International Response to North Korean Crypto Crime: How the World Is Fighting Back

North Korea isn’t just building missiles - it’s stealing billions in cryptocurrency. Since 2017, state-backed hackers have turned digital assets into a war chest, funding weapons programs while staying hidden behind layers of code, fake identities, and global financial blind spots. The scale is staggering: over $2.17 billion stolen in the first half of 2025 alone. The February 2025 hack of ByBit, where $1.5 billion vanished in a single attack, wasn’t an anomaly - it was a new normal.

How North Korea Steals Crypto - And Why It Works

The main player behind these heists is the Lazarus Group, a cyber unit under North Korea’s Reconnaissance General Bureau. This isn’t a gang of lone hackers. It’s a disciplined, state-funded operation with access to military-grade tools and decades of experience evading sanctions. Their methods are brutal in their simplicity: exploit trust, not just code.

They target exchanges with weak multi-signature systems, like the ByBit breach, where a routine wallet transfer was hijacked. They infiltrate tech companies by hiring thousands of workers using forged documents - people who appear to be Filipino, Indian, or Eastern European engineers, but are actually North Korean operatives. These employees gain access to sensitive defense contracts, steal blueprints, and quietly funnel money back home through crypto transactions disguised as freelance payments.

They’ve mastered money laundering too. Instead of moving stolen Bitcoin directly, they use decentralized exchanges, cross-chain swaps, and privacy coins like Monero. They mix funds across dozens of wallets, then convert them into NFTs or stablecoins before pulling them into traditional finance. It’s not just theft - it’s financial camouflage.

The Collapse of the UN and the Birth of the MSMT

For years, the UN Panel of Experts tracked North Korea’s sanctions violations. But in May 2024, the panel was dissolved after China and Russia blocked its renewal. Suddenly, the world lost its only formal, global watchdog on DPRK crypto crime.

In its place, 11 nations - the United States, Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea, and the United Kingdom - formed the Multilateral Sanctions Monitoring Team (MSMT) in October 2024. This wasn’t a replacement. It was a reboot.

Unlike the UN, which needed consensus to act, the MSMT operates like a military task force: fast, coordinated, and unapologetically focused. They share real-time blockchain data, coordinate asset freezes, and jointly issue public alerts. Their October 2025 report confirmed they’ve tracked over $2 billion in DPRK-linked thefts in just nine months - and that’s only what they’ve found.

The MSMT doesn’t have police powers. But it has something more powerful: credibility. When Chainalysis, Elliptic, and TRM Labs - the top blockchain analytics firms - confirm a wallet belongs to Lazarus, the MSMT can pressure exchanges and banks to act. That’s how $237 million from the LND.fi hack was frozen in 72 hours.

Multilateral Sanctions Monitoring Team analysts tracking blockchain trails in a high-tech command hub.

How Blockchain Forensics Is Turning the Tide

You can’t chase ghosts with handcuffs. You need a map. That’s where blockchain forensics comes in.

Companies like Chainalysis and Elliptic don’t just track transactions. They map patterns. They know how Lazarus clusters wallets. They recognize the telltale signs of a North Korean laundering cycle: small deposits from multiple exchanges, followed by rapid transfers through privacy protocols, then a slow drip into fiat via over-the-counter brokers.

The U.S. Department of Justice has started using this data to file civil forfeiture cases - not criminal charges, but court orders to seize assets. In June 2025, they took $7.7 million in crypto and NFTs tied to a North Korean laundering network. It’s not a prison sentence, but it’s a financial chokehold.

Training is now a priority. The MSMT has certified 487 analysts worldwide in DPRK-specific tracing techniques. These analysts spend six to eight months learning how to spot the subtle fingerprints of North Korean operations - like how they reuse the same wallet addresses across different attacks, or how they time transactions to avoid exchange monitoring windows.
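The laundering cycle and the address reuse described above can be written down as simple heuristics over labelled transactions. The following Python is an added example, not code from the article, the MSMT or any analytics vendor; the thresholds, field names, address labels and sample transactions are all constructed assumptions.

```python
from collections import Counter

# Illustrative thresholds (assumptions, not values from any published guide).
SMALL_DEPOSIT = 10_000     # USD ceiling for a "small" deposit
MIN_EXCHANGES = 3          # distinct source exchanges needed for fan-in
RAPID_HOURS = 6            # deposit -> privacy protocol within this window
DRIP_MIN_PAYOUTS = 3       # OTC payouts needed to call it a drip
DRIP_MIN_SPAN_HOURS = 72   # ...spread over at least this many hours

def tx(hour, src, src_kind, dst, dst_kind, usd):
    return dict(hour=hour, src=src, src_kind=src_kind, dst=dst, dst_kind=dst_kind, usd=usd)

def laundering_stages(txs, cluster):
    """Return which stages of the cycle appear for an analyst-defined address cluster."""
    stages = set()
    # Stage 1: small deposits arriving from several different exchanges.
    deposits = [t for t in txs if t["dst"] in cluster
                and t["src_kind"] == "exchange" and t["usd"] <= SMALL_DEPOSIT]
    if len({t["src"] for t in deposits}) >= MIN_EXCHANGES:
        stages.add("fan_in")
    # Stage 2: a hop into a privacy protocol within RAPID_HOURS of a deposit.
    hops = [p["hour"] for p in txs if p["src"] in cluster and p["dst_kind"] == "privacy"]
    if any(0 <= h - d["hour"] <= RAPID_HOURS for h in hops for d in deposits):
        stages.add("rapid_privacy_hop")
    # Stage 3: several OTC payouts spread over days rather than one cash-out.
    payouts = sorted(t["hour"] for t in txs if t["src"] in cluster and t["dst_kind"] == "otc")
    if len(payouts) >= DRIP_MIN_PAYOUTS and payouts[-1] - payouts[0] >= DRIP_MIN_SPAN_HOURS:
        stages.add("slow_drip")
    return stages

def reused_addresses(incidents):
    """Addresses that show up in the address sets of more than one incident."""
    counts = Counter(a for addrs in incidents.values() for a in set(addrs))
    return {a for a, n in counts.items() if n > 1}

# Constructed sample data: placeholder names, hours since first observation.
SAMPLE = [
    tx(0, "exA", "exchange", "w1", "wallet", 4000),
    tx(1, "exB", "exchange", "w1", "wallet", 6500),
    tx(2, "exC", "exchange", "w2", "wallet", 3000),
    tx(4, "w1", "wallet", "mixer", "privacy", 10000),
    tx(30, "w3", "wallet", "otc1", "otc", 2000),
    tx(60, "w3", "wallet", "otc1", "otc", 2500),
    tx(130, "w3", "wallet", "otc2", "otc", 1500),
]
CLUSTER = {"w1", "w2", "w3"}
INCIDENTS = {"incident_1": {"w1", "w7"}, "incident_2": {"w1", "w8"}}
print(sorted(laundering_stages(SAMPLE, CLUSTER)), reused_addresses(INCIDENTS))
```

A cluster that shows all three stages is a candidate for analyst review, not an attribution; each stage on its own also occurs in ordinary activity.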

The U.S. Treasury’s Office of Foreign Assets Control (OFAC) even published a public “Red Flags for DPRK Cyber Activity” guide in September 2025. It lists 14 specific wallet patterns and transaction behaviors that financial institutions should watch for. It’s the closest thing to a cheat sheet for stopping North Korean crypto theft.

Where the System Still Breaks Down

Despite progress, the international response has serious gaps.

Smaller exchanges - especially those outside the MSMT’s orbit - struggle to afford the $45,000 annual subscription for advanced blockchain analytics tools. A Crypto Compliance Consortium survey found it costs $1.2 million per platform annually to fully comply with MSMT standards. Many can’t pay. So they don’t. And North Korea knows it.

Then there’s jurisdiction. A hacker in Pyongyang steals from a U.S. exchange, moves funds through a Singapore-based DeFi protocol, and cashes out via a bank in the UAE. Who investigates? Who freezes what? The MSMT can coordinate, but it can’t compel. Countries like Russia, Iran, and Venezuela - which have deepened ties with North Korea - offer safe havens. In fact, MSMT reports show DPRK now uses Russian crypto exchanges as key laundering nodes.

Reddit threads from exchange security teams are full of frustration. One post from October 2025, with over 1,200 upvotes, reads: “We flagged a $500K transfer tied to Lazarus. Took six weeks to get a response from our national FIU. By then, the money was in Monero.”

Even when funds are frozen, recovery is rare. Only about 12.3% of seized DPRK-linked assets are ever returned to victims. Why? Because the trail goes cold fast. Wallets are abandoned. Addresses are deleted. The money becomes invisible.

Trader sees a Lazarus-linked crypto theft alert while a ghostly North Korean operative watches from behind.

The New Front: AI, DeFi, and NFTs

North Korea isn’t standing still. Their attacks are getting smarter.

In mid-2025, hackers used generative AI to create fake LinkedIn profiles, Zoom calls, and even voice recordings of CEOs to trick employees into approving fraudulent transactions. Three major tech firms were breached this way - none had malware. Just a convincing lie.

They’ve also shifted focus. In 2024, 70% of DPRK crypto thefts targeted centralized exchanges. By mid-2025, that number dropped to 41%. The rest? Decentralized finance (DeFi) protocols and NFT marketplaces. Why? Fewer regulations. Less oversight. More liquidity.

The MSMT has responded by launching a new Cryptocurrency Intelligence Fusion Cell in early 2026 - modeled after counterterrorism units. It will bring together blockchain analysts, intelligence officers, and financial regulators from all 11 member nations under one digital roof. Initial funding: $85 million.

Meanwhile, global spending on blockchain security has jumped 63% in 2025, hitting $2.8 billion. The U.S. passed Executive Order 14155 in April 2025, requiring all exchanges to flag transactions over $10,000. The EU’s MiCA II regulations, effective January 2026, will force all crypto platforms to monitor cross-border flows - something many still ignore.

What Comes Next?

The truth is, North Korea won’t stop. They’ve proven they can outmaneuver global institutions. Their cyber units are now more vital to their survival than their nuclear arsenal.

The MSMT is the best thing the world has built to fight back - but it’s not enough. It only covers 11 countries. What about the rest? What about the exchanges in Turkey, Nigeria, or Brazil that still don’t use blockchain analytics? What about the banks that still process transactions from suspicious wallets because they don’t know how to check?

The answer lies in two things: speed and scale. The MSMT’s goal is to have real-time transaction monitoring across all member nations by Q3 2026. That’s ambitious. If they pull it off, they’ll turn the tables: instead of chasing thefts after they happen, they’ll block them before the money moves.

But it won’t matter unless every exchange, every bank, every regulator around the world starts treating crypto crime like the national security threat it is. Because right now, North Korea isn’t just stealing money. They’re testing the world’s resolve. And so far, the world is still playing catch-up.

8 Comments

  • Lena Novikova

    October 30 2025

    North Korea's crypto heists are basically a state-sponsored video game where the end goal is buying nukes with stolen ETH. They don't even bother with fancy hacks anymore - just hire people with fake resumes and walk right in. The real joke? Most exchanges still run on 2018 security protocols.

    Chainalysis says they've tracked $2B in 9 months? That's just what they caught. The real number is probably 5x that. And nobody's talking about how they're using AI-generated CEO voice scams to bypass 2FA. It's not hacking anymore - it's acting.

  • Olav Hans-Ols

    November 1 2025

    Honestly I'm kinda impressed by how adaptive they are. Like yeah they're evil but you gotta respect the hustle. Went from simple exchange hacks to full-on DeFi & NFT laundering in like 2 years. And now they're using AI to impersonate CEOs? That's next level. The MSMT is doing good work but we need way more global buy-in. This isn't just a US problem anymore.

  • Kevin Johnston

    November 2 2025

    This is wild 🤯 Imagine your job is to steal billions so your country can build missiles. Also why is no one talking about how they're using Monero like a ghost currency? 🕶️

  • Dr. Monica Ellis-Blied

    November 4 2025

    The systemic failure here is not merely technical - it is epistemological, institutional, and moral. The dissolution of the UN Panel of Experts was not an administrative oversight; it was a capitulation to authoritarian realpolitik. The MSMT, while tactically superior, remains a voluntary coalition of Western-aligned states, thereby perpetuating a neo-colonial framework of financial governance. Until we acknowledge that crypto crime is a symptom of global inequality - not merely criminal ingenuity - we will continue to fight shadows with flashlights.

  • Herbert Ruiz

    November 6 2025

    You say $2.17B stolen in 2025? Source? Chainalysis? That's a private company with a vested interest in selling analytics. Also, why is this even news? North Korea's been doing this since 2017. We're just now noticing because it's hitting big exchanges.

  • Saurav Deshpande

    November 6 2025

    Let me tell you something they don't want you to know. The whole thing is a psyop. The US and its allies are using this 'North Korean hacking' narrative to justify global crypto surveillance. The real thieves? Central banks and Wall Street. Lazarus Group? Probably a CIA front. You think they'd let a tiny dictatorship steal billions without playing along? Wake up. The blockchain is being weaponized to control YOU.

  • Paul Lyman

    November 7 2025

    I work in compliance and this is real. We flagged a wallet last month that matched Lazarus patterns - same address reuse, same timing windows. Took 3 weeks to get a response from our FIU. By then? The money was already in NFTs and then swapped to stablecoins via a Turkish exchange. We're not fighting hackers - we're fighting bureaucracy.

  • Frech Patz

    November 8 2025

    Could you clarify the methodology behind the $2.17 billion figure? Is this cumulative theft since 2017, or specifically H1 2025? The post references both. Also, what percentage of these thefts are attributable to the ByBit incident versus other incidents? A breakdown would enhance credibility.
