North Korea’s Crypto Theft Reaches $2.83B Since 2024

A new report by the Multilateral Sanctions Monitoring Team (MSMT) shows that North Korean hackers stole $2.83 billion in cryptocurrency between January 2024 and September ￰0￱ figure accounts for nearly one-third of the country’s total foreign currency income in ￰1￱ Exploit Was the Largest Contributor The MSMT a coalition of 11 countries formed in October 2024 was created to track how North Korea evades international sanctions through ￰2￱ latest findings reveal that the scale of crypto theft rose in 2025 with hackers stealing $1.64 billion in the first nine months alone

marking a 50% increase from the $1.19 billion stolen last ￰3￱ of this year’s total came from a February attack on Bybit which was linked to the TraderTraitor group also known as Jade Sleet or ￰4￱ hackers targeted SafeWallet a multi-signature wallet provider for Bybit

using phishing emails and malware to gain access to internal ￰5￱ then disguised external transfers to appear as internal ones allowing them to take control of the cold wallet’s smart contract and move the funds ￰6￱ to the MSMT North Korean hackers often avoid attacking exchanges directly instead targeting third-party service ￰7￱ such as TraderTraitor

CryptoCore and Citrine Sleet have used fake developer profiles stolen identities and detailed knowledge of software supply chains to carry out their ￰8￱ one notable case

the Web3 project Munchables lost $63 million in a hack although the funds were later returned after they reportedly faced problems during ￰9￱ the Laundering Works The analysis reveals a nine-step process used to clean and convert stolen crypto into ￰10￱ begin by swapping stolen assets for Ethereum (ETH) on decentralized exchanges then use mixing services such as Tornado Cash and Wasabi Wallet to hide transaction ￰11￱ ETH is then converted to Bitcoin (BTC) through bridge platforms mixed again

stored in cold wallets and then traded for Tron (TRX) before being converted to ￰12￱ final step involves sending USDT to over-the-counter brokers who exchange it for ￰13￱ and companies in China Russia and Cambodia were identified as key players in this ￰14￱ China

nationals Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology along with trader Wang Yicong helped move funds and create fake ￰15￱ intermediaries converted about $60 million from the Bybit hack through OTC brokers while Cambodia’s Huione Pay was used to transfer stolen funds despite its license not being renewed by the central ￰16￱ MSMT also said that North Korean hackers have worked with Russian-speaking cybercriminals since the ￰17￱ 2025

actors linked to Moonstone Sleet leased ransomware tools from the Russia-based group ￰18￱ response the 11 jurisdictions making up the MSMT issued a joint statement urging UN member countries to raise awareness on these cyber activities and called on the UN Security Council to restore its Panel of Experts “in the same strength and structure it had prior to its disbandment.”