A North Korea flag flutters next to concertina wire at the North Korean embassy in Kuala Lumpur
Reuters

North Korea is believed to have siphoned off roughly $2.84 billion (approximately £2.12 billion) in cryptocurrency since early 2024, with Chinese intermediaries playing a central role in disguising and liquidating the stolen funds, according to a new report. The findings underline the growing scale of Pyongyang's cyber operations, which have become a crucial source of foreign currency for the regime.

Large-Scale Crypto Theft Revealed

The Multilateral Sanctions Monitoring Team (MSMT), a coalition of 11 countries including South Korea, the United States, and Japan, released its second report on North Korea's cyber activities this week. The document describes an extensive network of hackers and overseas IT workers responsible for breaching major cryptocurrency exchanges. These attacks generated hundreds of millions of dollars that were later used to support the country's weapons and research programmes.

Of the total amount stolen, approximately $1.19 billion (£900 million) was taken in 2024, representing roughly one-third of North Korea's foreign currency earnings that year. Meanwhile, the remaining $1.65 billion (£1.23 billion) was seized between January and September 2025. The affected exchanges included Bybit in the United Arab Emirates, DMM Bitcoin in Japan, WazirX in India, and Singapore-based BingX and Phemex. After the thefts, the funds were then channelled through brokers and shell companies across Asia before being converted into cash.

China's Networks Under Scrutiny

Investigators found that North Korea relied heavily on networks in China, Russia, Hong Kong, and Cambodia to launder its profits. Chinese nationals allegedly provided forged identification documents and access to payment systems, which allowed North Korean operatives to withdraw funds undetected.

The report stated that Pyongyang's cyber units also utilised China's financial system, including UnionPay credit cards and commercial banks, to facilitate international money transfers. In Cambodia, Huione Group and its payment platform, Huione Pay, were identified as key channels for cash-outs and cryptocurrency laundering.

In 2024, three member states of the MSMT raised concerns with the Cambodian government about Huione Pay's links to sanctioned North Korean entities. The US Treasury Department later imposed sanctions on Huione Group for laundering funds from online scams and state-backed cybercrimes.

Overseas IT Workers Continue to Fund Regime

The report also highlighted how North Korea's overseas IT workforce continues to earn significant income for the regime despite UN sanctions banning such employment. These workers generated between $350 million and $800 million (£225 million to £600 million) in 2024, with approximately half of their earnings reportedly being sent back to Pyongyang.

An estimated 1,000 to 2,000 North Korean tech professionals are believed to be working abroad across at least eight nations, according to the report. The largest groups are based in China and Russia, while smaller numbers work in Laos, Cambodia, and several African countries, including Nigeria and Tanzania. Many secure contracts with companies in the United States and Europe by using false identities and remote access. Their projects often involve AI, blockchain and web development.

The MSMT said these IT workers report to organisations linked to the Reconnaissance General Bureau and the Ministry of Defence. Their income remains a significant source of funding for North Korea's military and weapons development efforts.

International Efforts to Tighten Sanctions

The MSMT was formed in 2024 following Russia's decision to block the renewal of the UN Panel of Experts, which had previously overseen sanctions enforcement against North Korea. The team now serves as a joint mechanism for monitoring Pyongyang's sanctions evasion and cyber activity.

Its latest findings have prompted calls for tighter coordination among international financial regulators to curb illicit transactions and improve cybersecurity. The report also urged governments to increase surveillance of foreign IT contracts that could benefit North Korean entities.

Writer's pick