How North Korea Cashes Out Stolen Crypto: The 2026 Money Laundering Playbook
1 Jun, by Danya Henninger

Imagine stealing $1.5 billion in digital assets and needing to turn it into cold, hard cash without triggering a single alarm bell at the world’s major banks. For most criminals, this is an impossible task. For North Korea, specifically its state-sponsored hacking units, it is a daily routine.

In February 2025, the Bybit exchange hack made headlines as the largest single cryptocurrency theft in history. But the real story wasn’t just the theft; it was what happened next. How does a regime under heavy international sanctions convert billions of stolen tokens into fiat currency like US dollars or Chinese yuan? The answer lies in a sophisticated, multi-layered money laundering machine that has evolved significantly since 2017.

The 'Flood the Zone' Strategy

Gone are the days when North Korean hackers simply moved funds to a few known mixing services. Today, they use a technique described by Nick Carlsen, a former FBI expert and current lead at TRM Labs, as "flood the zone." This method involves executing hundreds of high-frequency transactions across multiple blockchain networks simultaneously to overwhelm analysts.

When the Lazarus Group, the primary hacking unit behind these attacks, steals assets, their first move is speed. In the Bybit incident, hackers routed portions of the stolen Ethereum through Binance Smart Chain and Solana networks before converting 87% of the assets directly to Bitcoin within 72 hours. Why Bitcoin? It remains the preferred intermediary currency due to its deep liquidity and widespread acceptance in illicit markets, representing 82% of final conversion targets according to recent data.

This process typically follows four distinct technical phases:

  1. Initial Theft: Usually via phishing or infrastructure compromise (accounting for 68% of attacks per FBI data).
  2. Cross-Chain Movement: Using bridges like Ren Bridge or Avalanche Bridge to obscure the origin. In 2024 alone, these bridges processed $1.2 billion in North Korean-linked transactions.
  3. Conversion to Bitcoin: Consolidating diverse altcoins into a single, liquid asset.
  4. Fiat Conversion: Moving funds through third-party networks with minimal Know Your Customer (KYC) requirements.

A critical shift has occurred away from traditional mixing services. After the U.S. sanctioned Tornado Cash in September 2022 (it had processed $1.2 billion in stolen funds for Pyongyang between 2019 and 2022), the regime adapted. Now, 73% of stolen assets pass through at least three different blockchain networks before any attempt at cash-out, making forensic tracking exponentially harder.

Cambodia: The Primary Fiat Gateway

If you want to understand where the money ends up, look at Southeast Asia. Cambodia has emerged as the primary hub for converting North Korean cryptocurrency into fiat currency. The country’s loosely regulated financial sector provides the perfect environment for large-scale laundering operations.

In May 2025, the Financial Crimes Enforcement Network (FinCEN) designated Cambodia’s Huione Group as a primary money laundering concern. Documents revealed that Huione processed $37.6 million in North Korean-linked cryptocurrency between 2021 and 2025. More alarmingly, there were direct ties confirmed between Huione executives and North Korean actors.

Huione operates through subsidiaries that facilitate the final cash-out phase. Huione Guarantee provides infrastructure for scams, while Huione Crypto issues non-freezable stablecoins. These stablecoins allow illicit assets to be converted into ostensibly legitimate value, bypassing traditional banking rails entirely.

As of March 2025, FinCEN documented 14 North Korean-controlled "crypto cafes" operating in Cambodia’s Sihanoukville region. Each cafe processes between $500,000 and $2 million monthly in cash transactions with no identification required. This physical layer is crucial because it breaks the digital trail, turning blockchain entries into untraceable banknotes.

Comparison of North Korean Crypto Laundering Hubs

| Region/Hub | Primary Function | Key Entity/Partner | Risk Level |
|---|---|---|---|
| Cambodia | Final Fiat Conversion | Huione Group | Critical (Primary Hub) |
| China | Bank Account Structuring | Indictment-linked Networks | High (Increasing Scrutiny) |
| Macau | Gambling Platform Integration | Casino Operators | Medium (Low KYC) |
| Russia | IT Worker Deployment | Local Tech Firms | Medium (Sanctions Evasion) |

The Human Element: IT Workers Abroad

Technology alone doesn’t move money; people do. North Korea strategically deploys thousands of IT workers abroad to facilitate the fiat conversion process. According to the UN Panel of Experts’ December 2024 report, these workers generate an estimated $600 million annually for the regime.

These individuals assume false identities to gain employment with cryptocurrency exchanges and financial technology firms in China, Russia, and Southeast Asia. Once inside, they create backdoors for fund movement. CSIS documented 27 specific cases in 2024 where North Korean IT workers at Chinese exchanges enabled direct wallet-to-bank transfers with only 12-hour notification periods, effectively bypassing standard 72-hour fraud detection windows.

To maintain cover, these workers use sophisticated location masking techniques. They employ virtual private networks and remote monitoring software to appear as legitimate remote workers based in the United States or Europe. According to the FBI's Cyber Division 2025 threat assessment, 89% of these workers use falsified Indian or Vietnamese identities. Their primary function is establishing clean withdrawal channels: when working as freelancers, they create fake profiles to secure cryptocurrency payment contracts, then convert digital assets to fiat through local exchange networks with minimal oversight.


Why Traditional Sanctions Are Failing

You might wonder why UN Security Council Resolution 2397, which caps North Korea's annual oil imports at 500,000 barrels, hasn't stopped this flow. The simple answer is that cryptocurrency allows the regime to circumvent traditional banking systems entirely. The United Nations estimates that cryptocurrency operations now provide 20-30% of North Korea's foreign currency reserves.

Between 2017 and 2025, the Harvard Belfer Center reported that $2.1 billion in stolen cryptocurrency was successfully converted to fiat, directly funding weapons programs. This isn't opportunistic crime; it's strategic resource extraction. Dr. Kim Heung Kwang, a defector and former computer science professor, noted in a March 2025 interview that the Lazarus Group operates with "military precision," treating each hack as a mission rather than a random act of theft.

The Atomic Wallet hack in June 2023 demonstrated this sophistication perfectly. After stealing $100 million from 4,100 individual addresses, hackers executed 1,842 cross-chain transactions within 48 hours. They funneled funds through 17 different Over-The-Counter (OTC) desks, keeping average transaction sizes below $10,000 to avoid reporting thresholds. James Chappell, Co-Founder of Digital Shadows, noted that North Korean launderers now achieve a 92% success rate in converting stolen crypto to fiat within 90 days, up from 65% in 2020.
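
For compliance and monitoring teams, the two patterns described in this article (funds crossing at least three networks before cash-out, and bursts of sub-$10,000 cash-outs spread over several OTC desks within 48 hours) can be written as a screening heuristic. The Python below is an added example, not code from the article or from any organisation it cites; the record layout, the cluster labels, the `min_chains`/`min_small`/`min_desks` values and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

REPORT_THRESHOLD_USD = 10_000   # reporting threshold cited in the article
WINDOW = timedelta(hours=48)    # burst window from the Atomic Wallet case

class Transfer(NamedTuple):     # assumed record layout, not a real feed schema
    cluster: str                # hypothetical wallet-cluster label
    ts: datetime
    chain: str
    usd: float
    desk: Optional[str]         # OTC desk on cash-out legs, None for on-chain hops

def flag_clusters(transfers, min_chains=3, min_small=4, min_desks=3):
    """Map cluster -> matched patterns; the three minimums are assumed tunables."""
    groups = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.ts):
        groups[t.cluster].append(t)
    flagged = {}
    for cluster, rows in groups.items():
        outs = [t for t in rows if t.desk]
        reasons = []
        # Pattern 1: funds touched >= min_chains networks by the first cash-out.
        if outs and len({t.chain for t in rows if t.ts <= outs[0].ts}) >= min_chains:
            reasons.append("multi_chain_before_cashout")
        # Pattern 2: 48h sliding window of sub-threshold cash-outs over many desks.
        small = [t for t in outs if t.usd < REPORT_THRESHOLD_USD]
        lo = 0
        for hi in range(len(small)):
            while small[hi].ts - small[lo].ts > WINDOW:
                lo += 1
            win = small[lo:hi + 1]
            if len(win) >= min_small and len({t.desk for t in win}) >= min_desks:
                reasons.append("structured_otc_cashout")
                break
        if reasons:
            flagged[cluster] = reasons
    return flagged

def tx(cluster, hours, chain, usd, desk=None):  # builds a constructed sample record
    return Transfer(cluster, datetime(2025, 1, 1) + timedelta(hours=hours), chain, usd, desk)

SAMPLE = [  # constructed records, not real transactions
    tx("A", 0, "ethereum", 250_000), tx("A", 1, "bsc", 120_000), tx("A", 2, "solana", 130_000),
    tx("A", 10, "bitcoin", 9_500, "otc1"), tx("A", 14, "bitcoin", 9_800, "otc2"),
    tx("A", 20, "bitcoin", 9_200, "otc3"), tx("A", 30, "bitcoin", 9_900, "otc1"),
    tx("B", 0, "bitcoin", 25_000, "otc1"),
]
```

Calling `flag_clusters(SAMPLE)` flags cluster A on both patterns and leaves the single large cash-out in cluster B alone; the same sub-threshold amounts spread over weeks instead of hours do not trip the window check.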

Emerging Threats: DeFi and Stablecoin Arbitrage

As regulatory pressure mounts, North Korea is innovating. A March 2025 CSIS investigation revealed the regime is testing "stablecoin arbitrage laundering." In this model, stolen assets are converted to non-sanctionable stablecoins like USDC through decentralized exchanges. These are then exploited through price discrepancies between regional exchanges to generate clean fiat with minimal transaction trails.

The FBI's April 2025 Cyber Threat Advisory warned that North Korea has recruited 37 blockchain developers from defunct crypto projects to build custom cross-chain protocols. These tools could process $500 million+ transactions while maintaining plausible deniability. This shift toward Decentralized Finance (DeFi) exploits regulatory gaps that haven't yet been closed by global authorities.

However, the window may be closing. Treasury Secretary Janet Yellen stated in May 2025 that coordinated international action could drop North Korea's success rates to 40% by 2027. The implementation of the Crypto-Asset Reporting Framework, requiring exchanges to share beneficiary information across 100+ jurisdictions, has already led to a 22% decrease in successful cash-outs in Q1 2025 compared to the previous quarter. But as long as loopholes exist in regions like Cambodia and within the DeFi ecosystem, the regime will continue to adapt.

How much money has North Korea stolen via cryptocurrency?

According to TRM Labs, North Korean state-sponsored hacking groups have stolen over $3 billion in cryptocurrency between 2017 and 2023. This figure excludes the massive $1.5 billion Bybit hack in February 2025. The Harvard Belfer Center reports that $2.1 billion of this total was successfully converted to fiat currency between 2017 and 2025.

What is the role of the Huione Group in North Korea's crypto laundering?

The Huione Group, based in Cambodia, serves as a primary money laundering hub. FinCEN documented $37.6 million in North Korean-linked cryptocurrency processed through Huione between 2021 and 2025. Its subsidiary, Huione Crypto, issues non-freezable stablecoins that help convert illicit assets into legitimate-looking value, facilitating the final step of cash-out operations.

Why did North Korea stop using Tornado Cash?

Tornado Cash was sanctioned by the U.S. government in September 2022 after processing $1.2 billion in stolen funds for North Korea between 2019 and 2022. Following this shutdown, the regime shifted to more complex methods, including cross-chain bridges and high-frequency transaction flooding, to avoid detection.

Who is the Lazarus Group?

The Lazarus Group is the primary state-sponsored hacking unit operated by North Korea. Responsible for major breaches like the Bybit and Atomic Wallet hacks, they operate with military precision to steal cryptocurrency for the regime's weapons programs and foreign currency reserves.

How do North Korean IT workers help launder money?

North Korea deploys thousands of IT workers abroad using false identities. Working at exchanges and fintech firms, they create backdoors to enable direct wallet-to-bank transfers, bypassing standard fraud detection windows. They also establish clean withdrawal channels by creating fake freelancer profiles to convert crypto to fiat locally.

Danya Henninger

I’m a blockchain analyst and crypto educator based in Perth. I research L1/L2 protocols and token economies, and write practical guides on exchanges and airdrops. I advise startups on on-chain strategy and community incentives. I turn complex concepts into actionable insights for everyday investors.
