North Korean crypto operations are entering a new phase.

Pyongyang’s state-backed hackers are scaling up their use of cryptocurrency to bypass United Nations sanctions, funnelling stolen funds through brokers and shell companies across Russia, Hong Kong, and Cambodia.

That’s according to a new report published on October 22 by South Korea, Japan, the US, and the EU, which reveals how North Korean cyber teams are refining their digital playbook, conducting multimillion-dollar heists and laundering the proceeds via a sophisticated network of crypto intermediaries.

The new findings underscore how crypto theft and laundering have become central to Pyongyang’s sanctions evasion strategy, providing the regime with hard currency despite layers of international restrictions.

Investigators warn that North Korea’s tactics are evolving faster than enforcement efforts, threatening to undermine the integrity of the global crypto ecosystem.

Top hacks linked to North Korea’s cyber units

The document cites coordinated investigations by the FBI, the US State Department, and crypto tracing firm Chainalysis linking the Bybit, DMM Bitcoin, and WazirX hacks to North Korea’s TraderTraitor group.

The Bybit hack alone in February siphoned $1.5 billion worth of assets, while the DMM Bitcoin theft in 2024 cost another $308 million.

North Korean attackers increasingly target software supply chains and third-party providers rather than exchanges themselves, “demonstrating patience, effective social engineering, and a strong understanding of software infrastructure,” the report said.

In one case, hackers infiltrated the Telegram channels of cryptocurrency employees using fake OKX staff profiles before deploying malware-laden spreadsheets

Global laundering networks

The report highlights how North Korean operatives have laundered more than $160 million in stolen crypto through a web of intermediaries since 2020.

Russian brokers cashed out at least $60 million in stolen assets, while a Hong Kong partner helped convert over $100 million linked to the Bybit hack.

Additional laundering routes extended through Cambodian channels, using local nationals and crypto wallets to move funds offshore.

The US Financial Crimes Enforcement Network has since blacklisted Huione Pay, a Cambodian payments subsidiary accused of helping launder $37.6 million in cryptocurrency stolen from exchanges including DMM Bitcoin, Atomic Wallet, and Coinspaid.

Blockchain analytics firm Elliptic has said the regime’s total crypto haul has now topped $6 billion, marking what experts describe as one of the most sustained and profitable cybercrime campaigns in history.

Crypto at the heart of sanctions evasion

North Korean IT operatives — many working remotely under false identities — are increasingly paid via crypto in Ethereum and USDC ($1.00), the joint report said.

They then funnel the income through front companies and crypto platforms like Payoneer to disguise the origin.

Pyongyang’s cyber apparatus “remains a critical source of hard currency” for its weapons and military programmes, the report reads. Authorities warn that new crypto-based laundering routes are evolving faster than enforcement measures can keep pace.

The report urges governments to expand blockchain tracing cooperation, sanction crypto intermediaries more aggressively, and create a framework for tracking income earned through IT freelancing platforms.

Lance Datskoluo is DL News’ Europe-based markets correspondent. Got a tip? Email at lance@dlnews.com.