North Korean hackers have stolen over $1.64 billion in 2025 alone through cyberattacks on cryptocurrency exchanges and by creating fake identities to secure remote tech jobs, funding their nuclear and missile programs.

A detailed international report highlights that these hackers employ a sophisticated nine-step money laundering process, involving asset swaps, mixing services, and moving funds through multiple wallets to obscure their origins.

The thefts have increased significantly, with a major incident in February 2025 involving the hack of the exchange Bybit by the North Korean hacking group TraderTraitor, which used phishing and malware to access wallets.

The final stage of laundering involves converting cryptocurrencies into fiat currency through OTC brokers and financial entities in countries like China, Russia, and Cambodia, with specific individuals and companies facilitating these transactions.

Efforts to monitor and curb these activities include diplomatic concerns raised with Cambodia over Huione Pay, a financial service linked to laundering activities, which continues to operate despite regulatory issues and warnings.

The MSMT, established in 2024 after Russia vetoed the UN Panel of Experts, monitors North Korea's sanctions evasion and cyber activities, urging increased international cooperation and tighter financial regulation.

The MSMT, comprising 11 countries and operating outside the UN framework, focuses on monitoring North Korea's illicit activities, including cyber and military cooperation, especially after the disbandment of the UN panel.

Major hubs for North Korean IT workers include China, which hosts the largest concentration, and Russia, where workers often enter on student visas and operate in cities like Moscow, Ussuriysk, and Vladivostok.

The MSMT attributes the surge in thefts partly to the February 2025 hack of Bybit, linked to TraderTraitor, which employed advanced techniques such as phishing and malware to access wallets.

North Korean hackers employ a detailed nine-step laundering process involving asset swaps on decentralized exchanges, mixing services like Tornado Cash, and dispersing assets across multiple wallets to conceal their activities.

Third countries including the UAE, Pakistan, Argentina, Vietnam, Ukraine, the US, and Japan have facilitated North Korean cyber activities by providing fake identities, hardware, and online resources.

The MSMT report urges UN member states to enforce sanctions, restore the UN panel of experts, and strengthen efforts to counter illicit activities that threaten international security.