North Korea Crypto Ban vs. State Hacking: How the DPRK Steals Billions in 2026
May 18, 2026
For years, we thought of North Korea as a closed-off nation trying to sneak small amounts of money out under strict international sanctions. That image is outdated. Today, the Democratic People's Republic of Korea (DPRK) operates one of the most sophisticated and aggressive cybercrime enterprises in the world. They aren't just bypassing rules; they are rewriting them through massive digital heists.
In 2025 alone, North Korean hackers stole over $2.17 billion from cryptocurrency services. To put that in perspective, this single year’s haul exceeded the total stolen in all of 2024 combined. The defining moment was the February 2025 breach of the ByBit exchange, a major virtual asset trading platform. This attack, labeled "TraderTraitor" by the FBI, resulted in the theft of approximately $1.5 billion USD. It remains the largest cryptocurrency theft in history. When you see numbers like this, it’s not just about lost money; it’s about national security, global financial stability, and the future of how we protect our digital assets.
The TraderTraitor Attack: Breaking the Unbreakable
What makes the ByBit hack so alarming isn’t just the amount stolen; it’s how it happened. For a long time, the industry believed that "cold storage" wallets were safe. These are hardware devices kept offline, isolated from the internet, designed to be nearly impervious to remote attacks. The fact that North Korean actors breached this level of security signals a massive leap in their capabilities.
The FBI confirmed the attack occurred on February 21, 2025. The group behind it, known as TraderTraitor, didn’t use a simple virus or a brute-force attack. Instead, they relied on advanced social engineering. This means they manipulated people, likely IT personnel within the company, to gain access. Once inside, they moved fast. They converted the stolen assets into Bitcoin and other cryptocurrencies, dispersing them across thousands of addresses on multiple blockchains. This dispersion makes tracking incredibly difficult because the funds are fragmented and mixed with legitimate transactions.
This method shows that North Korea has either significantly expanded its own money laundering infrastructure or, more likely, partnered with underground financial networks in countries like China. These networks have enhanced their capacity to absorb and process illicit funds quickly. The speed at which TraderTraitor actors moved suggests a well-oiled machine, not a rogue hacker group.
Beyond Direct Hacks: The Three-Pronged Strategy
Direct exchange hacks are only part of the story. North Korea employs a complex three-pronged approach to generate revenue and evade sanctions. Understanding these layers helps us see why traditional cybersecurity measures often fail.
- Complex Money Laundering Networks: North Korea uses third countries to clean their stolen crypto. Cambodia has emerged as a primary hub due to its loosely regulated financial and gambling sectors. In May 2025, the U.S. Financial Crimes Enforcement Network (FinCEN) designated the Cambodia-based Huione Group as a primary money laundering concern. Between 2021 and 2025, approximately $37.6 million in North Korean-linked cryptocurrency was laundered through Huione. Their subsidiaries, including Huione Guarantee and Huione Crypto, provide technical tools for scams and issue stablecoins that cannot be frozen. This allows North Korea to convert illicit proceeds into seemingly legitimate assets without triggering regulatory alarms.
- Disguised IT Workers Abroad: The United Nations estimates that North Korea generates up to $600 million annually by dispatching IT workers abroad. These individuals assume false identities, posing as nationals of China, Russia, African nations, or Southeast Asia. They use Virtual Private Networks (VPNs) and remote monitoring software to hide their true locations, appearing as remote workers based in the U.S. or Europe. They create fake profiles and portfolios to win contracts, demanding payment in cryptocurrency to avoid financial tracking. This human infiltration is often harder to detect than digital breaches.
- State-Sponsored Cyber Units: Groups like TraderTraitor are directly tied to the state. They operate with resources and directives that private criminal gangs simply don’t have. Their goal isn’t just profit; it’s funding the regime’s nuclear and ballistic missile programs while evading international sanctions.
The International Response: Sanctions and Indictments
The U.S. government has responded with swift, coordinated enforcement actions involving multiple agencies. On the same day FinCEN targeted Huione, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the Korea Sobaeksu Trading Company and three associated individuals: Kim Se Un, Jo Kyong Hun, and Myong Chol Min.
Jo Kyong Hun was identified as a North Korea-based Sobaeksu IT team leader who worked closely with Kim Se Un on cryptocurrency issues. Director of OFAC Bradley T. Smith emphasized that the DPRK relies on front companies to procure materials and generate revenue for illegal weapons programs. Alongside Treasury actions, the Department of Justice unsealed indictments against seven DPRK nationals for criminal avoidance of sanctions, including illicit trafficking of counterfeit cigarettes. The Department of State also announced reward offers ranging from $500,000 to $7 million for information leading to their arrest.
However, political pressure continues to mount. U.S. Senators Elizabeth Warren and Jack Reed pressed Treasury and the Department of Justice regarding North Korea’s cryptocurrency theft capabilities. Following the ByBit hack, they noted that it is essential for the United States to redouble efforts to prevent these thefts. Their inquiry, with a deadline set for June 2, 2025, highlights the urgency with which Congress views this threat to national security.
Why Your Exchange Might Not Be Safe Enough
If you hold assets on an exchange, you might assume your funds are secure. But the reality is stark. Industry experts warn that staving off North Korean thefts will likely require much higher spending by cryptocurrency exchanges on cybersecurity measures. Traditional firewalls and encryption are no longer sufficient when attackers can compromise the humans managing the systems.
The FBI has actively engaged the private sector, encouraging RPC node operators, exchanges, bridges, blockchain analytics firms, and DeFi services to block transactions derived from addresses used by TraderTraitor actors. Yet, the challenge remains immense. The partnership between North Korea and local criminal ecosystems in third countries poses an increasingly serious threat. As global priorities shift, containing Pyongyang should remain at the top of the agenda. Traditional sanctions may be insufficient if the digital economy continues to offer such lucrative loopholes.
| Threat Vector | Methodology | Estimated Impact (2025) | Key Challenge for Defense |
|---|---|---|---|
| Direct Exchange Hacks | Social engineering, cold storage breaches | $2.17+ Billion | Human error, insider threats |
| Money Laundering Networks | Third-country hubs (e.g., Cambodia), unfreezable stablecoins | $37.6 Million (via Huione) | Jurisdictional gaps, regulatory arbitrage |
| Disguised IT Workers | False identities, VPNs, crypto payments | Up to $600 Million annually | Detection of remote worker origins |
What You Can Do to Protect Yourself
As individual users, we can’t stop state-sponsored hackers. But we can reduce our exposure. Here are practical steps to consider:
- Use Self-Custody Wallets: Don’t leave large amounts of crypto on exchanges. Use hardware wallets that you control. While even these aren’t 100% immune if compromised via social engineering, you remove the risk of a centralized exchange being hacked.
- Verify Employment Sources: If you work in tech or hire freelancers, be vigilant. Verify identities thoroughly. Look for inconsistencies in backgrounds, especially if payment is requested exclusively in cryptocurrency.
- Stay Updated on Blacklisted Addresses: Follow announcements from the FBI and blockchain analytics firms. If you run a node or service, ensure you are blocking known TraderTraitor addresses.
- Diversify Holdings: Don’t keep all your assets in one place or one type of cryptocurrency. Diversification can limit losses if one platform is compromised.
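For operators acting on the advice above to block known TraderTraitor addresses and funds derived from them, the following is an added example (not code from the FBI or any exchange) of screening addresses against a blocklist and its downstream transfers. It assumes EVM-style `0x` addresses; the addresses, the two-hop limit, and the "review" tier for derived funds are constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-f]{40}")

def normalize(addr):
    """Canonical form for comparison: trimmed, lower-case, 0x + 40 hex digits."""
    a = addr.strip().lower()
    if not ADDR_RE.fullmatch(a):
        raise ValueError(f"not an EVM-style address: {addr!r}")
    return a

def taint_hops(transfers, blocklist, max_hops=2):
    """Walk (sender, receiver) transfers in chronological order and return
    {address: hops from a blocklisted address}. Only funds sent *after* an
    address became tainted propagate, so earlier payments are not flagged."""
    hops = {normalize(a): 0 for a in blocklist}
    for src, dst in transfers:
        src, dst = normalize(src), normalize(dst)
        if src in hops and hops[src] < max_hops:
            hops[dst] = min(hops.get(dst, max_hops), hops[src] + 1)
    return hops

def screen(addr, hops):
    """'block' for a listed address, 'review' for derived funds, else 'allow'."""
    h = hops.get(normalize(addr))
    if h is None:
        return "allow"
    return "block" if h == 0 else "review"

# Constructed sample data, not real indicators.
LISTED = "0x" + "a1" * 20
MULE, CASHOUT, FAR, CLEAN, EARLY = ("0x" + c * 20 for c in ("b2", "c3", "d4", "e5", "f6"))
BLOCKLIST = [LISTED.upper()]  # published lists vary in letter case
TRANSFERS = [
    (MULE, EARLY),    # sent before MULE received listed funds: not tainted
    (LISTED, MULE),   # hop 1
    (MULE, CASHOUT),  # hop 2
    (CASHOUT, FAR),   # hop 3: beyond max_hops, left for deeper analytics
    (CLEAN, MULE),    # inbound from a clean address changes nothing
]
HOPS = taint_hops(TRANSFERS, BLOCKLIST)

if __name__ == "__main__":
    for a in (LISTED, MULE, CASHOUT, FAR, EARLY, CLEAN):
        print(a[:6], screen(a, HOPS))
```

Processing transfers in chronological order is what keeps `EARLY` clean: it was paid before the intermediary ever touched listed funds.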
Did North Korea really ban cryptocurrency?
Yes, North Korea officially bans citizens from owning or using cryptocurrency. However, the state itself actively engages in crypto theft and trading. This contradiction allows the regime to maintain control over its population while secretly generating billions to fund its military and leadership.
What was the ByBit hack?
The ByBit hack was a massive cyberattack in February 2025 where North Korean hackers, identified as the TraderTraitor group, stole approximately $1.5 billion in virtual assets. It is the largest cryptocurrency theft in history and involved breaching previously secure cold storage wallets.
Who is TraderTraitor?
TraderTraitor is the name given by the FBI to a North Korean state-sponsored hacking group. They are known for sophisticated social engineering tactics and large-scale cryptocurrency thefts, including the ByBit hack. They operate with direct ties to the DPRK government.
How does North Korea launder stolen crypto?
North Korea uses complex networks in third countries like Cambodia. Entities like the Huione Group help launder funds through loosely regulated financial sectors and issue unfreezable stablecoins. They also use disguised IT workers abroad to convert crypto into fiat currency.
Is my cryptocurrency exchange safe from North Korean hackers?
No exchange is completely safe. The ByBit hack showed that even cold storage can be breached through social engineering. Experts recommend using self-custody hardware wallets and staying informed about blacklisted addresses to minimize risk.
What is the role of the Huione Group?
The Huione Group, based in Cambodia, was designated by FinCEN as a primary money laundering concern. It facilitated the laundering of $37.6 million in North Korean-linked crypto between 2021 and 2025, providing infrastructure and unfreezable stablecoins to help the DPRK evade sanctions.