How North Korea Cashes Out Stolen Cryptocurrency to Fiat
North Korea doesn’t steal cryptocurrency for fun. It steals it to fund missiles, nuclear warheads, and a regime that survives on secrecy and sabotage. Since 2017, state-backed hacking teams have ripped off over $3 billion in digital assets-more than any other nation or criminal group in history. But stealing crypto is only half the battle. The real challenge? Turning that digital loot into real, usable cash without getting caught. And they’ve gotten terrifyingly good at it.
The Theft: Fast, Targeted, and Unstoppable
North Korea’s main weapon isn’t brute force. It’s precision. Their hacking group, known as Lazarus, doesn’t crash systems. They slip in quietly. One common method? Supply chain attacks. In June 2023, they compromised the Atomic Wallet software update, infecting 4,100 users without them ever knowing. Within hours, $100 million vanished from their wallets. Another favorite target? Exchange APIs and crypto bridges-software that moves assets between blockchains. The Ronin Bridge hack in March 2022 stole $625 million by hijacking just five validator keys. No one saw it coming.The goal isn’t just to steal. It’s to move fast. In the February 2025 Bybit hack-the largest single theft ever-hackers moved 87% of the stolen Ethereum into Bitcoin within 72 hours. Why Bitcoin? Because it’s the most liquid, hardest to trace, and easiest to convert into cash. Every second counts. North Korea’s team now runs 400 to 500 transactions per day across multiple chains, flooding blockchain analysts with noise. It’s not about hiding one transaction. It’s about drowning the system in a million tiny ones.
The Laundering: Crossing Chains, Hiding Trails
Once stolen, the crypto doesn’t sit still. It gets shuffled. First, it’s moved from Ethereum to Binance Smart Chain, then to Solana, then to Polygon. Each jump adds a layer of confusion. Why? Because most forensic tools are built to track money on one chain. Jumping between them breaks the trail.They’ve abandoned old-school mixers like Tornado Cash-shut down by U.S. sanctions in 2022 after processing $1.2 billion in stolen funds. Now, they use cross-chain bridges like Ren Bridge and Avalanche Bridge. Between 2021 and 2024, these bridges handled over $1.2 billion in North Korean-linked transactions. These bridges don’t ask questions. They just move coins. And they’re built into decentralized finance (DeFi) platforms, which operate with almost no oversight.
After crossing chains, the funds are almost always converted into Bitcoin. Why? Because Bitcoin has the deepest markets. You can sell $50 million in BTC without crashing the price. Ethereum or altcoins? Too volatile. Too many red flags. Bitcoin is the cleanest bridge to cash.
The Final Step: Turning Crypto Into Cash
This is where things get dangerous-and local. North Korea doesn’t try to cash out in New York or London. They go where no one asks for ID.Cambodia is ground zero. Specifically, the city of Sihanoukville. Since 2021, North Korean operatives have set up at least 14 crypto cafes there. These aren’t tourist spots. They’re cash-out factories. No ID needed. No questions asked. Each one processes between $500,000 and $2 million per month in cash transactions. The money comes in as crypto. It goes out as U.S. dollars, packed into suitcases or wired through shell companies.
One key player? The Huione Group. U.S. Treasury documents show Huione Crypto issues non-freezable stablecoins-digital tokens pegged to the dollar but immune to sanctions. Stolen crypto is swapped for these tokens, then sold to local buyers who turn them into cash. Huione Guarantee runs scams on the side. Huione Crypto? It’s the money laundering arm. And its executives? They’ve been directly linked to North Korean intelligence.
China still plays a role too. In February 2024, two Chinese nationals were indicted for moving $250 million in stolen crypto through 37 bank accounts. They didn’t need to explain where the money came from. Just a phone call and a bank transfer.
And then there’s Macau. Gambling hubs there accept crypto deposits with only 5% verification-compared to 95% in regulated markets. North Korean agents deposit stolen crypto into casino accounts, then cash out as winnings. No audit. No paper trail.
The Human Network: IT Workers as Trojan Horses
North Korea doesn’t just rely on hackers. It relies on thousands of IT workers-real people with real jobs-placed across Southeast Asia, Russia, and China. The UN estimates they generate $600 million a year for the regime.These workers aren’t criminals. They’re employees. They work remotely for crypto exchanges, fintech startups, or even government tech agencies. But they’re not who they claim to be. 89% use fake identities-mostly Indian or Vietnamese passports. They log in from VPNs that make them look like they’re in Germany or California. Their job? To create backdoors.
One CSIS report from 2024 found 27 cases where North Korean employees at Chinese exchanges enabled instant wallet-to-bank transfers. Normally, fraud detection takes 72 hours. These workers cut that to 12 hours. They didn’t hack the system. They were the system.
Why It’s Still Working (For Now)
You’d think blockchain analysis would stop this. After all, every transaction is recorded forever. But North Korea has adapted faster than regulators can keep up. In 2020, only 65% of stolen crypto made it to cash. By 2025? It’s 92%. Why?Because they’ve stopped trying to hide. They’re running so fast, no one can catch them. They use automated scripts to split funds into tiny chunks-under $10,000-just below reporting thresholds. They exploit regulatory gaps in DeFi. They use stablecoin arbitrage: swap stolen ETH for USDC on one exchange, then sell it on another where the price is slightly higher, pocketing the difference as “profit.”
Even the U.S. Treasury admits it’s a losing race. In Q1 2025, successful cash-outs dropped 22% from the previous quarter-thanks to new global reporting rules. But that’s not because North Korea got weaker. It’s because they’re being forced to change tactics. And they’re always ready to change.
The Future: What Comes Next?
North Korea is now building its own crypto infrastructure. A March 2025 CSIS report revealed they’ve hired 37 blockchain developers from failed startups to create custom cross-chain protocols. These aren’t just tools. They’re weapons. Designed to move $500 million in a single transaction without leaving a trace.They’re also testing stablecoin laundering on a massive scale. Instead of converting stolen crypto to Bitcoin, they convert it to USDC, then move it through decentralized exchanges in unregulated countries. The money never touches a traditional bank. It’s clean by design.
But the clock is ticking. Treasury Secretary Janet Yellen warned in May 2025 that North Korea’s success rate could drop to 40% by 2027. Why? Because more than 100 countries are now sharing beneficiary data. Exchanges are forced to report. And every time a North Korean agent tries to cash out, they’re more likely to be flagged.
Still, the regime won’t quit. As Dr. Kim Heung Kwang, a former North Korean computer scientist who defected, put it: “They’ll keep adapting until cryptocurrency itself becomes regulated-or disappears.”
How much cryptocurrency has North Korea stolen?
Between 2017 and 2025, North Korean hacking groups have stolen over $3 billion in cryptocurrency, according to TRM Labs and Chainalysis. The February 2025 Bybit hack alone accounted for $1.5 billion-the largest single theft in history.
What’s the main currency North Korea converts stolen crypto into?
Bitcoin is the preferred intermediary. It’s the most liquid, easiest to sell in bulk, and hardest to trace. Around 82% of stolen crypto is converted into Bitcoin before being turned into cash.
Where does North Korea cash out stolen crypto?
Cambodia, especially Sihanoukville, is the primary hub, with 14 known crypto cafes operating as of March 2025. China and Macau also serve as key conversion points, using lax banking rules and gambling platforms to turn digital assets into cash.
How do North Korean IT workers help with cash-outs?
Thousands of North Korean IT workers are placed in fintech firms across Asia and Russia under fake identities. Once hired, they create backdoors that allow instant transfers from crypto wallets to bank accounts, bypassing fraud detection systems that normally take 72 hours.
Why can’t blockchain analysis stop them?
North Korea doesn’t rely on hiding one transaction-they flood the system with hundreds daily across multiple blockchains. They also use DeFi platforms with no KYC, convert funds into Bitcoin, and split withdrawals into small amounts under reporting thresholds. This makes detection extremely difficult, even with advanced tools.
Is North Korea’s crypto cash-out operation declining?
There’s a slight decline-Q1 2025 saw a 22% drop in successful cash-outs compared to Q4 2024 due to global reporting rules. But success rates remain high at 92%, and North Korea is adapting with new tools like custom cross-chain protocols and stablecoin arbitrage, meaning the threat is evolving, not fading.
Pradip Solanki
March 25, 2026 AT 12:54Let’s be real here - the entire narrative is a distraction. Blockchain analysis isn’t failing because North Korea is smart, it’s failing because regulators are lazy and exchanges are profit-driven. They don’t want to kill the goose that lays the golden eggs. DeFi is the wild west because VCs are too busy pitching NFTs to care about laundering flows. The real issue? Capital flight via stablecoins isn’t a North Korean problem - it’s a systemic failure of global financial oversight.
They’re not ‘adapting faster’ - they’re exploiting a vacuum. And we’re all pretending this is a cybercrime issue when it’s fundamentally a regulatory arbitrage play. Fix the loopholes, not the hackers.
Alice Clancy
March 27, 2026 AT 07:31China and Cambodia are the real villains here. Why are we still letting these regimes get away with this? The U.S. should sanction every damn port, casino, and crypto cafe in Southeast Asia. No more ‘diplomatic engagement.’ Just bomb the servers and freeze every asset linked to a DPRK IP. We’ve got the tech. We’ve got the will. We just need the guts.
And stop calling it ‘laundering.’ This is economic warfare. And we’re losing. 💥
aravindsai pandla
March 29, 2026 AT 06:10There’s an important detail missing from most analyses: the role of legitimate fintech infrastructure being co-opted. North Korea doesn’t need to build its own blockchain - it just needs to infiltrate one. The real vulnerability isn’t in the crypto, it’s in the human layer - the employees with fake IDs working remotely in Bangalore, Hanoi, or Minsk.
Every time a startup hires a ‘remote dev from Ukraine’ without proper vetting, they’re potentially enabling a state-sponsored laundering pipeline. KYC isn’t enough. We need behavioral biometrics, device fingerprinting, and mandatory cross-border background checks for any employee handling financial systems. It’s not paranoia - it’s due diligence.
Cordany Harper
March 29, 2026 AT 17:03Big picture: North Korea’s crypto operation is basically a 24/7 corporate R&D lab for financial evasion. They’re not just stealing - they’re innovating. And honestly? Some of their techniques are kind of brilliant. Splitting transactions under $10k across 500 chains? That’s not hacking - that’s logistics genius.
But here’s the thing: they’re not the only ones doing this. Private actors, hedge funds, even some governments are using similar tactics. The difference? They’re not trying to fund nukes. They’re just trying to avoid taxes.
We’re all playing the same game. North Korea just has a bigger budget and fewer scruples.
DarShawn Owens
March 30, 2026 AT 04:15Man, this is wild to think about - thousands of people working remotely, probably thinking they’re just coding for a startup, not realizing they’re helping fund a dictatorship. It’s like a modern-day Trojan horse, but instead of a wooden horse, it’s a LinkedIn profile and a VPN.
It makes me wonder how many of us have unknowingly contributed to this system. I’ve hired freelancers from abroad before. Never thought to ask where they really were. Scary stuff.
Zion Banks
March 30, 2026 AT 18:36THIS ISN’T ABOUT CRYPTO. THIS IS ABOUT THE NEW COLD WAR. NORTH KOREA ISN’T STEALING BITCOIN - THEY’RE TESTING A WEAPON. THE FACT THAT THE U.S. TREASURY ADMITS IT’S A ‘LOSING RACE’ MEANS WE’RE ALREADY IN DEFENSE MODE. THEY’RE USING BLOCKCHAIN TO BYPASS SANCTIONS BECAUSE THEY KNOW OUR SYSTEM IS BROKEN.
AND THE WORST PART? THEY’RE TRAINING OTHER DICTATORSHIPS. IRAN IS ALREADY COPYING THEM. VENEZUELA’S CRYPTO CAFFES ARE OPENING NEXT YEAR.
WE NEED A MILITARY RESPONSE. NOT SANCTIONS. NOT TALKS. A CYBER STRIKE ON SIHANOUKVILLE. BLOW THE SERVERS. ERASE THE DATA. LET THEM FEEL WHAT IT’S LIKE TO BE CUT OFF.
THIS IS WAR. AND WE’RE STILL PLAYING CHECKERS.
manoj kumar
April 1, 2026 AT 18:20Everyone’s acting like this is some new frontier but it’s just the same old scam - fake identities, shell companies, dirty money. We’ve seen this with gold smuggling, offshore banking, even hawala networks. Crypto just made it faster. The real story? The world’s still run by corrupt officials who don’t care if the money’s digital or paper - as long as their cut’s clean.
And don’t get me started on those ‘crypto cafes’ in Cambodia. You think the local police aren’t in on it? Please. They’re probably getting paid in USDC.
JOHN NGEH
April 2, 2026 AT 18:26It’s kind of fascinating how this shows the limits of decentralization. Blockchain was supposed to make things transparent, but North Korea turned it into the ultimate opacity engine. They’re not hiding - they’re overwhelming. It’s like trying to find one drop of ink in a swimming pool full of ink.
I wonder if the answer isn’t more blockchain, but better human oversight. Maybe we need blockchain + human auditors + whistleblower incentives. Tech alone won’t save us.
Jenni Moss
April 3, 2026 AT 09:58Wow. This is so intense. I didn’t realize how deep this went. It’s like a spy movie but real. And the part about IT workers using fake passports? That’s heartbreaking. Imagine being someone who just wants to work remotely and ending up as a pawn in this. We need to protect those people too - not just stop the regime.
Maybe we should create a global registry for crypto workers? Like a verified background check for devs? Just a thought 💛
vu phung
April 5, 2026 AT 09:13Stablecoin arbitrage as a laundering tool? That’s next-level. You don’t need to convert to BTC anymore - just exploit price differentials between decentralized exchanges in unregulated jurisdictions. The profit margin is tiny per trade, but scale it to millions of swaps per day? That’s compound laundering.
And the real kicker? It’s not even illegal. It’s just… financial engineering with a side of regime funding. We need to reclassify stablecoin liquidity pools as high-risk financial instruments. No more ‘DeFi = free zone’.
Kayla Thompson
April 5, 2026 AT 09:19Oh please. Everyone’s acting like North Korea invented money laundering. They’re just the latest in a 500-year line of authoritarian regimes that turned tech into a weapon. The Dutch East India Company laundered through shell traders. The Vatican laundered through Swiss banks. Now it’s crypto. Same game, new board.
The real problem? We keep pretending this is a technical issue. It’s not. It’s political. And until we admit that, we’ll keep chasing ghosts while the regime builds its own blockchain empire.