Summary
North Korea has amassed $2.84 billion in stolen cryptocurrencies since early 2024, employing thousands of IT workers covertly. While the regime refines its hacking capabilities, experts from Chainalysis observe a significant improvement in the response capacity of Western nations and cryptocurrency companies.
Key Points:
- North Korea has stolen $2.84 billion in cryptocurrencies since January 2024, with $1.65 billion stolen between January and September 2025 alone.
- Pyongyang deploys an estimated 1,000 to 1,500 IT workers in China and plans to send up to 40,000 to Russia.
- In August, US authorities sanctioned a network of North Korean IT workers, signifying a crucial shift in combating this threat.
- Tens of millions of dollars from the Bybit hack have been recovered, demonstrating the increasing efficacy of tracking tools.
The Accelerating Crypto Cyber War
The Multilateral Sanctions Monitoring Team (MSMT) has issued a stark warning, revealing the immense scale of North Korea's cybercriminal operations: nearly three billion dollars stolen in less than two years. The significant Bybit hack in February contributed a substantial amount to this colossal sum.
More concerning is the evolution of Pyongyang's strategy. The regime has moved beyond sporadic cyberattacks to implement a comprehensive "full-spectrum national program," now positioning itself as a formidable competitor to the cyber capabilities of China and Russia. This advancement highlights an alarming professionalization of North Korean operations.
The offensive has also introduced a new tactic: infiltrated IT workers. In direct contravention of UN Security Council resolutions 2375 and 2397, the DPRK has deployed thousands of operatives across eight different countries.
These clandestine developers are primarily located in Asia, including China, Laos, and Cambodia, but also operate in Africa and Russia. The earnings generated by these workers are systematically funneled back to the regime to finance its weapons development programs.
"The MSMT report details how these funds are used to acquire all sorts of equipment, from armored vehicles to portable anti-aircraft missile systems," stated Andrew Fierman, head of intelligence at Chainalysis, in an interview with Decrypt. This creates a dangerous cycle where stolen cryptocurrencies are used to purchase weapons, thereby strengthening the North Korean threat.
The Counter-Offensive Takes Shape
In response to this multifaceted threat, Western actors are actively engaged. Andrew Fierman observed "a capacity of law enforcement, national security agencies, and the private sector to identify associated risks and respond." Tangible examples of this growing resistance are becoming more frequent.
Last August, the US Office of Foreign Assets Control (OFAC) took significant action by sanctioning an entire network of IT workers associated with Pyongyang. This move represents a pivotal moment, as Washington is no longer solely pursuing hackers but is also dismantling their logistical support structures.
Concurrently, tens of millions of dollars stolen in the Bybit hack have been successfully traced and recovered, with some of the funds leading back to a Greek exchange platform.
Cryptocurrency companies are also enhancing their defensive measures. Kraken, for instance, developed protocols to detect North Korean IT workers as early as May 2025.
Binance has taken this a step further; its head of security revealed that, on a daily basis, the platform rejects CVs from North Korean agents attempting to infiltrate the company. This constant vigilance positions the cryptocurrency industry as a primary line of defense.
The key to success lies in fostering collaboration between public and private entities. The MSMT report serves as a prime example of this synergy, integrating contributions from Western governments and specialized companies such as Chainalysis, Google Cloud, and Palo Alto Networks. This combined approach, leveraging blockchain intelligence and traditional cybersecurity, enables the identification and freezing of stolen funds before they can be laundered.
The conflict between Pyongyang and the West in the cryptocurrency cyberspace is intensifying, but the balance of power is shifting. While North Koreans continue to refine their techniques, defensive measures are evolving and strengthening at a comparable pace. The implications extend beyond the mere protection of digital assets; it is crucial to prevent cryptocurrencies from financing the development of North Korea's next generation of weaponry.

