North Korea Stole $2.8 Billion in Crypto to Fund Weapons Programs, Report Says
North Korea has intensified its reliance on cybercrime and the overseas remote employment of its citizens to circumvent international sanctions and finance its missile and nuclear programs. This conclusion was presented by member states of the international monitoring body MSMT in a joint report covering the period from January 2024 to September 2025.
According to the report, during this timeframe North Korean hackers stole no less than $2.8 billion in cryptocurrency. Nearly half of that amount stemmed from a single incident — the February breach of the Bybit cryptocurrency exchange, which resulted in losses of approximately $1.4 billion. Other victims included platforms based in Japan, India, the UAE, and Singapore. The stolen digital assets were laundered through exchanges and over-the-counter brokers in various countries before being converted into cash to finance the purchase of raw materials and equipment.
At the same time, Pyongyang continues to dispatch delegations of IT specialists abroad who pose as freelancers. Estimates suggest that 1,000 to 1,500 such individuals are currently working in China alone. Their mission is to generate income under false identities and funnel the proceeds back to the regime. This practice directly violates UN Security Council resolutions, which prohibit member states from employing North Korean nationals and mandate their repatriation.
North Korea also exploits Chinese financial and telecommunications infrastructure extensively. The report identified 15 Chinese banks implicated in money-laundering operations. In addition, the regime relies on a transnational web of intermediaries in China, Vietnam, Laos, the UAE, and even Argentina to facilitate cryptocurrency trades, procure equipment, and arrange fictitious employment.
Investigators note that nearly all malicious activities are coordinated by organizations already under sanctions. These entities operate through front companies and anonymous IT collectives whose primary objective is to generate revenue for the regime’s illicit weapons programs.
The proceeds from cybercrime are now estimated to exceed the revenue North Korea earned prior to the expanded sanctions of 2016–2017. Laundered cryptocurrency is used not only to sustain domestic needs but also to finance arms exports to foreign partners.
The report urges governments to tighten oversight of cryptocurrency transactions, strengthen identity verification for remote hires, freeze accounts linked to suspicious freelancers, and disrupt operations connected to North Korean intermediaries. It further stresses the necessity of repatriating all North Korean citizens who continue to work abroad in defiance of existing UN resolutions.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
