In brief

  • A report from the U.S. and other Western nations has found that North Korea is becoming more systematic and sophisticated in its crypto-hacking activities.
  • Yet one contributor to the report, Chainalysis, indicates that Western agencies and firms are increasingly adapting to the growing threat.
  • North Korea’s hacking activities have been supplemented in recent months by an IT worker program, which has expanded into China and is expanding into Russia.

North Korea has stolen $2.84 billion in crypto since January 2024, according to a new report from the Multilateral Sanctions Monitoring Team.

Responsible for monitoring the violation of UN sanctions against the Democratic People's Republic of Korea, the MSMT also found that the DPRK stole “at least” $1.65 billion between January and September of this year.

Much of this was the fruit of February’s Bybit hack, yet the MSMT—which lists the U.S., Japan, Germany, France, Canada, Australia and other Western nations as participating states—also reports that North Korea has been expanding its use of remote IT work.

The deployment of IT workers internationally is in violation of UN Security Council Resolutions 2375 and 2397, which forbid the employment of North Korean workers, yet this hasn’t stopped the DPRK from participating in the labour markets of at least eight countries.

These include China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria and Tanzania, with the report detailing how between 1,000 and 1,500 DPRK workers were based in China, and how Pyongyang planned to send as many as 40,000 workers to Russia.

The growing “fight back”

But while the MSMT concludes that North Korea’s cyber force is “a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia,” contributors to its report also testify that Western agencies and firms are increasingly adapting to the problem.

“While North Korea-linked hackers represent a significant threat, law enforcement, national security agencies and private sectors’ ability to identify associated risks and fight back is growing,” said Andrew Fierman, the Head of National Security Intelligence at Chainalysis.

Speaking to Decrypt, Fierman gave an example from August, when the U.S. Office of Foreign Assets Control (OFAC) sanctioned a fraudulent IT worker network linked to the DPRK.

He explained, “These actors were designated for their involvement in schemes that funnel DPRK IT worker-derived revenue to support DPRK weapons of mass destruction and ballistic missile programs.”

Fierman also noted how tens of millions of dollars’ worth of cryptocurrency has been recovered from February’s Bybit hack, while Decrypt reported in June how a portion of the funds had been traced to a Greek crypto-exchange.

“The private sector is more effectively identifying the DPRK IT worker threats, as recently evidenced by Kraken’s efforts in May 2025,” Fierman added. In August, Binance’s chief security officer told Decrypt that, on a daily basis, the exchange discards resumes from North Korean attackers looking to get hired at the firm.

Crypto and North Korea’s weapons program

The ability to identify and thwart North Korean activities is of considerable importance, since, as the report and Fierman make clear, the funds generated by the DPRK’s activities are generally siphoned to its weapons program.

“The MSMT report details how these funds are being used to procure everything from armored vehicles to portable air-defense missile systems,” Fierman said. “Meanwhile, the DPRK’s cyber espionage operations target critical industries including semiconductors, uranium processing, and missile technology, creating a dangerous feedback loop between their financial crimes and military capabilities.”

In the face of such threats, Fierman recommended increased collaboration between public and private entities, of which the MSMT’s report is itself a product, given the involvement of Chainalysis, Google Cloud’s Mandiant, DTEX, Palo Alto Networks, Upwork and Sekoia.io.

He said, “Data-sharing initiatives, government advisories, real-time security solutions, advanced tracing tools, and targeted training can empower stakeholders to quickly identify and neutralize malicious actors while building the resilience needed to safeguard crypto assets.”

By making use of blockchain intelligence and traditional cybersecurity measures, affected parties will be able to identify and freeze stolen funds before they’re laundered, while also mapping North Korea’s financial networks.

Based on this, Fierman and Chainalysis recommend that organizations “implement comprehensive blockchain monitoring, develop enhanced due diligence for IT contractor hiring, deploy advanced threat detection systems, maintain regular security audits, and establish clear protocols for large transactions.”
