North Korea isn’t just building missiles-it’s stealing billions in cryptocurrency. Since 2017, its cyber units have pulled off heists on a scale no other nation has matched. The Lazarus Group, a state-backed hacking team tied to North Korea’s Reconnaissance General Bureau, doesn’t break into banks. It breaks into blockchains. And the world is finally waking up.
How Much Money Are They Stealing?
In the first half of 2025 alone, North Korean hackers stole over $2.17 billion in cryptocurrency, according to Chainalysis. That’s more than the entire GDP of some small countries. The biggest single heist? A $1.5 billion attack on ByBit in February 2025-the largest crypto theft in history. It wasn’t a lucky break. It was a well-planned operation targeting a flawed multi-signature system during a routine wallet transfer.
These aren’t random attacks. They’re part of a systematic strategy to bypass international sanctions. North Korea can’t easily buy weapons or fuel through normal banking channels. So it turns to crypto. And it’s working. By 2025, North Korea accounted for nearly 39% of all state-sponsored crypto thefts worldwide. That’s up from 35% in 2024. Their operations now target not just exchanges, but DeFi protocols, NFT marketplaces, and even crypto-focused startups.
Who’s Fighting Back?
In May 2024, the United Nations Panel of Experts on North Korea dissolved. Many feared sanctions enforcement would collapse. Instead, 11 nations stepped in. The United States, Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea, and the United Kingdom formed the Multilateral Sanctions Monitoring Team (MSMT) in October 2024.
This isn’t another slow-moving UN committee. It’s a fast, focused coalition with real teeth. The MSMT shares intelligence daily, tracks laundering patterns, and coordinates asset freezes across borders. They’ve already documented over $6 billion in stolen crypto tied to North Korea since tracking began. Their October 2025 report called the regime’s operations “a sophisticated global criminal enterprise”-a rare level of blunt language from a diplomatic body.
How Do They Track the Stolen Money?
It’s not magic. It’s math. Blockchain analytics firms like Chainalysis, Elliptic, and TRM Labs trace every transaction. Every wallet address. Every cross-chain swap. Every time stolen funds move from Bitcoin to Ethereum to Monero.
North Korea tries to hide its tracks using privacy coins, decentralized exchanges, and AI-powered social engineering. But their patterns are predictable. They reuse wallet clusters. They funnel money through the same laundering nodes. They hire fake IT workers in the U.S. and Europe to build backdoors while siphoning cash.
The U.S. Department of Justice has filed 17 civil forfeiture cases since January 2025, targeting over $214 million in crypto, NFTs, and digital assets. In one case, they froze $237 million from the LND.fi hack in just 72 hours. That’s the fastest major recovery ever recorded.
Why Is It So Hard to Stop Them?
Because the rules are broken.
North Korea doesn’t play by international norms. It doesn’t care about sanctions. It doesn’t fear prosecution. It operates from Pyongyang, with no extradition treaties, no diplomatic accountability. Even when the MSMT identifies stolen funds, recovery rates are abysmal-only about 12.3% of seized assets are ever recovered.
Smaller exchanges struggle to keep up. Compliance costs for a mid-sized platform can hit $1.2 million a year. Many can’t afford the $45,000 annual subscription for Chainalysis’ DPRK-specific tools. So they skip checks. And that’s exactly what North Korea wants.
Reddit threads from exchange security teams are full of frustration. One user wrote: “We get MSMT alerts. We freeze the wallet. Then we wait six months for a response from a foreign agency that doesn’t even have crypto laws yet.”
What’s Changing in 2026?
The response is evolving. In early 2026, the MSMT is launching a Cryptocurrency Intelligence Fusion Cell-a 24/7 command center modeled after counterterrorism units. It’s backed by $85 million from member nations.
Regulations are catching up, too. The U.S. enacted Executive Order 14155 in April 2025, forcing all exchanges to flag transactions over $10,000 linked to known DPRK addresses. The EU’s MiCA II rules go live on January 1, 2026, requiring all crypto platforms to monitor cross-border flows in real time.
But the biggest shift? North Korea is using AI. Not just to hack-but to deceive. In mid-2025, AI-generated voice and text scams tricked three U.S. tech firms into hiring North Korean operatives posing as developers. Those employees then accessed sensitive defense data while funneling crypto profits home.
What Can You Do?
If you run an exchange, use MSMT’s Red Flags list from the U.S. Treasury’s OFAC. Watch for:
- Transactions from known DPRK-linked addresses
- Large, rapid cross-chain swaps
- Wallets with no history but sudden high-volume transfers
- Users with fake IDs from Eastern Europe or Southeast Asia
If you’re a regular user? Don’t use unregulated platforms. Avoid shady DeFi protocols with no audits. And if you see something odd-report it. The MSMT relies on tips from the private sector.
Will This Work?
It’s not perfect. Russia’s growing alliance with North Korea creates blind spots. Countries like Iran and Venezuela still offer safe havens. And as long as crypto remains anonymous in some corners, the thefts will keep coming.
But the tide is turning. For the first time, the world is acting as one. Not because of the UN. But because the money’s too big, the threat too real. North Korea thought crypto was its loophole. Now, it’s becoming its trap.
How much money has North Korea stolen through crypto hacks?
Since tracking began, North Korea-linked cybercriminals have stolen over $6 billion in cryptocurrency. In the first half of 2025 alone, they stole $2.17 billion, according to Chainalysis. The largest single heist was $1.5 billion from ByBit in February 2025.
Who is the Lazarus Group?
The Lazarus Group is a state-sponsored hacking team operated by North Korea’s Reconnaissance General Bureau. It’s responsible for nearly all major crypto thefts linked to the regime, including the ByBit, LND.fi, and WOO X breaches. The group uses advanced malware, social engineering, and AI to target exchanges, DeFi platforms, and even private companies.
What is the MSMT and how does it work?
The Multilateral Sanctions Monitoring Team (MSMT) is a coalition of 11 nations-including the U.S., Australia, Japan, South Korea, and New Zealand-that formed in October 2024 to replace the UN Panel of Experts. It shares real-time intelligence, tracks stolen crypto flows, and coordinates asset freezes. Unlike the UN, it acts quickly and doesn’t require consensus from all 193 member states.
Can blockchain analytics really trace North Korean crypto?
Yes. Firms like Chainalysis and Elliptic use transaction tracing, wallet clustering, and laundering pattern analysis to identify DPRK-linked addresses. Even when funds move across blockchains or use privacy tools, their behavioral patterns-like repeated use of specific mixing services or wallet addresses-leave digital fingerprints.
Why is North Korea using AI in its crypto attacks?
AI helps North Korea bypass human security checks. It generates fake resumes to hire IT workers overseas, creates convincing phishing emails, and even mimics customer support voices to trick exchange staff. Between July and September 2025, AI-driven scams successfully infiltrated three major U.S. tech firms, giving hackers access to internal systems and sensitive data.
Are smaller crypto exchanges at risk?
Absolutely. Smaller platforms often lack the budget for advanced blockchain analytics tools, which cost up to $45,000 per year. Many skip compliance checks to save money, making them easy targets. In 2025, exchanges like Seedify and WOO X were hit because they didn’t have proper KYC or transaction monitoring in place.
What’s the recovery rate for stolen crypto?
Only about 12.3% of stolen funds tied to North Korea are ever recovered. Even when assets are frozen, laundering techniques-like chain-hopping, privacy coins, and decentralized bridges-make it nearly impossible to trace the money back to its final destination.
How is Russia involved in North Korea’s crypto crimes?
Russia has become a key enabler. It provides safe harbor for North Korean hackers, offers access to its financial systems, and may even assist in laundering stolen crypto. The MSMT’s May 2025 report confirmed deepening military and cyber cooperation between the two nations, creating major gaps in global enforcement efforts.
Ramona Langthaler
January 27, 2026 AT 08:35Sunil Srivastva
January 28, 2026 AT 06:05Devyn Ranere-Carleton
January 29, 2026 AT 16:35Kevin Thomas
January 31, 2026 AT 03:04Robert Mills
January 31, 2026 AT 03:35Jerry Ogah
February 1, 2026 AT 07:33Andrea Demontis
February 2, 2026 AT 00:39Joseph Pietrasik
February 2, 2026 AT 16:37