North Korea's Crypto Theft Operations

While most countries fund their military through taxes, North Korea has taken a decidedly different approach—hacking its way to billions in stolen cryptocurrency. The scale is staggering. In February 2025, they swiped $1.5 billion from Bybit in a single hack. That’s nearly double the $1.34 billion they stole across 47 separate incidents in 2024. Since 2017, they’ve averaged $51 million in stolen crypto every month. Every. Single. Month. The total haul? Over $5 billion.

Their tactics aren’t exactly subtle. North Korean hackers target exchanges through phishing, compromise cold wallets, and exploit vulnerabilities in DeFi protocols. They’re particularly fond of social engineering—because why bother with complex code when you can just trick someone into giving you access?

Why hack through walls when you can just ask someone to open the door?

Their Marstech1 JavaScript implant has proven especially effective. Once they’ve got the crypto, the real work begins.

First comes the shell game. They move funds through multiple wallets rapidly, employ “peel chains” for automated transactions, and hop between different cryptocurrencies. Most of it eventually gets converted to Bitcoin. It’s digital laundering on steroids.
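For analysts tracing such flows, a peel chain has a recognizable shape: each transaction sends a small amount to an outside address and passes the large remainder on to a fresh address, hop after hop. The sketch below is an added example, not code from this article or from any blockchain analysis vendor; the ledger format, the addresses, the function name `follow_peel_chain` and the thresholds are all hypothetical, and the one-sender-per-transaction model is a simplification of real UTXO data.

```python
# Added example: peel-chain heuristic over a simplified, constructed ledger.
# Assumption: each transaction has one sending address; real UTXO data has
# multiple inputs and is keyed by (txid, output index).
from typing import Dict, List, Tuple

Ledger = Dict[str, Tuple[str, List[Tuple[str, int]]]]  # txid -> (sender, outputs)

# Constructed sample transactions (amounts in arbitrary integer units).
SAMPLE: Ledger = {
    "t1": ("A0", [("X1", 5), ("A1", 95)]),
    "t2": ("A1", [("A2", 90), ("X2", 5)]),
    "t3": ("A2", [("X3", 4), ("A3", 86)]),
    "t4": ("A3", [("X4", 6), ("A4", 80)]),
    "t5": ("A4", [("B1", 40), ("B2", 40)]),   # even split: not a peel
    "t9": ("C0", [("C1", 10), ("C2", 90)]),   # one-off payment with change
}

def follow_peel_chain(ledger: Ledger, start_txid: str,
                      max_peel_ratio: float = 0.2, min_hops: int = 3) -> List[dict]:
    """Follow the larger (change) output hop by hop.

    Returns one dict per peel hop, or [] when fewer than min_hops
    consecutive peels are found (thresholds are illustrative assumptions).
    """
    # Index: which transaction spends from a given address.
    spent_by = {sender: txid for txid, (sender, _) in ledger.items()}
    hops, seen, txid = [], set(), start_txid
    while txid in ledger and txid not in seen:   # 'seen' guards against cycles
        seen.add(txid)
        _, outputs = ledger[txid]
        if len(outputs) != 2:                    # a peel has exactly peel + change
            break
        (peel_addr, peel_amt), (change_addr, change_amt) = sorted(
            outputs, key=lambda o: o[1])
        total = peel_amt + change_amt
        if total <= 0 or peel_amt / total > max_peel_ratio:
            break                                # split too even to be a peel
        hops.append({"txid": txid, "peeled_to": peel_addr,
                     "amount": peel_amt, "change": change_addr})
        txid = spent_by.get(change_addr)         # next hop spends the change
    return hops if len(hops) >= min_hops else []

if __name__ == "__main__":
    for hop in follow_peel_chain(SAMPLE, "t1"):
        print(hop)
```

The `min_hops` floor is what separates a chain from an ordinary payment with change, which looks identical for a single hop.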

Then the advanced techniques kick in. Cryptocurrency mixers like Wasabi, no-KYC swap services, DeFi tools—all deployed to make the money trail vanish. They create hundreds of fake accounts and sometimes just let large sums sit dormant until the heat dies down.

But turning billions in crypto into usable currency? That’s their bottleneck. They rely on shady OTC brokers and underground financial networks, particularly in China, to convert digital assets to cash. This contrasts sharply with legitimate smart contracts that enable transparent and automatic execution of financial transactions in the DeFi ecosystem.

The international response has been predictable. Sanctions, alerts, task forces. The usual. Exchanges implement stricter KYC measures. Blockchain analysis firms team up with law enforcement. None of it seems to be working particularly well.

Meanwhile, North Korea funds its nuclear and missile programs with the proceeds. Economic sanctions become increasingly irrelevant. Traditional anti-money laundering? Practically useless. The crypto sector’s cybersecurity weaknesses are on full display, and nobody seems to have a solution. Their criminal cyber operations represent a significant evolution from their traditional criminal operations that included counterfeiting and narcotics trafficking before sanctions tightened. The infamous Lazarus Group has been responsible for some of the largest thefts in crypto history, including the record-breaking Bybit hack.