A new report released by the Multilateral Sanctions Monitoring Team (MSMT) on October 23, 2025, reveals that hackers linked to North Korea have stolen approximately $2.84 billion in cryptocurrency between January 2024 and September 2025. That amount, according to the report, represents nearly one-third of the country’s total foreign currency revenue in 2024.
Although North Korea’s reliance on cyber theft has been well documented, the scale of the illicit revenue stream uncovered in the new report underlines how central these operations have become for funding the regime.
How the thefts were carried out and attributed
The MSMT report explains that the majority of the thefts were executed by North Korean hacking teams such as TraderTraitor and CryptoCore. Among their methods, the report highlights social engineering, cloud intrusion, and targeting of third-party providers rather than direct attacks on major exchanges. For example, one operation alone attributed to TraderTraitor reportedly yielded around $2.58 billion in stolen crypto assets from early 2024 onward.
Meanwhile, the report notes that North Korea increased its weapons exports and business dealings with another sanctioned state in 2023, which reduced the relative share of cybercrime-derived currency.
These tactics allow Pyongyang to improve its foreign currency intake while evading traditional banking and trade channels blocked by sanctions.
Why this revenue matters to the regime
The fact that cyber theft now accounts for such a large portion of North Korea’s foreign currency earnings shows a major shift in how the country sustains its economy. While exports of minerals, textiles, and illicit goods remain relevant, the report indicates that digital theft provides a high-return, lower-risk channel for bringing value into the state-controlled system.
Analysts note this income stream supports military priorities, including the regime’s nuclear and missile programs. The report states that cyberattacks targeting cryptocurrencies are “an important revenue source” for the regime.
Given the isolation of North Korea’s formal economy and its heavy sanction burden, these cyber operations fill the gap created by blocked access to global finance and trade.
As these state-linked groups increase their scope and sophistication, companies handling digital assets, wallets, and blockchain infrastructure must assume nation-state-level adversaries. Because the attackers now favour targeting third-party services, cloud providers, and application vendors rather than large exchanges directly, risk expands beyond just major platforms.
Defenders should perform rigorous vendor risk assessments, monitor wallet address flows for unusual activity, and maintain real-time alerts for credential misuse or abnormal transaction patterns. Because the stolen assets are often laundered across multiple chains and jurisdictions, tracing requires specialised blockchain analytics and cross-border coordination.
Regulators and law enforcement teams should also prioritise financial intelligence sharing and examine how proceeds of cyber theft enter cash-based systems, including over-the-counter brokers and regional exchanges. A coordinated international effort remains essential given the cross-border nature of the laundering.
The larger implications for global security
The uncovering of these thefts shows that cybercrime is now integral to how some states finance themselves. North Korea’s reliance on stolen digital currency underscores how the demarcation between criminal activity and state-driven revenue generation is increasingly blurred.
If the trend continues, other sanctioned states might expand use of cyber operations for revenue, making the digital asset ecosystem a critical front in economic warfare and sanctions evasion. Global policymakers, not just crypto firms, must recognise the strategic dimension of these threats.
The report’s timing also matters. As cryptocurrencies gain greater mainstream adoption, the regime’s ability to convert stolen assets into value increases, raising the stakes for both defenders and regulators.