
North Korea’s Crypto Heists Total $2.83 Billion Since 2024
A report reveals North Korea's extensive cryptocurrency theft operations, totaling significant sums due to hacking activities between 2024 and 2025.
A recent report from the Multilateral Sanctions Monitoring Team (MSMT) indicates that hackers from North Korea stole approximately $2.83 billion in cryptocurrency between January 2024 and September 2025.
This staggering amount represents nearly one-third of the nation’s total foreign income in 2024.
Bybit Hack: A Major Contributor
The MSMT, consisting of 11 countries and established in October 2024, aims to monitor North Korea’s evasion of international sanctions through cybercrime. Its findings reveal that crypto theft surged in 2025, with hackers pilfering $1.64 billion in just the first nine months, a 50% increase compared to the previous year’s $1.19 billion.
A significant portion of this year’s total stemmed from a February breach at Bybit, attributed to the TraderTraitor group, also referred to as Jade Sleet or UNC4899. The hackers targeted SafeWallet, a wallet service used by Bybit, using phishing and malware to infiltrate internal systems. They disguised external transfers as internal ones, allowing the theft of the cold wallet’s smart contract.
The MSMT has noted that North Korean hackers typically avoid direct assaults on exchanges, opting instead for third-party service providers. Groups like TraderTraitor, CryptoCore, and Citrine Sleet are known for creating fake developer identities and employing stolen identities to execute their plans. In one incident, the Web3 project Munchables suffered a $63 million hack, though the funds were later returned following laundering complications.
Steps in the Laundering Process
The analysis unveils a nine-step strategy for laundering stolen cryptocurrency. Initially, stolen assets are exchanged for Ethereum (ETH) on decentralized exchanges. Subsequently, mixers like Tornado Cash and Wasabi Wallet obfuscate transaction paths. The ETH is converted to Bitcoin (BTC) via bridge platforms, mixed again, stored in cold wallets, and eventually switched for Tron (TRX) before being changed into USDT. Finally, USDT is sent to OTC brokers who convert it into cash.
Chinese, Russian, and Cambodian brokers play vital roles in these transactions. In China, nationals Ye Dinrong and Tan Yongzhi of Shenzhen Chain Element Network Technology, alongside trader Wang Yicong, were reported to assist in fund movement and fake ID creation. Russian intermediaries converted around $60 million from the Bybit hack through OTC brokers, while Cambodia’s Huione Pay facilitated transfers even though its license had expired.
The MSMT also pointed out that North Korean hackers have been collaborating with Russian-speaking cybercriminals since the 2010s. In 2025, associates of Moonstone Sleet rented ransomware tools from the Russian group Qilin.
In reaction, the 11 jurisdictions within the MSMT released a collective statement urging UN member countries to be aware of these cyber activities and calling for the UN Security Council to reinstate its Panel of Experts with the same capacity as before its disbandment.
