Accessing the Stolen Funds
While the theft of $1.5 billion in ETH is no insignificant feat, this does not mean that the North Korean government now has $1.5 billion in usable funds. Instead, the stolen ETH must be laundered, obscuring the origins of the stolen funds, and exchanged for usable currency.
The process of laundering and transferring cryptocurrency is costly and involves great friction, some of which is intentionally created by law enforcement and some of which is inherent to the market structure. As such, the total reaching the North Korean government will fall far below $1.5 billion.
In past cryptocurrency thefts by North Korean hackers, the threat actors almost immediately transferred their stolen funds into Bitcoin (BTC). This is likely due to BTC being harder to trace than ETH because of Bitcoin’s transaction model. Bitcoin uses the Unspent Transaction Output (UTXO) model, comparable to transactions with physical cash where each individual bill would need to be traced. On the other hand, Ethereum uses an account model, akin to a bank account with a running balance, which is more centralized than Bitcoin.
TraderTraitor once again took this route. On March 20, 2025, Bybit CEO Ben Zhou shared that the hackers had converted 86.29% of the stolen ETH to BTC. TraderTraitor also worked to further obscure the transaction trail, as reported by the blockchain intelligence platform TRM Labs, through the use of “multiple intermediary wallets, decentralized exchanges (DEXs), and cross-chain bridges.” Moreover, Zhou shared that the hackers started using BTC and ETH mixers. As the name implies, mixers blend transactions together, which further inhibits blockchain analysts’ ability to track the funds. Following the use of mixers, these North Korean operatives are leveraging peer-to-peer (P2P) vendors, platforms facilitating the direct purchase and sale of crypto from one user to another.
Additionally, it appears that the threat actors are leveraging money laundering-as-a-service, provided by organized crime syndicates in China and countries throughout Southeast Asia. Use of this service seeks to further obfuscate funds, reducing traceability and seemingly utilizing a “flood the zone” tactic. This tactic seeks to overwhelm compliance analysts, law enforcement, and blockchain analysts by performing thousands of transactions, both through DEXs and wallet-to-wallet transfers. After the costly efforts to hide the transaction trail, the ultimate goal of this process will be to convert the funds into fiat currency, or currency issued by a government like the US dollar or the euro.
As the threat actors engage in this laundering process, Bybit, law enforcement, and partners from across the industry continue to actively work to recover the funds. However, the window in which funds can be frozen or recovered closes rapidly. Within the laundering process there are three main stages where the funds can be frozen: when they are exchanged for BTC; when they are exchanged for a stablecoin, or any cryptocurrency with its value pegged to stable assets like fiat currency; or when they are cashed out at exchanges. As the window for seizure at these stages is extremely small, it requires efficient collective action from law enforcement, cryptocurrency services and exchanges, and international actors. The more time that passes, the more difficult recovery becomes.
Strengthening Security
Discussions around security in the crypto industry are not new, but this incident once again highlights the need for change. A lot of insecurity in crypto amounts to a lack of basic cyber hygiene, a problem endemic to businesses across sectors, industries, and countries. This industry is full of startups that grow rapidly. Often, when these startups are trying to “make it,” cybersecurity measures may become an afterthought, especially when companies lack the funds or personnel for such measures. The problem isn’t unique to new businesses, however: even well-established companies may let cybersecurity fall by the wayside or may lack the education to understand the rapidly evolving threat landscape.
Additional security measures from either Safe{Wallet} or Bybit would have reduced the likelihood of this incident occurring. For instance, implementing pre-signing simulations would have allowed employees to preview the destination of a transaction. Enacting delays for large withdrawals also would have given Bybit time to review the transaction and freeze the funds. Utilizing more transaction validation, through methods like raw transaction validation (reviewing the raw data in a smart contract versus the UI) or off-chain validation (verifying the transaction outside of the blockchain), could have prevented this incident as well.
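As an added illustration of the raw transaction validation and withdrawal-delay controls described above (example code written for this page, not Bybit’s or Safe{Wallet}’s own; the addresses, amounts and hold threshold are constructed), the check below decodes the calldata a signer is actually about to approve and compares it with what the signing UI claims to show:

```python
# Added example, not code from the article, Bybit or Safe{Wallet}: a minimal
# "raw transaction validation" check. It decodes the ABI-encoded calldata that
# will be signed, compares it with the destination and amount the UI displays,
# and holds large transfers for delayed review. Only the ERC-20
# transfer(address,uint256) selector (0xa9059cbb) is decoded; anything else is
# rejected so the signer must inspect it rather than trust the UI summary.
# All sample addresses and amounts are constructed for illustration.

TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")

def encode_transfer(to: str, amount: int) -> str:
    """ABI-encode transfer(to, amount); used here only to build sample calldata."""
    addr = to.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + TRANSFER_SELECTOR + addr + f"{amount:064x}"

def decode_calldata(calldata: str) -> dict:
    """Decode raw calldata; unknown selectors and malformed arguments are flagged."""
    data = calldata.lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    if selector != TRANSFER_SELECTOR:
        return {"kind": "unknown", "selector": selector}
    if len(args) != 128 or args[:24] != "0" * 24:
        return {"kind": "malformed", "selector": selector}
    # an address occupies the low 20 bytes of its 32-byte ABI word
    return {"kind": "transfer", "to": "0x" + args[24:64], "amount": int(args[64:], 16)}

def validate(calldata: str, ui_to: str, ui_amount: int, hold_threshold: int) -> dict:
    """Return {'decision': 'approve' | 'hold' | 'reject', 'findings': [...]}."""
    decoded = decode_calldata(calldata)
    findings = []
    if decoded["kind"] != "transfer":
        findings.append(f"not a plain ERC-20 transfer (selector {decoded['selector']})")
        return {"decision": "reject", "findings": findings}
    if decoded["to"] != ui_to.lower():
        findings.append(f"destination mismatch: raw {decoded['to']} vs UI {ui_to.lower()}")
    if decoded["amount"] != ui_amount:
        findings.append(f"amount mismatch: raw {decoded['amount']} vs UI {ui_amount}")
    if findings:
        return {"decision": "reject", "findings": findings}
    if decoded["amount"] >= hold_threshold:  # withdrawal delay for large transfers
        return {"decision": "hold", "findings": ["large transfer: queued for delayed review"]}
    return {"decision": "approve", "findings": []}

if __name__ == "__main__":
    COLD = "0x" + "11" * 20   # constructed: the destination the UI displays
    OTHER = "0x" + "22" * 20  # constructed: what the raw calldata really says
    print(validate(encode_transfer(COLD, 10**18), COLD, 10**18, 10**21))
    print(validate(encode_transfer(OTHER, 10**18), COLD, 10**18, 10**21))
```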
Policy solutions should put more emphasis on educating industry actors around major threats in crypto and the role of cybersecurity while also incentivizing higher security standards.
That is not to say that the crypto industry does not follow any security standards. For instance, the Financial Action Task Force, an intergovernmental body, sets and updates global guidelines for anti-money laundering (AML) protocols and Know Your Customer (KYC) processes for customer verification and risk assessments of those customers. These have largely been codified by the Financial Crimes Enforcement Network (FinCEN) in the United States. Back in 2013, FinCEN also stipulated that the Bank Secrecy Act and its AML standards apply to administrators and exchanges in crypto.
However, things get tricky when one considers that in the United States and most countries, crypto is still largely unregulated, and the efficacy of its current regulation is often debated. Many argue that regulation effective for securing banks is less effective in the crypto space due to the industry’s decentralized nature. Crypto needs more security regulations, but it also needs new solutions that take into account its differences from fiat financial institutions.
Both the United Arab Emirates and Bahrain have turned to regulatory sandboxes, controlled environments where crypto firms can test new technologies and business models, to find an array of solutions to issues posed by crypto while still promoting innovation. Policymakers in the United States should similarly utilize sandboxes to try to find more effective AML and KYC solutions for the crypto space to ensure effective and efficient regulation.
In addition to US regulation, cooperation and collaboration, both domestically and internationally, are imperative, particularly given the limited opportunity that exists to freeze or recover stolen funds. Efficient coordination between industry actors, government agencies, and law enforcement must be included in any efforts to strengthen the security of cryptocurrency. Information sharing organizations like Crypto ISAC and SEAL-ISAC, with partners across the cryptocurrency industry, work to improve the speed and integration of efforts to stem cryptocurrency thefts. The industry-wide response to the Bybit heist is a great example of the value of collaboration. Yet, the need for ever faster action remains.
Continuing to formalize channels between different industry actors, governments, and law enforcement, while still maintaining the decentralized nature of crypto, would enable faster incident response as well as improve incident preparedness.
Additionally, response times can be improved by ensuring individuals working across the agencies involved in preventing financial crime receive training on cryptocurrency and how to leverage its “investigative power.”
Moreover, harmonizing regulations and response frameworks would improve coordination and collaboration efforts. Harmonization would allow for ease of collaboration across jurisdictions, pivotal for intervening in the small windows of opportunity to regain stolen funds.
Overall, building a secure crypto industry will require clearer regulatory environments that companies can safely operate in, innovative policy solutions, higher security standards, and formalizing international and domestic partnerships. Securing the crypto industry must be made a priority if we wish to mitigate the illicit funding of the DPRK’s weapons programs.