How North Korea Cashes Out Stolen Cryptocurrency to Fiat

North Korea doesn’t steal cryptocurrency because it’s cool or because hackers are bored. They do it because they have no other way to get hard currency. International sanctions have choked off their access to global banking, oil imports, and foreign trade. But they still need money-to buy weapons, pay soldiers, and keep the regime alive. So they turned to blockchain. And over the last eight years, they’ve turned theft into a high-stakes, high-tech cash machine.

The Scale of the Theft

Between 2017 and 2025, North Korean hacking groups stole more than $3 billion in cryptocurrency. That’s not a typo. The biggest single heist happened in February 2025, when hackers drained $1.5 billion from Bybit, the largest crypto exchange theft ever recorded. Chainalysis confirmed it. TRM Labs tracked the movement. And the money didn’t vanish-it got cleaned, moved, and turned into cash.

These aren’t random hackers. They’re state-backed teams, mostly operating under the name Lazarus Group. They’re not just good with code-they’re trained like military units. Their goal isn’t just to break in. It’s to get the money out, fast and clean, before anyone notices.

The Four-Stage Cash-Out Process

North Korea’s method isn’t magic. It’s a step-by-step operation, refined over years of trial and error. Here’s how it works:

1. Steal - They start with phishing, supply chain attacks, or exploiting weak security on exchanges and wallets. The Atomic Wallet hack in June 2023 targeted 4,100 users at once, stealing $100 million by compromising a single software update.
2. Move - Once the crypto is in their hands, they don’t hold it. They move it across blockchains. Ethereum? Send it to Solana. Then to Binance Smart Chain. Then to Polygon. Each jump adds layers of confusion. In the Bybit hack, 87% of the stolen ETH was converted to Bitcoin within 72 hours because BTC is easier to trade anonymously.
3. Convert - They use decentralized exchanges (DEXs) and cross-chain bridges like Ren Bridge or Avalanche Bridge. These platforms don’t require ID. They let hackers swap stolen tokens for Bitcoin or stablecoins without asking questions. In 2024 alone, over $1.2 billion in North Korean-linked crypto passed through these bridges.
4. Cash Out - This is the hardest part. No major exchange in the U.S., Europe, or Japan will let you withdraw $5 million without KYC. So North Korea goes where the rules are loose: Cambodia, China, and Macau.

Cambodia: The Fiat Factory

If you want to turn crypto into real cash without paperwork, Cambodia is your destination. Specifically, the city of Sihanoukville. There, North Korea runs at least 14 crypto cafes-small shops that look like internet cafes but function as cash-out points. You walk in with a wallet, hand over your private key, and walk out with stacks of U.S. dollars. No ID. No questions. No trace.

One key player is the Huione Group. FinCEN labeled them a major money laundering concern in May 2025. Their subsidiaries, Huione Guarantee and Huione Crypto, issue non-freezable stablecoins that act as clean bridges between stolen crypto and cash. Between 2021 and 2025, Huione processed over $37 million in North Korean-linked funds. U.S. Treasury records show direct ties between Huione executives and North Korean operatives.

These aren’t just random businesses. They’re part of a network. Workers are paid in crypto, then convert it to cash for the regime. The entire operation runs like a supply chain-with North Korea at the top, Cambodia at the middle, and dollars at the bottom.

China and Macau: The Backup Channels

China cracked down hard on crypto after 2021. But the regime found loopholes. In February 2024, the Department of Justice indicted two Chinese nationals for running a network that moved $250 million in stolen crypto through 37 bank accounts. They used shell companies, fake invoices, and cash couriers to move money without triggering alerts.

Macau’s casinos are another weak spot. Unlike Las Vegas, many Macau casinos accept crypto deposits with less than 5% identity verification. A 2024 TRM Labs report showed that 15% of stolen North Korean crypto ended up in these venues. Gamblers deposit ETH or BTC. The casino converts it to cash. The money gets funneled back to North Korea through third-party intermediaries. It’s not gambling-it’s laundering with dice.

The Human Network: IT Workers Abroad

North Korea doesn’t just rely on hackers. They’ve deployed over 10,000 IT workers overseas. Many live in China, Russia, and Southeast Asia. They get jobs at crypto exchanges, fintech firms, or remote development teams. Once inside, they create backdoors. They delay fraud alerts. They approve withdrawals that should be blocked.

CSIS documented 27 cases in 2024 where North Korean employees at Chinese exchanges enabled direct wallet-to-bank transfers with only 12 hours’ notice-far less than the standard 72-hour fraud window. These workers use fake identities-often pretending to be from India or Vietnam. They use VPNs to make it look like they’re working from the U.S. or Europe. Their job isn’t to code. It’s to move money.

They’re paid in crypto. They cash out locally. And they send the dollars back home. The UN estimates this network brings in $600 million a year.

Why Bitcoin Is the Key

You might think North Korea would use Monero or Zcash-coins designed for privacy. But they don’t. They use Bitcoin. Why?

Because Bitcoin is the most liquid asset in crypto. Every exchange, every OTC desk, every cash-out point accepts it. It’s the universal currency of the underground. In 2025, 82% of all North Korean crypto cash-outs ended in Bitcoin. They convert stolen ETH, SOL, or USDT into BTC first. Then they move BTC to Cambodia or China. Then they turn BTC into cash.

They also keep transaction sizes small-under $10,000. That’s the U.S. reporting threshold. By splitting large thefts into hundreds of small transfers, they avoid triggering anti-money laundering flags.

The Counterattack: Regulations and Tracking

Governments aren’t sitting still. The 2022 sanctions against Tornado Cash shut down North Korea’s main mixing tool. Since then, they’ve had to adapt. They now rely on speed, not secrecy. In 2021, it took them 120 hours to cash out. Now, they do it in 72 hours or less.

Blockchain analysis tools have improved. Chainalysis and TRM Labs can now trace over 70% of North Korean-linked transactions. The Crypto-Asset Reporting Framework, launched in early 2025, forces exchanges in 100+ countries to share customer data. That’s why North Korea’s success rate dropped 22% in Q1 2025 compared to Q4 2024.

But here’s the problem: they’re adapting faster than regulators can keep up. Michael Gronager, CEO of Chainalysis, told Congress in April 2025 that North Korea’s speed of adaptation has increased by 65% since 2022. Meanwhile, detection tools only improved by 40%.

The Future: Stablecoin Arbitrage and Custom Protocols

North Korea isn’t done. A March 2025 CSIS report revealed they’re testing a new method: stablecoin arbitrage laundering. Here’s how it works:

• Steal $10 million in ETH.
• Convert it to USDC on a decentralized exchange.
• Send USDC to an exchange in Vietnam where it trades at a 2% premium.
• Sell it for Vietnamese dong, then wire it to a shell company in Laos.
• Convert dong to USD through a local money changer.

No single transaction is large. No exchange is directly linked to North Korea. The trail vanishes in layers.

They’re also hiring blockchain developers from failed crypto startups. The FBI says 37 have been recruited to build custom cross-chain protocols that can move $500 million without leaving a trace. These aren’t public tools. They’re private, unlisted, and designed to bypass all existing monitoring systems.

Will It Work Forever?

Treasury Secretary Janet Yellen said in May 2025 that North Korea’s cash-out window is closing. She predicts success rates will drop to 40% by 2027. That’s optimistic. The regime has survived sanctions for decades. They don’t quit. They adapt.

As long as there’s a single exchange with weak KYC, a single bank with blind spots, or a single IT worker willing to lie for a paycheck-North Korea will find a way.

What’s changing isn’t their ability to steal. It’s how hard it’s becoming to turn that theft into real money. The game is shifting from hacking to logistics. And the country that’s best at moving money under pressure? That’s North Korea.