How North Korea Cashes Out Stolen Cryptocurrency to Fiat

North Korea doesn’t just hack cryptocurrency exchanges - it turns those hacks into cash. And not just a little cash. Over $3 billion in stolen digital assets have been converted into real-world money since 2017, with more than $1.5 billion stolen in a single attack on Bybit in February 2025. This isn’t random crime. It’s state-sponsored, highly organized, and designed to bypass sanctions that have choked off North Korea’s access to global banking. The regime doesn’t need a bank account. It needs a pipeline. And it built one.

The Theft: How They Get the Crypto

It starts with a breach. Not a flashy hacker in a hoodie, but teams of trained operatives working out of Pyongyang. These aren’t amateurs. They’re engineers, coders, and cyberwarriors trained at institutions like Hamheung Computer Technology University. Their targets? Centralized exchanges like Bybit, Binance, and KuCoin. Decentralized protocols like Ronin Bridge. Wallets like Atomic Wallet. They use phishing, supply chain attacks, and compromised validator keys to steal funds. The 2023 Atomic Wallet hack? One attack, $100 million stolen from over 4,100 wallets. The Ronin Bridge hack in 2022? $625 million, taken because hackers stole the private keys of just five validators.

What’s different now? Speed. In 2020, it took North Korean hackers 120 hours to move stolen crypto. Today, they do it in under 72 hours. They call it “flood the zone.” Hundreds of transactions per day, spread across Bitcoin, Ethereum, Solana, and Binance Smart Chain. The goal isn’t to hide the money - it’s to drown blockchain analysts in noise. If you’re tracking one transaction, they’ve already moved 400 others.

The Middleman: Why Bitcoin Is the Key

North Korea doesn’t try to cash out directly in Ethereum or Dogecoin. They convert almost everything to Bitcoin. Why? Liquidity. Bitcoin is the most widely accepted crypto asset on earth. Over 82% of stolen funds end up as BTC. It’s easier to move, harder to trace in bulk, and accepted by more OTC desks and unregulated exchanges than any other coin.

They don’t use Tornado Cash anymore. That mixing service got shut down in 2022 after processing $1.2 billion in North Korean-linked funds. So they moved on. Now, they use cross-chain bridges - Ren Bridge, Avalanche Bridge, Wormhole - to bounce assets between blockchains. Each jump adds a layer of confusion. One transaction goes from Ethereum to Solana. Then to BSC. Then to Bitcoin. Three networks. Five wallets. Seven transfers. All within hours. By the time analysts piece it together, the money’s already halfway to cash.

The Final Step: Where the Crypto Becomes Cash

This is where it gets real. No one’s going to walk into a Bank of America with $50 million in Bitcoin and ask for cash. So North Korea outsources the dirty work.

Cambodia is the main hub. Specifically, the city of Sihanoukville. It’s a ghost town of shuttered casinos and abandoned condos - now repurposed as crypto cash-out centers. FinCEN confirmed in March 2025 that 14 North Korea-controlled “crypto cafes” operate there. No ID needed. No questions asked. You walk in with a QR code. You scan it. You get cash. $500,000 to $2 million per location, per month.

They don’t rely on just cafes. They use shell companies like Huione Group. The U.S. Treasury labeled Huione a major money laundering concern in 2025. Its subsidiaries issue non-freezable stablecoins - digital tokens that act like cash but can’t be seized. Stolen crypto becomes Huione tokens. Huione tokens become real Cambodian riel. The paper trail? Gone.

China still plays a role. In February 2024, the DOJ indicted two Chinese nationals for moving $250 million in stolen crypto through 37 bank accounts. They used fake identities, front businesses, and cash couriers. Macau’s casinos are another vector. Some accept crypto deposits with only 5% KYC checks - compared to 95% in regulated markets. That’s a backdoor.

The Human Network: IT Workers as Cash-Out Agents

North Korea doesn’t just hack from afar. It sends people.

The UN estimates 20,000 North Korean IT workers are deployed abroad - mostly in China, Russia, and Southeast Asia. They work as freelance developers, customer support reps, or blockchain engineers for legitimate crypto firms. But they’re not there to build apps. They’re there to create backdoors.

CSIS documented 27 cases in 2024 where these workers, using falsified Indian or Vietnamese identities, gained access to exchange systems. Once inside, they set up automated transfers that bypass 72-hour fraud detection. A hacker in Pyongyang triggers a withdrawal. It goes through the worker’s system. It hits a bank account in Guangzhou. All in 12 hours. No alerts. No flags.

They’re paid in crypto. Then they convert it locally. One worker, earning $5,000 a month in Bitcoin, might cash out $10,000 in small increments through local exchanges. It looks like freelance income. It’s not.

The Arms Connection: Where the Money Goes

This isn’t about luxury cars or private jets. This money funds missiles, nukes, and drones.

The UN Security Council estimates that cryptocurrency now provides 20-30% of North Korea’s entire foreign currency reserves. That’s $2.1 billion since 2017, directly tied to weapons programs. The $1.5 billion from the Bybit hack? Likely used to buy raw materials for uranium enrichment. The $625 million from Ronin? Possibly used to fund drone production for the war in Ukraine.

It’s the only way the regime bypasses sanctions that cap its oil imports at 500,000 barrels per year. When banks won’t touch them, crypto does. When wire transfers are blocked, crypto bridges work. And when regulators crack down, they adapt faster than anyone expects.

The Countermeasures: Are They Winning?

Governments are fighting back. The Crypto-Asset Reporting Framework now forces over 100 countries to share beneficiary data. Exchanges in the U.S., EU, and Japan now flag suspicious transfers automatically. Chainalysis and TRM Labs track patterns with AI that can spot North Korean transaction signatures with 90% accuracy.

But the regime keeps changing. In 2024, they started testing “stablecoin arbitrage laundering.” Steal Ethereum. Convert it to USDC on a decentralized exchange. Move it to a regional exchange where USDC trades at a 2% premium. Cash out in local currency. The profit? Clean. The trail? Nearly invisible.

And they’re building their own tools. A March 2025 CSIS report revealed North Korea hired 37 ex-crypto developers to build custom cross-chain protocols. These aren’t public. They’re private. Designed to move $500 million without leaving a trace.

Still, there’s progress. Treasury Department data shows a 22% drop in successful cash-outs in Q1 2025 compared to Q4 2024. The window is closing. But North Korea isn’t quitting. It’s just getting smarter.

The Future: A Race Against Time

The U.S. Treasury says success rates will drop to 40% by 2027. That’s optimistic. Former North Korean defector Dr. Kim Heung Kwang says the regime will adapt until crypto is fully regulated - or until it doesn’t exist anymore.

Right now, the system is a game of cat and mouse. One side builds better trackers. The other builds better disguises. The stakes? Nuclear weapons. Global stability. The outcome? Still up for grabs.