The sums hacked from crypto platforms by the Democratic People’s Republic of Korea (DPRK) are huge: The former UN Panel of Experts on DPRK (the Panel) noted in March 2024 that DPRK stole an estimated $3 billion in 58 cyberattacks between 2017 and 2023. Figure 1 suggests that DPRK was responsible for 61% of total crypto stolen worldwide in 2024 ($1.34 billion stolen) and 16% of hacking events (47 incidents). In February 2025, the Lazarus Group stole approximately $1.5 billion of crypto from Bybit (the world’s second-largest cryptocurrency exchange, based in Dubai).[1]
The Panel considered that DPRK’s cyber-attacks on financial institutions and cryptocurrency exchanges were an evasion of financial sanctions. Furthermore, DPRK’s use of stolen proceeds is a violation of Security Council sanctions where designated individuals or entities are involved.[2]
Figure 1. DPRK Hacking Activity 2016 – November 30, 2024. (Source: Chainalysis)
Following a cyber heist, DPRK actors must launder proceeds to avoid tracing and freezing by law-enforcement authorities. Laundering usually involves moving stolen crypto through combinations of mixers, cross-chain bridges, swaps, and decentralized exchanges. This paper does not further consider laundering techniques, but looks at how, once laundered, stolen cryptocurrency may be converted to cash (loosely termed “cashing out” or “liquidation”). Cashing out may not take place immediately: For example, according to a blockchain analytics company in 2022 DPRK had a stockpile of unlaundered cryptocurrency holdings worth $170 million, dating back to 2017.
For most UN Member States, two of the elements of this three-stage process (cyber-attacks and laundering) are likely to be largely invisible: many states have limited cybersecurity infrastructure and expertise and inadequate legislation to identify and respond, and most probably lack resources to employ blockchain analytics companies to do so. But if cashing out involves individuals or organizations in their jurisdictions, states may be able to take action.
Published Cases of Cashing Out
Cashing out can take many forms. It can involve networks of “over-the-counter” (OTC) brokers and facilitators, including in third countries such as China, Russia, Argentina, Cambodia, Vietnam, and the United Arab Emirates. According to a blockchain analytics company, “Chinese laundering networks (from crypto brokers to complicit banks) are the linchpin that enables Pyongyang to transform hacked crypto into tangible resources,” and key facilitators, based in Chinese territory, exploit so-called underground banking networks. The US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) considers that “the DPRK uses and maintains a network of financial representatives, primarily in the PRC, who operate as agents for DPRK financial institutions.” Although much cashing out takes place in China, it also takes place in other countries. The following is a summary of published information on such cases, selected because enough detail is available to enable Member States to search for similar typologies, activities of individuals, and types of entities in their own jurisdictions.
Cambodia
Cashing out activities in Cambodia center on the Huione Group, a Cambodia-based financial services conglomerate comprising a network of businesses connected with the insurance, airline, and real estate sectors across Southeast Asia. According to FinCEN in May 2025, Huione Group has been involved over many years in laundering proceeds from cybercrimes, receiving at least USD 37.6 million worth of digital assets following DPRK-attributed heists. Of specific interest is a payment services subsidiary, Huione Pay PLC, with which, between 2022 and 2024, a DPRK national closely connected with the RGB worked to transfer digital assets and fiat currency.
Separately, a Cambodia-based representative of the Saeng Pil Trading Company, a DPRK weapons trading entity subordinate to the RGB, controlled accounts that contained partial proceeds of a hack conducted by the Lazarus Group in March 2022. It is unclear whether these accounts were a staging post in the laundering process or were used for cashing out stolen crypto.
Argentina
Some of the stolen proceeds of a DPRK-related hack in June 2022 were transferred to a cryptocurrency wallet based in Argentina managed by a Russian national. He had set up a network of exchanges and individuals in Russia and Argentina to convert proceeds of hacks by DPRK and other criminals to clean crypto and fiat currency. Law enforcement seized $121,327 in cryptocurrencies in decentralized wallets and $15 million in cash from him. He apparently used a Telegram messaging application bot to exchange rubles, USDT (tether stablecoin), euros, and dollars for Argentine pesos (see Figure 2).
Figure 2. Diagram illustrating the laundering of funds from DPRK actors and other cybercriminals by the Russian citizen in Argentina.
Russia
DPRK entities have been using Russian services for money laundering since 2021. Cryptocurrency stolen in the 2022 DPRK hack was not only transferred to the Russian national in Argentina; $21.9 million was also transferred to a Russia-based exchange known for processing illicit transactions (Figure 3). A blockchain analytics company considered this a significant escalation in the partnership between Russia and DPRK cyber-actors, although no information is available on any cashing out of the stolen cryptocurrency.
Figure 3. Diagram illustrating some of the movement of stolen Harmony funds to a Russia-based exchange. (Source: Chainalysis)
United Arab Emirates (UAE)
Sim Hyon Sop (Sim), a Dubai-based representative of DPRK’s First Trade Bank (FTB, DPRK’s primary foreign-exchange bank, UN-designation KPe.047) was indicted by United States authorities in March 2023 for facilitating illicit trafficking of tobacco products to fund DPRK’s WMD programs.
In December 2024, United States authorities took action against a UAE-based network run by Sim comprising two Chinese nationals, Lu Huaying and Zhang Jian, and a company, Green Alpine Trading, LLC. The three were designated for allegedly facilitating money laundering and cryptocurrency conversion services to transfer proceeds of hacks to DPRK. In 2022 and 2023, Lu laundered several millions of dollars of Sim’s money through a combination of cryptocurrency cash-outs and money mules, and Zhang facilitated the exchange of fiat currency.
China
Sim was designated by United States authorities in April 2023, at which point he was described as a Korea Kwangson Banking Corporation (KKBC, UN-designated, KPe.025) Deputy Representative who had recently moved to Dandong, China.[3] He was charged again in April 2023 with conspiring with three OTC traders: Wu Huihui, a Chinese national living in Jinan, Shandong, China; Cheng Hung Man, a Hong Kong British National (Overseas) living in Hong Kong; and an unknown user who used the online name “live:jammychen0150” (Chen). The network laundered stolen funds from virtual currency exchange hacks and paid in US dollars for goods purchased from Hong Kong front companies on behalf of DPRK. A portion of proceeds of hacks of virtual asset service providers since 2017 was sent to a virtual currency address used by Sim and his OTC network to pay for goods:
1G3Qj4Y4trA8S64zHFsaD5GtiSwX19qwFv.
Wu and Cheng were reported to be actively converting DPRK-stolen cryptocurrency to fiat currency as late as October 2023. Sim was involved in processing illicit proceeds of DPRK IT workers, as well as DPRK cyber-hacks worth millions of dollars.
Singapore
A Singapore Digital Payment Token Service Provider (a type of Virtual Asset Service Provider), DPTSP X, was involved in transfers of cryptocurrency potentially linked to the Lazarus Group (Figure 4). DPTSP X received Bitcoins from two of a corporate customer’s four wallets, converted these to Tether stablecoin tokens, and transferred them to the customer’s other two wallets. DPTSP X was then alerted that one of the customer’s wallets was linked to the Lazarus Group, at which point it suspended the customer’s accounts and froze all funds.
As noted above, DPRK actors are known to convert stolen cryptocurrency to USDT and transfer these to an OTC broker, usually in China. Singapore is a financial and fintech hub and DPTSP X may have been exploited for laundering proceeds of DPRK cyber-hacks, possibly followed by cashing out in Singapore.
Other Possible Areas of Cashing Out?
Between 2019 and 2021, financial institutions in Nigeria submitted 30 Proliferation Financing-related Suspicious Activity Reports, of which about 91% related to transactions conducted on a virtual assets platform. Whether any were linked to DPRK has not been made public, but it would seem likely. The DPRK Embassy in Abuja is one of only five DPRK Embassies in Africa and is known to be involved in financial transfers: In 2022 a DPRK Embassy official and another DPRK national travelled to Niger, from where they brought back hundreds of thousands of US dollars in cash.
Figure 4. DPTSP X maintained four wallets on behalf of a corporate customer. (Source: Monetary Authority of Singapore)
Cashing Out Trends
Cashing out practices evolve in response to law-enforcement successes in identifying and freezing stolen assets. In 2017, for example, instead of using centralized exchanges likely to cooperate with law-enforcement authorities, DPRK hackers used peer-to-peer (P2P) exchanges run by trusted individuals with large amounts of funds, possibly less likely to require users to register or to provide information to authorities. As of 2022, proceeds from DPRK hacks were being deposited in accounts at Eastern Europe or Asia-based centralized exchanges, mostly non-compliant with law enforcement requests.
According to a 2025 report, DPRK hackers relied increasingly on networks of Chinese and other shadow-banking brokers in Southeast Asia for both laundering and cashing out stolen crypto. After purchasing stolen DPRK crypto at a discount, these operators would use a mix of mirror payments, goods-based settlements, and informal cash networks to convert crypto to a fiat currency (primarily Chinese yuan), used to pay for goods or to make direct payments to DPRK front companies.
Will Crypto Be Used in Future to Pay Directly for DPRK’s WMD Needs?
A recent report suggests that DPRK has explored the direct use of crypto for exchange and payment of sanctioned items:
- In 2023, the 221 General Bureau (DPRK’s main exporter of ballistic missiles and equipment, formerly known as the Korean Mining Development Trading Corporation, KOMID) tried to use crypto as a form of exchange and payment.
- In 2024, officials from the 221 General Bureau retained a contract to sell portable air-defense missile systems to a buyer in Sudan for more than $10 million in USDT.
- In 2024, the DPRK Sinyang Corporation attempted to pay for Russian fuel imports using USDT.
- In 2024, a DPRK procurement agent sought to sell several tons of gold for approximately $300 million in USDT.
- In 2025, the same agent intended to use USDT to purchase an armored vehicle valued at nearly $1 million.
- In 2025, a DPRK procurement official sold military-grade satellite communications equipment to a Laos-based customer who paid partially in USDT.
With crypto, DPRK can, in principle, circumvent financial sanctions, and using stablecoins essentially guarantees the value of the transaction. It seems likely that DPRK will increasingly do this in the future to avoid the challenges of cashing out.
Iran, also under WMD-related sanctions, is reported to be offering to sell advanced weapons systems, including ballistic missiles, for digital currencies. Cooperation between Iran and DPRK on ballistic missiles goes back several decades, and presumably DPRK will emulate Iran’s practices in this respect.
Discussion
Although the cases discussed here are few in number, the details may help identify similar cases elsewhere.
Much of the detail is based on information from US authorities and blockchain analytics companies. States with close contacts with US authorities and blockchain analytics companies are more likely to be able to identify cashing out than those without such contacts.
Cashing out usually involves a centralized exchange or a P2P platform. States that implement Financial Action Task Force (FATF) Recommendations 15 and 16, and FATF Guidance on centralized exchanges or P2P platforms, are more likely to be able to identify possible DPRK cashing out activities than those that do not.[4] States that do not are also more likely to be vulnerable to DPRK’s exploitation to this end.
Conclusion
Much of the cashing out of the massive sums of crypto stolen by DPRK cyber-attacks probably takes place in China and Russia, but this review of known methodologies, individuals and entities is intended to help other states identify and close down cashing out-related activity. DPRK is likely to increase efforts to use crypto as a direct form of payment, and states with evidence of the practice should circulate information widely to encourage the UN community to build defenses.