Inside South Korea’s $7.1B crypto crime problem

South Korea is one of the world’s most tightly regulated crypto markets. It is also one of the most targeted by financial crime. Between 2021 and August 2025, enforcement actions identified $7.1B in illegal crypto transactions — with $6.4B linked to a single cross-border laundering method. Crystal Intelligence’s 2026 South Korea Country Assessment Report maps what is happening, how it works, and what compliance teams need to know.

Key takeaways

• $7.1B in illegal crypto transactions identified in South Korea between 2021 and August 2025

• $6.4B of that total is linked to Hwanchigi — a cross-border laundering method that bypasses the formal banking system

• North Korea’s Lazarus Group has been attributed to six of nine major exchange attacks since 2018

• South Korea’s peer-to-peer market reveals compliance gaps that tight exchange regulation cannot close

• The same cross-chain toolkit is used by state-sponsored hackers, Hwanchigi networks, and pig-butchering rings

Why South Korea matters for crypto compliance

South Korea is not a peripheral market. More than 16 million South Koreans held crypto assets with major domestic exchanges in 2025 — one third of the population. The country has some of the strictest virtual asset regulations in Asia: all service providers must register with the Korea Financial Intelligence Unit (KoFIU), real-name verified accounts linked to domestic banks are mandatory, and the FATF Travel Rule is enforced.

That regulatory maturity makes South Korea a useful benchmark. It shows what a well-structured framework looks like in practice — and it reveals the limits of exchange-level compliance when threats move off-exchange.

What is Hwanchigi and why is it so hard to detect?

Hwanchigi is a cross-border money laundering method that works by bypassing the formal banking system entirely. The process runs in three steps: funds are converted into cryptocurrency offshore, routed through domestic South Korean exchanges, and cashed out in South Korean won.

The method is effective because it exploits the gap between offshore crypto activity and domestic exchange oversight. By the time funds arrive on a licensed South Korean exchange, they appear to be routine crypto-to-won conversions. Without cross-chain tracing capability — the ability to follow funds across multiple blockchains and jurisdictions — the laundering pathway is invisible.

$6.4B of the $7.1B in illegal transactions identified between 2021 and August 2025 is linked to Hwanchigi. Suspicious transaction reports filed by Korean VASPs reached a record 36,684 cases between January and August 2025 alone — approximately 90% of them Hwanchigi-related. That record figure reflects both the scale of the problem and the growing effectiveness of detection. But it also raises a question compliance teams should be asking: how much is still going undetected?

In January 2026, South Korean customs authorities dismantled a major Hwanchigi network responsible for laundering approximately $113M over four years. Two Russian nationals were separately found to have conducted over 6,000 transactions moving $42M between South Korea and Russia using the same method.

The North Korea threat is real and ongoing

South Korea’s crypto market faces a second, distinct threat that cannot be separated from the broader geopolitical context of the Korean peninsula. North Korea’s state-sponsored Lazarus Group has been attributed to six of nine major attacks on South Korean exchanges since 2018.

The 2019 Upbit breach — the largest single attack on a South Korean exchange, with $49M stolen — was formally attributed to Lazarus Group five years after the event. Combined estimated losses across all nine incidents between 2017 and 2025 reach $196M-$225M. The November 2025 Upbit hack, worth $30.4M, remains under investigation.

These are not opportunistic attacks. Lazarus Group operations are characterised by patience, technical sophistication, and the use of North Korea-controlled mixers to move stolen funds. Crystal Intelligence has proved North Korean attribution by following fund flows backward to known DPRK operations — a process that traditional blockchain forensics alone cannot achieve. Real-time attribution is difficult. The forensic work required to link an attack to a state actor can take years.

For VASPs and compliance teams, the implication is direct: exposure to North Korea-linked addresses is a sanctions risk, not just a security risk. Cross-chain tracing capability is the prerequisite for identifying that exposure.

What Crystal Intelligence found in the peer-to-peer market

Beyond licensed exchanges, Crystal Intelligence analysed 247 active peer-to-peer advertisements across four platforms in March 2026. The findings reveal a market that sits entirely outside South Korea’s real-name verification system.

USDT dominates peer-to-peer activity at 47% of all advertisements — consistent with a preference for dollar-linked assets as a hedge against South Korean won volatility. Domestic bank transfer appears in 106 of 247 advertisements. Gift cards account for 31% of payment methods, with international traders paying premiums of 15-130% over market rate. That premium pattern is consistent with money laundering typologies documented by the Financial Action Task Force.

Chinese payment systems including Alipay appear as settlement methods, introducing a cross-border payment layer that sits outside South Korea’s real-name verification system and complicates transaction traceability for compliance teams.

Monero is also present. As a privacy coin it carries elevated AML risk and warrants enhanced due diligence on any transaction involving it.

The peer-to-peer market does not exist in isolation from the crime picture. The same informal channels used by retail traders are used by criminal actors seeking anonymity.

Pig-butchering and the human cost

South Koreans lost $70.6M to pig-butchering investment scams in 2025 — a 48% year-on-year rise across 1,565 reported incidents. Approximately 1,000 South Korean nationals are estimated to be detained in scam compounds across Cambodia, Myanmar, and Laos, recruited or coerced into running large-scale fraud operations targeting victims in their home country.

In January 2026, 73 nationals were repatriated from a single deepfake-driven fraud network that had defrauded 860 victims of $33M. Scam Alert — Crystal Intelligence’s fraud prevention platform — connects victim reports with blockchain attribution to identify fraud networks, link related cases, and broadcast wallet alerts to VASPs before further transfers occur.

What the data means for compliance teams

South Korea’s experience points to three compliance implications that apply beyond its borders.

Exchange-level compliance is necessary but not sufficient. South Korea has one of the most rigorous licensed exchange frameworks in Asia. Hwanchigi exploits the gap between that framework and the unregulated offshore activity that precedes domestic exchange entry.

Cross-chain tracing is the core capability requirement. Hwanchigi, Lazarus Group fund movements, and peer-to-peer settlement methods all share one characteristic: they move across chains, jurisdictions, and payment rails to obscure origin and destination. Rule-based systems that monitor individual transactions cannot detect these patterns. Cross-chain tracing that maps fund flows across 330+ blockchains can.

The peer-to-peer market is a compliance blind spot. Gift cards, Alipay, Monero, and informal OTC trading operate entirely outside the real-name verification system that makes licensed South Korean exchanges traceable. For any VASP receiving funds that may have originated in this market, enhanced due diligence is warranted.

FAQ

What is Hwanchigi?

Hwanchigi is a cross-border money laundering method used in South Korea. It works by converting funds into cryptocurrency offshore, routing them through domestic South Korean exchanges, and cashing out in South Korean won. It bypasses the formal banking system and is difficult to detect without cross-chain tracing capability.

How much illegal crypto activity has been identified in South Korea?

Between 2021 and August 2025, enforcement actions in South Korea identified $7.1B in illegal crypto transactions. $6.4B of that total is linked to Hwanchigi. In 2025 alone, KoFIU VASPs filed a record 36,684 suspicious transaction reports.

Is North Korea a real threat to crypto exchanges?

Yes. North Korea’s state-sponsored Lazarus Group has been formally attributed to six of nine major attacks on South Korean exchanges since 2018. Combined estimated losses across all nine incidents reach $196M-$225M. The most recent — the November 2025 Upbit hack — remains under investigation.

What compliance risks does the South Korean peer-to-peer market present?

The peer-to-peer market operates outside South Korea’s real-name verification system. Crystal Intelligence identified gift card payments (31% of ads), Chinese payment rails including Alipay, and the privacy coin Monero across 247 advertisements. All three present elevated AML risk and complicate transaction traceability.

Where can I read the full Crystal Intelligence South Korea report?

The 2026 South Korea Country Assessment Report is available to download here. It covers the regulatory framework, registered market infrastructure, peer-to-peer market analysis, financial crime landscape, and forward-looking assessment of South Korea’s digital asset legislation.

Conclusion

South Korea shows what happens when strong exchange-level regulation meets sophisticated cross-border threats. The licensed market is among the most traceable in Asia. But Hwanchigi, Lazarus Group operations, and peer-to-peer activity all exploit the gaps that exchange regulation cannot close.

The 2026 South Korea Country Assessment Report gives compliance teams, law enforcement, and VASPs the verified intelligence they need to understand those gaps — and act on them.