July 7, 2026
More Than 65% of All Stolen Crypto Now Traces to North Korea
The Signature That Emptied a Vault

By David SEHYEON Baek
34 min read
The Signature That Emptied a Vault
On the morning of February 21, 2025, a small group of people at one of the world's largest cryptocurrency exchanges sat down to do something they had done many times before. It was routine treasury work, the digital equivalent of moving cash from a bank vault into a teller drawer. Bybit needed to shift a large amount of Ethereum out of one of its cold wallets, the deep-storage accounts that are supposed to sit offline and untouched, into a wallet closer to daily operations. The transfer moved through Safe, a multi-signature platform that requires several authorized people to review and approve a transaction before it executes. More than one human being had to look at the details on screen and say yes.
They looked. The screen showed a normal transfer. The addresses looked right. The amounts looked right. Each signer approved what appeared to be an ordinary, legitimate movement of company funds. At approximately 12:30 PM UTC, they signed.
What they had actually approved, according to the forensic investigations later published by Bybit and confirmed by the FBI, was not a transfer at all. It was a change to the control logic of the wallet itself. In the space of a single approval, control of a cold wallet holding more than 400,000 ETH passed to an address operated by hackers working for the government of North Korea. Roughly $1.5 billion in digital assets left the building. No alarm rang, no vault door was forced, no gun was drawn. The people guarding the money did the stealing with their own hands, because the screen in front of them had been quietly rewritten to lie.
Two minutes after the malicious transaction executed, according to the Tel Aviv forensics firm Sygnia, the attackers uploaded clean versions of the tampered code to cover their tracks. By the time Bybit understood what had happened, the largest cryptocurrency theft in history was already complete, and, according to the Multilateral Sanctions Monitoring Team, possibly the largest theft of any kind ever recorded.
That single morning tells you almost everything you need to know about how North Korea has come to dominate cryptocurrency crime. The regime did not out-hack the exchange in some frontal assault. It got inside the trust. And once it was inside, the money was gone before anyone could agree on what they were looking at.
A Number That Keeps Climbing
The claim that North Korean-linked hackers are responsible for more than half of the value stolen from the global cryptocurrency sector is not hyperbole. If anything, the honest reading of the data is that the claim is conservative.
According to Chainalysis, North Korean hackers stole at least $2.02 billion in cryptocurrency in 2025, the highest annual total ever attributed to the regime, and a 51 percent increase over the prior year. That figure represented roughly 59 to 60 percent of the more than $3.4 billion stolen worldwide that year. The rival blockchain intelligence firm TRM Labs, working from its own attribution methodology, put North Korea's 2025 share slightly higher, at 64 percent. The two firms do not use identical data or identical definitions, and their small disagreement is itself worth pausing on. When two independent analytics companies arrive at figures that both land far above half, the finding becomes harder to wave away as a modeling artifact. Both are describing the same reality from slightly different angles.
The concentration grew sharper in 2026. According to TRM Labs, North Korean-linked actors stole roughly $643 million in the first half of the year, about 66 percent of the $972 million taken from the sector worldwide during that period. Earlier in the year the share ran even higher. Through the first four months of 2026, TRM assessed that North Korea accounted for about $577 million, equal to 76 percent of all crypto hacking losses at that point, a temporary peak driven almost entirely by two enormous incidents in April.
Trace the yearly arc that TRM has published and the trajectory becomes hard to misread. North Korea's share of global crypto theft sat below 10 percent in 2020 and 2021. It rose to 22 percent in 2022, 37 percent in 2023, 39 percent in 2024, 64 percent in 2025, and past two thirds in the first half of 2026. This is not a country dabbling at the edge of a criminal market. This is a country that has, over five years, become the market's center of gravity.
The mechanism behind those percentages matters as much as the percentages themselves. North Korea does not win by volume. In the first half of 2026, according to TRM Labs, the sector recorded 207 separate hacks, the most in any six-month period on record, more than double the 83 incidents in the first half of 2025. Yet total dollar losses fell by more than half, because the enormous outlier events that defined 2025 were mostly absent. North Korea's own two April operations accounted for nearly 90 percent of its half-year total. The median hack in that period cost about $219,000, according to TRM, while the mean was about $4.7 million, a gap of more than twenty times that tells you the average is being dragged upward by a handful of catastrophic breaches. North Korea lives at the top of that distribution. Fewer operations, vastly larger hauls. That is precisely why the "more than half" claim understates the case. When you win the tail of the distribution, you win the year.
A State That Learned to Steal in Code
To understand why a nation would build an industrial cryptocurrency theft operation, you have to start with the fact that North Korea is one of the most heavily sanctioned countries on earth. Its access to the formal global banking system is largely cut off. Its legitimate export revenue is constrained by layers of United Nations and unilateral sanctions. The ordinary financial oxygen that most states breathe is, for Pyongyang, rationed and policed.
Cryptocurrency solves a specific problem for a regime in that position. It offers value that can be moved across borders without a correspondent bank, seized from a distance without physical presence, and converted into usable currency through channels that sit outside the compliance perimeter that sanctions are meant to enforce. For a state that cannot easily earn dollars, stealing them in a form that ignores national borders is not a side hustle. It is infrastructure.
The people carrying out these operations are not freelancers. The majority of North Korean cryptocurrency heists are conducted by actors working on behalf of the Reconnaissance General Bureau, the regime's premier intelligence organization, according to the U.S. State Department. This is a chain of command that runs from field operators up to the machinery of the state itself. The most visible operational label is the Lazarus Group, but Lazarus is best understood not as a single team but as an umbrella that intelligence agencies and private firms have stretched over a whole family of related units. Analysts describe subgroups with names like TraderTraitor, BlueNoroff, and Andariel, some of which also carry other tracking names such as Jade Sleet, Slow Pisces, and UNC4899. The boundaries between them blur, and outsiders cannot always tell where one ends and another begins. What is clear is the shape of the whole. North Korea has assembled a state-supported cyber apparatus capable of espionage, financial theft, malware deployment, fraudulent employment schemes, and large-scale money laundering, and it points a meaningful share of that apparatus at the crypto sector.
The regime treats this work as a career track. According to South Korea's National Intelligence Service, the number of personnel in North Korea's cyber divisions grew from about 6,800 in 2022 to roughly 8,400 in 2024. Intelligence services recruit top graduates from institutions such as Kim Chaek University of Technology, train them in hacking, foreign languages, and social engineering, and reward them with wages and internet access that are luxuries inside the country. When Andrew Fierman of Chainalysis told reporters that the regime appears to be integrating artificial intelligence into its laundering workflows, moving stolen funds with a consistency and fluidity that suggests automation, he was describing an operation that has passed well beyond the improvisation of ordinary cybercriminals. This is a bureaucracy. It has budgets, headcount, and a mandate.
From the Bank Heist to the Blockchain
North Korea did not begin with cryptocurrency. It arrived there, and the path it took explains why it is so good at what it now does.
The regime's modern financial cybercrime era announced itself in February 2016, when hackers working for Pyongyang attempted to steal nearly a billion dollars from the account that Bangladesh's central bank held at the Federal Reserve Bank of New York, exploiting the SWIFT interbank messaging system that moves money between the world's banks. Most of the fraudulent transfers were blocked, some reportedly by a spelling error in the instructions, but roughly $81 million got out and vanished through casinos in the Philippines. It was, at the time, one of the most audacious bank robberies ever attempted, and it was carried out entirely through a keyboard. The unit responsible, which analysts track as APT38, was the same Lazarus-linked apparatus that would later turn to crypto.
In May 2017 the same broad apparatus was tied to WannaCry, the ransomware worm that spread across more than a hundred countries and crippled hospitals, factories, and government offices, including much of Britain's National Health Service. WannaCry demanded ransom in Bitcoin. It was crude, and it earned relatively little, but it pointed at the future. The regime was learning that value could be extracted at global scale, from a distance, in a currency that no central bank could claw back.
When the exchanges and protocols of the crypto economy filled with real money, North Korea followed the money. The turning points came in a rapid series of enormous thefts. In March 2022, Lazarus-linked operators drained roughly $625 million from the Ronin Bridge, the network that supported the game Axie Infinity, in what was then the largest crypto theft on record, and they did it by compromising the validator keys that secured the bridge, again through social engineering that reportedly began with a fake job offer to an engineer. That June, the Harmony Horizon Bridge lost about $100 million to the same broad set of actors. In 2024 the Japanese exchange DMM Bitcoin lost roughly $308 million, a theft that contributed to the company's collapse and was, until Bybit, among the largest ever. Each of these was a rehearsal. Each taught the operation something about bridges, validators, custody, and the human beings who hold the keys, and each fed the tradecraft that would culminate in the billion-and-a-half-dollar morning at Bybit.
Read in sequence, the arc is coherent. A state that started by trying to trick the world's banking messages learned to break blockchain bridges, then learned to compromise the vendors that exchanges trust, then learned to walk in through the hiring process. Every stage kept what worked from the last one. The social engineering that fooled a Ronin engineer in 2022 is recognizably the same craft that fooled a Safe developer in 2025. North Korea did not stumble into crypto crime. It trained for it, in public, one record-breaking theft at a time.
Anatomy of the Largest Heist
Return to Bybit, because the Bybit operation is the clearest window into how this bureaucracy actually works.
The attackers did not break into Bybit. According to the forensic reviews by Sygnia and Verichains, and the statement from the Safe Ecosystem Foundation, the intrusion began weeks earlier and somewhere else entirely, on the laptop of a developer who worked for Safe, the third-party multi-signature platform that Bybit relied on to approve transactions. That developer's machine was compromised, most likely through the social engineering methods that North Korean operators have used for years against blockchain engineers, the fake job offer, the malicious file delivered through a professional platform, the poisoned coding test.
From that one machine, the attackers stole active Amazon Web Services session tokens. This detail is worth dwelling on, because it explains how a company with multi-factor authentication and multiple signers could still be gutted. Session tokens are temporary credentials issued after a user has already authenticated. Once issued, they do not require the user to prove their identity again. By stealing live tokens rather than passwords, the attackers walked straight past the multi-factor authentication that was supposed to be the last line of defense. They were inside Safe's cloud infrastructure without ever triggering a login challenge.
With that access, they injected malicious JavaScript into the Safe web application. The code was surgical. According to Sygnia, it was written to activate only when the transaction involved Bybit's specific contract address or one other address the attackers controlled. For every other Safe user in the world, the interface behaved normally. For Bybit's signers, and only for Bybit's signers, the screen showed a benign transfer while the underlying transaction quietly rewrote who controlled the wallet. The multi-signature process was not bypassed by stolen keys. It was subverted by a lie painted onto the screen the signers trusted. Every one of them approved in good faith. Every one of them was looking at a forgery.
The FBI publicly attributed the theft to North Korea on February 26, 2025, naming the activity cluster TraderTraitor, an operation that sits under the Lazarus umbrella and, according to the FBI, under the sponsorship of the Reconnaissance General Bureau. The independent investigator known as ZachXBT had already connected the Bybit funds to earlier North Korean thefts by tracing them to an Ethereum address previously used in the Phemex, BingX, and Poloniex hacks, a link that TRM Labs and Elliptic then corroborated. The attribution was not a guess. It was a chain of on-chain fingerprints matched against a decade of prior work.
What the Bybit case proved was operational, not merely technical. North Korea had already stolen from bridges and DeFi protocols. Bybit showed that its operators could compromise high-value institutional infrastructure through a trusted vendor, patiently, over roughly seventeen days of undetected access, and then drain a billion and a half dollars in the seconds it took a routine transfer to clear. It also proved something about the industry's memory. The same supply-chain pattern, compromising a third party with access to an exchange's signing workflow, had appeared in the WazirX theft in July 2024. The lesson was available. It was not learned in time.
The Names Behind the Name
The public tends to hear one name, Lazarus, and imagine a single dark room full of hackers. The reality is a set of specialized units, and understanding their division of labor helps explain why North Korea can attack so many different parts of the crypto ecosystem at once.
Lazarus is the oldest and most famous label, linked over the past decade to some of the regime's most visible operations, from the 2014 attack on Sony Pictures to a long series of financial thefts. In the crypto context, Lazarus-linked operators have gone after exchanges, bridges, DeFi protocols, wallet infrastructure, and the companies that build all of it. Their signature is the fusion of technical exploitation with human manipulation. They do not merely scan for vulnerable code. They study the people who hold the keys.
TraderTraitor is the cluster most central to the crypto sector, the one the FBI named for Bybit. According to the FBI, once TraderTraitor had the Bybit assets, the funds were rapidly converted into Bitcoin and other virtual assets and dispersed across thousands of addresses on multiple blockchains, with further laundering and conversion to fiat expected to follow. That is the classic North Korean pattern in miniature. Move fast in the opening hours, break the obvious links, fragment the money, convert into more liquid assets, and route the pieces through intermediaries who can eventually cash out.
BlueNoroff is the group most associated with financially motivated social engineering against banks, venture capital firms, crypto startups, and the individuals who work inside the digital asset industry. Its tradecraft runs on deception, fake investment approaches, fake job opportunities, malicious documents, counterfeit meeting software, and the impersonation of trusted professionals. The goal is almost always initial access. Once a target opens the wrong file, signs the wrong transaction, or grants the wrong permission, the operation shifts from deception to theft.
Andariel has historically been discussed more in connection with defense, aerospace, and infrastructure targets, but the wall between espionage and revenue generation inside North Korea's cyber program is thin and getting thinner. A unit that compromises an IT vendor or a software supply chain may use that foothold for intelligence collection, for future disruption, or for financial theft, and in Pyongyang's case those missions are not cleanly separated. Espionage can enable theft. Theft funds sanctions evasion. Sanctions evasion funds weapons. The categories feed one another in a loop.
The April 2026 operations offered a small but telling piece of evidence that the family is larger than the familiar names. According to TRM Labs, the Drift Protocol attack was carried out by a North Korean subgroup distinct from TraderTraitor, one still under investigation, while the KelpDAO exploit was tied to TraderTraitor itself. Two units, two different targets, two different laundering styles, in the same month. The apparatus is not a single team having a good year. It is a portfolio.
Two Mornings in April
If Bybit defined 2025, two operations in April 2026 defined the year that followed, and together they show how the same organization can wear very different masks.
The first struck Drift Protocol on April 1. Drift is a Solana-based exchange for perpetual futures, and the theft drained roughly $285 million. What made it remarkable was not only the code but the patience behind it. According to TRM Labs, on-chain preparation began around March 11, and the operation was preceded by months of groundwork, including in-person meetings between North Korean proxies and Drift employees. Drift itself later described the incident as a structured intelligence operation that took roughly six months to execute. The technical payload exploited a Solana feature called a durable nonce, which allows a transaction to be signed in advance and executed later. On the day of the attack, according to analysts cited by CoinMarketCap, thirty-one withdrawals were completed in about twelve minutes, pulling out stablecoins and other assets. The stolen funds were then bridged to Ethereum and left to sit. TRM assessed that this group would likely hold the proceeds dormant for months or years before executing a slow, multi-phase cashout. This was a heist designed to disappear into time.
The second struck KelpDAO on April 18 and netted roughly $292 million, the single largest crypto theft of the half-year. KelpDAO is a DeFi platform that lets users earn yield on deposits, and the attack targeted the machinery of trust that keeps a cross-chain bridge honest. According to TRM Labs, the attackers compromised two internal remote procedure call nodes and then launched a denial-of-service campaign against the external nodes, forcing the bridge's single verifier to rely entirely on the poisoned data sources the attackers controlled. With the verifier fed false information, the attackers drained roughly 116,500 rsETH.
What happened next is the most instructive part, because it shows both the strength and the fragility of the defensive response. The Arbitrum Security Council used emergency powers to freeze roughly $75 million of the stolen funds still sitting on its network. That freeze was a genuine win, a demonstration that the transparent portion of the system can bite when it acts fast. But the attackers had already moved. According to TRM, about $175 million in ETH was converted into Bitcoin through THORChain, a cross-chain protocol with no identity verification requirement, the same venue that had processed the bulk of the Bybit proceeds a year earlier. The remaining laundering, TRM noted, was handled largely by Chinese intermediaries rather than the North Koreans themselves.
Two mornings, two philosophies. Drift was the long con, hold and wait. KelpDAO was the sprint, convert and vanish before the freeze catches up. The same state ran both. That flexibility, the ability to choose patience or speed depending on the target and the laundering conditions, is exactly what makes the operation so difficult to counter with any single defensive posture.
How a Billion Dollars Disappears
Stealing the money is only the first half of the problem. A theft of a billion dollars is worthless if the thief cannot turn it into something spendable, and here the blockchain creates a genuine paradox for the attacker. Every transaction is public and permanent. In principle, the whole world can watch the stolen funds move. North Korea's real achievement is not the theft. It is the laundering, the systematic exploitation of the gap between what investigators can see and what they can stop.
The process tends to unfold in stages, and it helps to walk through them the way an investigator would.
The first stage is consolidation and conversion. In the opening hours after a theft, attackers swap the stolen assets into forms with deeper liquidity and fewer freeze points, typically Ethereum or Bitcoin, sometimes routing through decentralized exchanges to avoid centralized compliance checks. Speed is everything, because this is the window in which the defenders have their best shot. If a stablecoin issuer freezes tokens, or a bridge or chain governance body intervenes, the attacker can lose a large slice of the haul. The $75 million Arbitrum freeze after KelpDAO happened precisely in this window, and it is the clearest evidence that the window is real.
The second stage is chain hopping. Funds are pushed across blockchains through bridges, cross-chain liquidity protocols, wrapped assets, and swaps. The point is not to make tracing mathematically impossible, because on a public ledger it rarely is. The point is to make the response slow, fragmented, and legally complicated. A single theft may touch Ethereum, Bitcoin, Arbitrum, THORChain, and other networks, and each hop adds delay and jurisdictional friction. By the time compliance teams across a dozen platforms agree on what is happening and who should act, the money has moved again.
The third stage is mixing and obfuscation, and this is where a caution belongs. Mixing services break the direct on-chain link between where funds came from and where they end up. The U.S. Treasury sanctioned the mixer Sinbad in November 2023, describing it as a preferred laundering tool for Lazarus and stating that it had processed proceeds from major North Korean heists including the Axie Infinity and Horizon Bridge thefts. U.S. authorities seized Sinbad's infrastructure that same month. Tornado Cash, an earlier and larger mixer, tells a more complicated story that the crypto sector should not misremember. OFAC sanctioned Tornado Cash in August 2022, accusing it of laundering hundreds of millions in Lazarus proceeds. But in November 2024 the Fifth Circuit ruled that OFAC had overstepped its authority, holding that Tornado Cash's immutable smart contracts could not be treated as "property" subject to sanction because no person controlled them, and on March 21, 2025 the Treasury formally lifted the designation. The mixer is not currently sanctioned. What that episode revealed is a hard truth for policymakers. Sanctioning code that no one owns runs into the limits of law, and the tools that work against companies do not always work against protocols.
The fourth stage is fragmentation. Stolen funds are split across many wallets and moved in deliberately small pieces. According to Chainalysis, more than 60 percent of the volume it tracked from North Korean thefts moved on-chain in amounts below $500,000 per transaction, compared with the larger transfers that other actors tend to use. The FBI said the Bybit proceeds were dispersed across thousands of addresses. This generates operational noise. Instead of one large wallet to watch, investigators face thousands of flows moving at different times through different paths. Some funds sit dormant for months. Others are tested with tiny transactions before larger amounts follow. Chainalysis has described a roughly 45-day laundering cycle that North Korea tends to run after a major theft, a pattern consistent enough across years that it has become a piece of intelligence in its own right, a rhythm that defenders can anticipate even when they cannot stop each step.
The fifth stage is liquidation, the moment digital value becomes spendable. According to Chainalysis, North Korean actors use fictitious accounts at mainstream exchanges and, in all likelihood, unregulated over-the-counter brokers to consolidate and cash out. Over-the-counter brokers matter enormously here, because they convert crypto into fiat, goods, or other value outside normal retail channels. Chinese-language laundering services and intermediary networks appear again and again in the analysis of North Korean cashout behavior. And according to the State Department, North Korea has now converted the entire Bybit haul into fiat currency. The largest crypto theft in history is already, in the end, cash.
The Wallets of Ordinary People
The headline figures are dominated by the giants, the billion-dollar exchange breach, the quarter-billion-dollar DeFi drain. But underneath them runs a quieter epidemic that reshapes how the whole problem should be understood.
According to Chainalysis, personal wallet compromises surged to roughly 158,000 incidents in 2025, nearly triple the number recorded in 2022, affecting at least 80,000 unique victims. The total value taken from individuals actually fell, to about $713 million from a 2024 peak of $1.5 billion, which means attackers are reaching many more people while taking less from each. Solana, one of the blockchains with the largest number of active personal wallets, saw by far the most incidents. This is the retail underside of the same machine, ordinary people losing life savings to phishing links and social engineering rather than institutions losing treasury reserves to supply-chain attacks.
Not all of that individual theft is North Korean, and this is where the distinction between the two intelligence firms becomes useful rather than confusing. Chainalysis and TRM Labs both attribute the majority of high-value, service-level theft to North Korea, the exchange and protocol breaches where a single compromise moves enormous sums. The vast, diffuse stream of personal wallet compromises is a more crowded field, populated by a wide range of criminal actors, of whom North Korea is only one. When the reports say North Korea accounts for two thirds of stolen value, they are describing a picture in which a handful of state-run mega-thefts outweigh tens of thousands of smaller crimes combined. That is the mathematical shape of the threat. A few operations, run by one government, tower over everything else.
It also means the true North Korean figure is probably an undercount rather than an exaggeration. TRM Labs has cautioned that the $643 million it attributed to North Korea in the first half of 2026 reflects only the on-chain heists it could confidently attribute, and that the regime continues to generate cryptocurrency through phishing, fraud, scams, and the covert IT worker operations that never show up as a discrete "hack" at all. Elliptic has made the same point about the cumulative totals, noting that the real figure may run higher than the confirmed one. When investigators tell you their number is conservative, it is worth believing them.
The Marketplace of Choice
If you want to see where the transparent world hands the money off to the opaque one, look at Cambodia.
On May 1, 2025, the Treasury's Financial Crimes Enforcement Network designated the Cambodia-based Huione Group a "primary money laundering concern" under Section 311 of the USA PATRIOT Act, the most severe tool in that statute, and proposed to sever the group entirely from the U.S. financial system. According to FinCEN, Huione and its network of businesses laundered at least $4 billion in illicit proceeds between August 2021 and January 2025, a sum that included proceeds from North Korean cyber heists as well as the industrial-scale "pig butchering" investment scams run out of Southeast Asian fraud compounds. Treasury Secretary Scott Bessent called Huione "the marketplace of choice for malicious cyber actors like the DPRK and criminal syndicates."
The structure of Huione reads like a purpose-built laundering machine. According to FinCEN, it ran Huione Pay, a fiat payment platform with no meaningful anti-money-laundering controls, Huione Crypto, a virtual asset service provider, and Haowang Guarantee, an online marketplace, operated largely over Telegram, that brokered stolen data, fake identities, phishing kits, and laundering services. Huione had even launched its own dollar-pegged stablecoin, which FinCEN described as intentionally designed to avoid the ability to freeze funds, a stablecoin built to be unfreezable. Investigators including Elliptic estimated the group had processed sums that ran far higher than the confirmed $4 billion, possibly around $11 billion once the full scope of its activity was counted.
There is a political dimension that no honest account can skip. According to reporting by DL News, Elliptic, and Kharon, one prominent figure connected to the Huione network is Hun To, a cousin of Cambodian Prime Minister Hun Manet and a nephew of former Prime Minister Hun Sen. A laundering hub of this scale did not operate in a vacuum. It sat inside a region where scam compounds, human trafficking, and state-adjacent money have grown intertwined, and where political proximity offered a measure of cover.
The enforcement arc that followed shows both the reach and the limits of the response. FinCEN finalized its rule severing Huione from the U.S. financial system in October 2025, coordinated with a parallel action by the United Kingdom. Telegram deleted thousands of channels tied to Huione and to a related marketplace called Xinbi. In June 2026, the Justice Department seized a cloud computing account hosting the backend infrastructure for Huione's subsidiaries, and FinCEN moved to extend its ban to a successor entity called H-Pay Service, guarding against exactly the kind of rebrand that these networks reliably attempt. Yet Chainalysis, watching the aftermath, cautioned that Huione was never the only guarantee service. Others continue to operate in plain sight, serving the same Chinese-speaking clientele, offering the same escrow and laundering functions. Knock down the largest node and the traffic disperses to the smaller ones. The network is resilient by design.
The Employee Who Never Existed
Not every dollar North Korea extracts from the crypto sector comes from a spectacular heist. A quieter and in some ways more unsettling stream comes from a scheme in which the regime does not break into a company at all. It gets hired.
For years, North Korea has dispatched IT workers abroad, or had them work remotely from inside the country and from China and Russia, using stolen and fabricated identities to land legitimate remote jobs at Western companies. According to U.S. government estimates cited in court filings and public reporting, a team of these workers can earn up to $3 million a year, and individual operatives can pull in salaries in the hundreds of thousands, much of it funneled back to the regime. According to the Multilateral Sanctions Monitoring Team, individual workers earn between roughly $3,500 and $10,000 a month, with top performers generating as much as $100,000 a month, and some operatives maintain up to a dozen false identities at once.
The mechanics of the scheme run through a piece of Americana that no one would think to suspect, the ordinary suburban home. Because a North Korean cannot plausibly appear on a video call claiming to sit in Arizona while their internet traffic originates in Pyongyang, the operation relies on domestic facilitators who host "laptop farms," rooms full of company-issued laptops that the overseas workers access remotely, making the traffic appear to come from inside the United States.
The case of Christina Chapman put a face on it. Chapman, an American from Arizona, ran a laptop farm that at its peak handled as many as ninety devices. According to the Justice Department, her operation touched more than 300 U.S. companies and generated over $17 million for the North Korean government before she was caught. Photos released by prosecutors showed rows of labeled laptops on open shelves in a small room. In July 2025 she was sentenced to 102 months in federal prison. Among the companies that unknowingly paid a North Korean operative through the scheme was Nike, which, according to the Justice Department, paid out more than $75,000 before conducting a review. The supporting cast extended well beyond U.S. borders. Oleksandr Didenko, a Ukrainian, pleaded guilty to running a service that sold stolen American identities to North Korean workers, managing as many as 871 proxy identities and helping operatives get hired at 40 companies.
The scale of the infiltration is difficult to overstate. According to Mandiant, now part of Google Cloud, nearly every Fortune 500 chief information security officer the firm interviewed admitted to having hired at least one North Korean IT worker. The cybersecurity firm SentinelOne reported receiving roughly a thousand job applications tied to North Korean operatives. In one widely discussed case, the security training company KnowBe4 discovered that a newly hired engineer known as "Kyle," who had passed background checks and identity verification, was in fact a North Korean operative who began loading malware onto his company laptop almost immediately.
The state has pushed back hard. In late June 2025, according to the Justice Department, coordinated actions across the country included searches of 29 known or suspected laptop farms across 16 states and the seizure of roughly 200 laptops, alongside indictments, an arrest, and the seizure of financial accounts and fraudulent websites. By November 2025, the DOJ reported that facilitators in the United States and Ukraine had helped North Korean workers gain employment at more than 136 victim companies. And yet the investigators chasing this scheme describe it with a kind of exhausted realism. One analyst quoted by CNN called it a game of whack-a-mole, noting that for every laptop farm the FBI raids, new ones appear, and that the operatives have begun using real-time AI deepfakes to make their fake candidates more convincing in video interviews. The regime is not merely persistent. It is adapting faster than the vetting processes built to catch it.
What makes the IT worker scheme so dangerous is that it collapses the distinction between an outside attacker and an insider. A company can harden its perimeter against intruders, but the North Korean operative is not trying to get past the perimeter. The operative is being invited through the front door, handed a laptop, granted credentials, and paid a salary, sometimes at the very crypto and AI firms whose assets and source code make the most attractive targets. According to the Justice Department, in one case North Korean IT workers who gained employment at an Atlanta-based blockchain company stole more than $900,000 in virtual currency directly from their employer. The employee who never existed is the perfect attacker, because the company built its own vulnerability into its org chart.
The Machine Is Getting Smarter
There is a newer dimension to all of this that should worry defenders more than any single heist, and it runs through the one technology that amplifies every part of the operation at once.
On the laundering side, the volume and consistency of North Korea's money movement has grown to a point that human hands alone struggle to explain. Andrew Fierman, head of national security intelligence at Chainalysis, told reporters that the regime facilitates the laundering of its heists with a consistency and fluidity indicative of the use of artificial intelligence, describing a workflow that combines mixers, DeFi protocols, and bridges early in the process to convert funds across many assets at a scale and speed that suggests automation is doing the work a room full of operators once did. When you are moving a billion dollars in tranches below $500,000 across thousands of addresses on a 45-day clock, software that never tires and never fumbles the pattern is an enormous advantage, and North Korea appears to have it.
On the intrusion side, the same tools are sharpening the human deception that opens the door. According to the Multilateral Sanctions Monitoring Team and multiple security vendors, North Korean IT workers now use AI to generate and maintain false identities, to translate and localize their communications so a worker in Pyongyang reads as a developer in Denver, and, in a development that investigators find especially troubling, to run real-time deepfakes in video interviews so that the face on the call is not the face doing the work. In the Drift Protocol case, according to analysts cited by CoinMarketCap, researchers speculated that the group was integrating AI into its reconnaissance and social engineering. The fake recruiter becomes more convincing. The fake candidate passes more checks. The coding test that hides malware looks more legitimate. Every point of human judgment that North Korea has spent a decade learning to exploit is now being exploited with machine assistance.
The strategic implication is uncomfortable. For years the practical ceiling on North Korea's operation was headcount, the number of trained operators the regime could field. Artificial intelligence loosens that constraint. It lets a fixed number of operators run more identities, launder more money, and social-engineer more targets than they ever could by hand. The defenders, meanwhile, are still largely relying on human vetting, human transaction review, and human suspicion. A contest between an AI-accelerated attacker and a manually defended target does not trend in the target's favor. The machine that steals is getting smarter faster than the machine that guards.
Where the Money Goes
It would be a mistake to file all of this under financial crime and stop there. The reason North Korea's crypto theft rises to the level of a national security problem, rather than merely a very large fraud, is what the money buys.
According to the U.S. Treasury, North Korea explicitly tasks its hackers with raising revenue through illicit means, and the proceeds flow toward the regime's weapons of mass destruction and ballistic missile programs. This is not an inference drawn from the general direction of the money. It is the stated conclusion of the government that has tracked it most closely. Under Secretary of the Treasury John Hurley put it plainly in November 2025, saying that North Korean state-sponsored hackers steal and launder money to fund the regime's nuclear weapons program, and that by generating revenue for Pyongyang's weapons development, these actors directly threaten U.S. and global security.
The Multilateral Sanctions Monitoring Team, a coalition of eleven nations that replaced the United Nations Panel of Experts after Russia used its Security Council veto to dissolve that body in 2024, has put numbers and specifics to the connection. According to the MSMT's October 2025 report, North Korea stole at least $2.8 billion in cryptocurrency between January 2024 and September 2025. The report traced how the stolen funds were used to procure military hardware, describing purchases that ranged from armored vehicles to portable air-defense missile systems, and it described a feedback loop in which the regime's cyber espionage targets sensitive industries including semiconductors, uranium processing, and missile technology, so that financial crime and military capability feed one another. State Department Principal Deputy Assistant Secretary Jonathan Fritz described the logic in blunt human terms when he briefed the press in early 2026, explaining that a North Korean IT worker can live in Laos, steal the identity of a Ukrainian, defraud an American company into hiring them, and that North Korea then uses the money to fund nuclear bombs and ballistic missiles meant to target the United States and its allies. The daily grind of identity theft and DeFi exploitation connects, at the end of a long laundering chain, to warheads.
That endpoint is what should reframe how the crypto sector thinks about its own losses. When a DeFi protocol is drained, the harm is not confined to the users who lost funds or the investors who took the hit. A portion of that value, laundered and converted, becomes procurement money for a nuclear-armed state under international sanction. The exchange breach and the missile test are two ends of the same wire.
The Slow Machinery of the Response
The response to all of this has grown more serious, more coordinated, and more international, and it is worth giving that response its due before assessing where it falls short.
The Multilateral Sanctions Monitoring Team is the structural centerpiece. Its eleven members, the United States, Australia, Canada, France, Germany, Italy, Japan, South Korea, the Netherlands, New Zealand, and the United Kingdom, have taken up the monitoring function that the UN Panel of Experts once performed, and crucially they have pulled the private sector in alongside them, working with firms including Chainalysis, Google's threat intelligence group, and Palo Alto Networks. According to the MSMT, more than 40 countries have been victimized by or otherwise caught up in North Korean cryptocurrency theft, IT worker fraud, and identity theft, which makes clear that this is not a bilateral American problem but a global one.
The enforcement actions have been steady. In November 2025, according to the Treasury, OFAC sanctioned eight individuals and two entities for laundering North Korean cybercrime and IT worker proceeds, including bankers tied to a sanctioned North Korean financial institution and a company that managed IT worker delegations, and it added more than fifty cryptocurrency addresses to the sanctions list while freezing several million dollars in linked funds. The Justice Department has moved against the IT worker facilitators, the laptop farm hosts, and the Huione infrastructure. The FBI has published address lists after major thefts and called on exchanges, bridges, analytics firms, and DeFi services to block transactions tied to North Korean laundering, as it did after Bybit when it released dozens of Ethereum addresses connected to the TraderTraitor cashout.
At the diplomatic level, the issue has climbed the agenda. At the G7 summit at Évian-les-Bains, France, in June 2026, the leaders for the first time included North Korea's cryptocurrency theft and cybercrime in their joint statement, expressing deep concern about the regime's nuclear and ballistic missile ambitions and the researcher and UN findings linking those programs to crypto theft, and calling for members to jointly address the problem.
And North Korea's response to all this attention has been the response of a state that considers the operation too valuable to abandon. According to its state news agency, a Foreign Ministry spokesperson dismissed the TRM Labs findings as "absurd slander" and a political tool of American hostility. Denial, not retreat.
Here, though, an honest investigator has to name the caveat, because it matters both for accuracy and for policy. Attribution in cyber operations is probabilistic, not certain. The public reporting from Chainalysis, TRM Labs, the FBI, and the Treasury provides strong grounds for tying the major thefts to North Korea, and the on-chain fingerprints that connect one heist to the next are genuine evidence. But the precise internal boundaries between Lazarus, TraderTraitor, BlueNoroff, Andariel, and the newer subgroups can be unclear from the outside, and some incidents carry the hallmarks of North Korean activity without rising to the level of definitive attribution. The disciplined way to speak about this is the way the analysts themselves increasingly do, as "North Korean-linked" or "DPRK-linked" rather than as a clean assignment of every theft to one named unit. That caution is not a weakness in the case. It is what makes the case credible.
The States That Look Away
No account of North Korea's crypto operation is complete without naming the geography that makes it possible, because the regime does not launder billions in isolation. It does so through, and often with the tolerance of, other states.
The most consequential development on this front was quiet and procedural, and it deserves more attention than it received. For years the United Nations Panel of Experts on North Korea served as the independent body that monitored and documented sanctions violations, publishing detailed reports that named names and traced money. In 2024, Russia used its veto on the Security Council to block the renewal of the Panel's mandate, effectively dissolving it. A monitoring mechanism that had functioned for more than a decade was switched off by a single vote from a permanent member. The Multilateral Sanctions Monitoring Team was created to fill the vacuum, and it has done credible work, but it is a coalition of the willing rather than a UN organ, and its findings do not carry the same institutional weight inside the Security Council. The country that blocked the monitor is also, according to U.S. officials, one of the two countries most in need of monitoring.
The geography of the laundering tells the rest of the story. According to the State Department, North Korea relies on networks of its own nationals abroad together with foreign-based facilitators in China, Russia, Argentina, Cambodia, Vietnam, and the United Arab Emirates to convert stolen digital assets into fiat. The IT worker operations run substantially out of China and Russia. The final conversion of stolen crypto into cash flows heavily through Chinese-language intermediary networks and over-the-counter brokers, and the KelpDAO laundering, according to TRM Labs, was handled largely by Chinese intermediaries. The Huione network operated from Cambodia under the shelter of political connection. This is the part of the problem that no exchange security team and no OFAC designation can reach, because it lives inside the sovereignty of states that have chosen, for reasons of their own, not to enforce the resolutions they are formally bound by. The MSMT said as much directly, singling out China and Russia as countries that need to implement the UN Security Council resolutions in order to put a stop to North Korea's activities.
That is the uncomfortable center of the policy problem. The technical defenses can be hardened. The laundering hubs can be named and cut off, one at a time. But so long as the regime enjoys safe passage through the jurisdictions where its money is converted and its operators are housed, the operation has somewhere to breathe. Sanctions evasion is not only a story about North Korea. It is a story about the states willing to look away.
What the Industry Keeps Getting Wrong
For all the sophistication on the attacker's side, a large share of the losses trace back to a defensive error that the industry keeps repeating. Too many crypto companies still think about security as if it were mainly a matter of code, of auditing smart contracts and managing cold wallets. That framing is too narrow, and North Korea has built its entire model around exploiting the gap it leaves.
The pattern across the major thefts is that the code was often not the weak point. Bybit's smart contracts were not broken. Its signers were shown a forgery. The Safe developer whose machine was compromised was not defeated by a flaw in the wallet's logic but by social engineering that started, in all likelihood, with something as human as a fake job offer. Drift was breached after months of in-person social engineering that Drift itself called an intelligence operation. In each case, the attackers went around the cryptography by attacking the people, the process, and the infrastructure surrounding it.
This is why a clean smart contract audit provides false comfort. A perfect contract does not protect a company whose signer approves a transaction on a screen that has been rewritten. A sound cold-wallet policy does not help when the approval interface itself is the thing that has been compromised. A strong engineering team can still be undone by a poisoned open-source package, a malicious coding test, a fake meeting application, or a contractor who turns out to be a foreign intelligence operative with a fabricated identity. The North Korean model treats the whole organization as the attack surface, the developers and the recruiters and the vendors and the signing workflow, and it succeeds because most defenders are still guarding only one part of it.
The defensive implications follow directly from the attack pattern. Security has to extend to transaction simulation and independent verification, so that a signer can confirm what a transaction actually does rather than trusting what a possibly compromised interface displays. It has to include hardware-backed approval and off-chain validation for large transfers, so that a corrupted user interface cannot be the sole source of truth. It has to cover developer and vendor security, because the supply chain is now a primary route in, as Bybit and WazirX both proved. And it has to include the human perimeter that most companies never think of as security at all, the hiring pipeline, where identity verification, awareness of fake-recruiter tactics, and monitoring for insider anomalies now sit squarely in the threat model. The biggest losses of the past two years came not from a single broken line of code but from the intersection of code, people, governance, and process. That intersection is where the defense has to live.
What Governments Keep Getting Wrong
The policy side has its own recurring error, and it is the belief that sanctions alone can solve a problem that is fundamentally about speed and conversion.
Sanctions do real work. They raise costs, they close off some services, they create legal exposure for facilitators, and the cumulative pressure of OFAC designations, the Huione action, the mixer takedowns, and the IT worker prosecutions has genuinely complicated North Korea's operations. But sophisticated actors adapt, and the record shows it. When Tornado Cash sat under sanction, Lazarus shifted toward other tools; when the government's legal theory for sanctioning open-source code failed in court, the designation itself came off. When Huione was severed from the U.S. financial system, the traffic began migrating to successor entities and rival guarantee services. Sanctions are a tax on the operation, not a wall against it.
The harder truth, and the one that should shape policy, is that the difficult part of stopping North Korea is not seeing the stolen funds. On a public ledger, the funds are often visible. The difficult part is stopping their conversion into usable value before they leave the transparent portion of the system. The KelpDAO episode is the proof of concept in both directions. The $75 million that Arbitrum's Security Council froze was money that defenders reached in time. The $175 million that moved through THORChain into Bitcoin was money that got out the door first. The entire contest lives in that narrow window between theft and cashout.
That reframing points toward what an effective response actually requires, and it is not any single instrument. It is a real-time collaboration among the parties that touch the funds in the crucial hours, the exchanges, the bridges, the stablecoin issuers, the RPC operators, the analytics firms, and law enforcement, operating as a coordinated response network rather than a sequence of independent decisions. It requires the private-public intelligence sharing that the MSMT has begun to institutionalize, extended and accelerated so that a North Korean-linked address identified by one firm becomes actionable across every major platform within minutes rather than days. It requires sustained pressure on the over-the-counter brokers and the Chinese-language intermediary networks that perform the final conversion, because that is the chokepoint where transparent value becomes spendable cash. And it requires the diplomatic will to make sanctions implementation real in the jurisdictions where North Korean operators and their facilitators actually sit, which means, uncomfortably, in China and Russia above all, the two states the MSMT has singled out for failing to enforce the UN resolutions already on the books.
The G7 statement in June 2026 illustrated both the progress and the gap. Naming the problem at that level, for the first time, was a meaningful diplomatic step. But the statement stopped short of specifying enforcement mechanisms, mentioning neither systematic exchange screening nor countermeasures against laundering venues, which left it unclear how member states would translate concern into action. Concern is not a control. Until the response operates at the speed of the theft, the declarations will keep trailing the money.
The Clock
Stand back from the individual cases and a single dynamic organizes all of them. This is a race against time, and time is currently on the attacker's side.
Every stage of what North Korea has built is designed to win the hours immediately after a theft. The surgical precision of the intrusion, the fake identities, the pre-signed transactions, the instant chain hopping, the fragmentation into thousands of wallets, the cross-chain conversion through venues with no identity checks, all of it serves the goal of putting distance, in time and in jurisdiction, between the moment of theft and the moment anyone can act. The defenders' best weapon, and the KelpDAO freeze proved it is a real weapon, is the ability to reach the funds inside that window and stop them. Everything that shortens the window helps the defense. Everything that lengthens it helps Pyongyang.
The uncomfortable conclusion is that the cryptocurrency sector has become one of the most productive foreign-currency targets available to a sanctioned nuclear state. As long as the industry keeps combining high-value assets, irreversible transactions, fragmented governance, uneven identity controls, deep cross-chain liquidity, and inconsistent compliance, North Korean operators will keep attacking it, because it works, and because it funds the one program the regime values above all others.
The debate over whether North Korea is responsible for more than half of global crypto theft is, at this point, settled. The data from two independent firms says it is, and in the first half of 2026 the figure ran to roughly two thirds. That question is closed. The open question, the one that will determine whether the next several years look better or worse than the last two, is narrower and more operational. It is whether the crypto industry and the governments arrayed against this threat can compress the time between theft, detection, freezing, and recovery, and do it before the next billion-dollar morning arrives. Because it is coming. The only real uncertainty is whether the people guarding the money will be looking at the truth when it does.