How North Korea Stole $2 Billion in Cryptocurrency in 2025
The year 2025 marked a historic escalation in cybercrime within the cryptocurrency industry, as losses exceeded a staggering $3.4 billion globally. A significant portion of these losses was attributed to North Korea-linked hackers, who executed high-impact attacks that collectively resulted in over $2 billion in stolen digital assets. This 51% year-over-year increase cements their position as some of the most sophisticated threat actors on the global stage.
Fewer Attacks, Bigger Rewards
According to Chainalysis, a leading blockchain analytics firm, the Democratic People’s Republic of Korea (DPRK) achieved this record-breaking exploitation despite a noticeable reduction in the number of attacks. Instead, fewer but more targeted attacks yielded massive returns, with incidents like the Bybit hack in March 2025 being a prime example. North Korean hackers accounted for 76% of all known service compromises during the year, pushing their estimated cumulative stolen funds to $6.75 billion since 2020.
How North Korea’s Hackers Operate
Experts believe that North Korea has honed a unique and deliberate approach to cryptocurrency theft. Key attack strategies include:
- IT Worker Infiltration: Operatives secure jobs in technical roles within cryptocurrency firms, gaining insider access to critical systems.
- Posing as Employers: Hackers impersonate industry professionals using fake Zoom and Microsoft Teams meetings to gain trust and steal credentials.
- Advanced Laundering Techniques: Laundering occurs in smaller, deliberate tranches with strong reliance on Chinese-language money movement services, mixers, and cross-chain bridges.
A notable example occurred in July 2025, when an exposé revealed that DPRK-linked operatives infiltrated over 900 jobs in the crypto sector. With privileged access, they orchestrated large-scale breaches while remaining undetected during recruitment.
What Security Analysts Had to Say
Andrew Fierman, Head of National Security Intelligence at Chainalysis, emphasized that North Korea’s increasing reliance on cybercrime stems from the nation’s lack of access to global financial systems. “Combine this with their high level of sophistication, and you have a state-level actor capable of executing devastating attacks,” he noted.
Fierman also explained that their operations involve smaller, calculated fund transfers. Approximately 60% of stolen funds are moved in transactions below $500,000. By comparison, other threat actors focus on larger transfers of $1 million or more. This meticulous approach allows DPRK hackers to evade detection for longer periods.
The 45-Day Laundering Window
North Korean hackers often follow a recurring 45-day laundering timeline. Their process includes:
- Days 0-5: Rapid distancing of stolen funds using DeFi protocols and mixers.
- Days 6-10: Engagement with limited KYC platforms and cross-chain services.
- Days 20-45: Final integration with no-KYC exchanges and Chinese-language money laundering services.
This systematic laundering pattern demonstrates the hackers’ operational precision and reveals the timeframes in which intervention, such as freezing funds, would be most effective. The pattern also points to active collaboration with illicit actors in Asia-Pacific networks.
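As an added illustration, not taken from the article or the Chainalysis report, the following Python sketch turns the three-phase timeline above and the sub-$500,000 tranche pattern into a simple monitoring heuristic a compliance or investigations team could run over outflows from an address flagged after a theft. The sample outflows, the phase labels and the 50% small-tranche threshold for a "pattern match" are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Phase boundaries in days after the theft, as described in the article.
PHASES = [
    ("distancing", 0, 5),             # DeFi protocols and mixers
    ("limited_kyc_crosschain", 6, 10),  # limited-KYC platforms, bridges
    ("integration", 20, 45),          # no-KYC exchanges, OTC laundering
]
TRANCHE_LIMIT_USD = 500_000  # article: ~60% of DPRK-moved value is below this

def phase_for(day_offset):
    """Map a day offset from the theft onto one of the article's phases."""
    for name, lo, hi in PHASES:
        if lo <= day_offset <= hi:
            return name
    return "gap"  # days 11-19 or beyond day 45: outside the described window

def profile_outflows(theft_time, outflows, small_share_threshold=0.5):
    """Bucket (timestamp, usd_value) outflows by phase and score the pattern.

    small_share_threshold is an assumed cut-off for this example, not a
    figure from the report.
    """
    summary = {name: {"count": 0, "usd": 0.0} for name, _, _ in PHASES}
    summary["gap"] = {"count": 0, "usd": 0.0}
    small_usd = total_usd = 0.0
    for ts, usd in outflows:
        bucket = summary[phase_for((ts - theft_time).days)]
        bucket["count"] += 1
        bucket["usd"] += usd
        total_usd += usd
        if usd < TRANCHE_LIMIT_USD:
            small_usd += usd
    summary["small_tranche_share"] = small_usd / total_usd if total_usd else 0.0
    # Heuristic: activity in both the early and late phases plus a majority of
    # value moved in small tranches resembles the described laundering cadence.
    summary["matches_pattern"] = (
        summary["distancing"]["count"] > 0
        and summary["integration"]["count"] > 0
        and summary["small_tranche_share"] >= small_share_threshold
    )
    return summary

# Constructed sample: five outflows from a hypothetical drained address.
THEFT_TIME = datetime(2025, 3, 1)
SAMPLE_OUTFLOWS = [
    (THEFT_TIME + timedelta(days=1), 400_000.0),
    (THEFT_TIME + timedelta(days=2), 450_000.0),
    (THEFT_TIME + timedelta(days=7), 300_000.0),
    (THEFT_TIME + timedelta(days=30), 900_000.0),
    (THEFT_TIME + timedelta(days=31), 200_000.0),
]

if __name__ == "__main__":
    print(profile_outflows(THEFT_TIME, SAMPLE_OUTFLOWS))
```

In practice the outflow list would come from a blockchain analytics feed, and a match would prompt a freeze request to the counterparties in the integration phase rather than any automatic action.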
How Can Crypto Platforms Respond?
The report highlights the urgent need for cryptocurrency exchanges, custodians, and other platforms to strengthen their cybersecurity defenses, particularly against insider threats. Additionally, private sector firms and law enforcement must collaborate in real time to freeze stolen funds as they traverse the blockchain.
Recommended Product: Ledger Nano X
One proactive step for individuals is to secure their cryptocurrency using trusted cold wallets like the Ledger Nano X. Its robust encryption and offline storage capabilities make it ideal for protecting digital assets from hacking attempts.
The Road Ahead: Preparing for 2026
As we approach 2026, North Korea continues to evolve its methods, targeting both centralized exchanges and decentralized finance (DeFi) protocols. With tools like blockchain analytics and international collaboration, the cryptocurrency industry must remain vigilant to neutralize such threats. Recognizing the DPRK’s unique operational constraints and motivations should be central to these efforts.
Finally, while the Bybit hack serves as a sobering example of the scale of damage possible, it also underscores the importance of high security standards. Platforms with significant reserves must act swiftly to counter vulnerabilities, as North Korea’s strategic focus targets maximum financial impact.