazon and HBO Max, bypass UN sanctions prohibiting North Korean labor exports. The regime has also collaborated with Russian cybercriminals, leasing ransomware tools from groups like Qilin, the Cryptopotato report said.

International efforts to counter these activities are intensifying. The U.S. Office of Foreign Assets Control (OFAC) has sanctioned fraudulent IT worker networks, while blockchain analytics firm Chainalysis reports growing success in tracing and recovering stolen assets. Andrew Fierman, Chainalysis' National Security Intelligence head, noted that "the ability to identify associated risks and fight back is growing," citing the recovery of tens of millions from the Bybit hack.

Despite these measures, North Korea's cyber capabilities remain a significant threat. The MSMT urged the UN Security Council to reinstate its Panel of Experts to bolster monitoring efforts. As Pyongyang continues to refine its tactics, the global response—combining sanctions, blockchain surveillance, and cross-border collaboration—will be critical in curbing the regime's access to illicit funding streams, as detailed by .