North Korea doesn’t need banks to move money. It doesn’t even need traditional smuggling routes. Instead, it uses blockchain technology - the same system that powers decentralized finance - to turn stolen digital coins into cash, weapons, and missiles. Since 2017, North Korean hackers have stolen over $3 billion in cryptocurrency, and by 2025, an estimated $2.1 billion of that had already been converted into usable fiat currency. This isn’t random hacking. It’s a state-run operation, carefully designed to bypass sanctions, evade detection, and fund a nuclear program that the rest of the world is trying to stop.
How the Theft Begins
The process starts with a digital break-in. North Korea’s most notorious hacking group, Lazarus, doesn’t rely on brute force. It uses phishing, fake job postings, and supply chain attacks to get inside exchanges, wallets, and crypto platforms. In 2023, they hacked Atomic Wallet by compromising a software update, stealing $100 million from over 4,000 users in one go. In February 2025, they pulled off the biggest heist in crypto history: $1.5 billion from Bybit, a major centralized exchange. These aren’t one-off events. They’re scheduled, rehearsed, and repeated.What makes these attacks so effective? They target human error, not just code. North Korean operatives pose as recruiters on LinkedIn, offering high-paying remote jobs in blockchain development. Once hired, they gain access to internal systems and quietly route funds out before anyone notices. The FBI estimates that 68% of all crypto thefts linked to North Korea start with this kind of insider access.
From Stolen Crypto to Clean Money
Stealing the coins is only half the battle. The real challenge? Turning them into cash you can spend on a missile factory.Early on, hackers just withdrew stolen ETH or BTC directly to exchanges. But as regulators caught on, North Korea adapted. Now, they use what experts call a “flood the zone” strategy. For every $10 million stolen, they execute 400 to 500 transactions in under 72 hours - moving money across Bitcoin, Ethereum, Solana, and Binance Smart Chain. Each hop makes it harder to trace. The goal isn’t to hide the money forever. It’s to make it look like it came from somewhere else.
They don’t use mixing services like Tornado Cash anymore - that was shut down in 2022. Instead, they use cross-chain bridges. These are tools designed to let users move crypto between blockchains. But they’re poorly regulated. Between 2021 and 2024, over $1.2 billion in North Korean-linked crypto passed through bridges like Ren Bridge and Avalanche Bridge. Once the funds are scattered across multiple chains, they get converted into Bitcoin. Why? Because BTC is the most liquid, most widely accepted crypto in the world. Over 82% of all stolen assets are ultimately funneled into Bitcoin before the final cash-out.
The Final Step: Turning Crypto Into Cash
This is where geography matters. North Korea doesn’t have its own banks. So it outsources the dirty work.Cambodia has become the main hub. The country’s financial oversight is weak, and its crypto scene is barely monitored. The U.S. Treasury has identified a company called Huione Group as a key player. Huione’s subsidiaries operate “crypto cafes” in Sihanoukville - small shops where people walk in with digital wallets and walk out with cash. No ID. No questions. Each cafe processes $500,000 to $2 million per month. As of March 2025, there were 14 of them operating openly.
China is still a secondary hub. Even though Beijing has cracked down on crypto, underground networks persist. In February 2024, the U.S. Department of Justice indicted two Chinese nationals for moving $250 million in North Korean crypto through 37 bank accounts. The money came in as crypto, got converted to yuan, and was funneled into real estate, luxury goods, and shell companies.
Macau’s casinos are another weak link. Unlike regulated casinos in Las Vegas or Singapore, many Macau venues accept crypto deposits with less than 5% identity verification. A 2024 TRM Labs report showed that 15% of stolen crypto from North Korean hacks ended up at these tables - converted into chips, then cashed out as clean money.
The Human Network Behind the Scenes
You can’t run this operation with just hackers. You need people on the ground.North Korea has deployed over 10,000 IT workers abroad - mostly in China, Russia, and Southeast Asia. These aren’t spies. They’re engineers, customer support reps, and freelance developers. They use fake identities - often pretending to be from India or Vietnam - to get hired by crypto firms. Once inside, they exploit their access to move funds. In 2024, CSIS documented 27 cases where North Korean workers at Chinese exchanges set up backdoors that allowed transfers from crypto wallets directly into bank accounts - all with only a 12-hour notice window. Standard fraud detection systems take 72 hours. They had a 5-day window to disappear.
These workers also create fake freelance profiles on Upwork and Fiverr, offering “blockchain consulting.” Clients pay them in crypto. They cash out locally, send the fiat to North Korea, and keep a cut. It’s a low-risk, high-reward system. The UN estimates this network brings in $600 million per year.
Why It’s Working - And Why It’s Starting to Fail
For years, North Korea had the upper hand. Blockchain was new. Regulators were slow. Exchanges didn’t talk to each other. But things are changing.The Crypto-Asset Reporting Framework, rolled out in late 2024, now requires over 100 countries to share transaction data. That means if someone tries to cash out $50,000 in Cambodia, the exchange has to report who sent it, where it came from, and who received it. This has already caused a 22% drop in successful cash-outs in Q1 2025.
At the same time, blockchain analytics have gotten smarter. Companies like TRM Labs and Chainalysis can now trace transactions across multiple chains with 90% accuracy. In 2020, North Korea had a 65% success rate in converting stolen crypto to cash within 90 days. By 2025, that number jumped to 92%. But now, the pressure is mounting. The U.S. Treasury says success rates will drop to 40% by 2027.
Still, North Korea isn’t giving up. They’re building their own tools. A March 2025 CSIS report revealed they’re testing “stablecoin arbitrage laundering” - using price differences between regional exchanges to convert stolen USDC into local currency with almost no trail. They’ve also recruited 37 former crypto developers to build custom cross-chain protocols that could move $500 million without leaving a trace.
What’s Next?
The game is shifting. North Korea can’t rely on the same tricks forever. But they don’t need to. They just need one weak point - one unregulated exchange, one corrupt official, one country that won’t cooperate.The real question isn’t whether they can still cash out. It’s whether the world will act before they fund their next missile test. Every dollar they launder buys more uranium. Every successful hack funds another submarine. And while blockchain experts race to close loopholes, North Korea keeps adapting - faster than anyone expected.
For now, the system still works. But the clock is ticking. And the next $1 billion heist might be the last one they pull off.
How much cryptocurrency has North Korea stolen?
Between 2017 and 2025, North Korean hacking groups have stolen over $3 billion in cryptocurrency, according to TRM Labs and Chainalysis. The largest single theft was the $1.5 billion Bybit hack in February 2025, the biggest in crypto history.
How does North Korea turn crypto into cash?
They use a multi-stage process: first, moving stolen assets across multiple blockchains to obscure origin; second, converting them into Bitcoin (the most liquid crypto); and third, cashing out through unregulated exchanges in Cambodia, China, and Macau. Final conversion often happens at crypto cafes with no ID checks.
Why Cambodia?
Cambodia has weak financial oversight and no strict KYC rules for crypto. The U.S. Treasury has identified Huione Group as a key laundering entity, operating 14 crypto cafes in Sihanoukville that process millions monthly with zero identification.
Do North Korean hackers use mixing services?
They used to. Tornado Cash was a major tool, processing $1.2 billion in stolen funds before it was sanctioned in 2022. Since then, they’ve shifted to cross-chain bridges and high-frequency transactions to avoid detection.
How do North Korean workers help with cash-outs?
Thousands of North Korean IT workers are placed in crypto firms across Asia. Using fake identities, they gain access to internal systems and create backdoors to move funds. Some work as freelancers, getting paid in crypto and converting it locally, then sending the cash home.
Is North Korea’s crypto laundering getting harder to do?
Yes. Global cooperation, mandatory reporting frameworks, and better blockchain analytics have reduced successful cash-outs by 22% in early 2025. Experts predict success rates will fall to 40% by 2027, but North Korea continues to innovate with custom protocols and stablecoin arbitrage.