March 7, 2025 | Policy Brief

North Korean Hackers Launder $1.5 Billion Largest Crypto Heist In History

If you want to launder $1 billion in cryptocurrencies, consult a North Korean hacker.

Multiple blockchain analysis experts confirmed on March 3 that North Korean hackers had successfully dispersed most of the $1.5 billion in cryptocurrency assets they stole from Dubai-based exchange Bybit to new virtual wallets, obscuring the origin of the funds and making it harder for law enforcement to trace and recover them. Over the past few years, North Korean hackers have become more proficient at cryptocurrency theft, raising concerns that Pyongyang is increasingly able to withstand global economic pressure over its nuclear program.

Largest Crypto-Theft in History

At the end of February, Bybit announced a significant security breach that resulted in the loss of nearly $1.5 billion worth of the cryptocurrency Ether, the dominant token on the Ethereum blockchain. Experts at Chainalysis, a private blockchain intelligence firm, called this hack the largest cryptocurrency theft in history. The hackers stole more in this single heist than in 47 cryptocurrency robberies throughout 2024. Between 2017 and 2023, North Korea conducted 58 cyberattacks, primarily against cryptocurrency companies, stealing approximately $3 billion in digital currencies.

Days after the attack, the FBI attributed the operation to North Korean hackers, warning that the hackers were “rapidly” converting the stolen assets into Bitcoin and other digital currencies. In the past, North Korean hackers have laundered funds through cryptocurrency exchanges and Chinese banks, according to a federal indictment and Treasury Department sanctions against two of Pyongyang’s accomplices. In the most recent incident, after stealing the funds from Bybit, North Korean hackers used decentralized exchanges and cross-chain bridges to convert a portion of the stolen Ether into Bitcoin, according to TRM Labs, another blockchain analysis firm. While the company was able to track these first steps, each subsequent transaction shifting wallets and currencies makes the initial $1.5 billion harder to trace.

North Korean Hacking Raising Funds for the Regime

This most recent cyberattack aligns with North Korea’s track record of financially motivated cybercrimes. A UN panel of experts focused on North Korea’s nuclear program and its efforts to evade multinational sanctions warned last year that Pyongyang explicitly tasks its hackers with generating revenue for the regime. Indeed, over the past decade, North Korea has integrated financially motivated crime into its evolving offensive cyber strategy and is using cyberattacks to fund and gather information for its ballistic missile and nuclear programs. Pyongyang’s substantial cryptocurrency reserves raise additional, long-term concerns. Not only do the funds insulate the regime from the economic impacts of U.S. and UN sanctions, but they also position North Korea to take advantage of Chinese and Russian efforts to build alternative financial architectures and payment systems that do not rely on Western banks and the U.S. dollar-led financial system. Today, to launder cryptocurrency into fiat currency, North Korea still needs to disguise its behavior to interact with Western financial institutions. In the future, if North Korea can operate only using Russian and Chinese networks, the United States and its allies will lose the ability to impose financial costs on Kim Jong Un’s regime for its malign activities.

U.S. Government Can Help the Crypto Industry Protect Itself

Addressing the long-term concerns about sanctions resistance should be a priority for the administration’s effort to defend the U.S. dollar’s dominance in the international financial system. At the same time, the U.S. government can help prevent the crypto thefts that are fueling North Korea’s reserves. Cybersecurity and blockchain analysis firms are already working with Bybit to understand North Korean hacking and money laundering techniques. The U.S. government, however, has unique capabilities to distribute the findings of these investigations to sharing and analysis centers, sector coordinating councils, and other industry groups to help private companies strengthen defenses against North Korean hackers. With better information, cryptocurrency exchanges can avoid becoming the victim of Pyongyang’s attacks.

Mathew Ha is an adjunct fellow with FDD’s Center on Cyber and Technology Innovation. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
