How North Korea Cashes Out Stolen Cryptocurrency to Fiat
Mar, 16 2026
North Korea doesn’t just hack cryptocurrency exchanges - it turns those hacks into cash. And not just a little cash. Over $3 billion in stolen digital assets have been converted into real-world money since 2017, with more than $1.5 billion stolen in a single attack on Bybit in February 2025. This isn’t random crime. It’s state-sponsored, highly organized, and designed to bypass sanctions that have choked off North Korea’s access to global banking. The regime doesn’t need a bank account. It needs a pipeline. And it built one.
The Theft: How They Get the Crypto
It starts with a breach. Not a flashy hacker in a hoodie, but teams of trained operatives working out of Pyongyang. These aren’t amateurs. They’re engineers, coders, and cyberwarriors trained at institutions like Hamheung Computer Technology University. Their targets? Centralized exchanges like Bybit, Binance, and KuCoin. Decentralized protocols like Ronin Bridge. Wallets like Atomic Wallet. They use phishing, supply chain attacks, and compromised validator keys to steal funds. The 2023 Atomic Wallet hack? One attack, $100 million stolen from over 4,100 wallets. The Ronin Bridge hack in 2022? $625 million, taken because hackers stole the private keys of just five validators.What’s different now? Speed. In 2020, it took North Korean hackers 120 hours to move stolen crypto. Today, they do it in under 72 hours. They call it “flood the zone.” Hundreds of transactions per day, spread across Bitcoin, Ethereum, Solana, and Binance Smart Chain. The goal isn’t to hide the money - it’s to drown blockchain analysts in noise. If you’re tracking one transaction, they’ve already moved 400 others.
The Middleman: Why Bitcoin Is the Key
North Korea doesn’t try to cash out directly in Ethereum or Dogecoin. They convert almost everything to Bitcoin. Why? Liquidity. Bitcoin is the most widely accepted crypto asset on earth. Over 82% of stolen funds end up as BTC. It’s easier to move, harder to trace in bulk, and accepted by more OTC desks and unregulated exchanges than any other coin.They don’t use Tornado Cash anymore. That mixing service got shut down in 2022 after processing $1.2 billion in North Korean-linked funds. So they moved on. Now, they use cross-chain bridges - Ren Bridge, Avalanche Bridge, Wormhole - to bounce assets between blockchains. Each jump adds a layer of confusion. One transaction goes from Ethereum to Solana. Then to BSC. Then to Bitcoin. Three networks. Five wallets. Seven transfers. All within hours. By the time analysts piece it together, the money’s already halfway to cash.
The Final Step: Where the Crypto Becomes Cash
This is where it gets real. No one’s going to walk into a Bank of America with $50 million in Bitcoin and ask for cash. So North Korea outsources the dirty work.Cambodia is the main hub. Specifically, the city of Sihanoukville. It’s a ghost town of shuttered casinos and abandoned condos - now repurposed as crypto cash-out centers. FinCEN confirmed in March 2025 that 14 North Korea-controlled “crypto cafes” operate there. No ID needed. No questions asked. You walk in with a QR code. You scan it. You get cash. $500,000 to $2 million per location, per month.
They don’t rely on just cafes. They use shell companies like Huione Group. The U.S. Treasury labeled Huione a major money laundering concern in 2025. Its subsidiaries issue non-freezable stablecoins - digital tokens that act like cash but can’t be seized. Stolen crypto becomes Huione tokens. Huione tokens become real Cambodian riel. The paper trail? Gone.
China still plays a role. In February 2024, the DOJ indicted two Chinese nationals for moving $250 million in stolen crypto through 37 bank accounts. They used fake identities, front businesses, and cash couriers. Macau’s casinos are another vector. Some accept crypto deposits with only 5% KYC checks - compared to 95% in regulated markets. That’s a backdoor.
The Human Network: IT Workers as Cash-Out Agents
North Korea doesn’t just hack from afar. It sends people.The UN estimates 20,000 North Korean IT workers are deployed abroad - mostly in China, Russia, and Southeast Asia. They work as freelance developers, customer support reps, or blockchain engineers for legitimate crypto firms. But they’re not there to build apps. They’re there to create backdoors.
CSIS documented 27 cases in 2024 where these workers, using falsified Indian or Vietnamese identities, gained access to exchange systems. Once inside, they set up automated transfers that bypass 72-hour fraud detection. A hacker in Pyongyang triggers a withdrawal. It goes through the worker’s system. It hits a bank account in Guangzhou. All in 12 hours. No alerts. No flags.
They’re paid in crypto. Then they convert it locally. One worker, earning $5,000 a month in Bitcoin, might cash out $10,000 in small increments through local exchanges. It looks like freelance income. It’s not.
The Arms Connection: Where the Money Goes
This isn’t about luxury cars or private jets. This money funds missiles, nukes, and drones.The UN Security Council estimates that cryptocurrency now provides 20-30% of North Korea’s entire foreign currency reserves. That’s $2.1 billion since 2017, directly tied to weapons programs. The $1.5 billion from the Bybit hack? Likely used to buy raw materials for uranium enrichment. The $625 million from Ronin? Possibly used to fund drone production for the war in Ukraine.
It’s the only way the regime bypasses sanctions that cap its oil imports at 500,000 barrels per year. When banks won’t touch them, crypto does. When wire transfers are blocked, crypto bridges work. And when regulators crack down, they adapt faster than anyone expects.
The Countermeasures: Are They Winning?
Governments are fighting back. The Crypto-Asset Reporting Framework now forces over 100 countries to share beneficiary data. Exchanges in the U.S., EU, and Japan now flag suspicious transfers automatically. Chainalysis and TRM Labs track patterns with AI that can spot North Korean transaction signatures with 90% accuracy.But the regime keeps changing. In 2024, they started testing “stablecoin arbitrage laundering.” Steal Ethereum. Convert it to USDC on a decentralized exchange. Move it to a regional exchange where USDC trades at a 2% premium. Cash out in local currency. The profit? Clean. The trail? Nearly invisible.
And they’re building their own tools. A March 2025 CSIS report revealed North Korea hired 37 ex-crypto developers to build custom cross-chain protocols. These aren’t public. They’re private. Designed to move $500 million without leaving a trace.
Still, there’s progress. Treasury Department data shows a 22% drop in successful cash-outs in Q1 2025 compared to Q4 2024. The window is closing. But North Korea isn’t quitting. It’s just getting smarter.
The Future: A Race Against Time
The U.S. Treasury says success rates will drop to 40% by 2027. That’s optimistic. Former North Korean defector Dr. Kim Heung Kwang says the regime will adapt until crypto is fully regulated - or until it doesn’t exist anymore.Right now, the system is a game of cat and mouse. One side builds better trackers. The other builds better disguises. The stakes? Nuclear weapons. Global stability. The outcome? Still up for grabs.
How does North Korea avoid detection when converting crypto to cash?
North Korea avoids detection by spreading stolen funds across multiple blockchains, using cross-chain bridges to obscure origins, converting assets into Bitcoin for liquidity, and cashing out through unregulated hubs like Cambodia’s crypto cafes or Chinese bank networks with weak KYC. They also use IT workers abroad to create backdoors in legitimate exchanges, enabling fast, low-visibility transfers.
What role does Bitcoin play in North Korea’s crypto cash-out strategy?
Bitcoin is the primary intermediary currency in North Korea’s cash-out pipeline. Over 82% of stolen crypto is converted into Bitcoin because it’s the most liquid, widely accepted, and hardest to trace in large volumes. Once in BTC, the funds are easier to move through OTC desks and unregulated exchanges without triggering alerts.
Why is Cambodia the main cash-out hub for North Korea?
Cambodia, especially Sihanoukville, has minimal financial regulation, no requirement for ID in crypto-to-cash transactions, and a network of North Korea-linked businesses like Huione Group that issue non-freezable stablecoins. FinCEN confirmed 14 North Korea-controlled crypto cafes there in 2025, each processing up to $2 million monthly in cash without documentation.
How do North Korean IT workers help cash out stolen crypto?
North Korean IT workers are embedded in crypto exchanges and fintech firms across China, Russia, and Southeast Asia. Using falsified identities, they gain access to internal systems and create automated withdrawal channels that bypass fraud detection. They convert stolen crypto into fiat through local exchanges, often in small amounts to avoid suspicion, and send the money back to North Korea.
Has the U.S. or UN successfully stopped North Korea’s crypto cash-outs?
No - but they’ve slowed them down. Sanctions on Tornado Cash, the Crypto-Asset Reporting Framework, and better blockchain analytics reduced successful cash-outs by 22% in Q1 2025. However, North Korea adapts faster than regulators can respond, shifting to new methods like stablecoin arbitrage and custom cross-chain protocols. Experts warn the gap between detection and evasion is widening.
Konakuze Christopher
March 16, 2026 AT 11:56Angelica Stovall
March 16, 2026 AT 17:41Henrique Lyma
March 17, 2026 AT 08:35shreya gupta
March 19, 2026 AT 00:36Manali Sovani
March 20, 2026 AT 20:06Shreya Baid
March 21, 2026 AT 10:29Derek Lynch
March 23, 2026 AT 02:30Sarah Zakareckis
March 23, 2026 AT 21:31Heather James
March 25, 2026 AT 11:44George Hutchings
March 27, 2026 AT 02:18Sahithi Reddy
March 27, 2026 AT 16:11Christopher Hoar
March 28, 2026 AT 06:40S F
March 29, 2026 AT 13:14Robert Kunze
March 30, 2026 AT 23:24Kira Dreamland
March 31, 2026 AT 03:49sai nikhil
April 2, 2026 AT 00:16