Chinese, Russian and Cambodian intermediaries reportedly played a key role in moving and cashing the stolen funds.
A new report from the Multilateral Sanctions Monitoring Team (MSMT) shows that North Korean hackers stole $2.83 billion in cryptocurrency between January 2024 and September 2025.
This figure will account for almost a third of the country’s total foreign exchange earnings in 2024.
Bybit Exploit was the largest contributor
The MSMT, a coalition of eleven countries formed in October 2024, was formed to monitor North Korea’s evasion of international sanctions through cybercrime. His latest findings reveal that the scale of crypto theft has increased in 2025, with hackers stealing $1.64 billion in the first nine months alone, marking a 50% increase from the $1.19 billion stolen last year.
Most of this year’s total came from a February attack on Bybit, which was linked to the TraderTraitor group, also known as Jade Sleet or UNC4899. The hackers targeted SafeWallet, a multi-signature wallet provider for Bybit, and used phishing emails and malware to gain access to internal systems. They then disguised external transfers to appear as internal transfers, allowing them to take control of the cold wallet’s smart contract and move the funds undetected.
According to the MSMT, North Korean hackers often avoid attacking exchanges directly, instead targeting third-party service providers. Groups like TraderTraitor, CryptoCore, and Citrine Sleet have used fake developer profiles, stolen identities, and detailed knowledge of software supply chains to carry out their attacks. In one notable case, the Web3 project Munchables lost $63 million to a hack, although the money was later returned after they reportedly encountered problems during the money laundering operation.
How money laundering works
The analysis reveals a nine-step process used to clean stolen cryptocurrencies and convert them into cash. Hackers start by exchanging stolen assets for Ethereum (ETH) on decentralized exchanges and then use mixed services such as Tornado Cash and Wasabi Wallet to hide transaction traces. The ETH is then converted into Bitcoin (BTC) via bridge platforms, remixed, stored in cold wallets and then traded for Tron (TRX) before being converted into USDT. The final step involves sending USDT to over-the-counter brokers who exchange it for cash.
Brokers and companies in China, Russia and Cambodia were identified as key players in this process. In China, nationals Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology, along with trader Wang Yicong, helped transfer money and create fake IDs. Russian intermediaries exchanged around $60 million from the Bybit hack through OTC brokers, while Cambodia’s Huione Pay was used to transfer stolen funds despite its license not being renewed by the central bank.
You might also like:
The MSMT also said that North Korean hackers have been working with Russian-speaking cybercriminals since 2010. In 2025, actors associated with Moonstone Sleet rented ransomware tools from the Russia-based group Qilin.
In response, the eleven jurisdictions that make up the MSMT issued a joint statement urging UN member states to raise awareness of these cyber activities and calling on the UN Security Council to restore its panel of experts “in the same strength and structure as before its dissolution.”
Binance Free $600 (excluding CryptoPotato): Use this link to register a new account and get an exclusive $600 welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a FREE $500 position on any coin!
#Crypto #theft #North #Korea #reached #billion