North Korea doesn’t steal cryptocurrency for fun. It steals it to buy missiles. Since 2017, state-backed hackers have ripped off more than $3 billion in digital assets-mostly from exchanges, wallets, and DeFi protocols. And every dollar they steal has to become cash. Not Bitcoin. Not Ethereum. Real, physical money: dollars, euros, yuan. That’s where the real challenge begins.
The Theft Is Just Step One
Getting into a wallet or exchange is the easy part. The Lazarus Group, North Korea’s primary hacking unit, uses phishing, supply chain attacks, and compromised validator keys to grab crypto. The Bybit hack in February 2025 stole $1.5 billion in a single day-the biggest heist ever recorded. But once the coins are in their hands, the real work starts: turning digital chaos into clean, usable cash without getting caught.They don’t just withdraw to a bank. Not anymore. Blockchain analysis tools have gotten too good. Instead, they flood the system. In the Bybit attack, hackers moved stolen Ethereum across Binance Smart Chain, Solana, and Polygon within hours. They didn’t try to hide one transaction-they made 400 to 500 tiny ones every day. It’s like throwing a bucket of sand into a river and hoping no one notices which grains are yours.
The Three-Stage Conversion Pipeline
North Korea’s cash-out process has become a well-oiled machine with four clear stages:- Steal - Usually via phishing or exploiting weak security in crypto platforms. 68% of attacks follow this pattern.
- Move - Stolen coins get shuffled across at least three different blockchains. Cross-chain bridges like Ren Bridge and Avalanche Bridge are used to break the trail. In 2024 alone, $1.2 billion in North Korean-linked crypto passed through these bridges.
- Convert - Almost all of it ends up as Bitcoin. Why? Because Bitcoin is the most liquid, hardest to trace, and easiest to move across borders without scrutiny. 82% of stolen assets are converted to BTC before the final step.
- Cash Out - This is the bottleneck. Only 3-5% of global exchanges allow large withdrawals without strict ID checks. So North Korea doesn’t use exchanges. They use people.
The Human Network: IT Workers as Money Mules
North Korea has deployed over 10,000 IT workers abroad. They’re not hackers. They’re accountants with laptops. Many live in China, Russia, and Southeast Asia under fake identities-often pretending to be from India or Vietnam. They get hired by crypto exchanges, fintech firms, or freelance platforms. Once inside, they create backdoors.In 2024, CSIS documented 27 cases where North Korean employees at Chinese exchanges bypassed 72-hour fraud detection systems by triggering withdrawals in just 12 hours. They used VPNs to make it look like they were working from the U.S. or Germany. Their job? Connect stolen crypto wallets directly to local bank accounts. No questions asked.
Some work as freelancers. They sign up for crypto payment gigs-writing code, designing websites, doing customer support. They get paid in crypto. Then they cash out through local, unregulated exchanges. One worker in Cambodia can turn $200,000 in Bitcoin into cash in a single day. No KYC. No paper trail.
Cambodia: The Cash-Out Capital
The most important hub isn’t in China. It’s in Sihanoukville, Cambodia. The country has no real crypto regulations. No oversight. No reporting. That’s why the Huione Group became North Korea’s favorite partner. FinCEN officially labeled Huione a money laundering concern in May 2025 after tracing $37.6 million in stolen crypto through its network between 2021 and 2025.Huione doesn’t just exchange crypto. It issues its own stablecoins-non-freezable, untraceable, and fully backed by illicit funds. These coins are sold on dark web marketplaces or traded in local crypto cafes. Each of the 14 known North Korean-run crypto cafes in Sihanoukville processes between $500,000 and $2 million per month in cash transactions. No ID. No receipts. No records.
Macau’s casinos are another key node. Many accept crypto deposits with only 5% identity verification-compared to 95% in regulated markets. Stolen coins get swapped for chips. Chips get cashed out as clean money. No blockchain can follow that.
Why Bitcoin? Why Not Monero?
You’d think North Korea would use privacy coins like Monero. But they don’t. Why? Because Monero is too niche. There aren’t enough buyers. Exchanges don’t list it. OTC desks won’t touch it. Bitcoin? It’s everywhere. You can sell $10 million in BTC to a private buyer in a hotel room in Bangkok and walk away with suitcase full of cash. That’s why 82% of stolen crypto ends up as BTC.Even Tornado Cash, the old-school mixer that once processed $1.2 billion in North Korean funds, was shut down in 2022. Since then, North Korea ditched mixing tools entirely. Now they rely on speed, volume, and human networks-not software obfuscation.
The Crackdown Is Coming
Governments are fighting back. The Crypto-Asset Reporting Framework, launched in late 2024, forces over 100 countries to share customer data across exchanges. In Q1 2025, North Korea’s successful cash-outs dropped 22% compared to the previous quarter. Treasury Secretary Janet Yellen said the window for crypto laundering is closing fast.But North Korea isn’t giving up. They’re building new tools. A March 2025 CSIS report revealed they’re testing “stablecoin arbitrage laundering”-stealing USDC, moving it between regional exchanges where prices differ, then cashing out as clean fiat. They’ve recruited 37 former crypto devs to build custom cross-chain protocols that could move half a billion dollars without leaving a trace.
Still, the odds are shifting. In 2020, North Korea converted 65% of stolen crypto to fiat within 90 days. Today, it’s 92%. But that’s not because they’re getting smarter. It’s because the system is still broken. Exchanges still allow anonymous withdrawals. Governments still don’t share data fast enough. And human agents still operate in the shadows.
The Real Threat Isn’t the Tech-It’s the People
The most dangerous part of this operation isn’t the blockchain. It’s the thousands of North Korean workers sitting in apartments in Phnom Penh, Shenyang, and Vladivostok, typing away on laptops, turning digital theft into real-world power. They’re not soldiers. They’re engineers. They’re coders. They’re paid in crypto, but their loyalty is to the regime.Each $10,000 they cash out buys a missile part. Each $1 million funds a submarine program. Each $100 million helps North Korea defy sanctions and keep building weapons.
Blockchain technology was supposed to make finance transparent. Instead, it became the perfect tool for a regime that thrives in darkness. The tools to track them exist. The data is there. But the political will to shut it all down? That’s still missing.
How much crypto has North Korea stolen?
Between 2017 and 2025, North Korean hacking groups stole over $3 billion in cryptocurrency, according to TRM Labs and Chainalysis. The largest single theft was the $1.5 billion Bybit hack in February 2025.
What’s the main method North Korea uses to cash out crypto?
They use a four-step process: steal, move across multiple blockchains, convert to Bitcoin, then cash out through unregulated third parties-especially in Cambodia and China. Human agents working inside exchanges are key to bypassing KYC rules.
Why does North Korea prefer Bitcoin over privacy coins?
Bitcoin has far more liquidity and global acceptance. Privacy coins like Monero are harder to sell in large amounts because few exchanges support them. Bitcoin can be traded privately through OTC desks or cash-based networks with no questions asked.
Is Cambodia the only place they cash out?
No, but it’s the most important. Cambodia’s Huione Group and crypto cafes in Sihanoukville handle the bulk of cash-outs. China and Macau casinos are secondary hubs. Russia and Southeast Asia also host smaller networks.
Can blockchain analysis stop North Korea?
It can track transactions, but it can’t stop the cash-out. Blockchain forensics have improved 40% since 2022, but North Korea’s adaptation speed has increased by 65%. The real weakness is the final fiat conversion-where human networks and weak regulations let them slip through.
What’s the future of North Korea’s crypto cash-out operations?
They’re moving toward stablecoin arbitrage and custom cross-chain protocols to avoid detection. But with global reporting rules tightening, success rates are projected to drop to 40% by 2027. Still, they’ll keep adapting as long as there’s a loophole.
What Happens Next?
If you think this is just a crypto problem, you’re wrong. This is a national security issue. Every dollar North Korea turns from Bitcoin into cash helps fund a nuclear warhead. The world has the tools to stop it-better data sharing, tighter exchange rules, real enforcement in Cambodia and China. But so far, the response has been slow, fragmented, and reactive.Until governments treat crypto laundering like the arms smuggling it is, North Korea will keep stealing, moving, and cashing out. And the people paying the price won’t be the hackers. They’ll be the ones living under the threat those weapons create.
Dave Ellender
January 23, 2026 AT 11:05Mathew Finch
January 24, 2026 AT 03:04Jessica Boling
January 25, 2026 AT 17:36Andy Marsland
January 26, 2026 AT 14:00