
Five Key Takeaways from MSMT’s Report on North Korean Cyber Operations

UPDATE 11/4/25: The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has designated several North Korean individuals and entities involved in laundering cybercrime proceeds and IT worker funds. Notable among these designations is the Korea Mangyongdae Computer Technology Corporation, which is linked to DPRK’s IT worker operations. Additionally, OFAC included 54 digital currency addresses as identifiers associated with Cheil Credit Bank, a North Korean bank sanctioned back in 2017. These designations align with and further highlight the findings in MSMT’s October report detailed below, particularly regarding the DPRK’s expanding laundering networks and IT worker operations.

 

On October 22, 2025, the Multilateral Sanctions and Measures Team (MSMT) released its comprehensive “Report Covering DPRK Cyber and IT Worker Activities,” revealing insights into North Korea’s evolving cyber operations. As a key contributor to this initiative, Chainalysis provided critical blockchain intelligence that helped uncover the scale and sophistication of the DPRK’s threats.

Below are five key takeaways from the report:

1. Cryptocurrency theft has reached industrial scale

MSMT’s report highlights that the DPRK stole an estimated $2.8 billion in cryptocurrency between January 2024 and September 2025 alone. The most dramatic example is February’s $1.5 billion Bybit exchange heist by the RGB’s “TraderTraitor” group. Unlike typical cybercriminals, who prioritize moving funds stealthily, DPRK actors move stolen funds openly across chains, suggesting they feel increasingly untouchable in the digital space.

2. Their laundering networks are expanding

Our analysis reveals that the DPRK’s stolen funds follow increasingly diverse paths, from sophisticated mixing services to a growing network of OTC brokers in multiple jurisdictions. Particularly concerning are their deepening collaboration with Russian and Cambodian money laundering networks, their strategic use of UnionPay cards issued by Chinese banks as a fiat off-ramp, and their use of Hong Kong-based intermediaries. These expanded relationships make tracing and recovery more challenging, but fortunately not impossible.

In the Chainalysis Reactor graph below, we highlight a representative sample of funds related to the DPRK’s Bybit hack that were funneled to a Hong Kong trader, who then laundered funds through various bridges and mixers. After swapping into other currencies, funds were moved directly into other bridges, mixers, and privacy protocols, including Tornado Cash. Funds were also laundered into Huione Pay, which was recently subject to FinCEN’s Special Measures.

3. Attack vectors are evolving beyond phishing

While spear phishing remains in its playbook, the DPRK has significantly upgraded its tactics. The MSMT report identifies a troubling new trend: coordinated supply chain attacks targeting third-party asset providers and funds custodians. This shift from opportunistic theft to strategic targeting of infrastructure represents a concerning evolution in the DPRK’s capabilities.

4. IT worker fraud has become a major revenue stream

What started as a simple employment scheme has evolved into a sophisticated global operation. Individual DPRK IT workers now earn between $3,500 and $10,000 monthly, with top performers generating up to $100,000 per month. Operating primarily from China and Russia, these workers maintain multiple false identities — sometimes up to 12 per person — and specifically target companies in strategic sectors like artificial intelligence (AI), blockchain, and defense. Additionally, it appears that the DPRK is increasingly targeting firms in Germany, Portugal, and the United Kingdom.

5. The DPRK’s endgame goes beyond financial gain

Perhaps most concerning is how these operations fit into the DPRK’s broader strategic objectives. In many cases, the stolen cryptocurrency is directly funding weapons development programs. The MSMT report details how these funds are being used to procure everything from armored vehicles to portable air-defense missile systems. Meanwhile, the DPRK’s cyber espionage operations target critical industries including semiconductors, uranium processing, and missile technology, creating a dangerous feedback loop between their financial crimes and military capabilities.

What this means for the future

The MSMT report makes one thing clear: North Korea’s cyber operations have evolved from opportunistic attacks into a sophisticated, multi-pronged strategy that combines financial crime, technological espionage, and military objectives. This convergence demands an equally sophisticated prevention strategy and response.

Blockchain intelligence is critical in disrupting these operations. When combined with traditional cybersecurity measures, blockchain analysis can help:

  • identify and freeze stolen funds before they’re laundered;
  • map out DPRK’s expanding financial networks;
  • track procurement patterns for sanctions enforcement;
  • and support attribution of new attack vectors.

Based on the MSMT findings, we recommend that organizations implement comprehensive blockchain monitoring, enhance due diligence for IT contractor hiring, deploy advanced threat detection systems, maintain regular security audits, and establish clear protocols for large transactions. For organizations looking to protect themselves against fraudulent IT workers and other DPRK-linked threats, Chainalysis Hexagate offers automated blockchain screening that can help identify and block high-risk cryptocurrency transactions before they occur. This is particularly crucial given MSMT’s findings about DPRK’s increased targeting of specific industries and regions.

At Chainalysis, we remain committed to working with MSMT and our partners to track, disrupt, and prevent these threats from evolving further.
