North Korean hacking groups have been tied to most major crypto exchange attacks in South Korea since 2018, while billions of dollars in suspected illicit crypto flows have also moved through the country’s financial system.
Summary
- Crystal Intelligence linked North Korea’s Lazarus Group to six of nine major South Korean crypto exchange attacks since 2018, with confirmed thefts exceeding $120 million.
- South Korean authorities identified $7.1 billion in illegal crypto transactions between 2021 and August 2025, with $6.4 billion tied to the Hwanchigi laundering network.
- Pig butchering scams targeting South Koreans caused $70.6 million in losses during 2025, while regulators continued tightening anti money laundering oversight on domestic exchanges.
According to Crystal Intelligence’s 2026 South Korea Country Assessment Report, shared with crypto.news, North Korea’s state-backed Lazarus Group has been linked to six of nine major exchange breaches involving South Korean platforms between 2017 and 2025, with confirmed thefts exceeding $120 million. Combined losses across all nine incidents were estimated between $196 million and $225 million.
Among the cases outlined in the report was a November 2025 attack on a major domestic exchange that resulted in losses of about $30.4 million. Crystal Intelligence said the incident remains under investigation, though Lazarus is suspected of involvement.
Earlier breaches included a $49 million Ethereum theft in 2019 and a $100 million cross-chain exploit in 2022 that researchers attributed to the group.
Separate findings from Chainalysis, CertiK, and Elliptic had already identified North Korea as the dominant source of global crypto theft activity in 2025. Those firms estimated DPRK-linked hackers stole about $2.02 billion last year, accounting for nearly 60% of the roughly $3.4 billion taken across the crypto sector globally.
Researchers from Chainalysis said North Korean operators have increasingly relied on insider infiltration tactics, placing IT workers inside exchanges and crypto firms to gain privileged access. Elliptic and Chainalysis also linked the record-breaking Bybit exploit, estimated at $1.46 billion to $1.5 billion, to DPRK actors.
$6.4B laundering route tied to Hwanchigi activity
Elsewhere in the report, Crystal Intelligence identified $7.1 billion in illegal crypto transactions in South Korea between 2021 and August 2025. Of that amount, the firm attributed $6.4 billion to Hwanchigi, a cross-border laundering structure that converts money into crypto offshore before routing it through South Korean exchanges and cashing it out in won.
Crystal Intelligence described the method as difficult to track without advanced blockchain tracing tools because the transactions move through multiple jurisdictions and licensed domestic exchanges using nominee-controlled accounts.
In one example cited by the report, South Korean customs authorities dismantled a $113 million Hwanchigi network in January 2026 after a four-year investigation.
Another case involved two Russian nationals who allegedly processed more than 6,000 transactions through a Russia–Korea laundering corridor valued at $42 million.
Peer-to-peer markets also remained active outside the country’s regulated banking structure. During a March 2026 review of 247 P2P advertisements across four platforms, Crystal Intelligence found settlement methods tied to Chinese payment systems such as Alipay, alongside remittance services including Wise, Western Union, and M-Pesa.
The report said these channels complicate traceability because they operate outside South Korea’s real-name verification rules.
Privacy-focused cryptocurrency Monero appeared in several listings reviewed by Crystal Intelligence, which the firm flagged as carrying elevated money laundering risk. Researchers also identified Telegram and Instagram channels facilitating large in-person crypto cash trades in Seoul’s Gangnam, Yeoksam, and Seocho districts, with some transactions reportedly reaching several billion won.
Fraud targeting South Korean crypto users has also accelerated. The report added that pig-butchering scams caused losses of $70.6 million in 2025 across 1,565 incidents, up 48% from the previous year. Separately, the report linked approximately 1,000 South Koreans to scam compounds operating across Cambodia, Myanmar, and Laos.
January 2026 alone saw 73 South Korean nationals repatriated from a deepfake-driven fraud operation that allegedly targeted more than 860 victims and stole around $33 million, according to Crystal Intelligence. Another 64 nationals were brought back from Cambodia in October 2025.
Regulators in South Korea have continued tightening oversight of the crypto sector. Under current rules, all virtual asset service providers must register with the Korea Financial Intelligence Unit and maintain real-name verified accounts connected to domestic banks.
Back in March 2026, the Korea Financial Intelligence Unit issued what Crystal Intelligence described as its largest enforcement action against a domestic exchange, imposing a $24.6 million fine and a six-month partial suspension over 6.65 million alleged anti-money laundering violations. The Seoul Administrative Court later overturned the suspension order in May 2026.
crypto.news
#North #Korean #hackers #linked #major #South #Korean #crypto #hacks
