North Korea’s Cryptocurrency Heist: Unveiling the Billion-Dollar Cyber Crimes


The Multinational Sanctions Monitoring Team (MSMT) has revealed staggering cryptocurrency theft figures linked to North Korean hackers in its latest report. A colossal $2.83 billion worth of digital currency has allegedly been stolen since early 2024, making up a significant part of North Korea’s foreign income for the year. In the first nine months of 2025 alone, $1.64 billion was stolen, a sharp rise in cybercriminal activity.

What Led to Bybit’s Massive Loss?

The largest breach of 2025 occurred at Bybit, where hackers from the TraderTraitor group exploited the exchange’s multi-signature wallet provider, SafeWallet. By manipulating internal transactions, they took control of Bybit’s cold wallet smart contract. This attack represents a 50% leap in crypto theft compared to last year.

Rather than targeting exchanges directly, these hackers often focus on third-party service providers. The report cites groups like TraderTraitor, CryptoCore, and Citrine Sleet using tactics such as fake developer identities, identity theft, and compromised supply chain information. A significant instance was the infiltration of the Munchables Web3 project, which, after much difficulty, managed to recover the $63 million in stolen funds.

How Complex is the Laundering Network?

The process of turning stolen digital assets into cash is intricate, involving a nine-step method. Initially, the assets are converted into Ethereum (ETH) on decentralized platforms and their trails are obscured with services like Tornado Cash. They are then exchanged for Bitcoin (BTC) and further anonymized before being moved to cold storage. Finally, the BTC is converted to USDT through Tron (TRX) and handed to OTC brokers in return for cash.

Entities in China, Russia, and Cambodia are pivotal in this laundering process. Employees of Shenzhen Chain Element Network Technology created fake identities and accounts, while Russian conduits laundered funds, including $60 million taken in the Bybit heist. Despite the expiration of its license, Cambodia’s Huione Pay still facilitated fraudulent transactions.

MSMT highlighted long-standing collaboration between Pyongyang-linked groups and Russian cybercriminals, revealing that Moonstone Sleet acquired ransomware from Russia’s Qilin group. It urged international vigilance against these threats and recommended that the UN Security Council reinstate its dissolved Panel of Experts.

The increased sophistication and frequency of these hacking activities point to several critical insights:

  • North Korean hackers contribute substantially to the illicit acquisition of foreign currency through crypto theft.
  • The Bybit heist underlines the vulnerability of exchanges to multi-layered cyber-attacks.
  • Global cybercrime coordination highlights the need for robust international regulations.

A spokesperson from MSMT emphasized the gravity of the situation, stating,

“The increasing sophistication and scale of these cyber-attacks necessitate comprehensive global countermeasures to safeguard digital economies.”

This escalating threat calls for heightened collaborative efforts to protect the integrity of the cryptocurrency ecosystem worldwide.

Disclaimer: The information contained in this article does not constitute investment advice. Investors should be aware that cryptocurrencies carry high volatility and therefore risk, and should conduct their own research.
