North Korea’s Crypto Tactics Changing Raise Alarms, Says Cybersecurity Expert


On February 15, 2025, the Lazarus Group breached Bybit, and North Korea’s crypto operations reached unprecedented heights. The largest cryptocurrency theft in history is attributed to the group: it stole approximately $1.5 billion worth of Ethereum tokens.

Key Takeaways:

  • In February 2025, North Korea’s Lazarus Group stole $1.5 billion in Ethereum from Bybit. They moved $400 million in the laundering operation, carried out in a matter of minutes via THORChain and Wasabi.
  • Crypto attacks have supplied North Korea’s weapons development. Despite that, and despite continuing U.S. and South Korean cooperation, informal frameworks and deregulation mean that North Korea may resort to exploiting gaps in financial crime safeguards.

Unprecedented Laundering Velocity

In the case of the Bybit hack, North Korea’s crypto laundering operation was very efficient. In less than 48 hours, the hackers pulled off at least $160 million worth of illicit transactions.

By February 23, TRM put the amount of laundered money at over $200 million. By February 26, the amount had increased by more than $400 million.

The first laundering phase was complete by March 3. Some of the stolen ETH was moved to new addresses, and once again most of it was then converted to Bitcoin via THORChain.

North Korea’s crypto laundering scheme was quick, and it relied on DeFi tools. The hackers hid the stolen assets’ origins using decentralized exchanges (DEXs) and cross-chain bridges.

From February 24 to March 2, THORChain posted record transaction volumes. The attackers funneled the stolen Ethereum through this decentralized cross-chain liquidity protocol.

North Korea’s second phase of crypto laundering has begun. Bitcoin deposits are beginning to flow into mixers like Wasabi and CryptoMixer.

According to the TRM experts, those mixers usually process a few million to $10 million daily. The Bybit launderers can move such amounts in hours. Mixers are traceable with specialized tools built for investigators, but tools available to the public run into difficulties and false leads.

North Korea’s crypto attacks have gone much further than serving as a political tool. Now they concentrate on financial gain. In the wake of the 2016 UN sanctions, North Korea has run its cyber operations.

After 2018, cryptocurrency became a prime target. Crypto theft is now a major source of revenue for the regime. It helps North Korea survive Western sanctions.

North Korea’s crypto thefts came to $1.34 billion in 2024. The attacks were financially motivated, and it was a record year.

Between 2017 and 2023, UN experts say, North Korea stole some $3 billion worth of cryptocurrency. The vast majority of these funds likely went to weapons development, including nuclear and submarine investments. Cyber theft is still very much a part of the regime’s strategy.

North Korea also now poses a threat in ransomware-as-a-service (RaaS) and initial access brokering. These tactics go beyond what has been considered a traditional attack.

North Korea’s crypto hackers used Qilin ransomware, as Microsoft reported. This indicates how reliant they are on advanced cyber tools.

Hackers are also using generative AI to improve their attacks. Even “Jumpy Pisces,” a group linked to the Reconnaissance General Bureau, has sided with Play ransomware, which is suspected of being Russian.

International Response Challenges

For those same reasons, North Korea has targeted South Korea and the U.S. with its crypto attacks. The two countries have stepped up defense cooperation in the cyber realm.

As part of this, they meet on ransomware, money laundering, and IT fraud. Such actions have resulted in an account takedown and joint sanctions. Eventually, some of the stolen assets have been found. The fight against North Korea’s illicit revenue generation continues.

However, the framework for responding to North Korea’s crypto threats still rests primarily on trust between national leaders and on diplomatic agreements, not on an institutional mechanism. The continuity and effectiveness of bilateral cooperation depend heavily on political transitions within either country.

Recent U.S. regulatory changes have raised concerns about crypto oversight. The developers of Tornado Cash were released from sanctions, and some money laundering cases were dropped as well.

This trend of deregulation could have negative consequences for financial crime safeguards. North Korean operatives could exploit these gaps to conceal identities and traffic funds.

Also, North Korea’s crypto operations are not just criminal activity: they serve clear strategic military interests tied directly to nuclear weapons development. To counteract these threats effectively, cooperation must be institutionalized so that it withstands political transitions and is backed by concrete, actionable guidelines.

Strengthened cooperation needs to be in place to counter North Korea’s crypto threats. The cyber consultation platforms should be formalized.

The U.S.-ROK Senior Steering Group is ad hoc. Working-level channels also do not meet on a regular basis. Since September 2024, the U.S.-ROK Cyber Threat Working Group has not been active. Sustaining cybersecurity efforts depends heavily on regular meetings.

Conclusion

Countering North Korea’s crypto tactics takes more than information sharing; high-risk incidents require joint response guidelines. North Korea’s activities should be criminalized through joint indictments, public attribution, sanctions, and coordinated actions with global exchanges to break up laundering and freeze stolen funds and other assets.
