North Korean IT workers: How State-Sponsored Tech Teams Influence Crypto and Cybersecurity
When you hear about a crypto exchange getting hacked for $200 million, chances are North Korean IT workers, state-backed cyber units operating under agencies like Bureau 121 or Bureau 120, are behind it. Also known as Pyongyang hackers, they're not lone actors—they're disciplined teams with military-grade training and direct funding from the regime. These aren't random criminals. They're part of a national strategy to bypass sanctions, generate hard currency, and fund weapons programs—all through digital theft.
They don't just target big exchanges like Binance or KuCoin. They go after DeFi protocols, bridge exploits, and even small airdrop campaigns that lack proper security audits. In 2022, the Lazarus Group—linked directly to North Korea—stole over $600 million in crypto, mostly from cross-chain bridges. That’s more than the entire market cap of 90% of tokens listed on CoinMarketCap. And they’re getting smarter: they now fake team members, create fake whitepapers, and even run fake airdrops to trap unsuspecting users. If you’ve ever seen a crypto project with anonymous devs, no real code repo, and sudden hype on Twitter, it might be a decoy—set up by them to lure in wallets.
This isn’t just about money. Their presence changed how the whole industry thinks about security. Exchanges now run internal threat assessments for North Korean TTPs (tactics, techniques, procedures). Wallet providers added extra layers to detect suspicious transfers linked to known laundering addresses. Even airdrops, like the ones you see on CoinMarketCap, now require KYC checks or multi-step verification just to reduce the chance of bot farms run by Pyongyang. And it’s not just tech—it’s psychology. They study trader behavior, exploit fear during market crashes, and time attacks when liquidity is thin. If you’ve ever lost money in a rug pull that felt too perfect, it might not be a scammer—it could be a state-sponsored team.
What you’ll find in the posts below are real cases where these actors left digital fingerprints: from the WazirX hack that wiped out $230 million to the Tether wallet freezes in Iran that mirrored North Korean money laundering patterns. You’ll also see how projects like Hacken Token and TRAVA.FINANCE became targets not because they were weak—but because they were visible. These aren’t just stories about crypto. They’re stories about how a small, isolated country built one of the world’s most effective cyber warfare units—and turned digital assets into its new oil.
How North Korean IT Workers Use Crypto Laundering to Bypass Sanctions
North Korean IT workers have used fake identities and crypto payments to launder over $1.6 billion since early 2025, funding weapons programs while hiding in plain sight as remote employees. Here's how they do it, and how to stop them.