How North Korea Launders Billions in Stolen Crypto

BTC $ 86,524.87 - 2.25 % ETH $ 2,182.26 - 1.37 % USDT $ 1.0000 - 0.01 % XRP $ 2.3654 - 6.05 % BNB $ 598.44 - 1.01 % SOL $ 137.30 - 5.45 % USDC $ 1.0002 + 0.02 % ADA $ 0.8227 - 4.40 % DOGE $ 0.1956 - 4.86 % TRX $ 0.2465 + 0.40 % WBTC $ 86,417.13 - 2.18 % LINK $ 15.38 - 9.35 % HBAR $ 0.2282 - 6.71 % LEO $ 9.8034 - 1.33 % AVAX $ 20.63 - 0.73 % XLM $ 0.2777 - 5.04 % SUI $ 2.5373 - 8.56 % LTC $ 104.07 - 0.21 % BCH $ 387.79 - 0.99 % SHIB $ 0.0₄1285 - 5.07 % Ad Sign Up News Back to menu News Prices Back to menu Prices Data Back to menu Data Trade Data Derivatives Order Book Data On-Chain Data API Research & Insights Data Catalogue AI & Machine Learning Indices Back to menu Indices Multi-Asset Indices Reference Rates Strategies and Services API Insights & Announcements Documentation & Governance Consensus Back to menu Consensus Sponsored Back to menu Sponsored Videos Back to menu Videos CoinDesk Daily Shorts Editor's Picks Podcasts Back to menu Podcasts CoinDesk Podcast Network Markets Daily Gen C Unchained with Laura Shin The Mining Pod Newsletters Back to menu Newsletters The Node Crypto Daybook Americas State of Crypto Crypto Long & Short Crypto for Advisors Research Back to menu Research Webinars & Events Back to menu Webinars & Events Consensus 2025 Policy & Regulation Conference Sponsored Back to menu Sponsored Thought Leadership Press Releases CoinW MEXC Phemex Advertise News Sections Back to menu News Sections Markets Finance Tech Policy Focus English Select Language English en Français fr Español es Filipino fil Italiano it Português pt-br Русский ru Українська uk News Prices Data Indices Consensus Sponsored Sign In Sign Up Policy Share Share this article Copy link X icon X (Twitter) LinkedIn Facebook Email How North Korea Launders Billions in Stolen Crypto The Hermit Kingdom, which intelligence agencies say was behind the $1.5 billion Bybit hack, faces “offramping” challenges due to the size of its hauls. By Tom Carreras | Edited by Benjamin Schiller Mar 7, 2025, 8:02 p.m. UTC Kim Jong-un, supreme leader of the Democratic People's Republic of Korea (Credit: Alexander Khitrov/Shutterstock) What to know : North Korea has stolen over $5 billion from the crypto sector since 2017. Recently, its hackers gained up to $1.5 billion from the Bybit exploit. It’s such a huge amount that it’s difficult to launder, TRM Labs’ Ari Redbord said. North Korea uses a network of money-laundering OTC brokers which is being monitored by U.S. agencies in conjunction with Japan and South Korea. How does North Korea launder its crypto loot? Each time the Hermit Kingdom successfully hacks a company or protocol — like when it pillaged $1.5 billion from crypto exchange Bybit on Feb. 21 — it faces the significant challenge of offramping its assets. STORY CONTINUES BELOW Don't miss another story. Subscribe to the State of Crypto Newsletter today . See all newsletters Sign me up By signing up, you will receive emails about CoinDesk products and you agree to our terms of use and privacy policy . It cannot simply send the funds to a major exchange like Binance or Coinbase, because such firms implement Know-Your-Customer (KYC) checks and work in conjunction with law enforcement agencies to freeze illegally-obtained funds as soon as they’re deposited on their platforms. Instead, North Korea uses a well-developed network of over-the-counter (OTC) brokers to launder the stolen funds, according to Ari Redbord, global head of policy at blockchain analytics firm TRM Labs. “They'll look to exchanges globally that don't have compliance controls in place,” Redbord, a former senior advisor to the Deputy Secretary and the Undersecretary for Terrorism and Financial Intelligence at the U.S. Treasury, told CoinDesk in an interview. “Everyone uses Chinese money laundering organizations. The cartels use them to move funds. There’s a network there that North Koreans have used for years.” “But it’s not just China. Look around the world at places where you have no regulation or a lack of money laundering controls. Russia has been like a money laundering state for a very long time. There's tons of dark net market activity and ransomware actors that are related to Russia. North Korea has also used casinos in Macau to launder fiat.” Off-ramping billions To the best of our knowledge, North Korea has never used crypto to pay for things on the international scene. Instead, it tries to convert the tokens into government-issued currencies like the Chinese renminbi or the U.S. dollar, Redbord said. But off-ramping billions in value isn’t easy. North Korea has stolen more than $5 billion since 2017, according to TRM. Broken down on a per-month basis, that means that North Korea has needed to offramp at least $51 million per month on average — which is way too much for its money laundering network’s capabilities. “You're inevitably seeing these funds sit in wallets over long periods of time. I don't think that's them setting up a strategic reserve of some kind; they’re just not being able to off-ramp the funds,” Redbord said. “In every world, North Korea wants to get those funds off-chain as fast as they can.” “It’s so much money. Think about Pablo Escobar — he had this huge problem with storing cash. He didn’t know where to put it all,” Redbord added. “That's what North Korea has with crypto right now.” In the Bybit hack’s case, the vast majority of the stolen ETH has already been bridged to Bitcoin via THORswap, a protocol that enables permissionless swaps between the Ethereum and Bitcoin networks. The haul is now being fed through mixers (protocols that allow users to obfuscate their transactions on the blockchain) like Wasabi and CryptoMixer. These platforms typically process no more than $10 million a day, meaning that North Korea faces potential bottlenecks even before trying to offramp its stolen funds through OTC brokers. “Whether these mixers can continue to absorb the amount of money at play is an open question,” TRM said in a recent report. What happens afterwards? Once funds are offramped through OTC brokers, the trail goes cold for blockchain analysis firms like TRM, but not necessarily for governmental agencies like the Federal Bureau of Investigation (FBI), Homeland Security Investigations (HSI) or IRS Criminal Investigation (IRS-CI), which each have a broad panoply of intelligence-gathering tools at their disposal. Such agencies may use human intelligence (interviews, interrogations and espionage) and signals intelligence (intercepting communications or gathering information from electronic devices) to boost their investigations. These agencies are sometimes able to retrieve stolen funds. In the case of the Colonial Pipeline ransomware attack in 2021, the Department of Justice (DOJ) was eventually able to recover almost 85% of the bitcoin (BTC) ransom paid to Russian cybercriminal group Darkside . It’s unclear how investigators obtained the hacking group’s private keys. The network of Chinese shell companies that North Korea uses to launder funds — whether from crypto or other sources — is constantly being monitored by U.S. agencies in collaboration with Japanese and South Korean authorities, Redbord said. And getting funds laundered through the Chinese banking system doesn’t necessarily mean the game is won for North Korea. Back in 2019, U.S. federal prosecutors served subpoenas to three Chinese banks in a North Korea money-laundering case. That would ordinarily be impossible because the U.S. government doesn’t have jurisdiction over the Chinese banking system, Redbord, who worked on the case, explained. But a provision under the USA PATRIOT Act enables the practice under specific circumstances. If the foreign bank does not respond, the U.S. government is allowed to cut off the bank’s correspondent banking — essentially disconnecting the foreign bank from the U.S. banking system. In that particular case, the Chinese banks eventually complied with the subpoena, Redbord said. But the strategy is hard to replicate because it requires serious political capital. “We’re talking about some of the biggest banks in the world. If you were to actually cut off correspondent banking from one of the major Chinese banks, it would not be good for the economy,” Redbord said. That’s why the Treasury Secretary and Attorney General need to sign off on this kind of strategy. “If any administration would be willing to lean in a little bit, it would probably be this one,” Redbord said. “Issuing a subpoena to a small or mid-sized Chinese bank is probably something that would be worth doing. It does send a really strong message.” North Korea Bybit Money Laundering China Feature Tom Carreras Tom writes about markets, bitcoin mining and crypto adoption in Latin America. He has a bachelor's degree in English literature from McGill University, and can usually be found in Costa Rica. He holds BTC above CoinDesk's disclosure threshold of $1,000. X icon About About Us Masthead Careers CoinDesk News Crypto API Documentation Contact Contact Us Accessibility Advertise Sitemap System Status DISCLOSURE & POLICES CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies . CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one. Ethics Privacy Terms of Use Cookie Consent Do Not Sell My Info © 2025 CoinDesk, Inc. X icon