Since the beginning of 2024, hacker groups linked to North Korea have stolen a total of $2.83 billion in cryptocurrency. According to the latest report from the Multinational Sanctions Monitoring Team (MSMT), $1.64 billion worth of cryptocurrency was illicitly acquired in the first nine months of this year alone. This amount constitutes approximately one-third of the nation’s foreign exchange income for 2024.
Bybit Attack Becomes Biggest Source of Crypto Loss
In October 2024, MSMT was established by 11 countries to monitor North Korea’s evasion of sanctions through cybercrimes. The group’s recent report highlights a 50% increase in cryptocurrency theft in 2025 compared to the previous year. The largest loss came from an attack targeting the Bybit exchange in February. Hackers affiliated with the TraderTraitor group infiltrated Bybit’s multi-signature wallet provider, SafeWallet, and seized the cold wallet smart contract through transactions that appeared to be internal transfers.

The report indicated that hackers often target third-party service providers rather than exchanges directly. Groups like TraderTraitor, CryptoCore, and Citrine Sleet have deepened their attacks using fake developer profiles, identity theft, and supply chain information. The loss of $63 million from the Munchables Web3 project is cited as an example of these techniques. Although the funds were eventually returned, challenges during the laundering process were noted.
Complex Laundering Network and Global Collaborations
According to MSMT’s analysis, stolen assets are converted into cash through a nine-step process. Initially, cryptocurrencies are converted into Ethereum (ETH) on decentralized exchanges and their traces are erased using mixing services like Tornado Cash and Wasabi Wallet. Ethereum is then exchanged for Bitcoin (BTC), passed through bridging platforms, and further mixed. The BTC stored in cold wallets is converted to USDT through Tron (TRX) and finally transferred to over-the-counter (OTC) brokers for cash.
Individuals and companies based in China, Russia, and Cambodia play crucial roles in this chain. Employees of Shenzhen Chain Element Network Technology, Ye Dinrong and Tan Yongzhi, along with trader Wang Yicong, were identified as creators of fake identities and accounts. Russian intermediaries laundered $60 million acquired from the Bybit attack, while Cambodia’s Huione Pay continued to be used in transfers despite not having its license renewed.
MSMT noted that groups linked to Pyongyang have been collaborating with Russian-speaking cybercriminals since the 2010s, and that Moonstone Sleet acquired ransomware from the Russia-based Qilin group in 2025. The organization has urged all UN member states to increase awareness of cyber threats and called upon the Security Council to reactivate the dissolved Panel of Experts.



