
Why North Korea Is Winning Crypto Crime | Ari Redbord
AI Summary
The discussion focuses on the escalating issue of crypto crime, particularly North Korea's state-sponsored hacking activities, and strategies to combat it. The speaker, Ari Redbord of TRM Labs, a blockchain analytics firm, emphasizes that North Korea's cybercriminal activities are not merely state-sponsored but are direct actions of the North Korean government, which has professionalized cybercrime because it lacks a viable economy. Their primary goal is to steal and launder funds, with crypto being the latest medium for doing so.
North Korea's hacking efforts have evolved significantly over the years. Historically, they engaged in counterfeiting and attempts like the Sony Pictures hack and the Bank of Bangladesh heist. However, with the advent of crypto, they realized the potential for "bank robbery at the speed of the internet," leading to an average of a billion dollars stolen annually over the last five to six years, totaling an estimated $6-7 billion. These funds are primarily used for weapons proliferation and destabilizing activities.
A recent and particularly alarming case is the Drift protocol hack on April 1st, where North Korea drained $285 million in just 12 minutes. This incident, along with the Kelp DAO hack, accounted for 76% of all hack value in 2026. What makes the Drift hack so unnerving is the sophisticated social engineering involved. North Korean proxies reportedly met developers at conferences over several months, infiltrating the project and gaining access to private keys or validator credentials. This marks a shift from solely targeting technology to targeting people, employing social engineering at scale. The use of Western proxies to facilitate these operations is a chilling development, suggesting a deeper and more integrated approach to their cyber warfare.
North Korea's cyber army is structured with different groups, often operating autonomously but coordinated, each with distinct signatures for stealing and laundering funds. These "cyber warriors" are recruited from a young age, trained in STEM, and given internet access, often sent to China for education, mirroring the rigorous training of athletes in other nations. Unlike private hacks, these operations are directly aimed at funding weapons and destabilizing the Korean peninsula.
The necessity of these criminal activities stems from North Korea's dire economic situation. Crypto provides them with a consistent, significant revenue stream that no other economic sector could match. The speaker's personal entry into crypto was through investigating North Korean money laundering cases involving Bitcoin, highlighting their early adoption of the technology. Major hacks attributed to North Korea include the $1.5 billion Bybit hack in February 2025 and the $600 million Ronin bridge hack, which was a "game-changer" that brought significant government attention to the issue.
Regarding the stolen funds, North Korea's laundering strategy involves moving funds as quickly as possible, using services like mixers to obfuscate transactions. They are less concerned with being caught than with off-ramping funds to use them for their regime, often losing some in the process but retaining enough to be highly valuable. This funding directly supports their weapons programs and rogue regime. The $6 billion stolen is a monumental sum for North Korea, making these operations a critical part of their national strategy.
The US national security community's response is focused on stopping these attacks rather than shutting down crypto services, recognizing that cyberattacks target all sectors. Two main approaches are advocated: hardening cyber defenses within the DeFi community through best practices and building security into protocols, and taking offensive cyber action against North Korea. The idea is to "steal it back" through capabilities within the national security community.
The speaker proposes empowering the private sector through "cyber letters of marque," akin to historical privateers, to actively pursue and recover stolen crypto assets. This leverages the speed and expertise of the private sector, incentivizing them with a cut of recovered funds. An example of successful recovery is the Colonial Pipeline ransomware attack, where law enforcement traced and reclaimed the ransom. Similarly, the FBI and DOJ seized $15 billion in Bitcoin from a "pig butchering" scam ring, the Chenzai operation, which involved human trafficking victims and was a "whole of government" effort involving indictments, forfeiture, and sanctions. The mystery surrounding how these funds were recovered suggests potential insider cooperation or advanced technical capabilities.
The shift in law enforcement strategy is moving from solely focusing on arrests to prioritizing asset seizure and forfeiture, recognizing that arresting actors in North Korea or other non-extraditing countries is often impossible. Taking the money has a significant impact, akin to seizing assets from drug dealers.
A crucial aspect is victim compensation. The speaker advocates for a victim restoration fund, similar to the Office of Vaccine Restoration, where victims can petition for restitution from seized funds. This is a complex challenge due to the difficulty of associating individual victims with specific criminal compounds, but it is a vital step for restoring trust and making victims whole.
TRM Labs' role involves collecting and attributing blockchain data to illicit actors, providing this information to law enforcement, regulators, and compliance teams at financial institutions. Their threat hunters actively communicate on dark channels to gather intelligence and attribute illicit crypto addresses. Law enforcement uses TRM's software and global investigations team to track and trace illicit proceeds.
While crypto crime amounted to a record $158 billion in 2025, it still represents only about 1.3% of all crypto activity, far less than the 3-6% typically seen in fiat money laundering. Law enforcement agencies appreciate crypto's transparent and immutable ledger, which offers enhanced traceability compared to traditional money laundering methods involving shell companies, bulk cash smuggling, or high-value art. However, visibility is lost when funds move off-chain.
North Korea's post-hack laundering flow involves quickly moving funds, often converting Ethereum to Bitcoin, and utilizing services like ThorChain. While stablecoins like USDT could be frozen, Bitcoin offers a different challenge. They often use professional money launderers, particularly Chinese networks associated with organized crime, which handle off-ramping through casinos and OTC brokers.
To counter this, TRM Labs initiated the Beacon Network, a collaboration with major exchanges (representing 85% of centralized crypto), fintechs, and DeFi protocols, alongside 70 global law enforcement agencies. When illicit proceeds are flagged in real-time, Beacon alerts exchanges, requiring them to block and seize funds, thus creating a "strong perimeter" to prevent off-ramping.
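The tracing and perimeter idea described above (attributing a source address, following the funds forward hop by hop, including across a chain swap, and alerting the exchange whose deposit address the funds reach) can be illustrated with a small forward-taint tracer. This is an added example written for this summary, not TRM Labs' or Beacon's own code, whose actual logic the page does not describe; every address, label, exchange name and transfer in it is constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One on-chain transfer. Cross-chain swaps are modelled as an edge whose
    destination lives on a different chain (asset changes along the edge)."""
    src: str
    dst: str
    asset: str
    amount: float


# Constructed sample ledger: a theft address moves ETH through one hop, swaps to
# BTC via a bridge/swap service, then splits toward an OTC desk and an exchange.
TRANSFERS = [
    Transfer("0xhack", "0xhop1", "ETH", 1000.0),
    Transfer("0xhop1", "0xbridge", "ETH", 1000.0),
    Transfer("0xbridge", "bc1qhop2", "BTC", 30.0),          # swap output (constructed)
    Transfer("bc1qhop2", "bc1qotc", "BTC", 20.0),
    Transfer("bc1qhop2", "bc1qexchange_dep", "BTC", 10.0),
    Transfer("0xclean", "0xexchange_dep2", "ETH", 5.0),      # unrelated, must not alert
]

# Constructed attribution labels: source addresses already tied to an actor.
ATTRIBUTED = {"0xhack": "state-actor theft (constructed label)"}

# Constructed map of known exchange deposit addresses to the exchange operating them.
EXCHANGE_DEPOSITS = {"bc1qexchange_dep": "ExchangeA", "0xexchange_dep2": "ExchangeB"}


def trace(transfers, seeds, max_hops):
    """Breadth-first forward trace from the seed addresses.

    Returns {address: (hops, path)} for every address reachable within max_hops.
    BFS records the first (shortest) path to each address; a mixer or a
    custodial service that pools funds breaks this naive edge-following,
    which is exactly where attribution data rather than graph walking is needed.
    """
    outgoing = {}
    for t in transfers:
        outgoing.setdefault(t.src, []).append(t)
    reached = {s: (0, [s]) for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        hops, path = reached[addr]
        if hops >= max_hops:
            continue
        for t in outgoing.get(addr, []):
            if t.dst not in reached:
                reached[t.dst] = (hops + 1, path + [t.dst])
                queue.append(t.dst)
    return reached


def perimeter_alerts(transfers, attributed, deposits, max_hops=5):
    """Produce one alert per exchange deposit address that tainted funds reach.

    Each alert carries the exchange to notify, the deposit address to place a
    hold on, the hop distance and the path back to the attributed source.
    """
    reached = trace(transfers, set(attributed), max_hops)
    alerts = []
    for addr, (hops, path) in reached.items():
        if addr in deposits:
            alerts.append({
                "exchange": deposits[addr],
                "deposit_address": addr,
                "hops": hops,
                "path": path,
                "source_label": attributed[path[0]],
            })
    return sorted(alerts, key=lambda a: a["hops"])


if __name__ == "__main__":
    for alert in perimeter_alerts(TRANSFERS, ATTRIBUTED, EXCHANGE_DEPOSITS):
        print(f"{alert['exchange']}: hold {alert['deposit_address']} "
              f"({alert['hops']} hops from {alert['source_label']}) via {' -> '.join(alert['path'])}")
```

On the constructed ledger the tracer raises a single alert for ExchangeA four hops out, while ExchangeB's unrelated deposit stays clean; lowering `max_hops` to 3 stops the trace before the deposit address, which shows why hop limits and attribution coverage, not just graph walking, decide what a perimeter catches.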
The debate around privacy protocols like Tornado Cash and Zcash is central. The speaker believes that privacy is essential for an open financial system, but it must be balanced with the need to prevent illicit use. TRM Labs' approach is to attribute addresses to entities (lawful or illicit) rather than individuals, relying on centralized services and lawful processes to obtain user information when necessary. They advocate for leveraging technology, such as zero-knowledge proofs, to allow privacy for legitimate users while still enabling detection of illicit activity, offering a "pseudonymous" financial system rather than an anonymous one.
Regarding developer liability, the speaker aligns with the view that "code is not a crime," provided developers are not conspiring with bad actors. The Roman Storm case for Tornado Cash highlights this tension, as the US government's stance appears conflicted. Criminal intent, not merely creating a tool that can be misused, should be the basis for prosecution.
Recent events like Operation Economic Fury against Iran's IRGC demonstrate the effectiveness of crypto forensics. The US froze $344 million in USDT on Tron, directly sanctioning an Iranian central bank-controlled wallet. This is an "only-in-crypto story," as seizing fiat in such a direct manner is impossible. Iran, like North Korea, is building crypto infrastructure at scale to circumvent the US financial system, using exchanges as shell companies and leveraging expert money launderers.
The persistent use of crypto by state actors, despite increased tracking capabilities, is a "cat-and-mouse game." Bad actors are early adopters of transformative technology, using crypto for faster and larger cross-border value transfers. Law enforcement must continuously evolve to track them.
The possibility of nation-states "defeating" Bitcoin, as hinted by Secretary of War Pete Hegseth, is discussed. The speaker expresses uncertainty about what "defeating" Bitcoin would entail, suggesting it might refer to quantum computing or other advanced technologies. However, his focus remains on "harnessing the technology" to combat adversaries, not on defeating the technology itself.
Finally, addressing the DeFi community, the speaker emphasizes the need for collective action beyond just reimbursing victims. He recommends establishing industry-wide best practices for cyber hygiene and security, much like other sectors, and expanding networks like Beacon. He believes that a happy future for DeFi involves both strong security and user privacy, as an ecosystem where billions can be stolen will not attract widespread adoption. The ultimate goal is to balance security and privacy, not compromise one for the other, ensuring that crypto becomes a secure and trusted financial system.