How North Korea Cashes Out Stolen Cryptocurrency to Fiat

How North Korea Cashes Out Stolen Cryptocurrency to Fiat

North Korea doesn’t need to rob banks. It hacks crypto exchanges instead. And it’s getting better at it every year.

In February 2025, hackers linked to the North Korean regime stole $1.5 billion from Bybit - the largest single cryptocurrency heist in history. The money didn’t vanish. It didn’t disappear into the blockchain. It turned into cash. Real, spendable, untraceable cash. And that’s the real problem.

This isn’t a one-off. Since 2017, North Korean state-backed hackers have stolen over $3 billion in crypto. They’ve turned $2.1 billion of it into fiat currency. That money buys missiles, submarines, and nuclear warheads. It funds a regime under some of the strictest sanctions in the world. And they’re doing it by turning crypto’s biggest strengths - speed, anonymity, and global access - into weapons against global finance.

The Four-Step Cash-Out Machine

North Korea doesn’t just withdraw stolen crypto to a bank. That’s too easy. Too traceable. Instead, they run a four-stage laundering operation that looks like a well-oiled military campaign.

Stage 1: The Heist - Most attacks start with phishing, fake software updates, or compromised developer accounts. In the 2023 Atomic Wallet hack, hackers slipped malware into a popular wallet app. Once installed, it stole private keys from 4,100 users. No brute force. No cracking. Just social engineering. It’s cheaper, faster, and harder to stop.

Stage 2: Cross-Chain Chaos - Right after the theft, the stolen assets get moved across multiple blockchains. Ethereum? Done. Now it’s on Binance Smart Chain. Then Solana. Then Avalanche. Each transfer adds layers of confusion. Between 2021 and 2025, North Korean-linked groups moved over $1.2 billion through cross-chain bridges like Ren Bridge and Avalanche Bridge. These bridges let users swap assets between networks - but they’re poorly regulated. That’s the loophole.

Stage 3: The Bitcoin Pivot - Over 80% of stolen crypto ends up as Bitcoin. Why? Because Bitcoin is the most liquid, the most accepted, and the hardest to trace at scale. Once assets are converted to BTC, they’re easier to move through over-the-counter (OTC) desks and crypto ATMs without triggering alerts. In the Bybit hack, 87% of the stolen Ethereum was turned into Bitcoin within 72 hours. Speed matters. The faster they convert, the less time analysts have to freeze accounts.

Stage 4: The Fiat Flip - This is where it gets real. Bitcoin doesn’t pay for missiles. Dollars do. So the final step is converting Bitcoin into cash. And for that, North Korea relies on a handful of weak spots in the global financial system.

Cambodia: The Cash-Out Capital

If you want to turn crypto into cash without questions, go to Cambodia.

Since 2021, the U.S. Treasury has identified Cambodia’s Huione Group as the primary laundering hub for North Korean crypto. Huione operates under the guise of a legitimate financial services company. But its subsidiaries - Huione Guarantee and Huione Crypto - are fronts. They issue non-freezable stablecoins that look like real money but can’t be blocked by sanctions. These stablecoins are then traded for cash in Sihanoukville, where North Korea runs at least 14 crypto cafes.

These cafes don’t need IDs. They don’t ask questions. They take Bitcoin, give you cash. One cafe processes up to $2 million a month. And they’re not alone. Macau’s casinos accept crypto deposits with only 5% KYC checks - compared to 95% in regulated markets. That’s a 19x difference. North Korea exploits that gap.

The Human Network: IT Workers as Money Mules

North Korea doesn’t just rely on tech. It relies on people.

Thousands of North Korean IT workers are stationed in China, Russia, and Southeast Asia. They don’t work as hackers. They work as software engineers, customer support reps, and blockchain developers - at real companies. They use fake Vietnamese, Indian, or U.S. identities. Their job? Build backdoors.

According to CSIS, 27 cases in 2024 showed North Korean employees at Chinese exchanges setting up direct wallet-to-bank transfers with only 12-hour notice before funds left the system. Standard fraud detection takes 72 hours. That’s a 48-hour window to move millions before anyone notices.

Some work as freelancers. They sign up for crypto payment gigs on platforms like Upwork or Fiverr. They complete fake projects. Then they cash out the crypto through local exchanges with no ID checks. They’re not stealing - they’re being paid. And the money? It flows back to Pyongyang.

Why Tornado Cash Died - And What Replaced It

Five years ago, North Korea used Tornado Cash to mix stolen crypto. It was the go-to tool. Until the U.S. sanctioned it in August 2022. The tool froze. The funds were blocked. And North Korea had to adapt.

They didn’t build a better mixer. They built a faster system.

Now, they use what experts call “flood the zone.” Instead of one big messy transaction, they run 400-500 small, high-frequency transfers every day. Each one is under $10,000 - the reporting threshold in most countries. No single transaction looks suspicious. But together, they move hundreds of millions.

They’ve also shifted to decentralized finance (DeFi) protocols. By swapping stolen ETH for USDC on Uniswap, then moving it to a regional exchange that doesn’t ask for ID, they turn crypto into cash without ever touching a centralized exchange. It’s not perfect. But it’s working.

The Crackdown - And Why It’s Not Enough

The world knows what’s happening. The U.S., EU, and UN have slapped sanctions on dozens of wallets, exchanges, and individuals linked to North Korea. The Crypto-Asset Reporting Framework now forces exchanges in over 100 countries to share customer data. In Q1 2025, North Korea’s cash-out success rate dropped 22% compared to the last quarter of 2024.

But here’s the catch: their speed has increased by 65% since 2022. Their success rate in converting crypto to fiat within 90 days jumped from 65% to 92%. They’re adapting faster than regulators can react.

Chainalysis CEO Michael Gronager told Congress in April 2025: “We’re tracking more activity than ever - but we’re catching less.”

Why? Because the tools they’re using now - cross-chain bridges, DeFi protocols, fake IT workers - aren’t controlled by any single government. They’re global. Decentralized. And legal in many places.

The Future: Stablecoin Arbitrage and Custom Protocols

North Korea isn’t slowing down. It’s upgrading.

According to a March 2025 CSIS report, the regime is testing “stablecoin arbitrage laundering.” Here’s how it works: steal ETH → convert to USDC on a decentralized exchange → send it to a low-regulation exchange in Southeast Asia → sell USDC for local currency at a premium → profit. The price difference between markets is small, but when you’re moving $50 million, it adds up.

They’ve also recruited 37 blockchain developers from failed crypto startups to build custom cross-chain protocols. These aren’t public tools. They’re private, encrypted, and designed to hide transaction trails. One prototype could process $500 million without leaving a trace.

But the clock is ticking. Treasury Secretary Janet Yellen said in May 2025 that North Korea’s cash-out success rate could drop to 40% by 2027 - if global cooperation holds.

That’s a big “if.”

What’s Next?

North Korea’s crypto cash-out system is a perfect storm of tech, geography, and human deception. It’s not going away. It’s evolving.

Right now, the best defense is speed, coordination, and closing the weakest links: unregulated exchanges, fake identities, and cash-heavy crypto cafes. But as long as there’s a country that doesn’t ask for ID, or a developer willing to lie about where they’re from, North Korea will keep turning stolen crypto into weapons.

The question isn’t whether they can do it. They already are.

The question is: how long will the world let them?