How North Korea Converts Stolen Crypto to Fiat: The 2025 Cash-Out Blueprint

17 May 2026

You might think that stealing billions in cryptocurrency is the hardest part of a cyberattack. For North Korea, it’s actually just the beginning. The real challenge, and the one that keeps financial investigators up at night, is turning those digital tokens into usable fiat currency. Without this final step, stolen Bitcoin or Ethereum is just code trapped on a ledger, useless for funding weapons programs or buying oil.

In 2024 and 2025, the stakes have never been higher. After the historic $1.5 billion heist from the Bybit exchange in February 2025, the world watched as hackers moved funds with terrifying speed. But how do they actually get that money out? How does a regime under heavy international sanctions turn invisible digital assets into physical cash? The answer lies in a sophisticated, multi-layered system involving cross-chain bridges, exploited regulatory gaps in Southeast Asia, and a network of IT workers operating under false identities.

The Shift from Mixing to Speed

Gone are the days when North Korean hackers relied solely on privacy tools like Tornado Cash. Before its shutdown in September 2022, Tornado Cash processed over $1.2 billion in illicit funds for the regime. But once the U.S. Treasury sanctioned the protocol, North Korea had to adapt quickly. Today, their primary strategy isn't about hiding the transaction trail through complex cryptography; it's about overwhelming analysts with sheer volume and speed.

Nick Carlsen, an expert at TRM Labs, describes this approach as "flood the zone." Hackers execute 400 to 500 high-frequency transactions daily across multiple platforms. This creates noise, making it nearly impossible for blockchain analysts to trace every single movement manually. In the March 2022 Ronin Bridge hack, where $625 million was stolen, this technique was evident. But by 2025, the process has become even more streamlined. According to a February 2025 analysis by the Center for Strategic and International Studies (CSIS), 73% of stolen assets now pass through at least three different blockchain networks before any attempt is made to convert them to fiat.

The typical lifecycle of a stolen asset follows four distinct technical phases:

  1. Initial Theft: Usually achieved through phishing attacks or infrastructure compromises, accounting for 68% of all incidents according to FBI data.
  2. Cross-Chain Movement: Funds are moved through bridges like Ren Bridge or Avalanche Bridge to obscure their origin. In 2024 alone, these bridges processed $1.2 billion in North Korean-linked transactions.
  3. Conversion to Bitcoin: Bitcoin remains the preferred intermediary due to its liquidity. Approximately 82% of final conversions target Bitcoin before moving to fiat.
  4. Fiat Conversion: The final step involves third-party networks with minimal Know Your Customer (KYC) requirements.
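
A defender-side screening heuristic for the pattern described above, added here as an illustration (not code from the article or from any firm it cites): it flags address clusters that exceed the quoted daily transaction volume and also touch three or more chains. The record fields, cluster labels and sample data are constructed, and address clustering is assumed to happen upstream.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Thresholds taken from the figures quoted in the article (400+ transactions a
# day, three or more networks); illustrative starting points, not tuned values.
MIN_TX_24H = 400
MIN_CHAINS = 3


def peak_in_window(timestamps, window=86400):
    """Largest number of transfers inside any rolling `window` seconds."""
    ts = sorted(timestamps)
    peak = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def screen_clusters(transfers, min_tx=MIN_TX_24H, min_chains=MIN_CHAINS):
    """Flag clusters that are both high-frequency and multi-chain."""
    times, chains = defaultdict(list), defaultdict(set)
    for t in transfers:
        times[t["cluster"]].append(t["ts"])
        chains[t["cluster"]].add(t["chain"])
    flagged = {}
    for cluster, ts in times.items():
        peak = peak_in_window(ts)
        if peak >= min_tx and len(chains[cluster]) >= min_chains:
            flagged[cluster] = {"peak_24h": peak, "chains": sorted(chains[cluster])}
    return flagged


def build_sample():
    """Constructed records; cluster labels assume upstream address clustering."""
    t0 = int(datetime(2025, 3, 1, 18, tzinfo=timezone.utc).timestamp())
    rows = []
    for i in range(450):   # burst straddling midnight UTC, rotating three chains
        rows.append({"cluster": "cluster-A", "ts": t0 + i * 120,
                     "chain": ("ethereum", "avalanche", "bitcoin")[i % 3]})
    for i in range(600):   # busy single-chain wallet: volume alone is not enough
        rows.append({"cluster": "cluster-B", "ts": t0 + i * 100, "chain": "ethereum"})
    for i in range(30):    # three chains, but only one transfer a day
        rows.append({"cluster": "cluster-C", "ts": t0 + i * 86400,
                     "chain": ("ethereum", "tron", "bitcoin")[i % 3]})
    return rows


if __name__ == "__main__":
    for cluster, info in screen_clusters(build_sample()).items():
        print(cluster, info)
```

Counting in a rolling 24-hour window rather than by calendar day keeps a burst that straddles midnight from being split into two sub-threshold buckets.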

Cambodia: The New Capital of Crypto Laundering

If you want to understand where the money goes, look to Cambodia. Once overlooked, the country has emerged as the primary hub for converting stolen cryptocurrency into fiat currency. Why? Because its financial sector remains loosely regulated compared to Western standards.

In May 2025, the Financial Crimes Enforcement Network (FinCEN) designated Cambodia’s Huione Group as a primary money laundering concern. Between 2021 and 2025, this entity processed $37.6 million in North Korean-linked cryptocurrency. The connection wasn't subtle; U.S. Treasury officials confirmed direct ties between Huione executives and North Korean actors.

Huione operates through subsidiaries that facilitate the final cash-out phase. Huione Guarantee provides the infrastructure for scams, while Huione Crypto issues non-freezable stablecoins. These stablecoins allow illicit assets to be converted into ostensibly legitimate value without triggering traditional banking alerts. As of March 2025, FinCEN documented 14 North Korean-controlled "crypto cafes" in Sihanoukville, Cambodia. Each of these locations processes between $500,000 and $2 million monthly in cash transactions, requiring zero identification from customers.

Comparison of North Korean Crypto Laundering Hubs

| Location                    | Role in Process                 | Key Entity/Method              | Risk Level                   |
|-----------------------------|---------------------------------|--------------------------------|------------------------------|
| Cambodia                    | Primary Fiat Conversion         | Huione Group, Crypto Cafes     | High (Sanctioned)            |
| China                       | Secondary Conversion & IT Labor | Shell Companies, Bank Accounts | Medium (Increasing Scrutiny) |
| Macau                       | Gambling Vector                 | Casino Deposits                | Low (Niche Use)              |
| Decentralized Finance (DeFi)| Intermediate Obfuscation        | Cross-Chain Bridges            | Variable                     |

The Human Element: IT Workers Under False Identities

Technology alone doesn’t move money; people do. North Korea has deployed thousands of IT workers abroad to facilitate this process. According to the UN Panel of Experts' December 2024 report, these workers generate an estimated $600 million annually for the regime. They are primarily based in China, Russia, and Southeast Asia, but their digital footprints are carefully masked.

These individuals assume false identities, often posing as Indian or Vietnamese nationals, to gain employment with cryptocurrency exchanges and fintech firms. Once inside, they use their privileged access to create backdoors for fund movement. In 2024, CSIS documented 27 specific cases where North Korean IT workers at Chinese exchanges enabled direct wallet-to-bank transfers with only a 12-hour notification period. This bypasses the standard 72-hour fraud detection windows used by most legitimate financial institutions.

To maintain their cover, these workers use virtual private networks (VPNs) and remote monitoring software to appear as if they are working remotely from the United States or Europe. Their primary function is establishing clean withdrawal channels. When working as freelancers, they create fake profiles to secure cryptocurrency payment contracts, then convert digital assets to fiat through local exchange networks with minimal oversight.

Exploiting Regulatory Gaps in DeFi

As centralized exchanges tighten their KYC procedures, North Korea has turned to Decentralized Finance (DeFi). James Chappell, Co-Founder of Digital Shadows, noted in a February 2025 webinar that North Korean launderers now achieve a 92% success rate in converting stolen crypto to fiat within 90 days. This is a significant jump from 65% in 2020, largely due to the exploitation of DeFi’s regulatory gaps.

A March 2025 CSIS investigation revealed the regime is testing "stablecoin arbitrage laundering." In this method, stolen assets are converted to non-sanctionable stablecoins like USDC through decentralized exchanges. The hackers then exploit price discrepancies between regional exchanges to generate clean fiat with minimal transaction trails. This method is particularly dangerous because it leaves fewer fingerprints than traditional mixing services.

Furthermore, the FBI warned in April 2025 that North Korea has recruited 37 blockchain developers from defunct crypto projects. These developers are building custom cross-chain protocols capable of processing $500 million+ transactions while maintaining plausible deniability. This represents a shift from opportunistic theft to strategic resource extraction, treating each hack as a military operation.

The Closing Window: Forensics vs. Adaptation

Despite these sophisticated methods, the window for successful cash-outs is narrowing. Chainalysis CEO Michael Gronager testified before Congress in April 2025 that while blockchain analysis capabilities have improved by 40% since 2022, North Korea’s adaptation speed has increased by 65%. However, the gap is closing.

The implementation of the Crypto-Asset Reporting Framework, which requires exchanges to share beneficiary information across more than 100 jurisdictions, has had a tangible impact. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) reported a 22% decrease in successful North Korean cash-outs in Q1 2025 compared to Q4 2024. Only 3-5% of global cryptocurrency exchanges now maintain sufficiently lax KYC procedures to facilitate large-scale withdrawals without triggering alerts.

Treasury Secretary Janet Yellen stated in May 2025 that projected success rates for North Korean cash-outs will decline to 40% by 2027 due to coordinated international regulatory action. Yet, experts warn that the regime will continue to adapt until cryptocurrency itself becomes fully regulated or obsolete. The battle is no longer just about tracking funds; it’s about shutting down the physical infrastructure (the crypto cafes, the shell companies, and the human networks) that makes the conversion possible.

Why did North Korea stop using Tornado Cash?

North Korea stopped relying heavily on Tornado Cash after the U.S. Treasury sanctioned the protocol in September 2022. Prior to the sanction, Tornado Cash had processed over $1.2 billion in stolen funds for the regime. The sanction forced them to pivot toward speed-based laundering techniques and cross-chain bridges to avoid detection.

What role does Cambodia play in crypto laundering?

Cambodia has become the primary hub for converting stolen cryptocurrency to fiat currency due to its loosely regulated financial sector. Entities like the Huione Group process millions of dollars in illicit assets, and North Korean-controlled "crypto cafes" in Sihanoukville facilitate cash withdrawals without requiring identification.

How do North Korean IT workers evade detection?

North Korean IT workers use false identities, often posing as Indian or Vietnamese nationals, to gain employment at crypto exchanges. They use VPNs to mask their location, appearing to work from the U.S. or Europe. Inside these firms, they exploit their access to bypass fraud detection windows and enable rapid fund transfers.

What is "stablecoin arbitrage laundering"?

Stablecoin arbitrage laundering is a method where stolen assets are converted to stablecoins like USDC via decentralized exchanges. Hackers then exploit price differences between regional exchanges to generate clean fiat currency with minimal transaction trails, taking advantage of DeFi's lack of strict KYC requirements.

Is North Korea's ability to cash out crypto declining?

Yes, success rates are declining. OFAC reported a 22% decrease in successful cash-outs in Q1 2025 compared to the previous quarter. This is attributed to enhanced blockchain forensics and the Crypto-Asset Reporting Framework, which forces exchanges to share beneficiary data globally. Projections suggest success rates could drop to 40% by 2027.

Stuart Reid

I'm a blockchain analyst and crypto markets researcher with a background in equities trading. I specialize in tokenomics, on-chain data, and the intersection of digital assets with stock markets. I publish explainers and market commentary, often focusing on exchanges and the occasional airdrop.