North Korea's Lazarus crypto theft tops $2bn as Treasury hits IT-worker launderers

Pyongyang's hackers drove 76% of 2026 crypto-hack value while OFAC and DOJ pursued the fake-employee revenue machine

Shadow·Money· worsening أموال من·التحوّل الصامت ·13 takes ·13 مارس 2026 ·rbtfl upd 25 يونيو 2026

Summary

North Korea's Lazarus cluster, under the Reconnaissance General Bureau, stole an estimated $2.02bn in crypto in 2025, a 51% rise, and accounted for ~76% of all crypto-hack value through April 2026, including a $292m Kelp DAO exploit. The FBI attributes the record $1.5bn Bybit theft to the TraderTraitor subunit. In March 2026 OFAC sanctioned six people and two entities that laundered ~$800m, and DOJ filed a $7.74m forfeiture, targeting the DPRK IT-worker scheme, operatives using stolen identities to win remote tech jobs and funnel pay to Pyongyang. Laundering adapted after the Tornado Cash takedown rather than slowing.

By the numbers

$2.02bn, DPRK crypto theft in 2025 (+51% YoY); ~$6.75bn cumulative.
76%, share of crypto-hack value DPRK actors drove through April 2026.
$1.5bn, the Bybit heist, the largest single crypto theft on record.
~$800m, laundered by the network OFAC sanctioned in March 2026.
$7.74m, DOJ civil-forfeiture complaint over laundered DPRK funds.

Why it matters

Crypto theft and IT-worker fraud are now Pyongyang's most scalable hard-currency source, underwriting its missile program outside the banking system. Each designation forces a laundering pivot, mixers, OTC desks, stablecoins, keeping enforcement a step behind.

What to watch

Whether US firms tighten remote-hire vetting against fake DPRK identities.
The next laundering venue after Tornado Cash and sanctioned exchanges.
Coordinated action by the MSMT states.

the record · 3

U.S. Department of the Treasury (OFAC) — Treasury designation of facilitators of DPRK IT-worker fraud targeting US businesses, part of the March 2026 sweep against networks that generated nearly $800m and laundered the proceeds for Pyongyang's weapons programs.
U.S. Department of Justice — DOJ civil-forfeiture complaint against over $7.74m laundered on behalf of the North Korean government, tied to the IT-worker and crypto-heist schemes.
U.S. Department of the Treasury (OFAC) — Treasury sanctions on DPRK bankers and institutions laundering cybercrime proceeds and IT-worker funds, naming the financial conduits routing stolen value back to Pyongyang.

قراءات إقليمية · 2

▸ blockchain-forensics

Chainalysis · United States · en

Quantifies 2025 crypto theft at $3.4bn with DPRK actors stealing $2.02bn, a 51% jump, led by the $1.5bn Bybit hack, and details how laundering adapted after the Tornado Cash takedown rather than shrinking.

“North Korea-linked actors stole $2.02 billion in 2025, a 51% year-on-year rise.”

المصدر ↗

▸ blockchain-intelligence

TRM Labs · United States · en

Maps the cyber-facilitator network behind the IT-worker scheme, showing how a Vietnam-based operator converted roughly $2.5m into crypto for North Koreans and how earnings funnel through fake identities into Pyongyang.

“A facilitator converted about $2.5 million into crypto for North Korean IT workers.”

المصدر ↗

also covering · 8

The Hacker News · India
CoinDesk · United States · 13 مارس 2026
CyberScoop · United States
Cointelegraph · Global
UPI · United States · 22 أبريل 2026
Picus Security · Turkey
U.S. Department of Justice · United States
sanctions.io · Global