Chinese, Russian, and Cambodian intermediaries reportedly played key roles in moving and cashing the stolen funds.
A new report by the Multilateral Sanctions Monitoring Team (MSMT) shows that North Korean hackers stole $2.83 billion in cryptocurrency between January 2024 and September 2025.
This figure accounts for nearly one-third of the country’s total foreign currency income in 2024.
Bybit Exploit Was the Largest Contributor
The MSMT, a coalition of 11 countries formed in October 2024, was created to track how North Korea evades international sanctions through cybercrime. Its latest findings reveal that the scale of crypto theft rose in 2025, with hackers stealing $1.64 billion in the first nine months alone, marking a 50% increase from the $1.19 billion stolen last year.
Most of this year’s total came from a February attack on Bybit, which was linked to the TraderTraitor group, also known as Jade Sleet or UNC4899. The hackers targeted SafeWallet, a multi-signature wallet provider for Bybit, using phishing emails and malware to gain access to internal systems. They then disguised external transfers to appear as internal ones, allowing them to take control of the cold wallet’s smart contract and move the funds undetected.
According to the MSMT, North Korean hackers often avoid attacking exchanges directly, instead targeting third-party service providers. Groups such as TraderTraitor, CryptoCore, and Citrine Sleet have used fake developer profiles, stolen identities, and detailed knowledge of software supply chains to carry out their attacks. In one notable case, the Web3 project Munchables lost $63 million in a hack, although the funds were later returned after they reportedly faced problems during laundering.
How the Laundering Works
The analysis reveals a nine-step process used to clean and convert stolen crypto into cash. Hackers begin by swapping stolen assets for Ethereum (ETH) on decentralized exchanges, then use mixing services such as Tornado Cash and Wasabi Wallet to hide transaction trails. The ETH is then converted to Bitcoin (BTC) through bridge platforms, mixed again, stored in cold wallets, and then traded for Tron (TRX) before being converted to USDT. The final step involves sending USDT to over-the-counter brokers who exchange it for cash.
Brokers and companies in China, Russia, and Cambodia were identified as key players in this process. In China, nationals Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology, along with trader Wang Yicong, helped move funds and create fake IDs. Russian intermediaries converted about $60 million from the Bybit hack through OTC brokers, while Cambodia’s Huione Pay was used to transfer stolen funds despite its license not being renewed by the central bank.
You may also like:
The MSMT also said that North Korean hackers have worked with Russian-speaking cybercriminals since the 2010s. In 2025, actors linked to Moonstone Sleet leased ransomware tools from the Russia-based group Qilin.
In response, the 11 jurisdictions making up the MSMT issued a joint statement urging UN member countries to raise awareness on these cyber activities and called on the UN Security Council to restore its Panel of Experts “in the same strength and structure it had prior to its disbandment.”
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
