How North Korean Hackers Use Cross-Chain Crypto Laundering to Hide Stolen Funds

How North Korean Hackers Use Cross-Chain Crypto Laundering to Hide Stolen Funds Jul, 16 2026

North Korean hackers have stopped playing by the old rules. For years, they relied on simple mixing services to hide stolen cryptocurrency. Today, they are orchestrating complex, high-speed maneuvers across multiple blockchain networks to launder billions of dollars. This shift isn't just a technical upgrade; it is a strategic survival mechanism for a regime under heavy sanctions.

In 2025 alone, groups linked to the Democratic People's Republic of Korea (DPRK) stole over $2 billion in digital assets. The single largest event was the Bybit heist in February 2025, where attackers drained more than $1.5 billion. To move this money without getting caught, they use cross-chain crypto laundering. This technique involves rapidly moving funds between different blockchains-like Ethereum, Bitcoin, and Tron-to break the trail that investigators follow.

The Evolution from Mixers to Chain-Hopping

Until recently, the standard playbook for hiding crypto involved mixing services. Tools like Tornado Cash or Wasabi Wallet would pool your coins with others, making it hard to tell who owned what. But as governments cracked down on these mixers, the Lazarus Group, a primary hacking unit associated with North Korea, had to adapt.

Around 2022 and 2023, the group shifted its focus. Instead of just mixing coins on one chain, they started "chain-hopping." This means converting stolen tokens into native assets on a different blockchain almost immediately. For example, if they steal an ERC-20 token on Ethereum, they might swap it for Ether, bridge it to Binance Smart Chain, convert it to BNB, and then bridge it again to Bitcoin. Each step adds a layer of complexity that makes manual tracking nearly impossible.

Data from Elliptic shows that the Lazarus Group became responsible for a massive surge in funds processed through cross-chain conversion services. Between June 2023 and early 2025, they seized roughly $240 million from breaches at platforms like CoinsPaid, Alphapo, and Stake.com, using these rapid swaps to obscure the origin of the funds.

Anatomy of a Cross-Chain Attack

Understanding how these operations work requires looking at the specific tools and tactics used. The process is automated, fast, and designed to overwhelm compliance teams.

  1. Initial Theft: Hackers breach a centralized exchange or a high-value wallet. In the Bybit case, they exploited vulnerabilities to access user funds directly.
  2. Rapid Conversion: Within minutes, the stolen tokens are swapped for native currencies (like ETH or TRX) via decentralized exchanges (DEXs).
  3. Bridging: The funds are moved across chains using bridges. TRM Labs identified frequent use of the Ren Bridge and the Avalanche Bridge. Bitdefender reported that the Lazarus Group deposited more than 9,500 BTC through the Avalanche Bridge alone.
  4. Flood the Zone: This is a tactic described by Nick Carlsen, a North Korea expert at TRM Labs. Hackers generate hundreds of transactions simultaneously across multiple networks. The goal is not just to hide the money, but to confuse analysts with sheer volume.
  5. Final Obfuscation: The funds often end up in Bitcoin, which is then held stationary or moved to obscure wallets. Sometimes, hackers create new tokens on lesser-known chains to further complicate tracing.

This multi-stage process ensures that by the time a security team identifies the initial theft, the money has already bounced through several ecosystems, breaking the direct link to the source.

The Bybit Heist: A Case Study in Scale

The February 2025 Bybit breach serves as the perfect example of modern DPRK laundering tactics. The FBI attributed this attack to TraderTraitor, a subunit of the Reconnaissance General Bureau’s 3rd Bureau. The scale was unprecedented.

After stealing the funds, the hackers didn’t just run. They executed a sophisticated dance across blockchains. Investigators traced swaps between Bitcoin, Ethereum, BTTC (BitTorrent Chain), and Tron. Portions of the stolen Ethereum were routed through Solana and Binance Smart Chain before being converted back to Bitcoin.

What made this particularly difficult to track was the speed. Automated software programs facilitated these transactions, executing them faster than human analysts could react. The "flood the zone" technique meant that compliance officers at exchanges were bombarded with thousands of small transfers, making it hard to distinguish legitimate traffic from illicit flows.

Comparison of DPRK Laundering Tactics Over Time
Period Primary Method Key Tools Used Complexity Level
2017-2021 Mixing Services Tornado Cash, Sinbad, YoMix Low to Medium
2022-2023 Transition to Bridges Atomic Swap, Early Cross-Chain Protocols Medium
2024-2026 Advanced Chain-Hopping Ren Bridge, Avalanche Bridge, DEXs High
Data wave crashing over an overwhelmed security analyst

Why Cross-Chain? The Strategic Advantage

You might wonder why hackers bother with such complexity. Why not just sell the Bitcoin directly? The answer lies in detection capabilities. Blockchain analytics firms like Chainalysis and TRM Labs have become incredibly good at tracking single-chain movements. If you send Bitcoin from Wallet A to Wallet B, it’s easy to flag if Wallet A is known to be malicious.

Cross-chain laundering breaks this continuity. When funds move from Ethereum to Bitcoin via a bridge, the transaction hashes are different. The address structures change. It forces investigators to piece together a puzzle where half the pieces are missing or hidden in obscure ledgers.

Additionally, some blockchains offer less transparency. While Ethereum and Bitcoin have robust analytics coverage, newer or smaller chains may not. Hackers exploit these "blind spots" by routing funds through obscure networks where tracking tools have limited data. This allows them to pause, regroup, and re-enter the mainstream financial system later.

The Human Element: Social Engineering Rises

While the technology gets more advanced, the entry point for many hacks remains surprisingly human. In 2025, there was a marked pivot toward targeting individuals rather than just institutional platforms. High-net-worth crypto holders and company executives became prime targets.

Elliptic noted that "the weak point in cryptocurrency security is now human, not technological." Hackers use phishing emails, fake job offers, and compromised social media accounts to steal private keys. Once they have access, they don’t need to exploit code vulnerabilities; they just need to log in. This shift broadens the attack surface significantly. An individual’s personal wallet lacks the multi-signature requirements and real-time monitoring of a major exchange, making it easier to drain quickly.

Digital funds flowing into a looming missile silhouette

The Geopolitical Stakes

This isn’t just about lost money for victims. It’s about national security. The UN has reported that the DPRK’s weapons program is largely funded by cyber operations. In 2024, a senior Biden administration official stated that approximately 50% of North Korea’s foreign-currency earnings came from cybercrime.

The escalation from $660.5 million stolen in 2023 to over $2 billion in 2025 shows that this is a state-sponsored priority. The funds generated from these heists help bypass international sanctions, allowing the regime to purchase materials for nuclear and missile development. Every dollar laundered through cross-chain bridges is a dollar that potentially fuels global instability.

How Defenders Are Responding

The cybersecurity community hasn’t stood still. Firms like TRM Labs introduced cross-chain analytics features to their forensic tools, enabling investigators to visualize fund flows across multiple blockchains in a single dashboard. TRM Phoenix, launched in 2022, was one of the first solutions to automatically trace funds through bridges.

Law enforcement is also adapting. The FBI has urged exchanges to halt transactions from known Lazarus Group addresses. However, the cat-and-mouse game continues. As defenders improve their detection algorithms, hackers refine their "flood the zone" tactics, using higher volumes and more obscure chains to stay ahead.

For users and businesses, the lesson is clear: traditional security measures aren’t enough. You need multi-layered protection, including hardware wallets, strict access controls, and constant monitoring of unusual transaction patterns. Understanding that your assets can be moved across chains in seconds should change how you view custody and risk.

What is cross-chain crypto laundering?

Cross-chain crypto laundering is a technique where stolen cryptocurrency is rapidly moved between different blockchain networks (such as Ethereum, Bitcoin, and Tron) using bridges and decentralized exchanges. This process obscures the origin of the funds, making it difficult for investigators to trace the money back to the initial hack.

Who are the main actors behind DPRK crypto hacks?

The primary group is the Lazarus Group, which operates under the 3rd Bureau of the DPRK's Reconnaissance General Bureau (RGB). Specific subunits, such as TraderTraitor, have been attributed to major heists like the 2025 Bybit breach. These are state-sponsored entities acting on behalf of the North Korean government.

Why did North Korean hackers stop using mixers like Tornado Cash?

Governments and regulators increased scrutiny and enforcement actions against mixing services, leading to sanctions and seizures. To avoid detection, hackers shifted to cross-chain bridges and chain-hopping techniques, which are harder to regulate and trace compared to centralized mixing protocols.

What is the "flood the zone" technique?

This is a strategy where hackers execute a massive volume of transactions across multiple platforms simultaneously. The goal is to overwhelm compliance teams and blockchain analysts, making it difficult to identify which transactions are illicit amidst the noise of normal activity.

How much money have DPRK hackers stolen in recent years?

In 2023, they stole approximately $660.5 million. This escalated to $1.34 billion in 2024. In 2025, estimates exceed $2 billion, driven largely by the record-breaking Bybit heist in February, which alone surpassed all of 2023's combined theft totals.

Are individual investors safe from these attacks?

No. Hackers have increasingly targeted high-net-worth individuals and executives through social engineering tactics like phishing and fake job offers. Personal wallets often lack the robust security infrastructure of institutional exchanges, making them vulnerable to quick drainage once access is gained.

Which bridges are commonly used by Lazarus Group?

Investigations by TRM Labs and Bitdefender have identified frequent use of the Ren Bridge and the Avalanche Bridge. The group has deposited thousands of BTC through these channels to facilitate rapid movement between ecosystems.

How does this affect global security?

The funds stolen through these cyber operations are believed to finance the DPRK's weapons and nuclear programs. With cybercrime accounting for a significant portion of the regime's foreign currency earnings, these hacks pose a direct threat to international stability and non-proliferation efforts.