- Buy Crypto
- Markets
Futures- Spot
- Copy Trade
Earn- More
Paradigm: Unraveling the Mystery of the North Korean Hacker Group Lazarus Group
Original Article Title: "Demystifying the North Korean Threat"
Original Article Author: samczsun, Research Partner at Paradigm
Original Article Translation: Bright, Foresight News
One morning in February, the SEAL 911 team's alarm bells went off as we watched in confusion as Bybit moved over $1 billion worth of tokens from their cold wallet to a brand-new address and promptly initiated the liquidation of over $200 million worth of LST. Within minutes, through confirmations from the Bybit team and independent analysis (multi-signature, previously using a publicly verifiable Safe Wallet implementation, now deploying a newly deployed unverified contract), it became clear that this was not a routine maintenance. Someone had orchestrated the largest hack in cryptocurrency history, and we were sitting in the front row of this historical spectacle.
While some team members (and the broader intelligence community) began tracing the funds and notifying cooperating exchanges, other team members were trying to figure out what exactly had happened and whether other funds were at risk. Luckily, identifying the culprit was straightforward. Only one known actor had successfully stolen billions of dollars from cryptocurrency exchanges over the past few years: North Korea, also known as the DPRK.
However, beyond that, we had little to go on. Due to the cunning nature of North Korean hackers and their adeptness at self-obliteration, not only was it hard to pinpoint the root cause of the breach, but it was also challenging to determine which specific DPRK unit internally was responsible for this. Our only recourse was existing intelligence, which suggested that North Korea indeed favored infiltrating cryptocurrency exchanges through social engineering. Therefore, we speculated that North Korea likely compromised Bybit's signers and then deployed some malware to interfere with the signing process.
As it turned out, this speculation was entirely baseless. Days later, we discovered that North Korea had actually compromised the infrastructure of the Safe Wallet itself and launched a targeted malicious overload against Bybit. This level of sophistication was something no one had ever considered or prepared for, posing a significant challenge to many security models in the market.
North Korean hackers pose an increasingly serious threat to our industry, and we cannot defeat an enemy we do not know or understand. While there are numerous documented incidents and articles about various aspects of North Korean cyber operations, piecing them together has proven difficult. I hope this overview helps shed light on how North Korea operates and their tactics and procedures, making it easier for us to implement the right mitigation strategies.
Organizational Structure
Perhaps the most significant misconception to address is how to categorize and name the extensive network activities of North Korea. While using the term "Lazarus Group" informally to refer to them is acceptable, employing more precise terminology can be helpful when discussing North Korea's systemic cyber threats in detail.
Firstly, understanding North Korea's "organizational chart" can be helpful. At the top of the hierarchy is North Korea's ruling party (also the only ruling party) — the Workers' Party of Korea (WPK), which leads all of North Korea's governmental entities. This includes the Korean People's Army (KPA) and the Central Committee. Within the People's Army is the General Staff Department (GSD), with the Reconnaissance General Bureau (RGB) housed within. Under the Central Committee is the Ministry of Military Affairs (MID).
The RGB is responsible for nearly all of North Korea's cyber warfare activities, including almost all the activities related to the cryptocurrency industry. Apart from the notorious Lazarus Group, other threat actors that have emerged from the RGB include AppleJeus, APT38, DangerousPassword, and TraderTraitor. On the other hand, the MID oversees North Korea's nuclear missile program, serving as a primary source of North Korean IT workers, known in the intelligence community as Contagious Interview and Wagemole.
Lazarus Group
The Lazarus Group is a highly sophisticated hacking organization, with cybersecurity experts believing that some of the largest and most destructive cyberattacks in history have been attributed to this group. In 2016, Novetta first identified the Lazarus Group while analyzing the Sony Pictures Entertainment hack.
In 2014, Sony was producing the action comedy film "The Interview," with a major plot point involving the embarrassing and subsequent assassination of Kim Jong-un. Understandably, this did not sit well with the North Korean regime, which retaliated by breaching Sony's network, exfiltrating terabytes of data, leaking hundreds of gigabytes of confidential or otherwise sensitive information, and deleting originals. As then-CEO Michael Lynton put it, "The people who did this are criminals. They destroyed a company." Ultimately, the cost of investigation and remediation for Sony in this attack was at least $15 million, with potentially more losses incurred.
Subsequently, in 2016, a hacker group bearing a striking resemblance to the Lazarus Group infiltrated the Bangladesh Bank with the intention of stealing nearly $1 billion. Over the course of a year, the hackers diligently engaged in social engineering attacks on Bangladesh Bank employees, eventually gaining remote access and moving laterally within the bank's internal network until reaching the computer responsible for interfacing with the SWIFT network. From then on, they waited for the perfect moment to strike: the Bangladesh Bank observed a Thursday holiday, while the Federal Reserve Bank of New York had a Friday holiday.
On Thursday night local time in Bangladesh, threat actors utilized their access to the SWIFT network to send 36 separate transfer requests to the Federal Reserve Bank of New York, which was Thursday morning local time. Over the next 24 hours, the Federal Reserve Bank of New York forwarded these transfers to the Rizal Commercial Banking Corporation (RCBC) in the Philippines, which took action. Subsequently, when the Bangladesh Bank resumed business hours, they discovered the hack and attempted to notify RCBC to halt the transactions in progress, only to find that RCBC was closed for the Lunar New Year.
Finally, in 2017, a large-scale WannaCry 2.0 ransomware attack crippled industries worldwide, partly attributed to the Lazarus Group. WannaCry is estimated to have caused billions of dollars in damages, exploiting an NSA-developed Microsoft Windows 0day, encrypting local devices and spreading to other accessible devices, eventually infecting hundreds of thousands of devices globally. Fortunately, security researcher Marcus Hutchins discovered and activated a kill switch within eight hours, limiting the ultimate damage.
Throughout the evolution of the Lazarus Group, they have demonstrated high technical capabilities and operational sophistication, with one of their goals being revenue generation for the North Korean regime. Therefore, their shift of focus to the cryptocurrency industry was only a matter of time.
Derivatives
Over time, as the Lazarus Group has become the catch-all term the media likes to use when describing North Korean cyber activity, the cybersecurity industry has coined more precise names for the specific activities of the Lazarus Group and North Korea. One example is APT38, which split from the Lazarus Group around 2016, focusing on financial crime, initially targeting banks (such as the Bangladesh Bank) and later moving on to cryptocurrency. In 2018, a new threat named AppleJeus was discovered spreading malware targeting cryptocurrency users. Finally, as early as 2018, when OFAC first announced sanctions against two front companies used by North Koreans, North Korean actors posing as IT professionals had already infiltrated the tech industry.
North Korean IT Workers
Although the earliest records mentioning North Korean IT workers date back to OFAC sanctions in 2018, a Unit 42 report in 2023 provided a more detailed account, identifying two distinct threat actors: Contagious Interview and Wagemole.
It has been reported that the Contagious Interview scam involves impersonating recruiters from well-known companies to deceive developers into participating in a fake interview process. Subsequently, the prospective candidates are instructed to clone a repository for local debugging, presented as a coding challenge on the surface, but the repository actually contains a backdoor. Executing the backdoor grants the attacker control of the affected machine. This activity has been ongoing, with the most recent recorded instance on August 11, 2024.
On the other hand, Wagemole operatives' primary objective is not to hire potential victims but to be hired by companies, where they simply work like regular engineers, albeit potentially less efficiently. Nevertheless, there are records of IT workers leveraging their access for attacks, such as in the Munchables incident, where an employee associated with North Korean activities used their privileged access to smart contracts to steal all assets.
The complexity of Wagemole operatives varies, from generic resume templates and reluctance to engage in video calls, to highly customized resumes, deeply faked video interviews, and identity documents like driver's licenses and utility bills. In some cases, operatives have infiltrated victim organizations for up to a year, then used their access to breach other systems and/or cash out completely.
AppleJeus
AppleJeus primarily focuses on spreading malware and excels in sophisticated supply chain attacks. In 2023, the 3CX supply chain attack enabled attackers to potentially infect over 12 million users of 3CX VoIP software, but it was later discovered that 3CX itself was also compromised due to an attack on one of its upstream suppliers, Trading Technologies.
In the cryptocurrency industry, AppleJeus initially distributed malware disguised as legitimate software (such as trading apps or cryptocurrency wallets). However, over time, their strategy evolved. In October 2024, Radiant Capital was compromised by a threat actor who posed as a trusted contractor and sent malicious software via Telegram. Mandiant attributed this incident to AppleJeus.
Dangerous Password
Dangerous Password is responsible for conducting low-complexity, social engineering-based attacks on the cryptocurrency industry. As early as 2019, JPCERT/CC documented that Dangerous Password would send phishing emails with enticing attachments for users to download. In the earlier years, Dangerous Password was known for impersonating industry figures to send phishing emails with subjects like "Stablecoin and Cryptocurrency Risk Assessment."
Today, Dangerous Password is still sending phishing emails, but has also expanded to other platforms. For example, Radiant Capital reports that they received a phishing message via Telegram from someone impersonating a security researcher, who distributed a file named "Penpie_Hacking_Analysis_Report.zip." Furthermore, users reported that someone impersonating journalists and investors contacted them, requesting a call using an inconspicuous video conferencing app. Similar to Zoom, these apps would download a one-time installation program that would, when run, install malware on the device.
TraderTraitor
TraderTraitor is the most seasoned North Korean hacker targeting the cryptocurrency industry, initiating hacks on platforms such as Axie Infinity and Rain.com. TraderTraitor primarily targets exchanges and other companies with significant reserves, opting not to deploy zero-day vulnerabilities against its targets but instead using highly sophisticated spear-phishing techniques to attack victims. In the Axie Infinity hack case, TraderTraitor reached out to a senior engineer via LinkedIn, successfully convincing them to undergo a series of interviews and then sending a "proposal," which delivered malware.
Subsequently, in the WazirX hack, TraderTraitor operatives disrupted an as-yet-unidentified component in the signing pipeline and drained the exchange's hot wallet through repeated deposits and withdrawals, forcing WazirX engineers to rebalance from cold to hot wallet. When the WazirX engineers attempted to sign transactions to transfer funds, they were tricked into signing a transaction handing control of the cold wallet to TraderTraitor. This incident was very similar to the attack on Bybit in February 2025, where TraderTraitor first compromised the Safe{Wallet} infrastructure through social engineering attacks and then deployed malicious JavaScript to the Safe Wallet frontend specifically targeting Bybit's cold wallet. When Bybit attempted to rebalance their wallets, the malicious code was triggered, leading Bybit engineers to sign a transaction handing control of the cold wallet to TraderTraitor.
Stay Safe
North Korea has demonstrated the ability to exploit zero-day vulnerabilities against adversaries, but currently has no recorded incidents or known events of North Korea deploying zero-day vulnerabilities against the cryptocurrency industry. Therefore, typical security recommendations apply to almost all North Korean hacker threats.
For individuals, it is important to use common sense and be cautious of social engineering tactics. For example, if someone claims to have highly confidential information and is willing to share it with you, proceed with caution. Or if someone is exerting time pressure on you to download and run certain software, consider if they are trying to push you into a situation where rational thinking may be compromised.
For organizations, applying the principle of least privilege is crucial. Minimize the number of people with access to sensitive systems as much as possible, and ensure they use password managers and 2FA. Keep personal devices separate from work devices, and install Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) software on work devices to ensure security pre-breach and visibility post-breach.
Unfortunately, for large exchanges or other high-value targets, TraderTraitor can cause more damage than expected even without the need for zero-day vulnerabilities. Therefore, additional preventive measures must be taken to eliminate single points of failure and prevent total loss of funds from a single intrusion.
However, even if all else fails, there is still hope. The FBI has a dedicated division to track and prevent North Korean intrusions, which has been conducting victim notifications for years, and recently I was pleased to assist agents from that division in reaching out to potential North Korean targets. Therefore, to be prepared for the worst-case scenario, ensure you have public contact information available, or that you are connected with a sufficient number of people in the ecosystem (e.g., SEAL 911), so that messages traversing the social graph can reach you at the fastest pace.
You may also like
Token Cannot Compound, Where Is the Real Investment Opportunity?
February 6th Market Key Intelligence, How Much Did You Miss?
China's Central Bank and Eight Other Departments' Latest Regulatory Focus: Key Attention to RWA Tokenized Asset Risk
Foreword: Today, the People's Bank of China's website published the "Notice of the People's Bank of China, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, State Administration for Market Regulation, China Banking and Insurance Regulatory Commission, China Securities Regulatory Commission, State Administration of Foreign Exchange on Further Preventing and Dealing with Risks Related to Virtual Currency and Others (Yinfa [2026] No. 42)", the latest regulatory requirements from the eight departments including the central bank, which are basically consistent with the regulatory requirements of recent years. The main focus of the regulation is on speculative activities such as virtual currency trading, exchanges, ICOs, overseas platform services, and this time, regulatory oversight of RWA has been added, explicitly prohibiting RWA tokenization, stablecoins (especially those pegged to the RMB). The following is the full text:
To the people's governments of all provinces, autonomous regions, and municipalities directly under the Central Government, the Xinjiang Production and Construction Corps:
Recently, there have been speculative activities related to virtual currency and Real-World Assets (RWA) tokenization, disrupting the economic and financial order and jeopardizing the property security of the people. In order to further prevent and address the risks related to virtual currency and Real-World Assets tokenization, effectively safeguard national security and social stability, in accordance with the "Law of the People's Republic of China on the People's Bank of China," "Law of the People's Republic of China on Commercial Banks," "Securities Law of the People's Republic of China," "Law of the People's Republic of China on Securities Investment Funds," "Law of the People's Republic of China on Futures and Derivatives," "Cybersecurity Law of the People's Republic of China," "Regulations of the People's Republic of China on the Administration of Renminbi," "Regulations on Prevention and Disposal of Illegal Fundraising," "Regulations of the People's Republic of China on Foreign Exchange Administration," "Telecommunications Regulations of the People's Republic of China," and other provisions, after reaching consensus with the Cyberspace Administration of China, the Supreme People's Court, and the Supreme People's Procuratorate, and with the approval of the State Council, the relevant matters are notified as follows:
(I) Virtual currency does not possess the legal status equivalent to fiat currency. Virtual currencies such as Bitcoin, Ether, Tether, etc., have the main characteristics of being issued by non-monetary authorities, using encryption technology and distributed ledger or similar technology, existing in digital form, etc. They do not have legal tender status, should not and cannot be circulated and used as currency in the market.
The business activities related to virtual currency are classified as illegal financial activities. The exchange of fiat currency and virtual currency within the territory, exchange of virtual currencies, acting as a central counterparty in buying and selling virtual currencies, providing information intermediary and pricing services for virtual currency transactions, token issuance financing, and trading of virtual currency-related financial products, etc., fall under illegal financial activities, such as suspected illegal issuance of token vouchers, unauthorized public issuance of securities, illegal operation of securities and futures business, illegal fundraising, etc., are strictly prohibited across the board and resolutely banned in accordance with the law. Overseas entities and individuals are not allowed to provide virtual currency-related services to domestic entities in any form.
A stablecoin pegged to a fiat currency indirectly fulfills some functions of the fiat currency in circulation. Without the consent of relevant authorities in accordance with the law and regulations, any domestic or foreign entity or individual is not allowed to issue a RMB-pegged stablecoin overseas.
(II)Tokenization of Real-World Assets refers to the use of encryption technology and distributed ledger or similar technologies to transform ownership rights, income rights, etc., of assets into tokens (tokens) or other interests or bond certificates with token (token) characteristics, and carry out issuance and trading activities.
Engaging in the tokenization of real-world assets domestically, as well as providing related intermediary, information technology services, etc., which are suspected of illegal issuance of token vouchers, unauthorized public offering of securities, illegal operation of securities and futures business, illegal fundraising, and other illegal financial activities, shall be prohibited; except for relevant business activities carried out with the approval of the competent authorities in accordance with the law and regulations and relying on specific financial infrastructures. Overseas entities and individuals are not allowed to illegally provide services related to the tokenization of real-world assets to domestic entities in any form.
(III) Inter-agency Coordination. The People's Bank of China, together with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the State Administration for Market Regulation, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission, the State Administration of Foreign Exchange, and other departments, will improve the work mechanism, strengthen coordination with the Cyberspace Administration of China, the Supreme People's Court, and the Supreme People's Procuratorate, coordinate efforts, and overall guide regions to carry out risk prevention and disposal of virtual currency-related illegal financial activities.
The China Securities Regulatory Commission, together with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the People's Bank of China, the State Administration for Market Regulation, the China Banking and Insurance Regulatory Commission, the State Administration of Foreign Exchange, and other departments, will improve the work mechanism, strengthen coordination with the Cyberspace Administration of China, the Supreme People's Court, and the Supreme People's Procuratorate, coordinate efforts, and overall guide regions to carry out risk prevention and disposal of illegal financial activities related to the tokenization of real-world assets.
(IV) Strengthening Local Implementation. The people's governments at the provincial level are overall responsible for the prevention and disposal of risks related to virtual currencies and the tokenization of real-world assets in their respective administrative regions. The specific leading department is the local financial regulatory department, with participation from branches and dispatched institutions of the State Council's financial regulatory department, telecommunications regulators, public security, market supervision, and other departments, in coordination with cyberspace departments, courts, and procuratorates, to improve the normalization of the work mechanism, effectively connect with the relevant work mechanisms of central departments, form a cooperative and coordinated working pattern between central and local governments, effectively prevent and properly handle risks related to virtual currencies and the tokenization of real-world assets, and maintain economic and financial order and social stability.
(5) Enhanced Risk Monitoring. The People's Bank of China, China Securities Regulatory Commission, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, State Administration of Foreign Exchange, Cyberspace Administration of China, and other departments continue to improve monitoring techniques and system support, enhance cross-departmental data analysis and sharing, establish sound information sharing and cross-validation mechanisms, promptly grasp the risk situation of activities related to virtual currency and real-world asset tokenization. Local governments at all levels give full play to the role of local monitoring and early warning mechanisms. Local financial regulatory authorities, together with branches and agencies of the State Council's financial regulatory authorities, as well as departments of cyberspace and public security, ensure effective connection between online monitoring, offline investigation, and fund tracking, efficiently and accurately identify activities related to virtual currency and real-world asset tokenization, promptly share risk information, improve early warning information dissemination, verification, and rapid response mechanisms.
(6) Strengthened Oversight of Financial Institutions, Intermediaries, and Technology Service Providers. Financial institutions (including non-bank payment institutions) are prohibited from providing account opening, fund transfer, and clearing services for virtual currency-related business activities, issuing and selling financial products related to virtual currency, including virtual currency and related financial products in the scope of collateral, conducting insurance business related to virtual currency, or including virtual currency in the scope of insurance liability. Financial institutions (including non-bank payment institutions) are prohibited from providing custody, clearing, and settlement services for unauthorized real-world asset tokenization-related business and related financial products. Relevant intermediary institutions and information technology service providers are prohibited from providing intermediary, technical, or other services for unauthorized real-world asset tokenization-related businesses and related financial products.
(7) Enhanced Management of Internet Information Content and Access. Internet enterprises are prohibited from providing online business venues, commercial displays, marketing, advertising, or paid traffic diversion services for virtual currency and real-world asset tokenization-related business activities. Upon discovering clues of illegal activities, they should promptly report to relevant departments and provide technical support and assistance for related investigations and inquiries. Based on the clues transferred by the financial regulatory authorities, the cyberspace administration, telecommunications authorities, and public security departments should promptly close and deal with websites, mobile applications (including mini-programs), and public accounts engaged in virtual currency and real-world asset tokenization-related business activities in accordance with the law.
(8) Strengthened Entity Registration and Advertisement Management. Market supervision departments strengthen entity registration and management, and enterprise and individual business registrations must not contain terms such as "virtual currency," "virtual asset," "cryptocurrency," "crypto asset," "stablecoin," "real-world asset tokenization," or "RWA" in their names or business scopes. Market supervision departments, together with financial regulatory authorities, legally enhance the supervision of advertisements related to virtual currency and real-world asset tokenization, promptly investigating and handling relevant illegal advertisements.
(IX) Continued Rectification of Virtual Currency Mining Activities. The National Development and Reform Commission, together with relevant departments, strictly controls virtual currency mining activities, continuously promotes the rectification of virtual currency mining activities. The people's governments of various provinces take overall responsibility for the rectification of "mining" within their respective administrative regions. In accordance with the requirements of the National Development and Reform Commission and other departments in the "Notice on the Rectification of Virtual Currency Mining Activities" (NDRC Energy-saving Building [2021] No. 1283) and the provisions of the "Guidance Catalog for Industrial Structure Adjustment (2024 Edition)," a comprehensive review, investigation, and closure of existing virtual currency mining projects are conducted, new mining projects are strictly prohibited, and mining machine production enterprises are strictly prohibited from providing mining machine sales and other services within the country.
(X) Severe Crackdown on Related Illegal Financial Activities. Upon discovering clues to illegal financial activities related to virtual currency and the tokenization of real-world assets, local financial regulatory authorities, branches of the State Council's financial regulatory authorities, and other relevant departments promptly investigate, determine, and properly handle the issues in accordance with the law, and seriously hold the relevant entities and individuals legally responsible. Those suspected of crimes are transferred to the judicial authorities for processing according to the law.
(XI) Severe Crackdown on Related Illegal and Criminal Activities. The Ministry of Public Security, the People's Bank of China, the State Administration for Market Regulation, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission, as well as judicial and procuratorial organs, in accordance with their respective responsibilities, rigorously crack down on illegal and criminal activities related to virtual currency, the tokenization of real-world assets, such as fraud, money laundering, illegal business operations, pyramid schemes, illegal fundraising, and other illegal and criminal activities carried out under the guise of virtual currency, the tokenization of real-world assets, etc.
(XII) Strengthen Industry Self-discipline. Relevant industry associations should enhance membership management and policy advocacy, based on their own responsibilities, advocate and urge member units to resist illegal financial activities related to virtual currency and the tokenization of real-world assets. Member units that violate regulatory policies and industry self-discipline rules are to be disciplined in accordance with relevant self-regulatory management regulations. By leveraging various industry infrastructure, conduct risk monitoring related to virtual currency, the tokenization of real-world assets, and promptly transfer issue clues to relevant departments.
(XIII) Without the approval of relevant departments in accordance with the law and regulations, domestic entities and foreign entities controlled by them may not issue virtual currency overseas.
(XIV) Domestic entities engaging directly or indirectly in overseas external debt-based tokenization of real-world assets, or conducting asset securitization activities abroad based on domestic ownership rights, income rights, etc. (hereinafter referred to as domestic equity), should be strictly regulated in accordance with the principles of "same business, same risk, same rules." The National Development and Reform Commission, the China Securities Regulatory Commission, the State Administration of Foreign Exchange, and other relevant departments regulate it according to their respective responsibilities. For other forms of overseas real-world asset tokenization activities based on domestic equity by domestic entities, the China Securities Regulatory Commission, together with relevant departments, supervise according to their division of responsibilities. Without the consent and filing of relevant departments, no unit or individual may engage in the above-mentioned business.
(15) Overseas subsidiaries and branches of domestic financial institutions providing Real World Asset Tokenization-related services overseas shall do so legally and prudently. They shall have professional personnel and systems in place to effectively mitigate business risks, strictly implement customer onboarding, suitability management, anti-money laundering requirements, and incorporate them into the domestic financial institutions' compliance and risk management system. Intermediaries and information technology service providers offering Real World Asset Tokenization services abroad based on domestic equity or conducting Real World Asset Tokenization business in the form of overseas debt for domestic entities directly or indirectly venturing abroad must strictly comply with relevant laws and regulations. They should establish and improve relevant compliance and internal control systems in accordance with relevant normative requirements, strengthen business and risk control, and report the business developments to the relevant regulatory authorities for approval or filing.
(16) Strengthen organizational leadership and overall coordination. All departments and regions should attach great importance to the prevention of risks related to virtual currencies and Real World Asset Tokenization, strengthen organizational leadership, clarify work responsibilities, form a long-term effective working mechanism with centralized coordination, local implementation, and shared responsibilities, maintain high pressure, dynamically monitor risks, effectively prevent and mitigate risks in an orderly and efficient manner, legally protect the property security of the people, and make every effort to maintain economic and financial order and social stability.
(17) Widely carry out publicity and education. All departments, regions, and industry associations should make full use of various media and other communication channels to disseminate information through legal and policy interpretation, analysis of typical cases, and education on investment risks, etc. They should promote the illegality and harm of virtual currencies and Real World Asset Tokenization-related businesses and their manifestations, fully alert to potential risks and hidden dangers, and enhance public awareness and identification capabilities for risk prevention.
(18) Engaging in illegal financial activities related to virtual currencies and Real World Asset Tokenization in violation of this notice, as well as providing services for virtual currencies and Real World Asset Tokenization-related businesses, shall be punished in accordance with relevant regulations. If it constitutes a crime, criminal liability shall be pursued according to the law. For domestic entities and individuals who knowingly or should have known that overseas entities illegally provided virtual currency or Real World Asset Tokenization-related services to domestic entities and still assisted them, relevant responsibilities shall be pursued according to the law. If it constitutes a crime, criminal liability shall be pursued according to the law.
(19) If any unit or individual invests in virtual currencies, Real World Asset Tokens, and related financial products against public order and good customs, the relevant civil legal actions shall be invalid, and any resulting losses shall be borne by them. If there are suspicions of disrupting financial order and jeopardizing financial security, the relevant departments shall deal with them according to the law.
This notice shall enter into force upon the date of its issuance. The People's Bank of China and ten other departments' "Notice on Further Preventing and Dealing with the Risks of Virtual Currency Trading Speculation" (Yinfa [2021] No. 237) is hereby repealed.
Former Partner's Perspective on Multicoin: Kyle's Exit, But the Game He Left Behind Just Getting Started
Why Bitcoin Is Falling Now: The Real Reasons Behind BTC's Crash & WEEX's Smart Profit Playbook
Bitcoin's ongoing crash explained: Discover the 5 hidden triggers behind BTC's plunge & how WEEX's Auto Earn and Trade to Earn strategies help traders profit from crypto market volatility.
Wall Street's Hottest Trades See Exodus
Vitalik Discusses Ethereum Scaling Path, Circle Announces Partnership with Polymarket, What's the Overseas Crypto Community Talking About Today?
Believing in the Capital Markets - The Essence and Core Value of Cryptocurrency
Polymarket's 'Weatherman': Predict Temperature, Win Million-Dollar Payout
$15K+ Profits: The 4 AI Trading Secrets WEEX Hackathon Prelim Winners Used to Dominate Volatile Crypto Markets
How WEEX Hackathon's top AI trading strategies made $15K+ in crypto markets: 4 proven rules for ETH/BTC trading, market structure analysis, and risk management in volatile conditions.
A nearly 20% one-day plunge, how long has it been since you last saw a $60,000 Bitcoin?
Raoul Pal: I've seen every single panic, and they are never the end.
Key Market Information Discrepancy on February 6th - A Must-Read! | Alpha Morning Report
2026 Crypto Industry's First Snowfall
The Harsh Reality Behind the $26 Billion Crypto Liquidation: Liquidity Is Killing the Market
Why Is Gold, US Stocks, Bitcoin All Falling?
Key Market Intelligence for February 5th, how much did you miss out on?
Wintermute: By 2026, crypto had gradually become the settlement layer of the Internet economy
Token Cannot Compound, Where Is the Real Investment Opportunity?
February 6th Market Key Intelligence, How Much Did You Miss?
China's Central Bank and Eight Other Departments' Latest Regulatory Focus: Key Attention to RWA Tokenized Asset Risk
Foreword: Today, the People's Bank of China's website published the "Notice of the People's Bank of China, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, State Administration for Market Regulation, China Banking and Insurance Regulatory Commission, China Securities Regulatory Commission, State Administration of Foreign Exchange on Further Preventing and Dealing with Risks Related to Virtual Currency and Others (Yinfa [2026] No. 42)", the latest regulatory requirements from the eight departments including the central bank, which are basically consistent with the regulatory requirements of recent years. The main focus of the regulation is on speculative activities such as virtual currency trading, exchanges, ICOs, overseas platform services, and this time, regulatory oversight of RWA has been added, explicitly prohibiting RWA tokenization, stablecoins (especially those pegged to the RMB). The following is the full text:
To the people's governments of all provinces, autonomous regions, and municipalities directly under the Central Government, the Xinjiang Production and Construction Corps:
Recently, there have been speculative activities related to virtual currency and Real-World Assets (RWA) tokenization, disrupting the economic and financial order and jeopardizing the property security of the people. In order to further prevent and address the risks related to virtual currency and Real-World Assets tokenization, effectively safeguard national security and social stability, in accordance with the "Law of the People's Republic of China on the People's Bank of China," "Law of the People's Republic of China on Commercial Banks," "Securities Law of the People's Republic of China," "Law of the People's Republic of China on Securities Investment Funds," "Law of the People's Republic of China on Futures and Derivatives," "Cybersecurity Law of the People's Republic of China," "Regulations of the People's Republic of China on the Administration of Renminbi," "Regulations on Prevention and Disposal of Illegal Fundraising," "Regulations of the People's Republic of China on Foreign Exchange Administration," "Telecommunications Regulations of the People's Republic of China," and other provisions, after reaching consensus with the Cyberspace Administration of China, the Supreme People's Court, and the Supreme People's Procuratorate, and with the approval of the State Council, the relevant matters are notified as follows:
(I) Virtual currency does not possess the legal status equivalent to fiat currency. Virtual currencies such as Bitcoin, Ether, Tether, etc., have the main characteristics of being issued by non-monetary authorities, using encryption technology and distributed ledger or similar technology, existing in digital form, etc. They do not have legal tender status, should not and cannot be circulated and used as currency in the market.
The business activities related to virtual currency are classified as illegal financial activities. The exchange of fiat currency and virtual currency within the territory, exchange of virtual currencies, acting as a central counterparty in buying and selling virtual currencies, providing information intermediary and pricing services for virtual currency transactions, token issuance financing, and trading of virtual currency-related financial products, etc., fall under illegal financial activities, such as suspected illegal issuance of token vouchers, unauthorized public issuance of securities, illegal operation of securities and futures business, illegal fundraising, etc., are strictly prohibited across the board and resolutely banned in accordance with the law. Overseas entities and individuals are not allowed to provide virtual currency-related services to domestic entities in any form.
A stablecoin pegged to a fiat currency indirectly fulfills some functions of the fiat currency in circulation. Without the consent of relevant authorities in accordance with the law and regulations, any domestic or foreign entity or individual is not allowed to issue a RMB-pegged stablecoin overseas.
(II)Tokenization of Real-World Assets refers to the use of encryption technology and distributed ledger or similar technologies to transform ownership rights, income rights, etc., of assets into tokens (tokens) or other interests or bond certificates with token (token) characteristics, and carry out issuance and trading activities.
Engaging in the tokenization of real-world assets domestically, as well as providing related intermediary, information technology services, etc., which are suspected of illegal issuance of token vouchers, unauthorized public offering of securities, illegal operation of securities and futures business, illegal fundraising, and other illegal financial activities, shall be prohibited; except for relevant business activities carried out with the approval of the competent authorities in accordance with the law and regulations and relying on specific financial infrastructures. Overseas entities and individuals are not allowed to illegally provide services related to the tokenization of real-world assets to domestic entities in any form.
(III) Inter-agency Coordination. The People's Bank of China, together with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the State Administration for Market Regulation, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission, the State Administration of Foreign Exchange, and other departments, will improve the work mechanism, strengthen coordination with the Cyberspace Administration of China, the Supreme People's Court, and the Supreme People's Procuratorate, coordinate efforts, and overall guide regions to carry out risk prevention and disposal of virtual currency-related illegal financial activities.
The China Securities Regulatory Commission, together with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the People's Bank of China, the State Administration for Market Regulation, the China Banking and Insurance Regulatory Commission, the State Administration of Foreign Exchange, and other departments, will improve the work mechanism, strengthen coordination with the Cyberspace Administration of China, the Supreme People's Court, and the Supreme People's Procuratorate, coordinate efforts, and overall guide regions to carry out risk prevention and disposal of illegal financial activities related to the tokenization of real-world assets.
(IV) Strengthening Local Implementation. The people's governments at the provincial level are overall responsible for the prevention and disposal of risks related to virtual currencies and the tokenization of real-world assets in their respective administrative regions. The specific leading department is the local financial regulatory department, with participation from branches and dispatched institutions of the State Council's financial regulatory department, telecommunications regulators, public security, market supervision, and other departments, in coordination with cyberspace departments, courts, and procuratorates, to improve the normalization of the work mechanism, effectively connect with the relevant work mechanisms of central departments, form a cooperative and coordinated working pattern between central and local governments, effectively prevent and properly handle risks related to virtual currencies and the tokenization of real-world assets, and maintain economic and financial order and social stability.
(5) Enhanced Risk Monitoring. The People's Bank of China, China Securities Regulatory Commission, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, State Administration of Foreign Exchange, Cyberspace Administration of China, and other departments continue to improve monitoring techniques and system support, enhance cross-departmental data analysis and sharing, establish sound information sharing and cross-validation mechanisms, promptly grasp the risk situation of activities related to virtual currency and real-world asset tokenization. Local governments at all levels give full play to the role of local monitoring and early warning mechanisms. Local financial regulatory authorities, together with branches and agencies of the State Council's financial regulatory authorities, as well as departments of cyberspace and public security, ensure effective connection between online monitoring, offline investigation, and fund tracking, efficiently and accurately identify activities related to virtual currency and real-world asset tokenization, promptly share risk information, improve early warning information dissemination, verification, and rapid response mechanisms.
(6) Strengthened Oversight of Financial Institutions, Intermediaries, and Technology Service Providers. Financial institutions (including non-bank payment institutions) are prohibited from providing account opening, fund transfer, and clearing services for virtual currency-related business activities, issuing and selling financial products related to virtual currency, including virtual currency and related financial products in the scope of collateral, conducting insurance business related to virtual currency, or including virtual currency in the scope of insurance liability. Financial institutions (including non-bank payment institutions) are prohibited from providing custody, clearing, and settlement services for unauthorized real-world asset tokenization-related business and related financial products. Relevant intermediary institutions and information technology service providers are prohibited from providing intermediary, technical, or other services for unauthorized real-world asset tokenization-related businesses and related financial products.
(7) Enhanced Management of Internet Information Content and Access. Internet enterprises are prohibited from providing online business venues, commercial displays, marketing, advertising, or paid traffic diversion services for virtual currency and real-world asset tokenization-related business activities. Upon discovering clues of illegal activities, they should promptly report to relevant departments and provide technical support and assistance for related investigations and inquiries. Based on the clues transferred by the financial regulatory authorities, the cyberspace administration, telecommunications authorities, and public security departments should promptly close and deal with websites, mobile applications (including mini-programs), and public accounts engaged in virtual currency and real-world asset tokenization-related business activities in accordance with the law.
(8) Strengthened Entity Registration and Advertisement Management. Market supervision departments strengthen entity registration and management, and enterprise and individual business registrations must not contain terms such as "virtual currency," "virtual asset," "cryptocurrency," "crypto asset," "stablecoin," "real-world asset tokenization," or "RWA" in their names or business scopes. Market supervision departments, together with financial regulatory authorities, legally enhance the supervision of advertisements related to virtual currency and real-world asset tokenization, promptly investigating and handling relevant illegal advertisements.
(IX) Continued Rectification of Virtual Currency Mining Activities. The National Development and Reform Commission, together with relevant departments, strictly controls virtual currency mining activities, continuously promotes the rectification of virtual currency mining activities. The people's governments of various provinces take overall responsibility for the rectification of "mining" within their respective administrative regions. In accordance with the requirements of the National Development and Reform Commission and other departments in the "Notice on the Rectification of Virtual Currency Mining Activities" (NDRC Energy-saving Building [2021] No. 1283) and the provisions of the "Guidance Catalog for Industrial Structure Adjustment (2024 Edition)," a comprehensive review, investigation, and closure of existing virtual currency mining projects are conducted, new mining projects are strictly prohibited, and mining machine production enterprises are strictly prohibited from providing mining machine sales and other services within the country.
(X) Severe Crackdown on Related Illegal Financial Activities. Upon discovering clues to illegal financial activities related to virtual currency and the tokenization of real-world assets, local financial regulatory authorities, branches of the State Council's financial regulatory authorities, and other relevant departments promptly investigate, determine, and properly handle the issues in accordance with the law, and seriously hold the relevant entities and individuals legally responsible. Those suspected of crimes are transferred to the judicial authorities for processing according to the law.
(XI) Severe Crackdown on Related Illegal and Criminal Activities. The Ministry of Public Security, the People's Bank of China, the State Administration for Market Regulation, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission, as well as judicial and procuratorial organs, in accordance with their respective responsibilities, rigorously crack down on illegal and criminal activities related to virtual currency, the tokenization of real-world assets, such as fraud, money laundering, illegal business operations, pyramid schemes, illegal fundraising, and other illegal and criminal activities carried out under the guise of virtual currency, the tokenization of real-world assets, etc.
(XII) Strengthen Industry Self-discipline. Relevant industry associations should enhance membership management and policy advocacy, based on their own responsibilities, advocate and urge member units to resist illegal financial activities related to virtual currency and the tokenization of real-world assets. Member units that violate regulatory policies and industry self-discipline rules are to be disciplined in accordance with relevant self-regulatory management regulations. By leveraging various industry infrastructure, conduct risk monitoring related to virtual currency, the tokenization of real-world assets, and promptly transfer issue clues to relevant departments.
(XIII) Without the approval of relevant departments in accordance with the law and regulations, domestic entities and foreign entities controlled by them may not issue virtual currency overseas.
(XIV) Domestic entities engaging directly or indirectly in overseas external debt-based tokenization of real-world assets, or conducting asset securitization activities abroad based on domestic ownership rights, income rights, etc. (hereinafter referred to as domestic equity), should be strictly regulated in accordance with the principles of "same business, same risk, same rules." The National Development and Reform Commission, the China Securities Regulatory Commission, the State Administration of Foreign Exchange, and other relevant departments regulate it according to their respective responsibilities. For other forms of overseas real-world asset tokenization activities based on domestic equity by domestic entities, the China Securities Regulatory Commission, together with relevant departments, supervise according to their division of responsibilities. Without the consent and filing of relevant departments, no unit or individual may engage in the above-mentioned business.
(15) Overseas subsidiaries and branches of domestic financial institutions providing Real World Asset Tokenization-related services overseas shall do so legally and prudently. They shall have professional personnel and systems in place to effectively mitigate business risks, strictly implement customer onboarding, suitability management, anti-money laundering requirements, and incorporate them into the domestic financial institutions' compliance and risk management system. Intermediaries and information technology service providers offering Real World Asset Tokenization services abroad based on domestic equity or conducting Real World Asset Tokenization business in the form of overseas debt for domestic entities directly or indirectly venturing abroad must strictly comply with relevant laws and regulations. They should establish and improve relevant compliance and internal control systems in accordance with relevant normative requirements, strengthen business and risk control, and report the business developments to the relevant regulatory authorities for approval or filing.
(16) Strengthen organizational leadership and overall coordination. All departments and regions should attach great importance to the prevention of risks related to virtual currencies and Real World Asset Tokenization, strengthen organizational leadership, clarify work responsibilities, form a long-term effective working mechanism with centralized coordination, local implementation, and shared responsibilities, maintain high pressure, dynamically monitor risks, effectively prevent and mitigate risks in an orderly and efficient manner, legally protect the property security of the people, and make every effort to maintain economic and financial order and social stability.
(17) Widely carry out publicity and education. All departments, regions, and industry associations should make full use of various media and other communication channels to disseminate information through legal and policy interpretation, analysis of typical cases, and education on investment risks, etc. They should promote the illegality and harm of virtual currencies and Real World Asset Tokenization-related businesses and their manifestations, fully alert to potential risks and hidden dangers, and enhance public awareness and identification capabilities for risk prevention.
(18) Engaging in illegal financial activities related to virtual currencies and Real World Asset Tokenization in violation of this notice, as well as providing services for virtual currencies and Real World Asset Tokenization-related businesses, shall be punished in accordance with relevant regulations. If it constitutes a crime, criminal liability shall be pursued according to the law. For domestic entities and individuals who knowingly or should have known that overseas entities illegally provided virtual currency or Real World Asset Tokenization-related services to domestic entities and still assisted them, relevant responsibilities shall be pursued according to the law. If it constitutes a crime, criminal liability shall be pursued according to the law.
(19) If any unit or individual invests in virtual currencies, Real World Asset Tokens, and related financial products against public order and good customs, the relevant civil legal actions shall be invalid, and any resulting losses shall be borne by them. If there are suspicions of disrupting financial order and jeopardizing financial security, the relevant departments shall deal with them according to the law.
This notice shall enter into force upon the date of its issuance. The People's Bank of China and ten other departments' "Notice on Further Preventing and Dealing with the Risks of Virtual Currency Trading Speculation" (Yinfa [2021] No. 237) is hereby repealed.
Former Partner's Perspective on Multicoin: Kyle's Exit, But the Game He Left Behind Just Getting Started
Why Bitcoin Is Falling Now: The Real Reasons Behind BTC's Crash & WEEX's Smart Profit Playbook
Bitcoin's ongoing crash explained: Discover the 5 hidden triggers behind BTC's plunge & how WEEX's Auto Earn and Trade to Earn strategies help traders profit from crypto market volatility.
App