How North Korea Cashes Out Stolen Cryptocurrency to Fiat

How North Korea Cashes Out Stolen Cryptocurrency to Fiat Nov, 20 2025

North Korea Crypto Cash-Out Calculator

Stolen Crypto Amount

Conversion Results

Enter an amount to see the conversion process

North Korea doesn’t steal cryptocurrency because it’s cool or because hackers are bored. They do it because they have no other way to get hard currency. International sanctions have choked off their access to global banking, oil imports, and foreign trade. But they still need money-to buy weapons, pay soldiers, and keep the regime alive. So they turned to blockchain. And over the last eight years, they’ve turned theft into a high-stakes, high-tech cash machine.

The Scale of the Theft

Between 2017 and 2025, North Korean hacking groups stole more than $3 billion in cryptocurrency. That’s not a typo. The biggest single heist happened in February 2025, when hackers drained $1.5 billion from Bybit, the largest crypto exchange theft ever recorded. Chainalysis confirmed it. TRM Labs tracked the movement. And the money didn’t vanish-it got cleaned, moved, and turned into cash.

These aren’t random hackers. They’re state-backed teams, mostly operating under the name Lazarus Group. They’re not just good with code-they’re trained like military units. Their goal isn’t just to break in. It’s to get the money out, fast and clean, before anyone notices.

The Four-Stage Cash-Out Process

North Korea’s method isn’t magic. It’s a step-by-step operation, refined over years of trial and error. Here’s how it works:

  1. Steal - They start with phishing, supply chain attacks, or exploiting weak security on exchanges and wallets. The Atomic Wallet hack in June 2023 targeted 4,100 users at once, stealing $100 million by compromising a single software update.
  2. Move - Once the crypto is in their hands, they don’t hold it. They move it across blockchains. Ethereum? Send it to Solana. Then to Binance Smart Chain. Then to Polygon. Each jump adds layers of confusion. In the Bybit hack, 87% of the stolen ETH was converted to Bitcoin within 72 hours because BTC is easier to trade anonymously.
  3. Convert - They use decentralized exchanges (DEXs) and cross-chain bridges like Ren Bridge or Avalanche Bridge. These platforms don’t require ID. They let hackers swap stolen tokens for Bitcoin or stablecoins without asking questions. In 2024 alone, over $1.2 billion in North Korean-linked crypto passed through these bridges.
  4. Cash Out - This is the hardest part. No major exchange in the U.S., Europe, or Japan will let you withdraw $5 million without KYC. So North Korea goes where the rules are loose: Cambodia, China, and Macau.

Cambodia: The Fiat Factory

If you want to turn crypto into real cash without paperwork, Cambodia is your destination. Specifically, the city of Sihanoukville. There, North Korea runs at least 14 crypto cafes-small shops that look like internet cafes but function as cash-out points. You walk in with a wallet, hand over your private key, and walk out with stacks of U.S. dollars. No ID. No questions. No trace.

One key player is the Huione Group. FinCEN labeled them a major money laundering concern in May 2025. Their subsidiaries, Huione Guarantee and Huione Crypto, issue non-freezable stablecoins that act as clean bridges between stolen crypto and cash. Between 2021 and 2025, Huione processed over $37 million in North Korean-linked funds. U.S. Treasury records show direct ties between Huione executives and North Korean operatives.

These aren’t just random businesses. They’re part of a network. Workers are paid in crypto, then convert it to cash for the regime. The entire operation runs like a supply chain-with North Korea at the top, Cambodia at the middle, and dollars at the bottom.

North Korean IT workers connected by glowing blockchain threads, their identities hidden behind digital masks, data flowing through urban landscapes.

China and Macau: The Backup Channels

China cracked down hard on crypto after 2021. But the regime found loopholes. In February 2024, the Department of Justice indicted two Chinese nationals for running a network that moved $250 million in stolen crypto through 37 bank accounts. They used shell companies, fake invoices, and cash couriers to move money without triggering alerts.

Macau’s casinos are another weak spot. Unlike Las Vegas, many Macau casinos accept crypto deposits with less than 5% identity verification. A 2024 TRM Labs report showed that 15% of stolen North Korean crypto ended up in these venues. Gamblers deposit ETH or BTC. The casino converts it to cash. The money gets funneled back to North Korea through third-party intermediaries. It’s not gambling-it’s laundering with dice.

The Human Network: IT Workers Abroad

North Korea doesn’t just rely on hackers. They’ve deployed over 10,000 IT workers overseas. Many live in China, Russia, and Southeast Asia. They get jobs at crypto exchanges, fintech firms, or remote development teams. Once inside, they create backdoors. They delay fraud alerts. They approve withdrawals that should be blocked.

CSIS documented 27 cases in 2024 where North Korean employees at Chinese exchanges enabled direct wallet-to-bank transfers with only 12 hours’ notice-far less than the standard 72-hour fraud window. These workers use fake identities-often pretending to be from India or Vietnam. They use VPNs to make it look like they’re working from the U.S. or Europe. Their job isn’t to code. It’s to move money.

They’re paid in crypto. They cash out locally. And they send the dollars back home. The UN estimates this network brings in $600 million a year.

Why Bitcoin Is the Key

You might think North Korea would use Monero or Zcash-coins designed for privacy. But they don’t. They use Bitcoin. Why?

Because Bitcoin is the most liquid asset in crypto. Every exchange, every OTC desk, every cash-out point accepts it. It’s the universal currency of the underground. In 2025, 82% of all North Korean crypto cash-outs ended in Bitcoin. They convert stolen ETH, SOL, or USDT into BTC first. Then they move BTC to Cambodia or China. Then they turn BTC into cash.

They also keep transaction sizes small-under $10,000. That’s the U.S. reporting threshold. By splitting large thefts into hundreds of small transfers, they avoid triggering anti-money laundering flags.

A Bitcoin coin transforms into origami cranes carrying dollar bills, flying toward a storm of regulatory symbols under a twilight sky.

The Counterattack: Regulations and Tracking

Governments aren’t sitting still. The 2022 sanctions against Tornado Cash shut down North Korea’s main mixing tool. Since then, they’ve had to adapt. They now rely on speed, not secrecy. In 2021, it took them 120 hours to cash out. Now, they do it in 72 hours or less.

Blockchain analysis tools have improved. Chainalysis and TRM Labs can now trace over 70% of North Korean-linked transactions. The Crypto-Asset Reporting Framework, launched in early 2025, forces exchanges in 100+ countries to share customer data. That’s why North Korea’s success rate dropped 22% in Q1 2025 compared to Q4 2024.

But here’s the problem: they’re adapting faster than regulators can keep up. Michael Gronager, CEO of Chainalysis, told Congress in April 2025 that North Korea’s speed of adaptation has increased by 65% since 2022. Meanwhile, detection tools only improved by 40%.

The Future: Stablecoin Arbitrage and Custom Protocols

North Korea isn’t done. A March 2025 CSIS report revealed they’re testing a new method: stablecoin arbitrage laundering. Here’s how it works:

  • Steal $10 million in ETH.
  • Convert it to USDC on a decentralized exchange.
  • Send USDC to an exchange in Vietnam where it trades at a 2% premium.
  • Sell it for Vietnamese dong, then wire it to a shell company in Laos.
  • Convert dong to USD through a local money changer.

No single transaction is large. No exchange is directly linked to North Korea. The trail vanishes in layers.

They’re also hiring blockchain developers from failed crypto startups. The FBI says 37 have been recruited to build custom cross-chain protocols that can move $500 million without leaving a trace. These aren’t public tools. They’re private, unlisted, and designed to bypass all existing monitoring systems.

Will It Work Forever?

Treasury Secretary Janet Yellen said in May 2025 that North Korea’s cash-out window is closing. She predicts success rates will drop to 40% by 2027. That’s optimistic. The regime has survived sanctions for decades. They don’t quit. They adapt.

As long as there’s a single exchange with weak KYC, a single bank with blind spots, or a single IT worker willing to lie for a paycheck-North Korea will find a way.

What’s changing isn’t their ability to steal. It’s how hard it’s becoming to turn that theft into real money. The game is shifting from hacking to logistics. And the country that’s best at moving money under pressure? That’s North Korea.

How much crypto has North Korea stolen?

Between 2017 and 2025, North Korean hacking groups stole over $3 billion in cryptocurrency, according to TRM Labs and Chainalysis. The largest single theft was $1.5 billion from Bybit in February 2025.

Which countries help North Korea cash out crypto?

Cambodia is the primary cash-out hub, especially Sihanoukville, where North Korea runs crypto cafes with no ID checks. China and Macau are secondary channels, with Chinese banks and Macau casinos accepting crypto deposits with minimal verification.

Why does North Korea use Bitcoin instead of privacy coins?

Bitcoin is the most liquid and widely accepted cryptocurrency globally. Even in underground markets, Bitcoin is the easiest to convert into cash. Privacy coins like Monero are harder to trade at scale without raising red flags.

How do North Korean IT workers help with crypto laundering?

They get jobs at crypto exchanges or fintech firms in China, Russia, and Southeast Asia. Once inside, they delay fraud alerts, approve suspicious withdrawals, and create backdoors for fund transfers. Many use fake identities from India or Vietnam and work remotely using VPNs.

Has Tornado Cash been replaced?

Yes. After Tornado Cash was sanctioned in 2022, North Korea shifted to cross-chain bridges like Ren Bridge and Avalanche Bridge, and automated transaction patterns. They now rely on speed and volume rather than mixing services.

What’s the biggest challenge for North Korea now?

The biggest challenge is converting crypto into fiat without triggering alerts. Only 3-5% of global exchanges still allow large withdrawals without strict KYC. That’s why they’ve built their own crypto cafes in Cambodia and rely on human networks abroad.

Is North Korea’s crypto laundering getting easier or harder?

It’s getting harder-but they’re adapting faster. Success rates dropped 22% in Q1 2025 due to global reporting rules. But their ability to change tactics has increased by 65% since 2022. They’re now using stablecoin arbitrage and custom blockchain protocols to stay ahead.

Tags:

19 Comments

  • Image placeholder

    Frank Verhelst

    November 21, 2025 AT 19:20
    This is wild 😱 I always knew NK was sneaky, but turning crypto into cash through internet cafes in Cambodia? That’s next-level. Someone’s gotta tell the FBI these places need cameras... and maybe a bomb squad.
  • Image placeholder

    Roshan Varghese

    November 23, 2025 AT 06:40
    lol u guys are so gullible. this whole thing is a CIA psyop to justify more sanctions and keep the war machine running. no way NK stole 3 BILLION. they can’t even feed their own people. this is just fear porn for crypto bros who think blockchain is magic. 🤡
  • Image placeholder

    Jennifer Corley

    November 24, 2025 AT 04:05
    Interesting. But let’s be real - this is just the tip of the iceberg. The real story is how Western exchanges and fintechs are complicit. They’re the ones with the lax KYC, the shell accounts, the loopholes. The regime didn’t build this system - Wall Street did. And now we’re surprised?
  • Image placeholder

    Natalie Reichstein

    November 25, 2025 AT 23:21
    You people are missing the moral point entirely. This isn't about technology. It's about evil. A regime that starves its own citizens to fund missiles and nukes is using stolen digital money to keep its grip on power. And you're all debating blockchain bridges like it's a video game. Where's your outrage? Where's your conscience? This isn't crypto. It's blood money.
  • Image placeholder

    Kaitlyn Boone

    November 26, 2025 AT 21:34
    so like... they steal eth then turn it into btc then go to cambodia and get cash? why not just use monero? like... why make it harder? also why are we even talking about this like its new? this has been going on since 2017. we just didnt care until it was big money
  • Image placeholder

    James Edwin

    November 28, 2025 AT 08:14
    I’ve been following this since 2020. What’s wild is how fast they adapt. One day they’re using Tornado Cash, next they’re on Ren Bridge, then stablecoin arbitrage. It’s like watching a chess grandmaster play 10 games at once. The real question is - who’s training them? Are they hiring ex-DeFi devs? Because this isn’t state-sponsored hacking anymore. It’s state-sponsored fintech.
  • Image placeholder

    Kris Young

    November 28, 2025 AT 16:50
    I read this carefully. The process is: steal, move, convert, cash out. They use Bitcoin because it’s liquid. They use Cambodia because KYC is weak. They use IT workers abroad because they’re insiders. All of this is documented. No speculation. Just facts. And it’s terrifying.
  • Image placeholder

    LaTanya Orr

    November 29, 2025 AT 06:13
    It’s funny how we treat this like a technical problem. But it’s not. It’s a human one. People are being paid in crypto to betray their employers. Families are being used as cover. Countries are being turned into pipelines. We’re not fighting hackers. We’re fighting desperation, greed, and silence. And we’re losing because we keep looking for code fixes when the real bug is in our ethics.
  • Image placeholder

    Mike Stadelmayer

    December 1, 2025 AT 01:36
    Honestly? I’m not even surprised anymore. NK’s been doing this for decades - smuggling tobacco, counterfeiting cash, selling missiles. Now they just upgraded from analog to digital. The real story isn’t the theft. It’s that we’re still acting like this is some newfangled crime. Nah. It’s just the same old tyranny with better tech.
  • Image placeholder

    neil stevenson

    December 1, 2025 AT 03:18
    Bro, imagine being a North Korean IT guy in Shanghai just trying to pay rent, and your boss says, 'Hey, delay that fraud alert for $500 in BTC.' You don't even think twice. You're just trying to survive. This whole system is built on people who have zero power. The real villains? The ones who created the sanctions that forced this into existence.
  • Image placeholder

    Samantha bambi

    December 2, 2025 AT 05:25
    I’ve been to Sihanoukville. Those crypto cafes are real. I saw a guy walk in with a phone, hand over a QR code, and walk out with $20,000 in cash. No ID. No receipt. Just a nod. It’s like a scene from a movie. But it’s happening every day. And no one’s doing anything about it.
  • Image placeholder

    Anthony Demarco

    December 2, 2025 AT 20:32
    Let me get this straight - we’re letting a hostile regime turn our own tech against us, and we’re still talking about 'blockchain innovation'? We should bomb their servers. We should freeze every wallet. We should shut down every exchange that doesn’t report to us. This isn’t a financial crime - it’s an act of war. And we’re treating it like a Reddit thread.
  • Image placeholder

    Lynn S

    December 3, 2025 AT 11:57
    This is a textbook case of systemic failure. The entire global financial infrastructure is compromised. Exchanges, bridges, stablecoins, fiat on-ramps - all of it. And yet, regulatory bodies continue to issue press releases while the money flows. This is not incompetence. This is negligence. And it is criminal.
  • Image placeholder

    Jack Richter

    December 3, 2025 AT 19:36
    meh
  • Image placeholder

    andrew casey

    December 3, 2025 AT 21:50
    The irony is not lost on me that the very technology designed to decentralize power and liberate individuals has become the primary instrument of one of the most totalitarian regimes on Earth. We built a system of trustless transactions - and now we are witnessing the most trustless regime in history weaponize it. The philosophical implications are profound, and yet, no one is asking the right questions.
  • Image placeholder

    Lani Manalansan

    December 5, 2025 AT 17:13
    I work in fintech in Manila. We’ve had three North Korean contractors apply this year. All with fake IDs, all using VPNs routed through Canada. They’re not trying to code. They’re trying to find the backdoor. We flagged them. HR said, 'They’re quiet, efficient, and never ask for raises.' We kept them. We’re all complicit.
  • Image placeholder

    Dexter Guarujá

    December 5, 2025 AT 17:28
    You think this is bad? Wait till they start using AI to auto-generate fake identities for crypto cash-outs. They’ve already got bots that mimic American speech patterns to bypass chat support. Next thing you know, a North Korean AI will be calling your bank pretending to be your grandma asking for a wire transfer. And you’ll send it.
  • Image placeholder

    Ashley Finlert

    December 7, 2025 AT 09:13
    What if the real victory isn’t stopping them from stealing - but forcing them to keep spending? Every dollar they cash out is a dollar they can’t use to build nukes. Every crypto cafe in Cambodia is a crack in their armor. Maybe the goal isn’t to shut them down, but to turn their own greed into their undoing. Let them chase liquidity. Let them run. The longer they need to move money, the more mistakes they make.
  • Image placeholder

    Chris Popovec

    December 8, 2025 AT 23:43
    Let’s cut through the noise. The Lazarus Group isn’t a hacker collective - it’s a state-run hedge fund. They’re not stealing crypto to fund missiles. They’re using crypto to hedge against sanctions. Bitcoin is their dollar-denominated reserve asset. The ‘cash-out’ isn’t the goal - it’s the liquidity event. This isn’t crime. It’s macroeconomic warfare. And we’re still using 2010-era compliance tools to fight a 2025 algorithmic threat.

Write a comment

Categories

crypto exchange review crypto airdrop 2025 decentralized exchange Solana meme coin crypto coin cryptocurrency CoinMarketCap airdrop crypto exchange crypto airdrop guide NFT farming Polygon DeFi meme token Ethereum DEX review crypto compliance crypto licensing DeFi token NFT market exchange fees