North Korea has allegedly stolen $2.84 billion in crypto since 2024 as China aids cash-out: report

North Korean IT workers span at least 8 countries, with China and Russia serving as key hubs.

Ji Da-gyum

The Korea Herald

Thematic image only. The Bitcoin logo is displayed during the Token2049 conference in Dubai on April 30, 2025. PHOTO: AFP

October 23, 2025

SEOUL – North Korea has stolen about $2.84 billion worth of cryptocurrency from January 2024 to September 2025, laundering and cashing out the stolen assets with extensive involvement of Chinese nationals and financial networks, according to a report.

The Multilateral Sanctions Monitoring Team — which consists of 11 countries, including South Korea, the United States and Japan — on Wednesday released its second edition of the topic-specific report on North Korea’s illicit and malicious cyber activities.

Of the total stolen cryptocurrency, $1.19 billion was taken in 2024, tantamount to roughly one-third of North Korea’s total foreign currency earnings that year. The remaining $1.65 billion was siphoned off between January and September 2025, according to the report.

North Korean cyber groups and IT workers carried out the crypto thefts by breaking into major cryptocurrency exchanges. These included Bybit in the United Arab Emirates, DMM Bitcoin in Japan, WazirX in India, and BingX and Phemex in Singapore.

The report underscored that North Korea laundered the stolen cryptocurrency to evade tracking and converted it into cash through overseas brokers.

Overseas networks in China, Russia, Hong Kong and Cambodia, among others, were involved in facilitating North Korea’s laundering of the stolen cryptocurrency.

Chinese nationals and China’s financial system were heavily involved in the cash-out process, the report found.

Chinese nationals have assisted North Korean cyber groups by providing forged identification documents and supporting their cryptocurrency theft and laundering operations.

North Korean cyber units have also used China’s financial system, including UnionPay credit cards and commercial banks, to launder and convert the stolen cryptocurrency into cash.

The report found that North Korean cyber groups used Cambodian financial platforms, including Huione Group and its Huione Pay, to launder and cash out stolen cryptocurrency.

In 2024, three MSMT participating countries raised the issue of Huione Pay’s support for UN-sanctioned North Korean entities, including the Reconnaissance General Bureau, to the Cambodian government.

This October, the US Treasury Department imposed sanctions on Huione Group for laundering proceeds from virtual currency scams and heists on behalf of malicious cyber actors.

North Korea’s overseas IT workers continue to generate hundreds of millions of dollars in revenue despite UNSC resolutions banning the employment of North Koreans abroad, according to the report.

The workers are estimated to have earned between $350 million and $800 million in 2024 alone.

Belonging to subordinate entities under UN-sanctioned bodies such as the Reconnaissance General Bureau, the Ministry of Atomic Energy Industry, the Ministry of Defense and the Munitions Industry Department, North Korean IT workers have remitted roughly half of their income to the Kim Jong-un regime, the report found.

They have secured contracts in the US and Europe — including Germany, Portugal and the United Kingdom — with companies in sectors such as AI, blockchain, web development, defense technology and government-affiliated firms.

The report also found that profits generated by North Korean IT workers stationed overseas have increased even as the number of host countries has declined.

Around 1,000 to 2,000 North Korean IT workers are stationed in at least eight countries — primarily China and Russia, as well as Laos and Cambodia in Southeast Asia — with additional clusters in Africa, including Equatorial Guinea, Guinea, Nigeria and Tanzania.

Some IT workers are also presumed to reside in Uganda, according to the report.

China and Russia have emerged as key hubs for North Korean IT workers, with an estimated 1,000 to 1,500 operating in China — the largest concentration globally.

In Russia, North Korean workers mainly enter on student visas, and between 350 and 1,800 IT workers could be employed across Moscow, Ussuriysk and Vladivostok in 2025.

In Laos, IT workers are affiliated with entities such as Chonsurim Trading Company — sanctioned by the US Treasury Department — and the state-run Second Academy of Natural Sciences, which is responsible for the research and development of North Korea’s advanced weapons systems.

The IT workers secure remote contracts with companies in the US and Europe by using forged identities while residing in Laos.

The report also noted cases where facilitators in third countries have helped North Korean IT workers by providing fake identities, online accounts, hardware and other essential resources for their operations and money laundering. These third countries include China, Russia, the UAE, Pakistan, Argentina, Vietnam, Ukraine, the US and Japan.

The MSMT was launched at Seoul’s initiative about seven months after Russia, exercising its veto as a permanent member of the UN Security Council in March 2024, blocked the renewal of the 1718 Committee Panel of Experts’ mandate overseeing the enforcement of UN sanctions on North Korea.

dagyumji@heraldcorp.com
