{
	"id": "07dda418-6d1d-4d2b-be61-d4578fe44c81",
	"created_at": "2026-04-06T00:10:35.836634Z",
	"updated_at": "2026-04-10T03:35:59.554211Z",
	"deleted_at": null,
	"sha1_hash": "1e612a2ad14ce3de4d805ed09efffb65b2ad8f51",
	"title": "Inside North Korea's Crypto Heists: $200M in Crypto Stolen in 2023; Over $2B in the Last Five Years | TRM Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 972058,
	"plain_text": "Inside North Korea's Crypto Heists: $200M in Crypto Stolen in\r\n2023; Over $2B in the Last Five Years | TRM Blog\r\nArchived: 2026-04-05 13:42:16 UTC\r\nOver the past five years, North Korean hackers have stolen over USD 2 billion in cryptocurrencies in over 30\r\nattacks, according to TRM Labs. While reports have indicated the amount of crypto stolen by North Korea since\r\n2018 to be as high as $3 billion, our research indicates that this figure likely includes multiple large hacks\r\nmisattributed to North Korea.\r\nIn 2023, although the total amount stolen in cryptocurrency attacks is down from a record-setting 2022, North\r\nKorea has maintained its focus on the crypto ecosystem. Year-to-date, North Korea has stolen USD 200 million in\r\ncryptocurrency, accounting for over 20% of all stolen crypto this year. \r\nNorth Korean cyberattacks have been successful. In fact, their hacks in 2023 are 10 times larger than attacks by\r\nother actors.\r\nNorth Korean Hackers Continue To Evolve Their Targets, Techniques, and Money Laundering Patterns in\r\na Multi-Chain Crypto Landscape\r\nNorth Korean hacks appear to be opportunistic – reflected by an array of target and exploit types that have\r\nresulted in unprecedented gains.\r\nhttps://www.trmlabs.com/post/inside-north-koreas-crypto-heists\r\nPage 1 of 4\n\nIn recent years, North Korea has almost exclusively targeted the DeFi ecosystem. Cross-chain bridges, which hold\r\nincreasing volume, are a continued target. In 2022, North Korea stole over USD 800 million in three attacks\r\nagainst cross-chain bridges.\r\nNorth Korea exploits vulnerabilities in the crypto ecosystem in a variety of ways including through phishing and\r\nsupply chain attacks, and through infrastructure hacks which involve private key or seed phrase compromises.\r\nThese types of attacks are often enabled by conventional cyber operations and allow the attackers to seize and\r\ntransfer the cryptocurrency to wallets they control. 
According to the FBI, North Korea conducted the largest\r\ncryptocurrency hack on record, stealing USD 625 million from Ronin Bridge in March 2022 using stolen private\r\nkeys.\r\nWhile North Korea’s targets and techniques have evolved over time, so have their on-chain laundering\r\nmethodologies. North Korea’s early exploits – which tend to involve the direct use of cryptocurrency exchanges –\r\nnow feature highly complex, multi-stage money laundering processes in response to more aggressive OFAC\r\nsanctions, law enforcement focus, and improved tracing capabilities. A 2023 hack by North Koreans on Atomic\r\nWallet exemplifies this evolution.\r\nA Profile of North Korea’s 2023 Atomic Wallet Hack\r\nOn June 3, 2023, North Korean hackers targeted users of Atomic Wallet, a non-custodial wallet provider, resulting\r\nin the theft of approximately USD 100 million worth of cryptocurrency from over 4,100 individual addresses. The\r\nnature of the attack on Atomic Wallet indicates that the exploit was most likely carried out through a phishing or\r\nsupply chain attack.\r\nThe hackers drained victims’ wallets on the Ethereum, Tron, Bitcoin, XRP, DOGE, Stellar, and Litecoin\r\nblockchains, and sent funds to freshly created addresses under their control. ERC-20 and TRC-20 tokens were\r\nswapped to native assets (Ether and Tron) through decentralized exchanges, and then laundered through a range of\r\ncomplex techniques including the use of automated software programs, mixers and cross-chain swaps.\r\nThe hackers – who operate brazenly without fear of being caught as they operate almost exclusively inside North\r\nKorea – then drain high value wallets rapidly and send the funds directly to centralized exchanges in a race to off-ramp the funds. 
Once the hack is discovered, hackers then move the funds through a series of more complex\r\nlaundering techniques, stages of which have been visualized in TRM Forensics software below.\r\nStages of Atomic Wallet hack visualized in TRM Forensics: ETH is programmatically laundered\r\nthrough several layers of intermediaries with intertwining paths, before exiting to ninety two (92)\r\nfirst-time Ethereum addresses. WETH is then bridged to Avalanche blockchain, swapped to WBTC\r\nand then bridged to the Bitcoin blockchain.\r\nStages of Atomic Wallet hack visualized in TRM Forensics: WETH from Ethereum is bridged to\r\nAvalanche, swapped for WBTC, bridged to Bitcoin, and then sent to a mixing service.\r\nStages of Atomic Wallet hack visualized in TRM Forensics: Post-mixed bitcoin is bridged to\r\nAvalanche, where the receiving address forwards funds to an intermediary address. A decentralized\r\nexchange is used to swap WBTC for USDT.e with the USDT.e being forwarded to a new address -\r\nrather than returned to the initiator. This provides an additional layer of obfuscation to the flow of\r\nfunds. USDT.e is then bridged to the Tron blockchain.\r\nThe Role of Blockchain Intelligence in Following North Korean Stolen Funds\r\nNorth Korea’s recent Atomic Wallet hack is one example of its evolved obfuscation techniques in a multi and\r\ncross-chain ecosystem. 
Blockchain intelligence – blockchain data enriched with open-source and proprietary\r\nthreat intelligence – as represented by TRM Forensics in the Atomic Wallet hack profile, enables investigators to\r\nfollow the money in cryptocurrency to ultimately identify threat actors and seize illicit funds including funds\r\nstolen and laundered by North Korea.\r\nIn 2019, in response to the growing number of blockchains and the growing use of different chains by\r\ncybercriminals, TRM Labs introduced cross-chain analytics in TRM Forensics, our flagship tracing tool. This\r\nenables investigators to trace funds from multiple blockchains and multiple assets in a single visualization. \r\nIn 2022, TRM identified the growing use of chain-hopping as an obfuscation technique, and introduced TRM\r\nPhoenix, the industry’s first solution for automatically tracing the flow of funds across blockchains through\r\nbridges and other services.\r\nAs North Korea continues to attack the growing crypto ecosystem, the ability to follow stolen funds is more\r\ncritical than ever, and, as North Korea’s laundering methodologies evolve, so must the tools investigators rely on.\r\nSource: https://www.trmlabs.com/post/inside-north-koreas-crypto-heists",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trmlabs.com/post/inside-north-koreas-crypto-heists"
	],
	"report_names": [
		"inside-north-koreas-crypto-heists"
	],
	"threat_actors": [
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e612a2ad14ce3de4d805ed09efffb65b2ad8f51.pdf",
		"text": "https://archive.orkl.eu/1e612a2ad14ce3de4d805ed09efffb65b2ad8f51.txt",
		"img": "https://archive.orkl.eu/1e612a2ad14ce3de4d805ed09efffb65b2ad8f51.jpg"
	}
}