In a startling revelation, North Korea-linked hackers have pilfered a staggering $2.83 billion in cryptocurrency from January 2024 to September 2025, as detailed by the Multilateral Sanctions Monitoring Team (MSMT). This extensive cyber theft has not only showcased the growing sophistication of North Korean cybercriminals but has also played a crucial role in funding nearly one-third of the country’s total foreign income for 2024.
The MSMT, formed in October 2024 and comprising 11 countries, released findings that indicate a sharp rise in theft activity, particularly in 2025. During the first nine months of 2025 alone, hackers were responsible for stealing $1.64 billion, marking a significant increase from the $1.19 billion stolen in 2024. Alarmingly, the 2025 figure does not even cover the entire year, suggesting that the total could be much higher.
A significant portion of this year’s haul stemmed from a high-profile attack on Bybit, a global cryptocurrency exchange, in February 2025. This breach was attributed to the notorious TraderTraitor group, a known North Korean hacking syndicate.
The Bybit Breach: A Masterclass in Cybercrime
The Bybit hack in February 2025 stands out as one of the most significant breaches in recent history. Cybercriminals gained entry by exploiting vulnerabilities in SafeWallet, the multi-signature wallet provider utilized by Bybit. By leveraging phishing emails and malware, the hackers infiltrated the exchange’s internal systems.
Once inside, they cleverly disguised their actions, making external transfers appear as internal transactions. This strategy allowed them to seize control of the cold wallet’s smart contract, thereby facilitating a massive transfer of assets.
The MSMT report highlights a trend among North Korean hackers: rather than attacking exchanges directly, they prefer to target third-party service providers associated with these platforms.
A Nine-Step Laundering Process: The Path to Cash
According to the report, the process of laundering the stolen assets involves a complex nine-step method. Initially, hackers swap the stolen funds for Ethereum (ETH) on decentralized exchanges. They then utilize mixing services, such as Tornado Cash and Wasabi Wallet, to obscure transaction trails. Following this, ETH is converted into Bitcoin (BTC) through bridge platforms.
After storing the funds in cold wallets, hackers further mix the assets before converting BTC into TRX (Tron) and subsequently into USDT, a popular stablecoin. The final step involves sending the USDT to Over-the-Counter (OTC) brokers, who facilitate the exchange into fiat currency.
International Collaboration in the Cash-Out Phase
The most challenging aspect of this operation is converting cryptocurrency into cash, which often requires external assistance. The MSMT has identified various brokers and companies in China, Russia, and Cambodia that play pivotal roles in this phase.
In China, individuals such as Ye Dinrong and Tan Yongzhi from Shenzhen Chain Element Network Technology, along with another trader, Wang Yicong, have been implicated in facilitating the movement of stolen assets using fake identities.
Russian intermediaries have also been identified as crucial players, assisting in the conversion of approximately $60 million from the Bybit attack. These funds were traced back to Russian-linked OTC brokers.
Moreover, Cambodia’s Huione Pay was reportedly involved in cashing out the stolen assets. Despite the Cambodian central bank’s decision not to renew Huione Pay’s license, reports suggest that the company continues to operate, raising questions about regulatory enforcement.
As the MSMT continues to investigate these activities, it remains clear that the global cryptocurrency community must remain vigilant against such sophisticated cyber threats.
