North Korea Drives Record $2B Crypto Theft and Laundering in 2025

What to Know:

  • North Korea-linked hackers stole over $2.17 billion in crypto in early 2025, already surpassing last year’s total losses.
  • The $1.5 billion Bybit breach marked the largest single crypto hack ever recorded, followed by multiple exchange attacks.
  • Analysts say evolving hacking and laundering tactics keep crypto theft central to Pyongyang’s sanctions-evasion strategy.

North Korea’s state-linked hacking groups have pushed cryptocurrency crime to new extremes in 2025, with over $2 billion in crypto theft and laundering. Security researchers say the scale, speed, and sophistication of these operations now place Pyongyang at the center of global crypto crime.

North Korea Hacking Groups Stole Over $2 Billion in Crypto

According to blockchain analytics firm Chainalysis, hackers affiliated with the Democratic People’s Republic of Korea stole more than $2.17 billion in cryptocurrency during the first six months of 2025 alone. That figure already exceeds the total amount taken throughout all of 2024. Analysts describe the surge as unprecedented, both in financial impact and operational reach.

The most significant incident came on February 21, when attackers breached crypto exchange Bybit and drained nearly $1.5 billion worth of Ethereum.

Investigators later reported that the theft was the largest single crypto hack ever recorded. The Bybit attack was followed by several smaller but still substantial breaches, including a $37 million exploit of South Korean exchange Upbit that investigators have linked to North Korean actors.

Security officials and intelligence analysts say the operations are closely tied to Pyongyang’s efforts to generate revenue under heavy international sanctions. Given limited access to traditional financial systems, the regime has increasingly relied on cybercrime as a funding source, particularly for weapons development.

The international nature of crypto platforms, together with their uneven security standards, makes them a prime target. “North Korea will always seek new vectors to steal funds on behalf of the regime, whether through fiat or crypto,” said Andrew Fierman, head of national security intelligence at Chainalysis. He noted that the country’s cyber units operate across multiple jurisdictions and continuously refine their techniques to stay ahead of enforcement efforts.

Sanctions, Fierman added, have limited effect on their own. He said meaningful disruption requires coordination across exchanges, analytics firms, cybersecurity providers, and law enforcement agencies.

Without that alignment, North Korean hackers are likely to continue treating crypto theft as a reliable revenue stream. This year, hacking groups tied to the DPRK have taken a more aggressive approach, Chainalysis notes. This includes supply-chain attacks targeting third-party service providers, wallet infrastructure firms, and custodians who manage large pools of digital assets.

The attackers are infiltrating intermediaries rather than attacking exchanges directly, which gives them indirect access to the funds while avoiding some frontline security controls. North Korean IT worker infiltration campaigns continue in parallel. Operatives, under false identities, have reportedly secured remote roles at companies operating in blockchain, AI, and defense-related sectors.

These positions provide access to internal systems, sensitive data, and in some cases direct control over crypto assets.

Once funds are stolen, laundering techniques have become more complex. Chainalysis says stolen assets now move rapidly through a mix of coin mixers, over-the-counter brokers, decentralized exchanges, token swaps, and cross-chain bridges. This multi-pronged approach disperses funds quickly and obscures transaction trails before investigators can react.

Fierman said the defining feature of current DPRK-linked operations is the simultaneous use of several large laundering channels. Transactions are executed at high speed and across multiple networks, complicating attribution and asset recovery. Emerging artificial intelligence tools may further strengthen these campaigns.

AI can help attackers craft more convincing fake identities for corporate infiltration, according to security researchers. Automation may also enable faster, more adaptive laundering processes, increasing the difficulty of tracking illicit flows in real time. Analysts say prevention relies heavily on tighter controls at crypto firms and related service providers. Fierman cited enhanced due diligence as a pragmatic line of defense.

Mandatory video interviews for remote hires, stricter identity verification, IP and geolocation monitoring, and tighter limits on anonymous crypto payments, for example, can help expose fraudulent workers before they gain access. These checks, he said, can reveal inconsistencies in behavior, access patterns, and financial flows associated with North Korean operatives. Early detection remains critical.

At the same time, experts caution against expecting a permanent solution. Illicit activity, they argue, remains a constant feature of global finance. Rapid information sharing and clear response frameworks, however, can narrow the window in which attackers operate and raise the cost of future campaigns.

As 2025 progresses, North Korea’s dominance in crypto crime continues to test the resilience of the digital asset industry. The year has already reset expectations around risk, enforcement, and the scale of state-backed cyber theft.
