• Crypto thefts by North Korea-linked hackers in 2025 have already reached unprecedented levels.
• The stolen cryptocurrency is believed to be channeled into North Korea’s nuclear weapons initiatives.

This year, North Korean cybercriminals, backed by the state, have reportedly amassed over $2 billion in stolen
cryptocurrencies, establishing a new annual high with three months still remaining in the year.

According to blockchain analytics provider Elliptic, the total amount of crypto pilfered by the regime now exceeds $6
billion. Experts are calling it one of the most enduring and lucrative cybercrime operations ever observed.

“The actual amount may be even greater,” Elliptic stated, clarifying that its analysis only included confirmed
instances of cyber theft carried out by North Korean actors.

The firm linked a substantial portion of the losses to the $1.5 billion breach of crypto exchange Bybit in February.
Other publicly reported attacks include breaches of LND.fi, WOO X, and Seedify. Elliptic further stated it has
connected over 30 other cyberattacks to North Korea.

The scale of these thefts demonstrates the North Korean government’s increasing reliance on cryptocurrency crime to
finance its nuclear weapons and missile programs, according to the United Nations and several Western intelligence
agencies.

These illicit funds, channeled through a complex web of blockchain wallets and mixing services, provide one of the
regime’s few steady sources of foreign capital amidst prevailing international sanctions.

The $2 billion taken this year significantly exceeds figures from previous years, almost tripling the total from 2024
and surpassing the $1.35 billion siphoned off in 2022 from high-profile exploits on the Ronin Network and Harmony
Bridge.

The Human Factor in Crypto Security

Elliptic revealed that while most of the 2025 losses originated from crypto exchanges, there’s an emerging trend of
high-net-worth individuals becoming targets through “social engineering attacks, in which hackers deceive or manipulate
individuals to gain access to cryptocurrency.”

This indicates a notable departure from earlier attacks that capitalized on technical weaknesses in underlying
protocols.

“The vulnerable point in cryptocurrency security is increasingly the human element, rather than technological
infrastructure,” the firm cautioned.

Social engineering has evolved into a defining strategy employed by North Korea’s Lazarus Group, which has been
associated with phishing campaigns and deceptive job offers disseminated via platforms such as LinkedIn and other
sites, designed to entice developers and executives to open files infected with malware.

Monitoring and Tracing Crypto Crime

Elliptic presented details about increasingly complex laundering methods, including multiple rounds of token mixing,
cross-chain transactions, the use of lesser-known blockchains with limited analytical visibility, and the creation and
trading of tokens issued directly by laundering operations.

One example traced from the Bybit incident showed stolen funds moving across the Bitcoin, Ethereum, and Tron
blockchains through several cross-chain services to obscure the funds’ origins.

The report concludes that, despite North Korea’s growing sophistication in illicit activities, blockchain’s inherent
transparency provides a critical investigative advantage. Every stolen digital asset leaves a digital footprint on the
blockchain.

“North Korea may be adapting its methodologies, but with advanced forensic techniques, the cryptocurrency industry and
law enforcement agencies are well-positioned to detect and trace these threats.”

Lance Datskoluo is DL News’ markets reporter in Europe. Have a story tip? Get in touch at lance@dlnews.com.
