Imagine stealing $1.5 billion in digital currency and needing to turn it into physical cash without triggering a single alarm. That is the daily challenge for Alexies Diaz's subject of study: the North Korean state-sponsored hacking apparatus. For years, we thought these groups were just tech-savvy criminals. We were wrong. They are a sophisticated financial engine. Between 2017 and 2023, North Korean hackers stole over $3 billion in cryptocurrency. In 2024 and 2025 alone, that pace accelerated dangerously. The February 2025 hack of the Bybit exchange, which saw $1.5 billion vanish, was not an anomaly; it was a proof of concept.
The real question isn't how they steal the money. It's how they spend it. You can't buy missiles or fuel with Ethereum on the black market. You need fiat currency: dollars, euros, yuan. This article breaks down exactly how the regime moves stolen assets from the blockchain to bank accounts, bypassing international sanctions and funding its weapons programs.
The "Flood the Zone" Strategy
When North Korean hackers strike, their first move is speed and confusion. Nick Carlsen, a former FBI expert and current lead at TRM Labs, calls this the "flood the zone" technique. Instead of moving funds slowly through a few wallets, they execute 400 to 500 high-frequency transactions every day across multiple platforms. The goal is simple: overwhelm blockchain analysts.
Take the March 2022 Ronin Bridge hack. Hackers stole $625 million using compromised validator keys. But look at what happened next. They didn't sit on the funds. They routed portions of the stolen Ethereum through Binance Smart Chain and Solana networks before converting 87% of those assets directly to Bitcoin within 72 hours. Why Bitcoin? Because it has the deepest liquidity. According to a February 2025 analysis by the Center for Strategic and International Studies (CSIS), 73% of stolen assets now pass through at least three different blockchain networks before any attempt is made to cash out.
This process follows four distinct technical phases:
- Initial Theft: Usually via phishing or infrastructure compromise. The FBI notes that 68% of attacks start here.
- Cross-Chain Movement: Funds move through bridges like Ren Bridge or Avalanche Bridge. In 2024 alone, these bridges processed $1.2 billion in North Korean-linked transactions.
- Conversion to Bitcoin: Bitcoin is the preferred intermediary because it’s easier to launder globally. It represents 82% of final conversion targets.
- Fiat Conversion: The final step involves third-party networks with minimal Know Your Customer (KYC) requirements.
Gone are the days of relying solely on mixing services like Tornado Cash. While Tornado Cash processed $455 million in sanctions violations before its shutdown in September 2022, the regime has pivoted. They now use cross-chain bridges and automated transaction patterns to obscure the origin of funds faster than regulators can react.
Geographic Hubs: Where the Money Lands
You cannot convert billions in crypto to cash in isolation. You need geographic hubs with loose regulations. Cambodia has emerged as the primary center for this activity. Its financial sector is loosely regulated, making it a perfect playground for illicit finance.
In May 2025, the Financial Crimes Enforcement Network (FinCEN) designated Cambodia's Huione Group as a primary money laundering concern. Here is the hard data: between 2021 and 2025, Huione processed $37.6 million in North Korean-linked cryptocurrency. The U.S. Treasury Department confirmed direct ties between Huione executives and North Korean actors. Huione isn't just a passive player. Its subsidiaries actively facilitate the cash-out phase. Huione Guarantee provides infrastructure for scams, while Huione Crypto issues non-freezable stablecoins that convert illicit assets into ostensibly legitimate value.
China remains a secondary hub, despite increased scrutiny. In February 2024, the Department of Justice indicted two Chinese nationals for running a network that processed $250 million in North Korean cryptocurrency through 37 Chinese bank accounts. They did this with minimal documentation, exploiting gaps in local enforcement.
Southeast Asian gambling platforms also serve as critical conversion vectors. A 2024 TRM Labs report showed that 15% of stolen funds passed through Macau-based casinos. These casinos accept cryptocurrency deposits with only 5% verification rates. Compare that to the standard 95% KYC requirement in regulated markets, and you see why criminals prefer this route.
| Hub Location | Primary Mechanism | Volume Processed (Est.) | KYC Strictness |
|---|---|---|---|
| Cambodia (Huione Group) | Stablecoin issuance & scam infrastructure | $37.6 million (2021-2025) | Very Low |
| China | Bank account networks & OTC desks | $250 million (single network case) | Low (exploited) |
| Macau Casinos | Crypto-to-chip conversion | 15% of total stolen funds | 5% Verification Rate |
The Human Element: IT Workers Abroad
Technology is only half the story. The other half is people. North Korea has strategically deployed thousands of IT workers abroad to facilitate the fiat conversion process. The UN Panel of Experts' December 2024 report estimates these workers generate $600 million annually for the regime.
These workers are primarily based in China, Russia, and Southeast Asia. They assume false identities to gain employment with cryptocurrency exchanges and fintech firms. Once inside, they create backdoors for fund movement. CSIS documented 27 specific cases in 2024 where North Korean IT workers at Chinese exchanges enabled direct wallet-to-bank transfers with only 12-hour notification periods. This bypasses the standard 72-hour fraud detection window used by most legitimate exchanges.
How do they stay hidden? Sophisticated location masking. They use virtual private networks and remote monitoring software to appear as legitimate remote workers based in the United States or Europe. According to the FBI's Cyber Division 2025 threat assessment, 89% of these workers use falsified Indian or Vietnamese identities. Their primary function is establishing clean withdrawal channels. When working as freelancers, they create fake profiles to secure cryptocurrency payment contracts, then convert digital assets to fiat through local exchange networks with minimal oversight.
Evolution of Methodology: From Mixing to Arbitrage
North Korea's approach has evolved significantly since 2017. Dr. Kim Heung Kwang, a defector and former computer science professor at Hamheung Computer Technology University, explained in a March 2025 CSIS interview that the regime's 'Lazarus Group' now operates with military precision. They treat each hack as a strategic resource extraction mission rather than opportunistic theft.
The Atomic Wallet hack of June 3, 2023, demonstrated this sophistication. After stealing $100 million from 4,100 individual addresses through a supply chain attack, hackers executed 1,842 cross-chain transactions within 48 hours. They then funneled funds through 17 different Over-The-Counter (OTC) desks, keeping average transaction sizes below $10,000 to avoid reporting thresholds.
James Chappell, Co-Founder of Digital Shadows, noted in a February 2025 Elliptic webinar that North Korean launderers now achieve 92% success rates in converting stolen crypto to fiat within 90 days. That is up from 65% in 2020. The primary driver? Exploiting regulatory gaps in Decentralized Finance (DeFi).
However, the landscape is shifting. The September 2022 sanctions against Tornado Cash eliminated their primary mixing service, which had processed $1.2 billion in stolen funds between 2019 and 2022. As a result, the regime has shifted toward speed-based laundering. Today, 78% of stolen assets are converted within 72 hours, compared to 120 hours in 2021, according to TRM Labs' Q1 2025 threat report.
The Closing Window: Regulatory Pressure
Despite their adaptability, North Korea faces significant headwinds. The most significant constraint remains final fiat conversion points. Only 3-5% of global cryptocurrency exchanges maintain sufficiently lax KYC procedures to facilitate large-scale withdrawals without triggering alerts. This bottleneck has driven North Korea toward establishing its own conversion infrastructure.
FinCEN documented 14 North Korean-controlled 'crypto cafes' operating in Cambodia's Sihanoukville region as of March 2025. Each cafe processes $500,000 to $2 million monthly in cash transactions with no identification required. But even this is becoming harder.
The Department of Treasury's Office of Foreign Assets Control (OFAC) reported a 22% decrease in successful North Korean cash-outs in Q1 2025 compared to Q4 2024. Why? The implementation of the Crypto-Asset Reporting Framework, which requires exchanges to share beneficiary information across 100+ jurisdictions. Michael Gronager, CEO of Chainalysis, warned in congressional testimony on April 10, 2025, that while blockchain analysis has improved tracking capabilities by 40% since 2022, North Korea's adaptation speed has increased by 65%. This creates a widening gap in effective interdiction, but the trend is clear: the window is closing.
Treasury Secretary Janet Yellen stated in congressional testimony on May 15, 2025, that the projected success rate for North Korean cash-outs will decline to 40% by 2027 due to coordinated international regulatory action. However, Dr. Kim Heung Kwang cautions that the regime will continue adapting until cryptocurrency itself becomes fully regulated or obsolete.
Next Steps for Investors and Analysts
If you are an investor or analyst, understanding these mechanisms is crucial for risk management. Here is what you should watch for:
- High-Frequency Cross-Chain Movements: If you see a wallet executing hundreds of transactions across multiple chains in a short period, flag it. This is a hallmark of the "flood the zone" technique.
- Sub-$10,000 Transactions: Look for clusters of small transactions moving through OTC desks. This is structuring designed to avoid reporting thresholds.
- Cambodian Entities: Be wary of any counterparty linked to Huione Group or similar entities in Sihanoukville. FinCEN has explicitly named them as concerns.
- False Identity Patterns: If you work in compliance, scrutinize remote workers claiming to be from India or Vietnam but showing connection logs from known high-risk zones. 89% of North Korean IT workers use these specific falsified identities.
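As an added illustration (not code from this article or from any vendor it cites), the first two signals above can be written as a small Python screen over transaction records. The record fields (wallet, ts, chain, usd, venue), the minimum cluster size and the 48-hour window are assumptions; the 400-per-day, three-chain and $10,000 figures come from the text, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Values marked "article" come from the text; the others are assumptions to tune.
FLOOD_TX_PER_DAY = 400               # article: 400 to 500 transactions every day
FLOOD_MIN_CHAINS = 3                 # article: at least three blockchain networks
STRUCT_LIMIT_USD = 10_000            # article: reporting threshold for OTC transfers
STRUCT_MIN_COUNT = 5                 # assumption: smallest cluster worth flagging
STRUCT_WINDOW = timedelta(hours=48)  # assumption: clustering window

def _windows(rows, span):  # sliding window over time-sorted rows, at most `span` wide
    lo = 0
    for hi, row in enumerate(rows):
        while row["ts"] - rows[lo]["ts"] > span:
            lo += 1
        yield rows[lo:hi + 1]

def flag_wallets(txs):
    """Return {wallet: set of heuristic names} for wallets matching a pattern."""
    by_wallet = defaultdict(list)
    for tx in txs:
        by_wallet[tx["wallet"]].append(tx)
    flags = defaultdict(set)
    for wallet, rows in by_wallet.items():
        rows.sort(key=lambda r: r["ts"])
        # "Flood the zone": many transfers inside 24 hours, spread over several chains.
        for win in _windows(rows, timedelta(days=1)):
            if len(win) >= FLOOD_TX_PER_DAY and len({r["chain"] for r in win}) >= FLOOD_MIN_CHAINS:
                flags[wallet].add("flood_the_zone")
                break
        # Structuring: sub-threshold OTC transfers that together exceed the limit.
        small = [r for r in rows if r["venue"] == "otc" and r["usd"] < STRUCT_LIMIT_USD]
        for win in _windows(small, STRUCT_WINDOW):
            if len(win) >= STRUCT_MIN_COUNT and sum(r["usd"] for r in win) >= STRUCT_LIMIT_USD:
                flags[wallet].add("structuring")
                break
    return dict(flags)

def sample_transactions():
    """Constructed data: one flooding wallet, one structuring wallet, one benign."""
    t0 = datetime(2025, 1, 1)
    txs = [{"wallet": "W_FLOOD", "ts": t0 + timedelta(minutes=3 * i), "venue": "bridge",
            "chain": ["ethereum", "bsc", "solana"][i % 3], "usd": 2_000} for i in range(450)]
    txs += [{"wallet": "W_STRUCT", "ts": t0 + timedelta(hours=4 * i), "venue": "otc",
             "chain": "bitcoin", "usd": 9_500} for i in range(6)]
    txs += [{"wallet": "W_BENIGN", "ts": t0 + timedelta(days=i), "venue": "otc",
             "chain": "ethereum", "usd": 300} for i in range(6)]
    return txs

if __name__ == "__main__":
    print(flag_wallets(sample_transactions()))
```

Requiring both volume and chain diversity for the first rule, and an aggregate above the limit for the second, keeps a busy single-chain trading bot or an occasional small OTC customer out of the alert queue.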
The battle for financial transparency is ongoing. North Korea is not going away, but their tools are becoming less effective. Stay informed, use robust blockchain analytics, and never underestimate the sophistication of state-sponsored cybercrime.
How much money has North Korea stolen in cryptocurrency?
Between 2017 and 2023, North Korean state-sponsored hacking groups stole over $3 billion in cryptocurrency through 58 documented cyberattacks. In 2024 and 2025, activity accelerated, including the $1.5 billion Bybit exchange hack in February 2025. The Harvard Belfer Center reports that $2.1 billion of this stolen cryptocurrency was successfully converted to fiat between 2017 and 2025.
What is the "flood the zone" technique?
The "flood the zone" technique is a method used by North Korean hackers to overwhelm blockchain analysts. It involves executing 400-500 high-frequency transactions daily across multiple platforms and blockchain networks. This rapid movement obscures the origin of the funds and makes tracking difficult.
Why does North Korea prefer Bitcoin for laundering?
Bitcoin is the preferred intermediary currency because of its deep liquidity and global acceptance. According to CSIS analysis, 82% of final conversion targets are Bitcoin. It allows the regime to move value across borders more easily than other cryptocurrencies before converting to fiat.
What role does Cambodia play in North Korea's crypto laundering?
Cambodia is the primary fiat conversion center due to its loosely regulated financial sector. The Huione Group, designated by FinCEN in May 2025, processed $37.6 million in North Korean-linked cryptocurrency between 2021 and 2025. Additionally, 14 North Korean-controlled 'crypto cafes' operate in Sihanoukville, processing millions in cash transactions with no ID required.
How are North Korean IT workers involved in the cash-out process?
Thousands of North Korean IT workers are deployed abroad, primarily in China, Russia, and Southeast Asia. They use false identities (often Indian or Vietnamese) to get jobs at crypto exchanges. Inside, they create backdoors to enable direct wallet-to-bank transfers, bypassing standard fraud detection windows. They generate an estimated $600 million annually for the regime.
Is North Korea's ability to cash out crypto declining?
Yes, but slowly. OFAC reported a 22% decrease in successful cash-outs in Q1 2025 compared to Q4 2024. This is due to the Crypto-Asset Reporting Framework and better blockchain forensics. Treasury Secretary Janet Yellen projects success rates will drop to 40% by 2027, though the regime continues to adapt by using DeFi and new cross-chain protocols.