
In short
- A report from the US and other Western countries has found that North Korea is becoming more systematic and sophisticated in its crypto hacking activities.
- Yet a contributor to the report, Chainalysis, indicates that Western agencies and companies are increasingly adapting to the growing threat.
- North Korea’s hacking activities have been supplemented in recent months by an IT work program, which has expanded into China and is also expanding into Russia.
North Korea has stolen $2.84 billion worth of cryptocurrencies since January 2024, according to a new report from the Multilateral Sanctions Monitoring Team.
The MSMT, responsible for monitoring the violation of UN sanctions against the Democratic People’s Republic of Korea, also found that the DPRK stole “at least” $1.65 billion between January and September this year.
Much of this was the result of February’s Bybit hack, but the MSMT – which lists the US, Japan, Germany, France, Canada, Australia and other Western countries as participating states – also reports that North Korea has expanded its use of remote IT work.
The international deployment of IT personnel violates UN Security Council Resolutions 2375 and 2397, which prohibit the employment of North Korean workers. However, this has not stopped the Democratic People’s Republic of Korea from participating in the labor markets of at least eight countries.
These include China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria and Tanzania, with the report detailing how between 1,000 and 1,500 North Korean workers were based in China, and how Pyongyang planned to send as many as 40,000 workers to Russia.
The growing ‘fight back’
But while the MSMT concludes that North Korea’s cyber force is “a full-spectrum, national program that operates in a sophisticated manner and approximates the cyber programs of China and Russia,” the contributions to the report also testify that Western agencies and companies are increasingly adapting to the problem.
“While North Korea-linked hackers pose a significant threat, the ability of law enforcement, national security agencies and the private sector to identify and fight back against associated risks is growing,” said Andrew Fierman, Head of National Security Intelligence at Chainalysis.
Speaking with Declutter, Fierman gave an example from August, when the US Office of Foreign Assets Control (OFAC) imposed sanctions on a fraudulent network of IT workers linked to the DPRK.
He explained: “These actors were designated for their involvement in programs that divert DPRK IT employee revenues in support of the DPRK’s weapons of mass destruction and ballistic missile programs.”
Fierman also noted how tens of millions of dollars in cryptocurrency were recovered from February’s Bybit hack, while Declutter reported in June how some of the money had been traced to a Greek crypto exchange.
“The private sector is more effectively identifying threats to IT workers in the DPRK, as most recently demonstrated by Kraken’s efforts in May 2025,” Fierman added. In August, Binance’s chief security officer told Declutter that, on a daily basis, the exchange ignores resumes from North Korean attackers who want to be hired by the company.
Crypto and North Korea’s weapons program
The ability to identify and thwart North Korean activities is of significant importance because, as the report and Fierman make clear, the resources generated by the DPRK’s activities are generally diverted to the country’s weapons program.
“The MSMT report details how these funds are used to purchase everything from armored vehicles to portable air defense missile systems,” Fierman said. “Meanwhile, the DPRK’s cyber espionage operations target critical industries including semiconductors, uranium processing and missile technology, creating a dangerous feedback loop between their financial crimes and military capabilities.”
In light of such threats, Fierman has recommended greater collaboration between public and private entities, something of which the MSMT report is a product, given the involvement of Chainalysis, Google Cloud’s Mandiant, DTEX, Palo Alto Networks, Upwork and Sekoia.io.
He said: “Data sharing initiatives, government advisories, real-time security solutions, advanced tracing tools and targeted training can enable stakeholders to quickly identify and neutralize malicious actors while building the resilience needed to protect crypto assets.”
Using blockchain intelligence and traditional cybersecurity measures, affected parties can identify and freeze stolen funds before they are laundered, while also mapping North Korea’s financial networks.
Based on this, Fierman and Chainalysis recommend that organizations “implement comprehensive blockchain monitoring, develop enhanced due diligence for hiring IT contractors, deploy advanced threat detection systems, conduct regular security audits, and establish clear protocols for large transactions.”

