Cashing Out in Pyongyang: The Elaborate Web of North Korea’s State-Sponsored Crypto Thefts
After a significant hack, there’s a certain silence around the offices of cryptocurrency exchanges. Engineers are staring at wallet addresses they no longer control, and while phones continue to ring and Slack channels continue to light up, a sense of delayed grief permeates the room. That silence had become the norm by February of last year, when Bybit lost $1.5 billion in one afternoon. The money was gone before most of the staff finished their coffee.
The scope of the North Korean operation is truly astounding, but scope is not the only thing that makes it so unsettling. It’s the endurance. Hackers from Pyongyang do not smash windows. They get hired. They spend months writing code alongside their future victims, sometimes joining video calls while posing as someone else, and sometimes even meeting in person. In one instance from earlier this year, agents stole about $280 million from the derivatives platform Drift after posing as traders for six months. To appear authentic, they had deposited their own funds. When the exploit came, all it took was opening one repository file.
| Subject | North Korea’s State-Sponsored Cryptocurrency Theft Operations |
| --- | --- |
| Primary Threat Actor | Lazarus Group and affiliated DPRK cyber units |
| Total Stolen (All-Time) | $6.75 billion (lower-bound estimate) |
| Stolen in 2025 Alone | $2.02 billion across multiple incidents |
| Largest Single Heist | Bybit exchange, February 2025 — $1.5 billion |
| Share of Global Service Compromises (2025) | 76% attributed to DPRK actors |
| Primary Cash-Out Geographies | China and Russia (OTC brokers, mixers, bridge services) |
| Funding Purpose | Roughly half of North Korea’s missile and weapons program |
| Key Tactics | IT worker infiltration, fake recruiter scams, peel chains, mixers |
| Government Response | OFAC sanctions, Treasury Department designations, FBI advisories |
| Notable 2025 Trend | Fewer attacks, larger payouts — 1,000x ratio between top hack and median |
It’s difficult to ignore the almost theatrical quality of this: a months-long performance of normalcy, staged so that the last move is a whisper rather than a crash.
The figures themselves continue to rise. According to Chainalysis, hackers connected to the DPRK stole at least $2.02 billion in cryptocurrency in 2025, a 51% increase over the previous year, bringing the all-time total to about $6.75 billion. DPRK-linked theft now represents 76% of all money taken from cryptocurrency services in the previous year; this concentration would be unthinkable in practically any other type of criminal activity. According to investigators at companies like TRM Labs, North Korea has successfully industrialized the practice, treating cryptocurrency theft as a reliable source of state income rather than a series of opportunistic raids.

The more difficult, and likely more fascinating, problem is cashing out. Stealing the coins is a technical exercise. Turning them into something that can pay engineers in Pyongyang or purchase parts for centrifuges is quite another. The 2020 case of Tian Yinyin and Li Jiadong, two Chinese nationals accused by the US Department of Justice, provided a unique look at the choreography. After hackers stole about $250 million from a South Korean exchange in late 2018, the money went through what investigators refer to as “peel chains”: lengthy sequences of transfers in which tiny fractions are shaved off and sent to new addresses, sometimes hundreds of times, until tracing becomes difficult work. By the time anything reached Tian and Li, the trail looked like sand running through a sieve.
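The peel-chain pattern described above can be recognised mechanically by following the large remainder output from hop to hop and recording where each small fraction went. The sketch below is an added example, not code from the article or from any investigator's tooling. The transfer records are constructed, the one-sender data model is a simplification, and the `max_peel_share` and `min_hops` thresholds are assumptions.

```python
"""Follow a peel chain through constructed transfer records (illustrative heuristic)."""

# Constructed sample data, not real addresses or transactions.
# Each record: one sending address, outputs as (address, amount in smallest unit).
SAMPLE_TXS = [
    {"txid": "t1", "from": "A0", "outputs": [("P1", 50), ("A1", 9950)]},
    {"txid": "t2", "from": "A1", "outputs": [("P2", 40), ("A2", 9910)]},
    {"txid": "t3", "from": "A2", "outputs": [("P3", 60), ("A3", 9850)]},
    {"txid": "t4", "from": "A3", "outputs": [("X1", 4900), ("X2", 4950)]},  # even split
    {"txid": "u1", "from": "B0", "outputs": [("B1", 700)]},                # unrelated
]


def trace_peel_chain(txs, start, max_peel_share=0.05, min_hops=3):
    """Walk from `start`, following the large remainder output of each hop.

    A hop counts as a peel when the sender made exactly one transfer with two
    outputs and the smaller output is at most `max_peel_share` of the total.
    Both thresholds are assumptions chosen for this example.
    """
    by_sender = {}
    for tx in txs:
        by_sender.setdefault(tx["from"], []).append(tx)

    peels, current, seen = [], start, set()
    while current not in seen:          # guard against address-reuse loops
        seen.add(current)
        spends = by_sender.get(current, [])
        if len(spends) != 1 or len(spends[0]["outputs"]) != 2:
            break                       # unspent, fan-out, or not a two-way split
        small, large = sorted(spends[0]["outputs"], key=lambda o: o[1])
        total = small[1] + large[1]
        if small[1] > max_peel_share * total:
            break                       # split too even to be a peel
        peels.append((spends[0]["txid"], small[0], small[1]))
        current = large[0]              # the remainder carries the chain forward

    return {
        "is_peel_chain": len(peels) >= min_hops,
        "peels": peels,                 # where the shaved-off fractions went
        "peeled_total": sum(p[2] for p in peels),
        "tail": current,                # last address holding the remainder
    }


if __name__ == "__main__":
    print(trace_peel_chain(SAMPLE_TXS, "A0"))
```

The walk stops at the first hop that no longer looks like a peel, so the `tail` address marks the point where the pattern changes and an analyst has to take over.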
There hasn’t been much change to that fundamental structure. Sophistication is what has evolved. Researchers now describe a 45-day laundering cycle that is more akin to a logistics operation than an evasive scramble. This cycle includes Chinese-language OTC desks, cross-chain bridges, and layered mixing protocols. Reading these reports gives the impression that the attackers are more knowledgeable about the cleanup process than the majority of those fighting it.
It remains to be seen if anything genuinely slows this down. Sanctions fall on specific people, sometimes on a group of wallets, and the work goes on. These kinds of cyber operations now fund about half of North Korea’s missile program, according to CIA estimates. It’s not a side gig. It’s a budget line.
The technical brilliance has been present over the past few years, but the patience of a regime that has learned to wait is more impressive. Six months spent pretending to be a trader. Hundreds of automated transactions. The slow, methodical grind of a nation with few options and little to lose. Whether the rest of the world has caught up, or will ever truly catch up, is still up in the air.