
North Korea Laundered $1 Billion of Crypto in 4 Months. How Industry Leaders Can Change Crypto Freezes and Recovery

  • julia05126
  • 24 minutes ago
  • 7 min read

TL;DR: We in Web3 have waited too long, sitting back while criminals attack what is good. It is time for us to come together and fight those poisoning Web3.


Please join zeroShadow, SEAL, Bybit, WazirX, Sky Mavis, Metamask, 1inch, ENS, Cayman Islands Bureau of Financial Investigation, Cryptoforensic Investigators, and other committed industry leaders in August to discuss actionable next steps in protecting our industry (link to register)

_____


Since 2014, state-sponsored North Korean cyber actors (broadly referred to as the “Lazarus Group”) have been tracked hacking into and stealing funds from traditional banks, cryptocurrency exchanges, and decentralized finance platforms. Importantly, proceeds from these thefts are directly linked to funding for North Korea’s nuclear programs and other warfare preparations.


Lazarus Group includes a highly destructive subgroup dubbed "TraderTraitor." They are responsible for some of the largest cryptocurrency heists in history, including the $1.5B Bybit hack in February 2025. Between February and June 2025, TraderTraitor successfully laundered over $1B USD from this hack. This happened despite the best efforts of some in the crypto community to stop it, through a free address blacklist API, a bounty program incentivizing freezes and recoveries, and 24/7 tracing by blockchain analysts.


We are sharing this statement so that stakeholders and supporters in the crypto industry understand (1) the challenges in stopping North Korean cyber actors from stealing crypto and (2) the hurdles in the recovery process, and (3) commit to being part of the discussion going forward to overcome these challenges.


Helping victims who have been (or are about to be) targeted by North Korean cyber actors requires that the private and public sectors work collaboratively, take action where appropriate, and share information. This year, global law enforcement has struggled to provide case support because of the overwhelming number of crypto crime cases, many of which require years of work to recover funds. Meanwhile, many of the crypto services used to launder stolen funds will not cooperate with investigations into other hacked companies unless law enforcement steps in. If we fail to take action and coordinate as a crypto community, this $1-2B problem will quickly escalate into something much worse.


Challenge 1: stopping North Koreans from victimizing companies before thefts happen


Problem: lacking pre-compromise preparation and prevention 

Law enforcement tracks North Korean malicious cyber actors, including TraderTraitor, and routinely works with cryptocurrency-industry partners to identify and notify the targets of DPRK cyberattacks before they get compromised. However, some companies do not reply to law enforcement, causing significant delays and roadblocks to stopping a theft in its tracks.


Solution: incident response plans & working with private and public sector specialists

Establishing a trusted communication channel with qualified security researchers and/or law enforcement, through which a company can receive time-sensitive targeted warnings and cyber threat intelligence reports, is crucial to stopping TraderTraitor actors: they move very quickly, sometimes completing blockchain transactions in mere minutes.


Additionally, ensuring that company executives, security personnel, legal counsel, and other employees are aware of North Korean spearphishing tactics provides a first line of defense against potential compromise. Simultaneously, implementing operational best practices, such as those outlined by SEAL Frameworks, can help contain the loss when an employee is compromised.


We suggest that incident response plans include contact information for local and federal law enforcement, as well as trusted cybersecurity researchers. 


Challenge 2: recovering stolen funds 

North Korea successfully cashes out stolen assets by exploiting the crypto ecosystem itself. For example, they utilize professional launderers and decentralized services to outsource risk. They also leverage jurisdictional and regulatory uncertainty to evade interdiction by law enforcement. Because of this, recovery efforts are often met with limited success.


Problem: Asia-based money laundering

How was $1B cashed out so quickly? For these hacks, the DPRK relies on a network of launderers and over-the-counter (OTC) and peer-to-peer (P2P) traders to clean and cash out its stolen crypto. These launderers are often Chinese, and they cash out through OTC desks. Chinese money launderers work 24/7 to move North Korean stolen funds. Their tactics involve taking control of the stolen assets early, often in ways that are not obvious from blockchain analysis, and then moving them through complex paths across multiple blockchains to prepare for cash-out.



The launderers have learned how to evade the most obvious freezes. They avoid services they believe are best equipped to freeze funds. They hold the stablecoin USDT (Tether) for as little time as possible. They do not move large amounts at once, instead splitting transactions into amounts as small as $30K each so that any single freeze has limited impact. In fact, of the 11,633 wallets used to launder the funds from the Bybit hack, only 5% ever held $1M or more.
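
The fan-out and short-hold behaviour just described is something a service's own transaction monitoring can look for. The following is an added example, not code from zeroShadow, SEAL, Bybit or any other organization named in this post; the transfers, address labels and thresholds (a $30K chunk size, a one-hour window, a 15-minute hold limit) are constructed for illustration and would need tuning against real chain data.

```python
"""Heuristics for two of the laundering patterns described above:
(1) splitting a large sum into many sub-threshold chunks within a short window, and
(2) forwarding USDT almost immediately after receiving it.

Added example, not code from any organization named in the post. All transfers,
addresses and thresholds below are constructed/assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int       # unix seconds
    src: str      # sending address (made-up labels, not real addresses)
    dst: str      # receiving address
    asset: str
    usd: float    # USD value at transfer time


def build_sample():
    """Constructed sample, not real chain data: a hot wallet fans $180K out in six
    $30K chunks three minutes apart, and every hop forwards its chunk to an OTC
    deposit address four minutes later. A control transfer of $200K sits for three
    days before moving on and should not be flagged by either check."""
    t0 = 1_700_000_000
    txs = []
    for i in range(6):
        txs.append(Transfer(t0 + 180 * i, "0xhot", f"0xhop{i}", "USDT", 30_000.0))
        txs.append(Transfer(t0 + 180 * i + 240, f"0xhop{i}", "0xotc_deposit", "USDT", 30_000.0))
    txs.append(Transfer(t0, "0xtreasury", "0xvendor", "USDT", 200_000.0))
    txs.append(Transfer(t0 + 3 * 86_400, "0xvendor", "0xvendor_cold", "USDT", 200_000.0))
    return txs


def find_structuring(txs, chunk_max=30_000.0, min_chunks=5, window=3600, min_total=100_000.0):
    """Return {src: (chunk_count, total_usd)} for sources that send at least `min_chunks`
    transfers of at most `chunk_max` each inside `window` seconds, totalling `min_total`
    or more. A freeze on any one chunk catches at most chunk_max/total of the flow,
    which is exactly why the launderers split the funds this way."""
    by_src = defaultdict(list)
    for t in txs:
        if t.usd <= chunk_max:
            by_src[t.src].append(t)
    flagged = {}
    for src, outs in by_src.items():
        outs.sort(key=lambda t: t.ts)
        lo = 0
        for hi in range(len(outs)):           # sliding window over sorted outgoing transfers
            while outs[hi].ts - outs[lo].ts > window:
                lo += 1
            chunk = outs[lo:hi + 1]
            total = sum(t.usd for t in chunk)
            if len(chunk) >= min_chunks and total >= min_total:
                if src not in flagged or total > flagged[src][1]:
                    flagged[src] = (len(chunk), total)
    return flagged


def short_hold_times(txs, asset="USDT", max_hold=900):
    """Return {address: seconds} for addresses that forwarded `asset` within `max_hold`
    seconds of first receiving it (the minimum observed hold per address)."""
    first_in = {}
    for t in sorted(txs, key=lambda t: t.ts):
        if t.asset == asset:
            first_in.setdefault(t.dst, t.ts)
    holds = {}
    for t in txs:
        if t.asset != asset or t.src not in first_in:
            continue
        hold = t.ts - first_in[t.src]
        if 0 <= hold <= max_hold:
            holds[t.src] = min(hold, holds.get(t.src, hold))
    return holds


if __name__ == "__main__":
    sample = build_sample()
    for src, (n, total) in find_structuring(sample).items():
        print(f"structuring: {src} sent {n} chunks totalling ${total:,.0f}; "
              f"one freeze catches at most {30_000 / total:.0%}")
    for addr, secs in sorted(short_hold_times(sample).items()):
        print(f"short hold: {addr} forwarded USDT after {secs}s")
```

Both checks are deliberately cheap so they can run on every deposit or withdrawal event rather than in a nightly batch; the window and chunk thresholds are the knobs a compliance or security team would tune from their own history. The 11,633-wallet figure above suggests a third check worth adding in practice: a per-wallet peak-balance profile, since a network where almost no wallet ever holds $1M is itself a signal that funds are being kept below freeze-worthy amounts.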


Because these funds move, almost immediately, into the hands of mainly Chinese money launderers, the North Koreans have likely already absconded with a significant portion of their stolen funds. The Chinese money launderers pay the North Koreans the value of the funds to be laundered, minus their fee, at the point of exchange. This gives the North Koreans immediate access to the proceeds and shifts the risk of loss from private-sector and law-enforcement action onto the launderers. This is a significant global risk because of the speed at which North Korea is able to move stolen funds off-chain to fund its weapons and nuclear programs.


Problem: jurisdictional uncertainty

Many crypto companies set up their corporate structures so that it is challenging to understand exactly where they are based. They register in multiple countries with tax-lenient regulations and often avoid registering in the United States. This makes it very hard to obtain emergency contact information for these companies, whether to notify them that they have been compromised or to request assistance in stopping money laundering on their platforms.


Typically, law enforcement can only take a case if a victim or attacker is based in its jurisdiction. Only the US has been able to carve out a law enforcement team specifically focused on DPRK hacks regardless of the victim’s location, because of the threat that North Korea poses to national security. Agencies like the FBI have become critical support in these cases, putting forward significant resources to handle crypto cases on top of the other 859,000+ internet fraud complaints they have received.


Problem: our over-reliance on law enforcement

There is a persistent and harmful misconception in the crypto industry that law enforcement involvement is a prerequisite for freezing or recovering stolen assets. It’s unclear how this narrative evolved, but it diverges sharply from long-standing practices in traditional finance, where court orders are routinely used to freeze and recover assets without criminal proceedings.


Most reputable Web3 services will freeze illicit accounts when notified by trusted entities, whether from the public or private sector; a small number refuse to freeze funds under any circumstances unless compelled by law enforcement, citing fears of liability or sanctions. Freezing, however, only prevents further movement: actual asset recovery is a separate process requiring a criminal or civil seizure. In practice, many Web3 services either ignore civil court orders or claim that the orders do not meet jurisdictional requirements.


This approach contradicts decades of legal precedent and reinforces an unsustainable burden on public agencies. Sydney Johnson of Kobre & Kim explains, “For assets held in traditional financial institutions, parties do not need law enforcement to preserve assets from dissipation. Instead, they can go directly to civil courts and request an order that freezes the assets and preserves them for potential judgement or to prevent their dissipation during legal proceedings.”


The crypto ecosystem must evolve to recognize and respect civil legal processes or voluntary proceedings. Over-reliance on law enforcement not only limits recovery options for victims, it also undermines the shared goal of disrupting economic crime. 


Problem: decentralized services

Chinese money launderers rely on decentralized services such as decentralized exchanges, lending protocols, and bridges. These services have varying degrees of true decentralization, and many hours are spent arguing about whether they can or should do anything to intercept these funds before any action is taken. Even services that are truly decentralized need to consider how their protocol could be abused by bad actors and think about creative technological solutions. Services that take proactive measures are less likely to receive these illicit funds.


It is also often difficult to identify those operating these decentralized services. As a result, more than 95% of North Korean stolen funds from the Bybit hack have flowed through these services. Notably, this means that these services accrue fees on each of these money laundering-related transactions. 


Call to action:

We can no longer rely solely on law enforcement to fight this global security issue. It is time to think about what we can do on a civil and voluntary basis to create risk and friction for thieves and money launderers.  It is time for us to create stronger paths of recourse for those victimized.


"At Bybit, we believe the strength of our industry lies in our ability to unite in the face of threats. The rise of sophisticated, state-sponsored cyberattacks is a wake-up call for all of us—we can no longer operate in silos when responding to these challenges," said Ben Zhou, Co-founder and CEO of Bybit. "As a recent target of the Lazarus group, Bybit has significantly strengthened its security infrastructure. That's why we're proud to support and serve as a key member of the Coalition to Change Crypto Freezes & Recovery. Bybit is committed to help shape and lead the standards for crypto security while enabling swift, effective responses to hacks. We firmly believe in collective responsibility."


Join the discussion! - We are hosting a preliminary discussion (virtual) dedicated to solving this issue in August. We invite both members of the public and private sector to participate. Register at this link to attend. 


Questions for you to consider


To any services reading this:

  • How can you work with incident response companies and other services to create a framework that allows for civil recovery?

  • If law enforcement cannot obtain a warrant for frozen funds, are you going to allow DPRK and bad actors to keep using your service? 

  • How are you handling the fees that are accrued through illicit transactions on your platform?

  • Can we create a coalition similar to the Internet Corporation for Assigned Names and Numbers (ICANN) that regulates domains privately through mutually agreed upon terms rather than the policies mandated by governments?


To any regulators reading this:

  • Can we propose regulations that put crypto institutions more in line with traditional banks when it comes to anti-money laundering obligations and protections?

  • What can we do to give services the guidance and protections they need to voluntarily freeze and recover funds through law firms or indemnities?

  • Is it possible to establish an organization similar to the National Cyber-Forensics & Training Alliance (NCFTA) that authorizes information sharing between private and public entities in the name of cybersecurity?


To anyone from legal or insurance backgrounds reading this, what frameworks currently exist to allow for quick freezes and recoveries across many different jurisdictions?


To any security researchers reading this, what can we do to further disrupt these money laundering organizations and prove that they are knowingly laundering for DPRK? 


To everyone in Web3: there were five different TraderTraitor hacks in 2024, and so far this year we have seen one. How can we better prepare for the inevitable next hack, ensuring that affected companies have a chance to recover stolen funds while preventing North Korea from further expanding its nuclear capabilities?