North Korea stole $2.84b in crypto over 21 months, allied monitoring team reports

The United States and ten allied nations have released a report detailing how North Korean cyber actors stole at least $2.84 billion in cryptocurrency over 21 months while deploying thousands of IT workers to at least eight countries in systematic violations of UN Security Council resolutions.

The Multilateral Sanctions Monitoring Team (‘MSMT’), which reports on UN sanctions violations by Pyongyang, said North Korean cyber actors stole at least $1.19 billion in cryptocurrency in 2024 and at least $1.65 billion from January to September 2025, owing predominantly to the theft of $1.4 billion from cryptocurrency exchange Bybit in February.

‘Under North Korean leader Kim Jong Un, the DPRK cyber force has expanded into a full-scope, national program operating at a sophistication approaching the cyber programs of those in China and Russia,’ the report assessed. ‘The DPRK employs its cyber capabilities to circumvent UN sanctions and generate revenue for the DPRK’s priorities, including the unlawful development of its WMD and ballistic missile programs.’

The publication, the second by the MSMT following a May report on unlawful military cooperation between North Korea and Russia, details deep connections between UN-designated North Korean entities and malicious cyber activities including cryptocurrency theft, fraudulent IT work and cyber espionage.

‘The DPRK relies upon networks of North Korean nationals abroad and foreign-based facilitators, including in China, Russia, Argentina, Cambodia, Vietnam, and the United Arab Emirates, to launder stolen digital assets into fiat currency for procurement activities and for funding its unlawful WMD and ballistic missile programs,’ the report said. ‘DPRK cyber actors use a diverse array of cryptocurrency services registered in UN Member State jurisdictions around the world to launder stolen cryptocurrency before ultimately attempting to convert it into fiat currency.’

During the reporting period from January 2024 to September 2025, North Korea deployed IT worker delegations to at least eight countries – China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria and Tanzania – according to the report. The overwhelming majority of North Korean IT workers – between 1,000 to 1,500 – were based in China, though the report found North Korea planned to dispatch a new deployment of 40,000 labourers to Russia, including several delegations of IT workers.

North Korean IT workers relied on foreign facilitators in Japan, Ukraine, the United Arab Emirates and the United States to secure employment, provide support and remit earnings back to North Korean actors, the report stated. 

UN Security Council Resolutions prohibit all member states from providing North Korean nationals with work authorisations and in December 2019 required that countries repatriate those nationals earning income while living in their jurisdictions.

The report found North Korea relied heavily on access to Chinese infrastructure, financial institutions and facilitators based in China to conduct IT work and cryptocurrency laundering. At least 15 Chinese banks were used by North Korea to launder funds related to IT work or cryptocurrency heists, with North Korean actors relying heavily on over-the-counter traders in China to convert stolen cryptocurrency into fiat currency.

‘Nearly all the DPRK’s malicious cyber activity, cybercrime, laundering, and IT work is carried out under the supervision, direction, and for the benefit of entities sanctioned by the UN for their role in the DPRK’s unlawful WMD and ballistic missile programs,’ the report stated.

The MSMT was established in October 2024 to monitor North Korea sanctions implementation after Russia vetoed the renewal of the UN Security Council’s Panel of Experts, which disbanded in April 2024. 

The report includes 11 recommendations for UN member states, including raising awareness about North Korean sanctions violations, examining specific individuals and entities identified in the report, maintaining capabilities to trace cryptocurrency transactions, repatriating overseas North Korean IT workers, and exercising vigilance to protect against the risk of employing North Korean IT workers.