How North Korea Converts Stolen Cryptocurrency to Cash: The Laundering Pipeline

Imagine waking up to find billions of dollars have vanished from a digital exchange, only for that money to reappear as hard cash funding a missile program thousands of miles away. This isn't a movie plot; it's the daily operational reality for state-sponsored hackers. North Korea has turned the theft of digital assets into a professionalized industrial pipeline. By stealing over $3 billion between 2017 and 2023, the regime has bypassed global sanctions and filled its coffers with a critical source of foreign currency.

The real magic (or rather, the crime) isn't in the theft itself, but in the "cash-out." Moving millions of dollars in cryptocurrency is easy; turning that into spendable fiat currency without getting caught by global regulators is where it gets complicated. To do this, North Korea uses a multi-stage process that blends high-tech blockchain hopping with old-school criminal networks in Southeast Asia.

The Digital Shell Game: Obscuring the Trail

The moment assets are stolen, the clock starts ticking. If the funds sit still, blockchain analysts can flag and freeze them. To prevent this, the regime uses what experts call a "flood the zone" technique. Instead of moving one giant lump sum, they execute 400 to 500 high-frequency transactions every day. This creates a massive amount of noise, designed to overwhelm the analysts trying to track the money.

In the massive Bybit hack of February 2025, where $1.5 billion was stolen, the hackers didn't just hold the assets. Within 72 hours, they routed Ethereum through the Binance Smart Chain and Solana networks, eventually converting 87% of the loot into Bitcoin. Bitcoin is the preferred choice here because it has the highest liquidity, making it easier to sell in bulk without crashing the price.

The process generally follows four technical phases:

  1. The Breach: Initial theft via phishing or infrastructure compromise (this accounts for about 68% of their attacks).
  2. Cross-Chain Hopping: Using tools like cross-chain bridges (such as Ren Bridge) to move assets between different blockchains.
  3. Consolidation: Converting various tokens into Bitcoin to simplify the final exit.
  4. The Exit: Converting that Bitcoin into fiat through networks with almost no identity checks.
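
For analysts on the tracing side, the sketch below is an added example (not code from any tool or source cited in this article) that follows funds forward from a theft address, counts bridge hops, measures how much value reached Bitcoin within 72 hours, and flags days with 400 or more tainted transfers. It assumes each bridge deposit and withdrawal has already been matched into a single record; all addresses, amounts and the function name are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

def trace(transfers, seed, theft_time, stolen_usd, window_h=72, burst_per_day=400):
    """Follow funds forward from `seed`. Each transfer is (time, src, dst, asset, usd),
    addresses written "chain:address"; a bridge hop is one record spanning two chains."""
    chain = lambda addr: addr.split(":", 1)[0]
    tainted, trail = {seed}, []
    for t in sorted(transfers):              # time order: only later outflows inherit taint
        ts, src, dst, _asset, _usd = t
        if ts >= theft_time and src in tainted:
            tainted.add(dst)
            trail.append(t)
    hops = [t for t in trail if chain(t[1]) != chain(t[2])]
    deadline = theft_time + timedelta(hours=window_h)
    # Value that reached the Bitcoin chain inside the window (the consolidation phase).
    btc_fast = sum(t[4] for t in hops if chain(t[2]) == "btc" and t[0] <= deadline)
    per_day = Counter(t[0].date() for t in trail)
    return {
        "tainted": tainted,
        "bridge_hops": len(hops),
        "btc_share_in_window": btc_fast / stolen_usd,
        # Days whose tainted-transfer count reaches the "flood the zone" volume.
        "burst_days": sorted(d for d, n in per_day.items() if n >= burst_per_day),
    }

# Constructed sample ledger (not real addresses or amounts).
T0 = datetime(2025, 1, 1)
h = lambda n: T0 + timedelta(hours=n)
SAMPLE = [
    (h(-5), "eth:seed", "eth:z", "ETH", 10),     # predates the theft: not followed
    (h(2), "eth:x", "eth:y", "ETH", 50),         # unrelated traffic
    (h(1), "eth:seed", "eth:a", "ETH", 600),
    (h(1.5), "eth:seed", "eth:b", "ETH", 400),
    (h(5), "eth:a", "bsc:c", "ETH", 600),        # bridge hop
    (h(6), "eth:b", "sol:d", "ETH", 400),        # bridge hop
    (h(20), "bsc:c", "btc:e", "BTC", 600),       # into Bitcoin inside 72 h
    (h(30), "sol:d", "btc:f", "BTC", 270),       # into Bitcoin inside 72 h
    (h(100), "sol:d", "btc:g", "BTC", 130),      # into Bitcoin after the window
] + [(h(24 + i / 20), "btc:e", f"btc:p{i}", "BTC", 1) for i in range(450)]  # one-day burst

REPORT = trace(SAMPLE, "eth:seed", T0, stolen_usd=1000)
if __name__ == "__main__":
    print({k: (len(v) if k == "tainted" else v) for k, v in REPORT.items()})
```

Real tracing also has to apportion value when tainted and clean funds mix at one address; this sketch marks every downstream address as tainted, which over-approximates.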

Turning Code Into Cash: The Role of Global Hubs

You can't buy a missile or pay a general with a private key; you need actual cash. This is where North Korea leverages geographic "blind spots" in global regulation. While China used to be the main hub, increased scrutiny has shifted the focus to Cambodia. The regime has essentially built a shadow financial system there to facilitate the final conversion.

A major player in this ecosystem has been the Huione Group in Cambodia. Between 2021 and 2025, this entity processed over $37 million in North Korean-linked crypto. They use subsidiaries like Huione Crypto to issue stablecoins that act as a bridge, turning illicit digital assets into seemingly legitimate value that can then be withdrawn as cash.

Comparison of Cryptocurrency Cash-Out Hubs

| Hub Location | Primary Method | KYC Strictness | Key Entity/Vector |
| Cambodia | Crypto Cafes & Stablecoins | Very Low | Huione Group |
| China | OTC Desks & Bank Accounts | Moderate | Private Money Transfer Networks |
| Macau | Casino Deposits | Low (approx. 5% verification) | Gambling Platforms |

Beyond professional money laundering firms, North Korea utilizes the gambling industry. In Macau, some casinos accept cryptocurrency deposits with a verification rate of only 5%, compared to the 95% required in regulated markets. This allows the regime to "wash" the money through gambling accounts and then withdraw it as clean casino winnings.


The Human Element: Sleeper Agents in Fintech

The most dangerous part of this operation isn't the code, but the people. North Korea deploys thousands of IT workers globally who act as a human bridge to fiat. These workers don't just code; they infiltrate. By using fake identities, often pretending to be from India or Vietnam, they land jobs at cryptocurrency exchanges and fintech firms.

Once inside, these employees create backdoors. Instead of using a public interface that triggers a fraud alert, they can enable direct wallet-to-bank transfers. In some cases, they've managed to reduce the notification period for large transfers to just 12 hours, bypassing the standard 72-hour window that security teams use to catch suspicious activity. These workers generate an estimated $600 million annually, providing both a steady income for the regime and the necessary "clean" channels to move stolen funds.


The Evolution of the Game

The Lazarus Group, the primary hacking arm of the regime, operates with military precision. They've moved away from simple mixing services. For years, they relied on Tornado Cash, but after that service was sanctioned in 2022, they adapted. They now prioritize speed, converting 78% of stolen assets within 72 hours to stay ahead of the investigators.

We are also seeing a shift toward Decentralized Finance (DeFi). The regime is now testing "stablecoin arbitrage laundering." This involves converting stolen assets into stablecoins like USDC through decentralized exchanges and exploiting price differences between regional platforms. This generates clean fiat with almost no transaction trail for analysts to follow.

Despite these tricks, the window is closing. The implementation of the Crypto-Asset Reporting Framework is forcing exchanges in over 100 countries to share beneficiary information. This has led to a 22% decrease in successful cash-outs in early 2025. However, as long as there is a single unregulated exchange or a corrupt casino in the world, the regime will find a way to turn a digital theft into a physical weapon.

Why does North Korea prefer Bitcoin for cashing out?

Bitcoin has the highest liquidity of any cryptocurrency. Because there are so many buyers and sellers globally, the regime can convert massive amounts of other stolen tokens into Bitcoin and then sell that Bitcoin for fiat currency without causing a massive price swing that would alert market monitors.

What is "cross-chain hopping"?

Cross-chain hopping is the process of moving cryptocurrency from one blockchain (like Ethereum) to another (like Solana) using bridges. This breaks the linear trail of the transaction, making it much harder for blockchain forensics tools to track the funds from the original theft to the final cash-out point.

How do North Korean IT workers help launder money?

These workers gain employment at crypto exchanges using fake identities. Once they have internal access, they can bypass KYC (Know Your Customer) checks, create fraudulent accounts, and facilitate direct transfers from crypto wallets to bank accounts, effectively acting as a "clean" exit point for stolen funds.

Is Tornado Cash still used by North Korea?

Significantly less than before. While it was a primary tool for years, the 2022 US sanctions made it a high-risk option. The regime has shifted toward using decentralized exchanges and cross-chain bridges to achieve the same mixing effect without relying on a single, sanctionable service.

Which countries are the biggest hubs for these operations?

Cambodia has emerged as a primary hub due to its loose financial regulations and the presence of entities like the Huione Group. China remains a secondary hub, while Macau is frequently used for laundering through the casino industry.