North Korea has stolen $2.84 billion in cryptocurrency since January 2024, according to a new report from the Multilateral Sanctions Monitoring Team (MSMT). The MSMT is responsible for monitoring violations of UN sanctions against the Democratic People’s Republic of Korea (DPRK). Their latest findings reveal that the DPRK stole “at least” $1.65 billion between January and September this year.
Much of these funds were acquired through the February Bybit hack. However, the MSMT—which includes participating states such as the U.S., Japan, Germany, France, Canada, Australia, and other Western nations—also reports that North Korea has been expanding its use of remote IT work.
### North Korea’s Violation of UN Sanctions Through IT Labor
The deployment of North Korean IT workers internationally violates UN Security Council Resolutions 2375 and 2397, which prohibit the employment of DPRK workers abroad. Despite this, the DPRK continues to participate in the labor markets of at least eight countries. These include China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria, and Tanzania.
The report details that between 1,000 and 1,500 DPRK workers were based in China, while Pyongyang planned to send as many as 40,000 workers to Russia.
### The Growing “Fight Back” Against North Korean Cyber Threats
While the MSMT concludes that North Korea’s cyber force operates as “a full-spectrum, national program” with sophistication approaching that of China and Russia, contributors to the report also highlight increasing efforts by Western agencies and firms to combat these threats.
“While North Korea-linked hackers represent a significant threat, law enforcement, national security agencies, and private sectors’ ability to identify associated risks and fight back is growing,” said Andrew Fierman, Head of National Security Intelligence at Chainalysis.
Fierman provided an example from August, when the U.S. Office of Foreign Assets Control (OFAC) sanctioned a fraudulent IT worker network linked to the DPRK. These actors were designated for their involvement in schemes funneling DPRK IT worker-derived revenue to support the country’s weapons of mass destruction and ballistic missile programs.
Additionally, tens of millions of dollars worth of cryptocurrency have been recovered from the February Bybit hack. In June, Decrypt reported that some of these funds were traced to a Greek crypto exchange.
“The private sector is more effectively identifying DPRK IT worker threats, as recently evidenced by Kraken’s efforts in May 2025,” Fierman added.
In August, Binance’s Chief Security Officer told Decrypt that the exchange discards resumes from North Korean attackers looking to get hired at the firm on a daily basis.
### Crypto and North Korea’s Weapons Program
Identifying and thwarting North Korean activities is critical because the funds generated by these operations are generally funneled into the country’s weapons programs.
“The MSMT report details how these funds are used to procure everything from armored vehicles to portable air-defense missile systems,” Fierman explained. “Meanwhile, the DPRK’s cyber espionage operations target critical industries including semiconductors, uranium processing, and missile technology, creating a dangerous feedback loop between their financial crimes and military capabilities.”
### Recommendations and Future Measures
In response to these threats, Fierman recommends increased collaboration between public and private sectors. The MSMT report itself is a product of such cooperation, involving organizations like Chainalysis, Google Cloud’s Mandiant, DTEX, Palo Alto Networks, Upwork, and Sekoia.io.
He emphasized, “Data-sharing initiatives, government advisories, real-time security solutions, advanced tracing tools, and targeted training can empower stakeholders to quickly identify and neutralize malicious actors while building the resilience needed to safeguard crypto assets.”
By leveraging blockchain intelligence alongside traditional cybersecurity methods, involved parties can identify and freeze stolen funds before they are laundered, while mapping North Korea’s financial networks.
Based on these findings, Fierman and Chainalysis recommend organizations to:
– Implement comprehensive blockchain monitoring
– Develop enhanced due diligence for IT contractor hiring
– Deploy advanced threat detection systems
– Maintain regular security audits
– Establish clear protocols for large transactions
These steps will be vital in combating North Korea’s expanding cyber and financial threat, protecting both the crypto ecosystem and global security interests.
https://decrypt.co/346010/north-korea-stolen-billions-crypto-ability-fight-back-growing-chainalysis