# North Korea's Lazarus crypto theft tops $2bn as Treasury hits IT-worker launderers
> Pyongyang's hackers drove 76% of 2026 crypto-hack value while OFAC and DOJ pursued the fake-employee revenue machine

**Meta:** type: story · date: 2026-03-13 · heads: Whose money, Silent shift · 13 takes · 3 lenses · 4 regions

## Summary

[North Korea's](/hi/entity/north-korea-evasion) Lazarus cluster, under the
Reconnaissance General Bureau, stole an estimated $2.02bn in crypto in 2025, a 51%
rise, and accounted for ~76% of all crypto-hack value through April 2026, including a
$292m Kelp DAO exploit. The FBI attributes the record $1.5bn Bybit theft to the
TraderTraitor subunit. In March 2026 OFAC sanctioned six people and two
entities that laundered ~$800m, and DOJ filed a $7.74m forfeiture, targeting the
[DPRK](/hi/entity/north-korea) IT-worker scheme, in which operatives use stolen identities to win
remote tech jobs and funnel pay to Pyongyang. Laundering adapted after the Tornado Cash
takedown rather than slowing.

## By the numbers

- $2.02bn: DPRK crypto theft in 2025 (+51% YoY); ~$6.75bn cumulative.
- 76%: share of crypto-hack value DPRK actors drove through April 2026.
- $1.5bn: the Bybit heist, the largest single crypto theft on record.
- ~$800m: laundered by the network OFAC sanctioned in March 2026.
- $7.74m: DOJ civil-forfeiture complaint over laundered DPRK funds.

## Why it matters

Crypto theft and IT-worker fraud are now Pyongyang's most scalable hard-currency source,
underwriting its [missile program](/hi/n/north-korea-2026-missile-tempo) outside the banking
system. Each designation forces a laundering pivot (mixers, [OTC
desks](/hi/entity/crypto-laundering), stablecoins), keeping enforcement a step behind.

## What to watch

- Whether US firms tighten remote-hire vetting against fake DPRK identities.
- The next laundering venue after Tornado Cash and sanctioned exchanges.
- Coordinated action by the [MSMT](/hi/n/north-korea-maritime-oil-evasion-2026) states.

## Regional takes (batched by bias / lens)

### unlabelled
- **U.S. Department of the Treasury (OFAC)** (United States, en) — Treasury designation of facilitators of DPRK IT-worker fraud targeting US businesses, part of the March 2026 sweep against networks that generated nearly $800m and laundered the proceeds for Pyongyang's weapons programs.
  Source: https://home.treasury.gov/news/press-releases/sb0416
- **U.S. Department of Justice** (United States, en) — DOJ civil-forfeiture complaint against over $7.74m laundered on behalf of the North Korean government, tied to the IT-worker and crypto-heist schemes.
  Source: https://www.justice.gov/opa/pr/department-files-civil-forfeiture-complaint-against-over-774m-laundered-behalf-north-korean
- **U.S. Department of the Treasury (OFAC)** (United States, en) — Treasury sanctions on DPRK bankers and institutions laundering cybercrime proceeds and IT-worker funds, naming the financial conduits routing stolen value back to Pyongyang.
  Source: https://home.treasury.gov/news/press-releases/sb0302
- **The Hacker News** (India, en)
  Source: https://thehackernews.com/2025/12/north-korea-linked-hackers-steal-202.html
- **CoinDesk** (United States, en)
  Source: https://www.coindesk.com/business/2026/03/13/u-s-sanctions-6-people-2-companies-that-laundered-usd800-million-in-crypto-for-north-korea
- **CyberScoop** (United States, en)
  Source: https://cyberscoop.com/us-nationals-sentenced-facilitate-north-korea-tech-worker-scheme/
- **Cointelegraph** (Global, en)
  Source: https://cointelegraph.com/news/us-treasury-sanctions-north-korea-it-worker-crypto-fraud
- **UPI** (United States, en)
  Source: https://www.upi.com/Top_News/World-News/2026/04/22/KelpDAO-LayerZero-North-Korea-crypto-hack-theft-Lazarus-Group/6151776848419/
- **Picus Security** (Turkey, en)
  Source: https://www.picussecurity.com/resource/blog/fbi-north-korean-lazarus-group-bybit-crypto-heist
- **U.S. Department of Justice** (United States, en)
  Source: https://www.justice.gov/opa/pr/justice-department-announces-nationwide-actions-combat-illicit-north-korean-government
- **sanctions.io** (Global, en)
  Source: https://www.sanctions.io/blog/the-lazarus-group-and-dprk-crypto-theft-in-2026

### blockchain-forensics
- **Chainalysis** (United States, en) — Quantifies 2025 crypto theft at $3.4bn with DPRK actors stealing $2.02bn, a 51% jump, led by the $1.5bn Bybit hack, and details how laundering adapted after the Tornado Cash takedown rather than shrinking.
  > "North Korea-linked actors stole $2.02 billion in 2025, a 51% year-on-year rise."
  Source: https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/

### blockchain-intelligence
- **TRM Labs** (United States, en) — Maps the cyber-facilitator network behind the IT-worker scheme, showing how a Vietnam-based operator converted roughly $2.5m into crypto for North Koreans and how earnings funnel through fake identities into Pyongyang.
  > "A facilitator converted about $2.5 million into crypto for North Korean IT workers."
  Source: https://www.trmlabs.com/resources/blog/us-treasury-sanctions-north-korean-cyber-facilitator-linked-to-it-worker-scheme


---
Canonical: https://rbtfl.xyz/hi/n/north-korea-crypto-theft-it-workers-2026