Stopping the Heist: How the World is Fighting North Korean Crypto Crime
Imagine a state-sponsored heist where the thieves don't wear masks or carry bags, but instead use lines of code to steal billions of dollars from across the globe. This isn't a movie plot; it's the reality of how North Korea funds its weapons programs today. In the first half of 2025 alone, these operations raked in over $2.17 billion. The most shocking example? The February 21, 2025, hack of the ByBit exchange, where $1.5 billion vanished in a single hit, marking it as the biggest cryptocurrency theft in history.

But the world isn't just watching. When the United Nations Panel of Experts dissolved in May 2024, it left a dangerous gap in how we track these criminals. To fix this, 11 nations, including the US, UK, Japan, and South Korea, stepped up in October 2024 to form the Multilateral Sanctions Monitoring Team (MSMT). Think of the MSMT as a high-speed task force designed to replace the slow, consensus-heavy UN model with something more agile and aggressive. Their goal is simple: find the money, trace the flow, and shut down the wallets.

The Machinery of State-Sponsored Theft

Most of these attacks aren't random. They are meticulously planned by the Lazarus Group, a notorious hacking collective operating under the Reconnaissance General Bureau, North Korea's primary intelligence agency. These actors have turned cybercrime into a professional business. In 2024, they were responsible for roughly 35% of all stolen crypto globally, a number that climbed to 38.7% by 2025.

They don't just target big exchanges. They've expanded into Decentralized Finance (DeFi) and NFT marketplaces. One of their most clever tricks is the "IT worker infiltration." They create fake identities to get hired by Western tech firms. Once inside, these workers don't just earn a salary; they act as sleeper agents, conducting espionage against defense contractors to steal military secrets while funneling money back to Pyongyang.

How the International Response Actually Works

Fighting a ghost in the machine requires a mix of government power and private-sector tech. The MSMT relies heavily on blockchain analytics firms like Chainalysis, Elliptic, and TRM Labs. These companies provide the "digital binoculars" needed to see through the chaos of the blockchain.

The process usually follows a specific pattern: detection, attribution, and action. For example, the US Department of Justice recently targeted $7.7 million in assets, including NFTs and various coins, tied to a laundering network. In another high-speed operation, a coordinated effort between five MSMT nations and analytics firms froze $237 million from the LND.fi hack within just 72 hours. That's the kind of speed required when dealing with assets that can move across the world in seconds.

Comparison of Response Mechanisms: UN Panel vs. MSMT

| Feature | UN Panel of Experts (Pre-2024) | MSMT (Current) |
| --- | --- | --- |
| Decision Model | Consensus-based (Slow) | Like-minded coalition (Agile) |
| Membership | Broad UN membership | 11 key strategic nations |
| Primary Focus | General sanctions reporting | Active crypto monitoring & enforcement |
| Speed of Action | Diplomatic and delayed | Rapid intelligence sharing |

The Cat-and-Mouse Game of Money Laundering

If you try to freeze a wallet, the hackers just move the funds. North Korean operators are incredibly adaptable. In the first half of 2025, they reportedly rotated through 17 different wallet clustering techniques to confuse investigators. They also use "cross-chain swaps" and privacy coins like Monero to erase their digital footprints.

The new frontier of this fight is Artificial Intelligence. The MSMT has documented cases where generative AI was used to create social engineering emails so convincing they bypassed the security protocols of three major tech firms in late 2025. This isn't just about hacking a password anymore; it's about manipulating humans using AI to open the door for the hackers.

The Cost of Compliance for the Private Sector

For crypto exchanges, the international response means a lot more paperwork and higher costs. New laws like the EU's MiCA II regulations (effective January 2026) and US Executive Order 14155 are forcing platforms to implement strict due diligence for transactions over $10,000.

While giants like Coinbase and Binance can handle these requirements, smaller platforms are feeling the pinch. Some estimate compliance costs at roughly $1.2 million per platform annually. This creates a weird paradox: the more we tighten the rules, the more some smaller exchanges might struggle, potentially creating new gaps that the Lazarus Group can exploit.

What's Next in the Fight Against Cyber Theft?

The international community is moving toward a "war room" approach. In early 2026, the MSMT plans to launch a Cryptocurrency Intelligence Fusion Cell with an initial $85 million budget. This will be a dedicated hub for real-time intelligence, similar to how counterterrorism units operate. The goal is to reach a state where transaction monitoring happens in real-time across all participating nations by the third quarter of 2026.

However, it's not all good news. The deepening military alliance between North Korea and Russia makes coordinated action harder. Some analysts warn that as long as there are "safe haven" countries that refuse to participate in the MSMT, the hackers will always have a place to hide their loot. Recovery rates for seized assets still hover around a low 12.3%, meaning that for every dollar the government "seizes," most of it has already been laundered into the shadows.

What is the MSMT and why was it created?

The Multilateral Sanctions Monitoring Team (MSMT) is a coalition of 11 nations formed in October 2024. It was created to fill the void left by the dissolution of the UN Panel of Experts, providing a more agile way to track and report North Korea's sanctions violations, specifically focusing on cryptocurrency theft.

How did North Korea steal $1.5 billion from ByBit?

The breach occurred on February 21, 2025, when hackers exploited a compromised multi-signature approval system during a scheduled wallet transfer. This allowed them to bypass standard security checks and move a massive amount of funds out of the exchange.

What is the role of the Lazarus Group?

The Lazarus Group is a state-sponsored hacking collective directed by North Korea's Reconnaissance General Bureau. They execute the actual cyberattacks, social engineering schemes, and money laundering operations that fund the regime's weapons programs.

How is AI being used in these crypto crimes?

North Korean actors use generative AI to create highly sophisticated social engineering content. This allows them to trick employees at tech firms and financial institutions more effectively than traditional phishing, leading to compromised credentials and system access.

Can stolen cryptocurrency actually be recovered?

Yes, but it is difficult. While the MSMT and DOJ have filed numerous forfeiture actions, the actual recovery rate is only about 12.3%. This is because hackers use complex techniques like cross-chain swaps and privacy coins to hide the funds before they can be frozen.