North Korea Becomes Third-Largest Government Bitcoin Holder


Following a $1.4 billion crypto heist linked to the Lazarus Group, North Korea has surpassed El Salvador and Bhutan in Bitcoin holdings. The country now ranks third globally in government-held Bitcoin, raising concerns about the implications of illicit crypto acquisitions.

 


 


 


 

North Korea’s Bitcoin Holdings Now Exceed El Salvador and Bhutan

North Korea has quietly ascended to the ranks of the world’s largest government Bitcoin holders after hackers linked to the regime executed a high-profile cryptocurrency theft.

The notorious Lazarus Group, a cybercrime syndicate tied to North Korea’s intelligence services, infiltrated Bybit, one of the largest cryptocurrency exchanges, on February 21. The hackers stole $1.4 billion, primarily in Ethereum, before converting a significant portion of the stolen assets into Bitcoin.

 


 

This move has propelled North Korea’s total Bitcoin holdings to 13,562 BTC, valued at approximately $1.14 billion. This places the country third among national Bitcoin holders, surpassing Bhutan, which holds 10,635 BTC, and El Salvador, which has accumulated 6,117 BTC. Only the United States, with 198,109 BTC ($16.71 billion), and the United Kingdom, with 61,245 BTC ($5.17 billion), hold more.

 

Strategic Crypto Acquisitions Raise Security Concerns

Unlike other nations that acquired Bitcoin through legal means, North Korea’s rise in the rankings stems from a long history of cyber-enabled financial crimes. The Lazarus Group has repeatedly targeted crypto platforms, exploiting security vulnerabilities to steal digital assets that fund North Korea’s nuclear and military programs.

Cybersecurity analysts suggest that the timing of the Bybit hack is not coincidental. Just days after the attack, the U.S. government announced the formation of the Strategic Bitcoin Reserve (SBR), fueling speculation that North Korea is closely monitoring global crypto accumulation trends among nation-states.

The geopolitical implications of North Korea’s Bitcoin stash are significant. As a heavily sanctioned country with limited access to the global financial system, the regime has turned to cryptocurrency to bypass restrictions and maintain liquidity. Bitcoin’s decentralized nature makes it difficult to seize or freeze these assets, granting North Korea a financial cushion against economic sanctions.

 

Laundering Stolen Funds Despite Global Crackdowns

Blockchain tracking firms report that at least $300 million from the Bybit hack has already been laundered, despite coordinated efforts to freeze the stolen funds. Cryptocurrency laundering networks, often operating through decentralized exchanges, make it challenging for authorities to track and recover illicit assets.

North Korean hackers use advanced laundering techniques, including chain-hopping (swapping assets across multiple blockchains), privacy mixers, and sophisticated obfuscation tools to evade detection. Financial regulators in the United States, Europe, and Asia have ramped up efforts to disrupt these illicit flows, but the sheer scale of laundering operations makes complete recovery unlikely.

 

Bybit’s $140 Million Bounty Program to Recover Stolen Crypto

In response to the hack, Bybit has launched “LazarusBounty,” a $140 million initiative aimed at tracking down and recovering stolen funds. The program offers a 10% reward for recovered assets, with 5% allocated to individuals who successfully freeze the stolen funds and another 5% for those who provide intelligence leading to asset seizures.

Despite these efforts, only $2.2 million in bounties have been awarded so far, with a vast majority of the stolen funds still in circulation. Real-time monitoring indicates that 89% of the $1.4 billion theft remains under surveillance, with 7.5% awaiting responses from authorities and just 3.52% successfully frozen.

 

OKX Under Scrutiny for Alleged Role in Laundering Stolen Funds

Regulators across Europe are investigating cryptocurrency exchange OKX for allegedly facilitating the laundering of $100 million tied to the Bybit hack. Officials from the European Securities and Markets Authority (ESMA) have convened to determine whether OKX’s Web3 platform falls under the European Union’s Markets in Crypto-Assets (MiCA) framework.

Authorities claim that the Lazarus Group exploited OKX’s self-custodial wallet and decentralized trading service to move stolen funds. If found complicit, OKX could face hefty penalties and heightened regulatory scrutiny. Meanwhile, other exchanges, including Bybit, have actively frozen hacked funds, but not all platforms have cooperated. Reports suggest that one exchange, eXch, allowed Lazarus hackers to cash out over $90 million before responding to asset freeze requests.

 

Lazarus Group’s Expanding Cyber Operations

Beyond crypto theft, the Lazarus Group has intensified its cyber-espionage efforts, targeting developers in the financial and blockchain sectors. Security researchers recently uncovered a campaign in which Lazarus hackers planted malicious packages on npm, the widely used JavaScript package registry.

By using typosquatting techniques, the group deployed malware-infected versions of legitimate software packages, tricking developers into unknowingly installing malicious code. Once executed, the malware—dubbed BeaverTail—harvests login credentials, scans browser files for saved passwords, and drains cryptocurrency wallets linked to platforms like Solana and Exodus.

Experts warn that these attacks pose a serious threat to software developers working in the fintech sector, as compromised credentials could provide hackers with backdoor access to major blockchain projects.

 

The Global Fallout of North Korea’s Crypto Strategies

The implications of North Korea’s growing Bitcoin reserves extend beyond financial markets. Analysts argue that Pyongyang’s ability to use stolen cryptocurrency for economic resilience could complicate international efforts to pressure the regime into denuclearization talks.

The United States and its allies continue to attribute multiple crypto-related hacks to North Korea, emphasizing that stolen funds directly support weapons development. With the Lazarus Group shifting its focus from traditional financial institutions to digital asset exchanges, crypto platforms remain prime targets.

Despite international crackdowns, North Korea’s ability to execute large-scale crypto heists remains a significant concern. Its growing Bitcoin holdings not only highlight vulnerabilities in the cryptocurrency sector but also underscore the geopolitical stakes of digital assets in the modern financial era.

 

 
