On 12 February 2025, North Korea reopened to visitors, five years after closing its borders during the COVID-19 pandemic. Despite political isolation, few trading partners, crippling food insecurity, record drops in exports and the largest contraction of its economy since the 1990s, this embattled, impoverished nation had persisted.

Nine days later, hackers allegedly working for the North Korean state reportedly pulled off the biggest heist in history, stealing US$1.5 billion from a Dubai-based cryptocurrency exchange. Then, on 5 March – just weeks after reopening to visitors – North Korea announced it was shutting its borders again. This episode highlights two developments in the secluded nation. First, its sanctions-defying strategies to raise illicit funds and channel them home are growing in reach and sophistication. Second, Pyongyang’s most valuable relationships – the partners vital to its economic survival – are increasingly its criminal allies, not its diplomatic ones.

So, where does North Korea get its cash and how is it brought into the country? The answer lies in Pyongyang’s long history of nurturing relationships with corrupt and criminal actors in the gambling industry, and its well-established role as a major cybercrime operator. The country has adapted to the changing landscape of illegal online gambling sites and online scams, and – crucially – has exploited money-laundering ecosystems and technologies targeted to transnational criminal groups driving the cyber scam industry.

North Korea’s Bureau 39 is tasked with raising foreign currency, and has often been accused of sending citizens abroad to run businesses, work in foreign markets or even serve as front-line soldiers, and creating a foothold in black- and grey-market economies along the way. An estimated 10 000 North Korean programmers work illegally in China, Russia and South East Asia, generating US$250−600 million annually for Pyongyang. A 2022 UN Panel of Experts report found that companies in Laos and Russia knowingly employed North Koreans. In Cambodia, authorities granted citizenship to North Koreans whose businesses were found to violate sanctions, while the UN Security Council identified a North Korean spy operating a string of casinos, alleging he was a ‘business associate’ of a US-sanctioned tycoon whose business park on the Thai border has been raided for human trafficking and cryptocurrency scams.

Many countries targeted by Bureau 39 are well-known hubs for transnational crime groups focused on online scams and illegal gambling, creating potential new criminal collaborations and income streams. In 2020, authorities arrested a South Korean fraud ring based in China that purchased voice-phishing technology and stolen data from a North Korean IT worker. One of the masterminds behind the technology, Song Rim, worked for a company controlled by the ministry developing North Korea’s missile and nuclear programmes. In 2023, South Korea sanctioned Song Rim and the UN Security Council alleged he had sold voice-phishing and hacking apps to a Chinese ring that operated six cyber scam centres.

Telecom frauds targeting South Koreans run out of Dandong, on the Chinese side of the North Korea border, are estimated to rake in US$600 million a year. According to South Korean intelligence services, North Korea makes and sells thousands of illegal gambling websites to South Korean criminal groups, raising billions of dollars for the regime while installing malicious software to harvest South Korean user data.

A BBC investigation alleged that North Korea’s dedicated cybercrime unit operates primarily from China, where it is believed to specialize in large-scale hacks (including the 2016 Lazarus Heist that stole US$81 million from Bangladesh Bank), ransomware attacks and cryptocurrency thefts. According to Reuters, as of 2019, North Korea had stolen an estimated US$2 billion from targets in 17 countries. Other thefts attributed to the group include US$540 million from the Ronin network in 2022, US$100 million from the crypto platform Atomic in 2023 and US$350 million from the Japanese exchange DMM Bitcoin in 2024.

Channelling stolen funds into North Korea presents a separate challenge. North Korea has historically turned to the gambling industry for solutions, laundering money through casinos in Macau and South East Asia. In Japan, the North Korea-funded Chongryon Association offers Korean-language schooling and support to ethnic Koreans (known as Zainichi) of North Korean origin, creating a loyal support base that can be pressed for payments – a valuable resource given that the Zainichi community dominate ownership of Japan’s 11 000 pachinko gambling arcades, representing an industry worth US$200 billion a year.

However, bricks-and-mortar casinos have limitations, especially when converting between crypto and fiat currencies, or scaling up from dealing in the millions to the billions. This problem is shared by illicit gambling and online scam operators looking to upgrade to sophisticated, high-volume, online alternatives. Large-scale online scam and illegal gambling operations normally involve complex transnational networks and multicurrency or cryptocurrency-to-fiat transactions, while avoiding raising red flags or triggering sanctions alerts. North Korea faces similar challenges as it grows its cybercrime capabilities.

In response, a thriving fintech industry has developed in South East Asia, with Cambodia among the hubs. This includes the platform Huione Pay, whose subsidiary Huione Guarantee acts as an escrow service for crypto payments and whose users openly advertise their ability to launder money from online scams and illegal gambling operations through a complex web of Telegram channels. Extensive tracing of criminal funds transferred through the Huione Guarantee system and through Huione Pay itself has been conducted by Elliptic, a blockchain analytics organization that works with governments and financial institutions to identify and prevent the use of cryptocurrency for financial crime.

In 2024, DL News alleged that Huione Guarantee was used to move at least US$35 million of the funds stolen from DMM Bitcoin for North Korea, while Elliptic reported that the cryptocurrency exchange Tether froze one of Huione Pay’s accounts, apparently to prevent it receiving money from Bureau 39’s Lazarus Group. In March 2025, Radio Free Asia reported that Huione Pay had been stripped of its banking licence by the National Bank of Cambodia; but Huione then claimed in a Telegram post  that its payment operations do not require one. It also said media reports linking it to illicit activities were false and baseless.

According to Elliptic, North Korean hackers have also exploited decentralized crypto exchanges such as eXch, which says on its site that it performs no identity checks, deletes transaction data automatically, cannot prohibit users from any jurisdiction and warns against using platforms that cooperate with law enforcement. Hackers have also used privacy wallets, considered ‘top threats’ by Europol due to their use by organized crime groups to conceal transaction trails.

These platforms shift financial flows to Pyongyang further out of reach of bodies that can implement sanctions. More broadly, they facilitate avenues for corrupt governments to collude with criminal organizations. Nevertheless, convergence between these groups could become a galvanizing factor for the cooperation needed to disrupt illicit flows across borders. Transnational crime and money laundering thrive when governments and financial bodies see no reason to work together. By indiscriminately serving the enemies of so many states, these operators may well unite global actors whose interests they collectively harm.