North Korean Hacker Steals $2.83 Billion in Crypto in Less Than Two Years: Report

A new report from the Multilateral Sanctions Monitoring Group (MSMT) indicates that North Korean hacker groups have stolen a total of 2.83 billion USD in crypto assets from January 2024 to September 2025.

This figure accounts for nearly one third of North Korea's total foreign currency income in 2024, reflecting Pyongyang's increasing reliance on cybercrime activities to evade international sanctions.

The Bybit attack is the largest

MSMT — a coalition of 11 countries established in October 2024 — was created to monitor how North Korea evades sanctions through cyber attacks. The latest report shows that the scale of crypto theft surged in 2025, with $1.64 billion stolen in just the first 9 months of the year, a 50% increase from $1.19 billion the previous year.

Most of this money comes from the attack on the Bybit exchange in February 2025, believed to be carried out by the TraderTraitor group ( also known as Jade Sleet or UNC4899). The hacker targeted SafeWallet, Bybit's multi-signature wallet provider, by sending phishing emails containing malware to infiltrate the internal system. They then disguised external money transfer transactions as internal transactions, took control of the smart contract of the cold wallet, and withdrew funds without detection.

According to MSMT, North Korean hacker groups often do not directly attack exchanges but focus on third-party service providers. Groups such as TraderTraitor, CryptoCore, and Citrine Sleet use fake developer profiles, stolen identities, and deep knowledge of the software supply chain to carry out attacks.

A notable case is the Web3 project Munchables, which was stolen 63 million USD, but this amount was later refunded when the hacker group encountered issues during the money laundering process.

Sophisticated money laundering process

MSMT's analysis describes a nine-step money laundering chain that North Korean hackers often use to convert stolen crypto into cash. The process starts by swapping the stolen assets for Ethereum (ETH) on decentralized exchanges, then using mixing services like Tornado Cash and Wasabi Wallet to erase transaction traces.

ETH is then converted to Bitcoin (BTC) through bridges, mixed again, stored in a cold wallet, and then converted to Tron (TRX) before being exchanged for USDT. Finally, USDT is sent to OTC brokers, who will exchange it for cash.

The report identifies individuals and businesses in China, Russia, and Cambodia that play a key role in this process.

• In China, citizens Ye Dinrong and Tan Yongzhi from Shenzhen Chain Element Network Technology, along with trader Wang Yicong, have assisted in moving funds and creating fake identities.
• In Russia, intermediaries laundered about 60 million USD from the Bybit case through the OTC network.
• In Cambodia, the Huione Pay platform (, chaired by the cousin of Prime Minister Hun Manet, has been found to aid in money transfers even though the license has expired as the central bank did not renew it.

MSMT also stated that North Korean hackers have been collaborating with Russian-speaking cybercriminals since the 2010s, and in 2025, the Moonstone Sleet group rented ransomware tools from the Russian gang Qilin.

In the face of this escalating threat, 11 member countries of the SMT have issued a joint statement calling on United Nations member states to enhance awareness of North Korea's cybercrime activities, while urging the United Nations Security Council to restore the Sanctions Monitoring Expert Committee with the same scale and authority as before it was dissolved.

Thạch Sanh