Imagine a thief stealing a painting from a museum. Instead of driving away in a flashy car, they immediately swap the painting for cash at three different pawn shops, then buy gold bars, convert those into cryptocurrency on a foreign server, and finally send the digital coins through five different networks before anyone notices it’s gone. That is essentially what DPRK hackers are doing with stolen cryptocurrency.
The Democratic People's Republic of Korea (North Korea) has turned cybercrime into a state-sponsored industry. In 2025 alone, groups linked to the regime stole over $2 billion in crypto assets. The biggest single event? The February 2025 Bybit heist, which netted more than $1.5 billion, surpassing all of North Korea’s combined thefts from the entire year of 2023. But stealing the money is only half the battle. The real challenge is hiding it.
To do this, these actors have abandoned old-school mixing services and moved to a sophisticated technique called cross-chain laundering. This involves moving funds across multiple blockchain networks to break the trail of ownership. Let’s look at how they pull this off, why it matters to you, and what the industry is doing to stop them.
The Shift from Mixers to Bridges
For years, if you wanted to hide dirty crypto, you used a mixer. Services like Tornado Cash or Wasabi Wallet would take your coins, mix them with others, and spit out clean coins that couldn’t be traced back to you. It was messy, but effective.
However, around 2022 and 2023, regulators cracked down hard. The U.S. Treasury sanctioned Tornado Cash, and law enforcement agencies got better at tracking mixer inputs and outputs. Suddenly, using a mixer became a red flag. If you sent money to a sanctioned mixer, exchanges would freeze your account instantly.
So, the Lazarus Group, the primary hacking unit associated with North Korea’s Reconnaissance General Bureau, changed tactics. They stopped relying on simple mixers and started using cross-chain bridges.
A bridge allows you to move value from one blockchain (like Ethereum) to another (like Bitcoin or Tron). When you use a bridge, the original token is locked or burned, and a new token is minted on the other chain. This creates a natural break in the transaction history. To an analyst looking at just the Ethereum chain, the money disappears. To someone looking at the Bitcoin chain, it appears out of nowhere. Connecting the two requires specialized tools and significant effort.
| Feature | Traditional Mixing | Cross-Chain Bridging |
|---|---|---|
| Traceability | High risk; input/output addresses often flagged by analytics firms. | Lower immediate risk; breaks the direct on-chain link between source and destination. |
| Speed | Slow; often requires waiting periods to avoid detection. | Fast; automated scripts can hop chains in minutes. |
| Cost | Variable fees based on service popularity. | Higher costs due to multiple gas fees and bridge premiums. |
| Primary Target | Small to medium amounts. | Large-scale heists requiring rapid obfuscation. |
Anatomy of a Cross-Chain Heist
Let’s break down exactly what happens after a hack occurs, using the recent Bybit incident as a case study. The process is less about stealthy whispering and more about overwhelming force.
- The Breach: Hackers gain access to exchange hot wallets or private keys. In the case of Bybit, they drained massive amounts of Ether (ETH) and USDT.
- Initial Conversion: They don’t keep the stolen tokens. Using decentralized exchanges (DEXs), they quickly swap ERC-20 tokens (like USDT) into native assets like Ether. This simplifies the next step.
- Bridge Hopping: Here is where the magic happens. They use platforms like Ren Bridge or the Avalanche Bridge to move funds from Ethereum to Bitcoin, Solana, or Tron. Bitdefender reported that the Lazarus Group deposited more than 9,500 BTC through the Avalanche Bridge alone in previous operations.
- Flood the Zone: Nick Carlsen, a North Korea expert at TRM Labs, describes this as "flooding the zone." The hackers don’t make one big transfer. They split the funds into thousands of smaller transactions across multiple chains simultaneously. This overwhelms compliance teams and blockchain analysts who are trying to track the flow in real-time.
- Layering: Once on a new chain, the funds might be swapped again, mixed with legitimate traffic, or converted into stablecoins. Sometimes, they create new tokens issued directly by the laundering network to further confuse trackers.
- Stationary Holding: Surprisingly, much of the converted Bitcoin remains stationary after the initial chaos. This suggests the hackers aren’t rushing to cash out immediately. They are likely waiting for market conditions to improve or preparing for large-scale over-the-counter (OTC) liquidations later.
Why Cross-Chain? The Technical Advantage
You might wonder why they don’t simply stick to one blockchain. The answer lies in data fragmentation.
Most blockchain analytics firms specialize in specific networks. A firm might be excellent at tracing Bitcoin but have limited coverage on obscure Layer-2 solutions or newer altcoins. By jumping chains, DPRK hackers exploit these gaps.
Consider the journey of a stolen dollar:
- Starts on Ethereum (highly monitored).
- Moves via bridge to Solana (different monitoring tools required).
- Swapped to Tron (popular for stablecoins, high volume makes tracing harder).
- Finally converted to Bitcoin (the preferred store of value for long-term holding).
Each hop requires a different set of forensic tools. By the time an analyst connects the dots, weeks may have passed, and the funds have been layered through additional transactions.
Furthermore, some bridges operate with varying degrees of transparency. While many are open-source, others use wrapped tokens that don’t always maintain a perfect 1:1 traceable link without deep technical investigation. This adds friction to the pursuit.
The Human Element: Social Engineering on the Rise
While the technology behind cross-chain laundering is complex, the method of entry is becoming surprisingly human. In 2025, there was a notable shift in targeting strategy.
Previously, hackers focused almost exclusively on centralized exchanges (CEXs) because they held large pools of liquidity. However, as exchanges improved their security infrastructure, the Lazarus Group began targeting individuals, specifically high-net-worth crypto holders and company executives.
Elliptic noted that "the weak point in cryptocurrency security is now human, not technological." Hackers are using phishing emails, fake job offers, and compromised social media accounts to steal private keys directly from victims. Once they have the key, they don’t need to hack a firewall; they just need to execute the cross-chain transfer sequence described above.
This is dangerous because individual wallets lack the robust multi-signature requirements and cold storage protocols that major exchanges use. A successful social engineering attack gives the hacker immediate control over the funds, allowing them to initiate the cross-chain laundering process within minutes.
The Arms Race: Analytics vs. Obfuscation
It’s not a one-sided fight. The blockchain intelligence community has responded with increasingly sophisticated tools.
In 2019, TRM Labs introduced cross-chain analytics to their flagship tool, TRM Forensics. By 2022, they launched TRM Phoenix, designed specifically to automatically trace funds across blockchains through bridges. These tools use machine learning to identify patterns typical of DPRK activity, such as specific timing sequences, common bridge usage, and known wallet clusters.
Law enforcement is also stepping up. In August 2023, the FBI urged cryptocurrency exchanges to halt transactions from wallets associated with the Lazarus Group. They provided lists of known Bitcoin addresses connected to the hackers. This collaborative approach aims to choke off the exit ramps where laundered crypto is eventually converted into fiat currency.
However, the scale of the problem is growing faster than the defenses. With over $2 billion stolen in 2025, the sheer volume of transactions makes manual review impossible. Automated detection systems are essential, but they must constantly adapt to new bridges and new obfuscation techniques.
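As an added illustration (not code from this article or from any analytics vendor), the two defensive checks described above, a "flood the zone" fan-out heuristic and screening against a list of known addresses, can be run over a constructed transfer log. The addresses, bridge contracts and transfers are placeholders invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholders, not real indicators: a denylist of known-cluster
# addresses and the deposit contracts of two hypothetical bridges.
KNOWN_BAD = {"0xbad000000000000000000000000000000000001"}
BRIDGES = {"0xbridge0000000000000000000000000000000a1",
           "0xbridge0000000000000000000000000000000a2"}

@dataclass(frozen=True)
class Tx:
    ts: int          # unix seconds
    src: str
    dst: str
    value_eth: float

def fan_out_alerts(txs, window_s=600, min_deposits=5, min_bridges=2):
    """Return {sender: deposit_count} for senders that make min_deposits or
    more bridge deposits, spread over at least min_bridges distinct bridges,
    inside any window_s-second window (the 'flood the zone' fan-out)."""
    by_src = defaultdict(list)
    for tx in txs:
        if tx.dst in BRIDGES:
            by_src[tx.src].append(tx)
    alerts = {}
    for src, deposits in by_src.items():
        deposits.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(deposits)):
            while deposits[end].ts - deposits[start].ts > window_s:
                start += 1                      # slide the window forward
            window = deposits[start:end + 1]
            if len(window) >= min_deposits and len({t.dst for t in window}) >= min_bridges:
                alerts[src] = max(alerts.get(src, 0), len(window))
    return alerts

def denylist_hits(txs):
    """Screen both counterparties of every transfer against KNOWN_BAD."""
    return sorted({a for tx in txs for a in (tx.src, tx.dst) if a in KNOWN_BAD})

# Constructed sample: one ordinary user making a single bridge deposit, one
# address fanning a balance out across both bridges within three minutes,
# and one transfer that touches a denylisted address.
B1, B2 = sorted(BRIDGES)
SAMPLE_TXS = [
    Tx(1_700_000_000, "0xuser1", B1, 2.0),
    *[Tx(1_700_000_100 + 30 * i, "0xsuspect", B1 if i % 2 else B2, 50.0) for i in range(6)],
    Tx(1_700_000_500, "0xuser2", "0xbad000000000000000000000000000000000001", 0.5),
]

if __name__ == "__main__":
    print(fan_out_alerts(SAMPLE_TXS))   # {'0xsuspect': 6}
    print(denylist_hits(SAMPLE_TXS))    # ['0xbad000000000000000000000000000000000001']
```

Real deployments would feed these checks from indexed chain data for every network the bridges touch and tune the window and thresholds per bridge; the point here is that the fan-out signature is detectable on the source chain before the funds reappear elsewhere.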
Geopolitical Implications: Funding Weapons Programs
This isn’t just about financial crime; it’s about global security. According to a 2024 UN report, member states claim that the DPRK’s weapons program is largely funded by its cyber operations. A senior Biden administration official stated in 2024 that approximately 50% of North Korea’s foreign-currency earnings came from cybercrime.
Every dollar laundered through cross-chain bridges potentially contributes to nuclear proliferation and ballistic missile development. This elevates the issue from a cybersecurity concern to a matter of international stability. The Wilson Center emphasized that this type of theft constitutes a global security threat, linking cryptocurrency theft directly to weapons financing.
The progression is clear:
- 2023: $660.5 million stolen across 20 incidents.
- 2024: $1.34 billion stolen across 47 incidents.
- 2025: Over $2 billion stolen, including the record-breaking Bybit heist.
This exponential growth shows that cross-chain laundering is working well enough for the regime to double down on it. As long as the profits outweigh the risks of seizure, the attacks will continue and likely escalate.
What Can You Do?
If you are a retail investor, your risk of being targeted by state-sponsored hackers is low. However, understanding these trends helps you stay safe.
- Use Hardware Wallets: Keep your private keys offline. This protects you against the social engineering attacks that are becoming more common.
- Beware of Phishing: Never click links in unsolicited emails or messages claiming to be from exchanges or support teams. Verify URLs manually.
- Enable Multi-Factor Authentication (MFA): Use hardware keys (like YubiKey) rather than SMS-based 2FA, which can be SIM-swapped.
- Monitor Your Addresses: Consider using blockchain analytics services that alert you if your addresses interact with known malicious clusters.
For businesses and exchanges, the lesson is clear: traditional perimeter defense is no longer sufficient. You need real-time cross-chain monitoring, automated compliance checks, and collaboration with law enforcement. The days of reacting after the fact are over; prevention must happen before the funds even leave the wallet.
Who are the DPRK hackers responsible for cross-chain laundering?
The primary group is known as the Lazarus Group, which operates under the 3rd Bureau of the DPRK's Reconnaissance General Bureau (RGB). Specific subunits, such as TraderTraitor, have been attributed to major heists like the Bybit breach by the FBI.
What is cross-chain laundering?
Cross-chain laundering is a technique where stolen cryptocurrency is moved across multiple blockchain networks (e.g., from Ethereum to Bitcoin) using bridges. This breaks the direct transaction trail, making it harder for analysts to trace the funds back to the original hack.
Why did North Korean hackers stop using mixers like Tornado Cash?
Regulators sanctioned mixers like Tornado Cash, and law enforcement improved their ability to track mixer inputs. Using these services became a high-risk red flag, prompting hackers to switch to cross-chain bridges, which offer a more subtle way to obscure fund origins.
How much crypto has North Korea stolen in 2025?
According to Elliptic, North Korea-linked hacking groups stole over $2 billion in crypto assets in 2025 alone. This includes the record-breaking Bybit heist, which exceeded $1.5 billion.
What is the "flood the zone" technique?
This is a strategy where hackers overwhelm compliance teams and blockchain analysts by executing thousands of rapid, high-frequency transactions across multiple platforms and chains simultaneously. This complexity makes real-time tracking nearly impossible.
Are individual users at risk from DPRK hackers?
While DPRK hackers primarily target exchanges, there is a growing trend toward targeting high-net-worth individuals and executives via social engineering (phishing, fake job offers). Retail users should remain vigilant against phishing attempts and secure their private keys.
How do blockchain analytics firms track cross-chain laundering?
Firms like TRM Labs and Chainalysis use advanced tools (such as TRM Phoenix) that combine on-chain data with proprietary threat intelligence. They map known hacker wallets, monitor bridge activities, and use machine learning to identify suspicious patterns across different blockchains.