How North Korea Cashes Out Stolen Cryptocurrency to Fiat

North Korea doesn’t steal cryptocurrency for fun. It steals it to fund missiles, nuclear warheads, and a regime that survives on secrecy and sabotage. Since 2017, state-backed hacking teams have ripped off over $3 billion in digital assets-more than any other nation or criminal group in history. But stealing crypto is only half the battle. The real challenge? Turning that digital loot into real, usable cash without getting caught. And they’ve gotten terrifyingly good at it.

The Theft: Fast, Targeted, and Unstoppable

North Korea’s main weapon isn’t brute force. It’s precision. Their hacking group, known as Lazarus, doesn’t crash systems. They slip in quietly. One common method? Supply chain attacks. In June 2023, they compromised the Atomic Wallet software update, infecting 4,100 users without them ever knowing. Within hours, $100 million vanished from their wallets. Another favorite target? Exchange APIs and crypto bridges-software that moves assets between blockchains. The Ronin Bridge hack in March 2022 stole $625 million by hijacking just five validator keys. No one saw it coming.

The goal isn’t just to steal. It’s to move fast. In the February 2025 Bybit hack-the largest single theft ever-hackers moved 87% of the stolen Ethereum into Bitcoin within 72 hours. Why Bitcoin? Because it’s the most liquid, hardest to trace, and easiest to convert into cash. Every second counts. North Korea’s team now runs 400 to 500 transactions per day across multiple chains, flooding blockchain analysts with noise. It’s not about hiding one transaction. It’s about drowning the system in a million tiny ones.

The Laundering: Crossing Chains, Hiding Trails

Once stolen, the crypto doesn’t sit still. It gets shuffled. First, it’s moved from Ethereum to Binance Smart Chain, then to Solana, then to Polygon. Each jump adds a layer of confusion. Why? Because most forensic tools are built to track money on one chain. Jumping between them breaks the trail.

They’ve abandoned old-school mixers like Tornado Cash-shut down by U.S. sanctions in 2022 after processing $1.2 billion in stolen funds. Now, they use cross-chain bridges like Ren Bridge and Avalanche Bridge. Between 2021 and 2024, these bridges handled over $1.2 billion in North Korean-linked transactions. These bridges don’t ask questions. They just move coins. And they’re built into decentralized finance (DeFi) platforms, which operate with almost no oversight.

After crossing chains, the funds are almost always converted into Bitcoin. Why? Because Bitcoin has the deepest markets. You can sell $50 million in BTC without crashing the price. Ethereum or altcoins? Too volatile. Too many red flags. Bitcoin is the cleanest bridge to cash.

The Final Step: Turning Crypto Into Cash

This is where things get dangerous-and local. North Korea doesn’t try to cash out in New York or London. They go where no one asks for ID.

Cambodia is ground zero. Specifically, the city of Sihanoukville. Since 2021, North Korean operatives have set up at least 14 crypto cafes there. These aren’t tourist spots. They’re cash-out factories. No ID needed. No questions asked. Each one processes between $500,000 and $2 million per month in cash transactions. The money comes in as crypto. It goes out as U.S. dollars, packed into suitcases or wired through shell companies.

One key player? The Huione Group. U.S. Treasury documents show Huione Crypto issues non-freezable stablecoins-digital tokens pegged to the dollar but immune to sanctions. Stolen crypto is swapped for these tokens, then sold to local buyers who turn them into cash. Huione Guarantee runs scams on the side. Huione Crypto? It’s the money laundering arm. And its executives? They’ve been directly linked to North Korean intelligence.

China still plays a role too. In February 2024, two Chinese nationals were indicted for moving $250 million in stolen crypto through 37 bank accounts. They didn’t need to explain where the money came from. Just a phone call and a bank transfer.

And then there’s Macau. Gambling hubs there accept crypto deposits with only 5% verification-compared to 95% in regulated markets. North Korean agents deposit stolen crypto into casino accounts, then cash out as winnings. No audit. No paper trail.

The Human Network: IT Workers as Trojan Horses

North Korea doesn’t just rely on hackers. It relies on thousands of IT workers-real people with real jobs-placed across Southeast Asia, Russia, and China. The UN estimates they generate $600 million a year for the regime.

These workers aren’t criminals. They’re employees. They work remotely for crypto exchanges, fintech startups, or even government tech agencies. But they’re not who they claim to be. 89% use fake identities-mostly Indian or Vietnamese passports. They log in from VPNs that make them look like they’re in Germany or California. Their job? To create backdoors.

One CSIS report from 2024 found 27 cases where North Korean employees at Chinese exchanges enabled instant wallet-to-bank transfers. Normally, fraud detection takes 72 hours. These workers cut that to 12 hours. They didn’t hack the system. They were the system.

Why It’s Still Working (For Now)

You’d think blockchain analysis would stop this. After all, every transaction is recorded forever. But North Korea has adapted faster than regulators can keep up. In 2020, only 65% of stolen crypto made it to cash. By 2025? It’s 92%. Why?

Because they’ve stopped trying to hide. They’re running so fast, no one can catch them. They use automated scripts to split funds into tiny chunks-under $10,000-just below reporting thresholds. They exploit regulatory gaps in DeFi. They use stablecoin arbitrage: swap stolen ETH for USDC on one exchange, then sell it on another where the price is slightly higher, pocketing the difference as “profit.”

Even the U.S. Treasury admits it’s a losing race. In Q1 2025, successful cash-outs dropped 22% from the previous quarter-thanks to new global reporting rules. But that’s not because North Korea got weaker. It’s because they’re being forced to change tactics. And they’re always ready to change.

The Future: What Comes Next?

North Korea is now building its own crypto infrastructure. A March 2025 CSIS report revealed they’ve hired 37 blockchain developers from failed startups to create custom cross-chain protocols. These aren’t just tools. They’re weapons. Designed to move $500 million in a single transaction without leaving a trace.

They’re also testing stablecoin laundering on a massive scale. Instead of converting stolen crypto to Bitcoin, they convert it to USDC, then move it through decentralized exchanges in unregulated countries. The money never touches a traditional bank. It’s clean by design.

But the clock is ticking. Treasury Secretary Janet Yellen warned in May 2025 that North Korea’s success rate could drop to 40% by 2027. Why? Because more than 100 countries are now sharing beneficiary data. Exchanges are forced to report. And every time a North Korean agent tries to cash out, they’re more likely to be flagged.

Still, the regime won’t quit. As Dr. Kim Heung Kwang, a former North Korean computer scientist who defected, put it: “They’ll keep adapting until cryptocurrency itself becomes regulated-or disappears.”