north korea Linked hacker groups have stolen a total of $2.83 billion worth of cryptocurrencies since the beginning of 2024. A lot National Sanctions Monitoring Team(MSMT) last to the report According to data, in the first nine months of this year alone, $1.64 billion worth of crypto money was stolen and seized through attacks. The amount corresponds to approximately one-third of the country’s foreign exchange revenues in 2024.
Bybit Attack Became the Biggest Source of Cryptocurrency Loss
Formed by 11 countries in October 2024 MSMTwas established to monitor how North Korea was circumventing sanctions through cybercrime. According to the latest report of the institution, in 2025 cryptocurrency theft increased by 50 percent compared to the previous year. The biggest loss was in February Bybit It came from the attack targeting the stock exchange. Hackers affiliated with the TraderTraitor (aka Jade Sleet or UNC4899) group Bybit’s multi-signature wallet provider SafeWalleHe infiltrated t and took over the cold wallet smart contract through transactions that appeared to be internal transfers.
The report stated that hackers generally target third-party service providers, not exchanges directly. TraderTraitor, CryptoCore And Citrine Sleep It was stated that groups such as these deepened their attacks with fake developer profiles, identity theft and supply chain information. The $63 million loss of the Web3 project Munchables was also cited as an example of these methods. Although the funds were later returned, the difficulties experienced in the laundering process attracted attention.
Complex Laundering Network and Global Collaborations
According to MSMT’s analysis, stolen assets are converted into cash through a nine-step process. In the first step cryptocurrencyon decentralized exchanges Ethereum 
$4,003.69(ETH), then traces are erased through crypto mixing services such as Tornado Cash and Wasabi Wallet. Ethereum later Bitcoin 
$112,712.16It is converted to (BTC) and mixed again by passing through the bridge platforms. BTC transferred to cold wallets, tron via (TRX) USDTand in the final stage, it is sent to over-the-counter (OTC) intermediaries and converted into cash.
Chinese, Russia And Cambodia It has been determined that people and companies based in Turkey play a key role in this chain. It was determined that Shenzhen Chain Element Network Technology employees Ye Dinrong and Tan Yongzhi, as well as trader Wang Yicong, created fake identities and accounts. It was reported that Russian intermediaries laundered $60 million obtained in the Bybit attack, and Huione Pay in Cambodia was used in transfers even though its license was not renewed.
MSMT noted that Pyongyang-linked groups have been collaborating with Russian-speaking cybercriminals since the 2010s, and that Moonstone Sleet rented ransomware from the Russia-based Qilin group in 2025. While the institution invited all UN countries to raise awareness against cyber threats, it also called on the Security Council to reactivate the terminated Panel of Experts.
