
NORTH KOREAN CYBER CRIME AS A STATECRAFT TOOL

Published On : 2025-11-28

INTRODUCTION

Russia’s March 2024 veto of the renewal of the UN Panel of Experts on North Korea ended 15 years of unanimous Security Council support for the sole independent body monitoring Pyongyang’s sanctions evasion, marking the effective collapse of multilateral enforcement of the DPRK sanctions regime.

The UNSC 1718 Sanctions Committee, established in 2006, has been deadlocked since 2017, the year it last adopted new measures. The unraveling began in May 2022 when Russia and China jointly vetoed a U.S.-proposed resolution that would have imposed tougher oil import restrictions after North Korea’s March 2022 ICBM test – the first double veto on North Korea sanctions since 2006.

The final step came in March 2024, when Russia single-handedly blocked the annual extension of the Panel of Experts’ mandate, with China abstaining, dissolving the group tasked with investigating, analyzing, and publicly reporting violations of UN sanctions.

For over a decade, the Panel, composed of experts appointed by the UN Secretary-General, issued consensus-based midterm and final reports each year that exposed illicit coal and oil transfers, front companies, cyber theft networks, and weapons-program advances. Every report was approved by all eight experts, including those from Russia and China, contradicting later Russian claims of Western bias.

The Panel’s termination has eliminated the only systematic, impartial source of public evidence on North Korea’s sanctions-busting activities and sharply weakened global oversight. Among its active investigations were 58 suspected North Korean cryptocurrency heists between 2017 and 2023 that generated an estimated $3 billion in funds widely believed to finance the regime’s nuclear and missile programs.

In response, the United States, United Kingdom, South Korea, Japan, and other partners established the Multilateral Sanctions Monitoring Team (MSMT) in 2024–2025 to preserve expertise and continue independent reporting outside the UN framework.

Moscow’s veto is part of a longer campaign, alongside China, to neuter the Panel through budget cuts and arbitrary travel restrictions in the years before its dissolution. Russia has also obstructed other UN expert panels – delaying appointments in 2021 for South Sudan, DRC, CAR, and Mali to shield its own mercenary operations in Africa.

With the UN Panel gone, the last consensus-driven window into North Korea’s illicit finance and procurement networks has closed, signaling the end of unified great-power pressure on Pyongyang via the Security Council.

RUSSIA & NORTH KOREA

The June 2024 Treaty on Comprehensive Strategic Partnership between Russia and North Korea, which includes an explicit mutual-defense clause, was arguably designed to broadcast Moscow’s willingness to embrace and upgrade one of the world’s most controversial regimes as a weapon against the West. By openly transferring sensitive military technology and deepening ties with Pyongyang, the Kremlin is deliberately signaling that it is prepared to escalate indirectly against the West if support for Ukraine continues. Putin has no desire for direct war with NATO, but he is perfectly willing to push proxies into the fight and threaten instability in every region where the United States has formal security commitments: the Korean Peninsula, Taiwan, the Middle East, and the Balkans. The ultimate aim is to raise the global risk level, divert Western resources, spark new peripheral conflicts, and force Washington into bilateral talks on Ukraine that freeze the conflict on Russian terms.

Since the invasion of Ukraine in 2022, North Korea has evolved from a marginal supplier to an indispensable wartime ally, transferring more than 12 million artillery shells, over 100 short-range ballistic missiles, and numerous multiple-rocket launchers. In the most dramatic escalation, North Korea deployed 11,000–15,000 elite troops to Russia’s Kursk region starting in late 2024, with an estimated 6,000 North Korean casualties by mid-2025 (and confirmed captures of DPRK soldiers since 1953).

Kim Jong Un has repeatedly pledged “unconditional support” to Russia and celebrated the first anniversary of the deployment in October 2025 with a new museum exhibit in Pyongyang honoring fallen soldiers. In return, Pyongyang has received massive Russian shipments of food, fuel, and hard currency, along with advanced military know-how in missile guidance, satellite technology, hypersonics, and drone production.

For Pyongyang, the partnership is a strategic windfall. Cash from munitions and manpower sales is vital, but of equal importance is the diplomatic shield provided by Russia’s Security Council vetoes (including the March 2024 decision that killed the UN Panel of Experts), and battlefield experience for an army that has not fought a real war in seven decades. Most alarming is the technology transfer: Russian assistance has already helped North Korea place its first military reconnaissance satellite in orbit and accelerate development of solid-fuel ICBMs, submarine-launched missiles, and hypersonic warheads.

In the two years since it began openly backing Russia’s war, North Korea has dramatically stepped up ballistic-missile testing, achieved breakthroughs in long-restricted technologies, sharply expanded revenue-generating schemes (including record cryptocurrency thefts and overseas IT-worker dispatch), and effectively dismantled the remnants of the UN sanctions-monitoring architecture. What began as an opportunistic exchange of shells for cash has hardened into a full-blown military-technological alliance that is eroding the post-1991 non-proliferation order and turning the Korean Peninsula into an active extension of Russia’s confrontation with the West.

NORTH KOREAN CYBERCRIME AS A TOOL OF STATECRAFT

As heavily sanctioned states like North Korea and Russia increasingly decouple from Western financial systems and corporate ecosystems, the traditional pressure points that once helped disrupt sanctions evasion – i.e., private-sector compliance programs, correspondent banking relationships, and KYC enforcement – have largely evaporated.

Pyongyang has spent years systematically refining an ever-expanding toolkit to generate hard currency for its nuclear and ballistic-missile programs. That toolkit runs the gamut from classic diplomatic cover and ship-to-ship transfers to aggressive cyber theft and, more recently, the large-scale deployment of highly skilled IT workers operating under false identities abroad.

But it is cybercrime that has rapidly become a cornerstone of North Korea’s state survival. Having already built sophisticated destructive and espionage capabilities by the mid-2010s, the regime pivoted toward financially motivated operations that offered astronomical returns on investment. The February 2016 theft from the Bangladesh Bank – executed through fraudulent SWIFT messages sent to its accounts at the Federal Reserve Bank of New York – netted more than $81 million and was on track to steal nearly $1 billion before a simple spelling error in one of the transfer instructions triggered alarms and halted the operation.

Three months later, the May 2017 WannaCry ransomware outbreak infected several hundred thousand computers in at least 150 countries, demonstrating how hackers operating from untouchable jurisdictions could extort victims on an industrial scale. These high-profile successes validated the model: state-directed cybercrime could generate revenue far beyond what traditional smuggling or overseas labor schemes ever could. Over the past decade, Pyongyang has nurtured an ecosystem of overlapping threat groups – most prominently Lazarus Group – whose primary or secondary mission is revenue generation. Collectively, these units have stolen several billion dollars, almost matching the volume of North Korea’s licit foreign trade, which has not exceeded $3 billion annually since 2019.

The repertoire is strikingly similar to that of non-state criminal syndicates: large-scale enterprise breaches and crypto heists remain the most lucrative, but the regime also runs ransomware campaigns, pumps fraudulent investment schemes, hijacks third-party computing power for cryptocurrency mining, steals payment-card data from e-commerce platforms, and even programs ATMs to dispense cash without authorization for collection by money-mule networks. Since the pandemic-driven remote-work boom, North Korea has inserted thousands of its programmers into legitimate freelance IT jobs – building websites, mobile apps, and databases for unsuspecting Western companies – using fake identities and remote workflows that would be entirely legal (sanctions notwithstanding).

CRYPTO AS A SANCTIONS EVASION TOOL

Among all these vectors, cryptocurrency has emerged as the single most important channel for both theft and sanctions evasion. Since the total crypto market capitalization crossed $1 trillion in 2021, the space has become a virtually bottomless pool of liquidity. Near-instantaneous, borderless transfers allow thieves to channel funds in seconds, while decentralization diffuses responsibility for compliance, investigation, and victim restitution. The explosive growth of DeFi, with its emphasis on automation, speed, and pseudonymity, has made virtual assets even more attractive to North Korean operators.

Tracking and seizing illicit flows remains extraordinarily difficult. Law-enforcement and intelligence agencies often lack specialized training, and North Korean laundering teams employ a sophisticated, iterative approach: they continuously experiment with new obfuscation playbooks involving layering, disposable exchange accounts, sanctioned mixers, cross-chain bridges, and rapid wallet churn.

It is the mixers – services that pool and reshuffle funds to break transactional trails – that have become a central pillar of DPRK laundering operations. Newer non-custodial mixers, such as Tornado Cash before its 2022 sanctioning, use smart contracts to tumble coins automatically without any central operator ever holding the assets, dramatically reducing seizure risk and legal exposure. North Korean launderers routinely chain multiple mixers together and engage in “chain-hopping” (bridging funds across blockchains) to add additional layers of complexity.

North Korea-linked hackers, overwhelmingly the Lazarus Group cluster (also tracked as APT38 and TraderTraitor), continue to dominate global cryptocurrency theft. According to blockchain analytics firms and public reporting, these actors stole approximately $660 million in 20 incidents in 2023, $1.34 billion across 47 incidents in 2024, and already more than $2 billion in over 30 confirmed attacks in 2025 through October – figures that almost certainly understate the true total as new breaches are still being discovered and attributed.

A list of major heists, where funds stolen exceeded $10 million in value at the time of the theft, based on confirmed attributions from blockchain analytics, includes the following:

2023

Atomic Wallet (non-custodial wallet)
$100 million
Hackers compromised user wallets, likely via a phishing or supply-chain attack, draining funds across multiple blockchains (ETH, BTC, etc.). Funds were laundered via DEXs and mixers.

CoinsPaid (crypto payment provider)
$37 million
A social engineering attack tricked an employee into installing malware during a fake job interview, allowing hot wallet drainage.

Alphapo (crypto payment platform)
$60 million
Private key compromise via fake job offers; stolen USDT, USDC, and ETH moved to exchanges like Bitget and mixers.

CoinEx (cryptocurrency exchange)
$70 million
Hot wallet breach via compromised private keys; initial estimates were $27 million, later revised upward.

HTX (Huobi) exchange & HECO Bridge
$112.5 million
Cross-chain bridge exploit; funds laundered through Tornado Cash despite sanctions.

2024

DMM Bitcoin (Japanese exchange)
$305 million
Infrastructure vulnerability exploited; 4,502 BTC stolen, laundered via CoinJoin mixers and bridges to Cambodian marketplaces. Largest single 2024 heist.

2025

Bybit (Dubai-based exchange)
$1.5 billion
Largest crypto heist in history; Ether drained from hot wallets, quickly converted to BTC, and dispersed via DEXs and bridges. Attributed by the FBI. Accounts for ~75% of the 2025 total.

WOO X (cryptocurrency exchange)
$14 million
Targeted attack on 9 high-net-worth users; part of a broader shift to individual wallet compromises.

Taiwan-based exchange
$14 million
Specific details limited; attributed via on-chain analysis linking to Lazarus laundering patterns.

LND.fi (DeFi platform)
~$10-20 million (estimated)
DeFi exploit; exact amount not publicly detailed, but confirmed as part of 30+ smaller 2025 incidents.

CONCLUSION

The international community now confronts a North Korea that is simultaneously more dangerous, less constrained, and more deeply embedded in the security architecture of a revisionist great power than at any point in the post-Cold War era.

The collapse of the UN sanctions regime, the emergence of a Russia–North Korea axis that exchanges battlefield commodities for cutting-edge military technology, and the maturation of Pyongyang’s cybercrime apparatus into a multi-billion-dollar parallel economy have created a self-reinforcing cycle: every theft of cryptocurrency funds another missile test; every Russian satellite launch or hypersonic blueprint shortens the timeline to a more survivable North Korean nuclear arsenal; every veto or obstruction in the United Nations buys the regime additional years of impunity.

Without a fundamental shift in the geopolitical landscape – most plausibly a resolution or frozen conflict in Ukraine that removes Moscow’s immediate dependence on Pyongyang – the trends documented in this report are likely to accelerate. North Korea is no longer a hermetic, starving pariah; it is an active participant in a broader challenge to the rules-based order, armed with nuclear weapons, a battle-tested expeditionary force, and a cyber-looting machine that no sanctions regime currently in existence can effectively police. The Korean Peninsula has become a second front in Russia’s confrontation with the West, and the costs of that reality – measured in proliferation risk, regional instability, and the erosion of global non-proliferation norms – are only beginning to be felt.