Over the past few years, North Korea’s cyber units have carried out large-scale operations to infiltrate various structures and steal digital assets

North Korean hackers: the complete dossier, description of methods and chronology of cryptocurrency thefts

26.11.2025

The Multilateral Sanctions Monitoring Team (MSMT) recently published a report entitled “The DPRK’s Violation and Evasion of UN Sanctions through Cyber and Information Technology Worker Activities.” The report provides a systematic overview of how the Democratic People’s Republic of Korea (DPRK) uses cyber capabilities, IT workers, and cryptocurrency operations to circumvent UN sanctions, steal sensitive technology, and obtain financial resources. GetBlock AML Research has published an excerpt of the report’s main points to help readers quickly understand the evolution of North Korea’s cyber threat tactics and trends, thereby raising awareness and protection against complex cyber risks.

MSMT was established to monitor and report on activities that violate or circumvent the sanctions measures outlined in relevant United Nations Security Council (UNSC) resolutions. Its member states include Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea, the United Kingdom, and the United States. The group’s goal is to promote full implementation of UN sanctions against the Democratic People’s Republic of Korea (DPRK) by publishing data based on thorough investigations of sanctions violations and evasion attempts.

According to the report, between 2024 and 2025, North Korea systematically violated several UN Security Council resolutions at the state level. This manifested itself in large-scale cyberattacks, cryptocurrency theft, and cross-border money laundering, as well as the global deployment of IT workers to circumvent sanctions and finance programs for the development of weapons of mass destruction and ballistic missiles.

The DPRK’s cyber capabilities are increasingly approaching the level of the cyber superpowers: in 2024 alone, at least $1.19 billion in cryptocurrency was stolen, and in the first nine months of 2025 another $1.65 billion. In some cases the stolen funds were laundered through crypto services registered in several countries, as well as through numerous OTC traders. The report also confirms that the DPRK has sent IT workers to at least eight countries, relying on foreign intermediaries and financial institutions to manage funds and conceal identities. It continuously extracts sensitive technology through malware, supply chain attacks, and social engineering.

Overall, almost all such activities are controlled by state structures already under UN sanctions and are carried out through foreign front companies and IT workers deployed abroad, with the global sanctions circumvention network steadily expanding.

North Korea’s cyber program

According to the MSMT report, North Korea’s capabilities in the cyber sphere have improved significantly in recent years in terms of organizational structure, technical skills, and cross-border activity. Their maturity is comparable to that of cyber powers. A significant portion of operations is carried out by various APT groups that conduct remote intrusions, system disruptions, intelligence gathering, and revenue-generating operations.

These groups are growing in scale, with new research centers, liaison offices, and operational units emerging, demonstrating the systematic expansion of North Korea’s cyber apparatus. Although the technical qualifications and tasks of different units vary, cooperation between cyberattackers and foreign IT workers is becoming increasingly close, with clear overlaps in tool development, technology exchange, and financing schemes.

The report describes the basic organizational structure of North Korea’s cyber capabilities, which can be summarized in the following diagram:

Organizational structure of North Korean cybercriminals

Overall, North Korea’s cyber operations function through a multi-layered structure within the country and beyond, enabling the coordinated execution of a variety of activities, from malicious operations and IT outsourcing for revenue generation to cross-border money laundering.

Cryptocurrency theft

Since 2017, amid economic pressure and intensifying international sanctions, DPRK cybercriminals have used cryptocurrency theft as a source of income. At that time the crypto industry was growing fast but was barely regulated or protected, which made it a prime target. According to analysis by MSMT member countries, as well as Mandiant and Chainalysis, North Korea stole at least $1.19 billion in 2024, a 50% increase over the previous year. From January to September 2025 the amount had already reached $1.645 billion, bringing the total from January 2024 to September 2025 to at least $2.8 billion.

Amount of funds stolen by North Korean hackers since 2024

Major incidents include the February 2025 hack of the Bybit crypto exchange (Dubai) by the TraderTraitor group, which resulted in the theft of nearly $1.5 billion, the largest theft of crypto assets in history. The Japanese exchange DMM Bitcoin and the Indian exchange WazirX were also seriously affected, and some of the affected exchanges were forced to temporarily suspend operations. According to estimates by MSMT member countries, revenue from crypto theft in 2024 accounted for approximately one-third of North Korea’s total currency income. The report lists the following incidents involving North Korea:

Chronology of cryptocurrency thefts in 2024

Chronology of cryptocurrency thefts in 2025

These cases demonstrate that North Korea’s cyberattacks are not only financially motivated but also expand their impact through supply chain attacks and third-party service hacks, causing asset leakage and disrupting organizations’ operations.

Participating groups and structures

According to the report, several DPRK APT groups and IT workers were involved in the cryptocurrency thefts, including:

TraderTraitor (also known as Jade Sleet, UNC4899)

The most technically advanced DPRK group, using social engineering and supply chain attacks for large-scale thefts. From January 2024 to September 2025 it stole approximately $2.58 billion in cryptocurrency. Key incidents include the hacks of DMM Bitcoin, WazirX, and Bybit. Its attacks often rely on compromising third-party custody services to obtain exchange credentials, which lets the group bypass MFA and transaction limits.

CryptoCore (also known as Sapphire Sleet, Alluring Pisces)

Operates similarly to TraderTraitor. From January 2024 to May 2025 it stole at least $33.5 million. Its targets are employees of crypto companies in more than ten countries. It often uses spear-phishing, posing as recruiters offering job vacancies, as well as malicious NPM packages embedded in “test assignments.”

Known email addresses and domains of the CryptoCore group

Citrine Sleet (also known as AppleJeus, Gleaming Pisces)

Active in spreading malware, exploiting vulnerabilities, and social engineering. It gained particular notoriety in the early 2020s with its AppleJeus campaigns. A notable incident in 2024 was the theft of $50 million from Radiant Capital.

North Korean IT workers

According to available data, they were also involved in cryptocurrency thefts, including the 2024 incidents at Munchables ($62.5 million, later returned), OnyxDAO ($3.8 million), Exclusible Penthouse ($827,000), and BTCTurk.

Attack methods and tactics

APT groups and DPRK IT workers use highly organized and diverse methods:

Social engineering and spear-phishing

One typical example is the Contagious Interview campaign, first discovered by Palo Alto Networks in 2023. The attackers posed as employers, invited victims to interviews, and had them install a software package that deployed the BeaverTail and InvisibleFerret malware.

In 2025, the campaign evolved into ClickFake Interview, expanding its targets to non-technical roles. Victims were redirected to fake “interview” websites where they were persuaded to run commands or software containing malicious code.
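Both the CryptoCore “test assignment” packages and the Contagious Interview installer rely on the victim running `npm install` on an attacker-controlled project. As an added defensive check, not taken from the MSMT report or from GetBlock, the following Node.js script inspects a package.json for install-time lifecycle hooks and flags command patterns worth a manual look; the sample package.json is constructed, while the hook names are npm’s real lifecycle script names.

```javascript
// Added example (not from the MSMT report or GetBlock): flag install-time
// lifecycle hooks in a package.json before running `npm install` on a repo
// received as an interview "test assignment". The sample package.json below
// is constructed; the hook names are the real npm lifecycle script names.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Command fragments in an install hook that warrant a manual look before installing.
const SUSPICIOUS_PATTERNS = [
  /(curl|wget)\s+[^|]*\|\s*(sh|bash)/i, // download-and-pipe straight into a shell
  /node\s+-e\s+/i,                     // inline JavaScript executed at install time
  /eval\s*\(/i,                        // runtime evaluation of assembled code
  /base64/i,                           // encoded payload staging
  /powershell/i,                       // Windows-side script execution
];

// Returns one finding per lifecycle hook present: 'high' when a suspicious
// pattern matches, otherwise 'review' (any install hook deserves a glance).
function auditPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = String(scripts[hook]);
    const hits = SUSPICIOUS_PATTERNS.filter((re) => re.test(cmd)).map((re) => re.source);
    findings.push({ hook, cmd, severity: hits.length > 0 ? 'high' : 'review', hits });
  }
  return findings;
}

// Constructed sample: a legitimate-looking project whose postinstall hook
// decodes and evaluates a hidden payload (the payload itself is elided).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'frontend-coding-challenge',
  scripts: {
    build: 'tsc -p .',
    prepare: 'husky install',
    postinstall: 'node -e "eval(Buffer.from(\'<elided>\',\'base64\').toString())"',
  },
});

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`[${f.severity}] ${f.hook}: ${f.cmd}`);
}
```

Pair the check with `npm install --ignore-scripts` when evaluating an unknown repository, so that no hook runs until it has been read.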

Blackmail and sale of stolen data

From January 2024 to May 2025, the Moonstone Sleet and Andariel groups carried out extortion attacks, including the use of ransomware, the sale of stolen data, and access to darknet markets.

Collaboration with foreign cybercriminals

According to open sources, North Korea collaborates with foreign criminal groups, including the use of Qilin ransomware.

Use of AI tools

North Korean groups use large language models (LLMs) to improve the quality of phishing, create malware, and automate attacks.

North Korea’s cryptocurrency laundering operations

Stealing crypto is only the first step. Next, the funds must be laundered to conceal their origin before being cashed out through a network of OTC brokers in third countries. Typical tools include mixers, bridges, decentralized exchanges (DEXs), aggregators, and P2P platforms.

A typical laundering process:

  • Swap: conversion of stolen tokens into ETH, BTC, DAI, or USDT.
  • Mix: use of Wasabi Wallet, Tornado Cash, JoinMarket, and Railgun.
  • Bridge: transfer of funds via bridges and P2P traders.
  • Store: storage of BTC in “non-custodial” wallets.
  • Mix Again: re-mixing.
  • Bridge: exchange BTC → TRX.
  • Swap: swap TRX → USDT.
  • Convert: transfer USDT to OTC brokers.
  • Remit: receipt of fiat.
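The ordered chain above is also what a tracer looks for on-chain. The following Node.js snippet is an added example, not from the MSMT report or from GetBlock: it walks a constructed transfer graph outward from a victim address, using an assumed address-label feed, and reports which service categories (DEX, mixer, bridge, OTC) the funds touched and at which addresses they came to rest.

```javascript
// Added example (not from the MSMT report or GetBlock): walk a transfer graph
// outward from a victim address and report which labelled service categories
// the funds passed through and where they came to rest. Every address, label
// and transfer below is constructed; a real tracer reads chain data and a
// curated label feed.

// Hypothetical label set: address -> service category.
const LABELS = { '0xDEX1': 'dex', '0xMIXER1': 'mixer', '0xBRIDGE1': 'bridge', 'TOTC1': 'otc' };
// Constructed transfers mirroring the swap -> mix -> bridge -> OTC chain above.
const TRANSFERS = [
  { from: '0xVICTIM', to: '0xHOP1', asset: 'TOKEN', amount: 1000 },
  { from: '0xHOP1', to: '0xDEX1', asset: 'TOKEN', amount: 1000 },
  { from: '0xDEX1', to: '0xHOP2', asset: 'ETH', amount: 10 },
  { from: '0xHOP2', to: '0xMIXER1', asset: 'ETH', amount: 10 },
  { from: '0xMIXER1', to: '0xHOP3', asset: 'ETH', amount: 9.9 },
  { from: '0xHOP3', to: '0xBRIDGE1', asset: 'ETH', amount: 9.9 },
  { from: '0xBRIDGE1', to: 'THOP4', asset: 'TRX', amount: 150000 },
  { from: 'THOP4', to: 'TOTC1', asset: 'USDT', amount: 20000 },
  { from: '0xUNRELATED', to: '0xHOP9', asset: 'ETH', amount: 1 }, // not downstream of the victim
];

// Breadth-first walk over outgoing transfers, bounded by maxHops. Returns the
// categories reached in order of first contact, the dead-end addresses where
// funds currently sit, and how many distinct addresses the trail covered.
function traceExposure(start, transfers, labels, maxHops = 12) {
  const outgoing = new Map();
  for (const t of transfers) {
    if (!outgoing.has(t.from)) outgoing.set(t.from, []);
    outgoing.get(t.from).push(t);
  }
  const seen = new Set([start]);
  const categories = [];
  const terminals = [];
  let frontier = [start];
  for (let hop = 0; hop < maxHops && frontier.length > 0; hop++) {
    const next = [];
    for (const addr of frontier) {
      const outs = outgoing.get(addr) || [];
      if (outs.length === 0) terminals.push(addr);
      for (const t of outs) {
        if (seen.has(t.to)) continue; // skip loops and already-visited addresses
        seen.add(t.to);
        if (labels[t.to] && !categories.includes(labels[t.to])) categories.push(labels[t.to]);
        next.push(t.to);
      }
    }
    frontier = next;
  }
  return { categories, terminals, addressesTouched: seen.size - 1 };
}

console.log(traceExposure('0xVICTIM', TRANSFERS, LABELS));
```

For the constructed data the walk reports the categories dex, mixer, bridge and otc in that order, with the funds resting at TOTC1; an exchange’s compliance team would compare such an exposure list against its deposit screening rules.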

Conversion to cash

Foreign partners, OTC brokers, and a network of intermediaries are used for cashing out.

Links to the foreign financial system

According to MSMT member countries, the DPRK’s First Credit Bank used an American financial company to convert funds from USD to yuan and also holds reserves in dozens of crypto wallets.

Foreign networks of intermediaries

The DPRK often uses third-party money launderers, including platforms such as Huione Pay.

Cryptocurrency as a means of payment

Since 2023, the DPRK has been expanding the use of USDT for the purchase of equipment and materials.

North Korean IT workers: overview and strategic role

According to the report, IT workers are the highest-paid workforce in North Korea. They are required to pay a significant portion of their income to the state and affiliated structures. In 2024, the total income from their activities was estimated at $350–800 million.

Each team is headed by a manager who sets a minimum target of $10,000 per month per employee. The average salary of North Korean IT workers abroad is about $10,000 per month.

Target industries and geography

Main targets: AI, blockchain, web development, defense industry, government agencies, research institutes.

Geography (2024–2025):

  • China: 1000–1500
  • North Korea: 450–1200
  • Russia: 150–300
  • Laos: 20–40
  • Equatorial Guinea: 5–15
  • Guinea: 5–10
  • Nigeria: <10
  • Tanzania: <10
  • Cambodia: unknown

Tactics, techniques, and procedures

Phase 1: Identity creation

  • fake or stolen documents,
  • AI-generated faces,
  • virtual numbers,
  • KYC spoofing,
  • VPNs,
  • remote account control.

AI-generated faces

Phase 2: Job search

  • direct responses to companies,
  • freelance platforms,
  • communication via LinkedIn, Discord.

Phase 3: Obtaining funds

  • PayPal, Payoneer, Wise,
  • cryptocurrency with subsequent laundering,
  • purchase of PYUSD through intermediaries,
  • registration of companies in the US.

Malicious cyber activity by North Korea

Attacks on South Korean infrastructure

The Temp.Hermit and Kimsuky groups exploited software vulnerabilities and supply chain attacks to gain access and steal data, including attack campaigns via industry organization websites.

Defense industry targets

The TraderTraitor and Andariel groups stole weapon blueprints, R&D data, and materials on DJI drones.

Conclusion

According to the MSMT report, threats from North Korea have become systemic: attacks now include comprehensive integration of supply chain infection, infiltration of IT workers, fund theft, and cross-border money laundering. The risks are not only related to technical vulnerabilities, but also to vulnerabilities in processes, personnel, and infrastructure.
