North Korea-linked hackers stole more than ₹18,500 crore in cryptocurrency in 2025, according to Elliptic, as exchange breaches, social engineering and increasingly sophisticated laundering tactics turned crypto theft into one of the regime’s most consequential and closely watched financial lifelines.

North Korea’s Crypto Hackers Stole Over ₹18,500 Crore in 2025

The420 Correspondent

North Korea’s cyber operations have long been treated by governments and investigators as more than a criminal enterprise. They are often described as a revenue system for a heavily sanctioned state. Now, according to Elliptic, that system has reached a new scale: the firm says hackers linked to North Korea stole more than $2 billion (₹18,500 crore) in cryptoassets in 2025, the largest annual amount yet recorded, pushing the cumulative known total above $6 billion (₹55,507.8 crore).

Those figures are difficult to verify with absolute precision. Attribution in crypto theft rarely comes with courtroom certainty, and Elliptic itself notes that such assessments depend on blockchain tracing, laundering patterns and intelligence inputs rather than a single definitive marker. But the new estimate aligns with a broader international consensus that North Korea has made cyber theft a central instrument of economic survival and strategic finance. United Nations sanctions monitors have previously said North Korean cyber actors stole record sums in 2022, and officials in several countries have argued that the proceeds help sustain Pyongyang’s weapons programs.

The scale of the 2025 figure also suggests a deeper change in the economics of state-backed hacking. What once looked like episodic digital theft now increasingly resembles a mature funding channel — one large enough to affect the crypto industry, unsettle governments and reinforce a geopolitical conflict far beyond the blockchain itself.


The Bybit Hack and the New Arithmetic of Theft

Much of this year’s total, Elliptic said, was driven by February’s theft from Bybit, the Dubai-based crypto exchange, where about $1.46 billion (₹13,506.9 crore) in digital assets were stolen in one of the largest crypto heists on record. Reuters reported at the time that the hack was the biggest known theft in the sector, and days later the F.B.I. publicly attributed the attack to North Korean cyber actors known as TraderTraitor.

But the Bybit case was not treated by researchers as an isolated event. Elliptic said other 2025 thefts publicly attributed to North Korea included attacks on LND.fi, WOO X and Seedify, and that the firm had linked more than 30 additional hacks to North Korean activity this year. Chainalysis, another blockchain analytics company, later put North Korea’s 2025 crypto theft at roughly $2.02 billion, suggesting broad agreement among researchers about the magnitude of the problem even if exact totals differ.

By comparison, the earlier benchmark year had been 2022, when U.N. sanctions monitors cited outside estimates ranging from $630 million (₹5,828.3 crore) to more than $1 billion (₹9,251.3 crore) in North Korea-linked virtual asset theft. In other words, 2025 did not merely break the old record. It appears to have reset it.

The consequence is that crypto theft has become harder to dismiss as a side effect of sanctions evasion. In the language of investigators, it is now part of the regime’s operating model: a means of converting digital vulnerabilities into strategic cash flow.

From Code Exploits to Human Manipulation

The report also points to a tactical evolution. Elliptic said that most 2025 losses stemmed from social engineering, not only technical flaws in crypto infrastructure. That shift means the weak point in the system is increasingly human rather than purely software-based. Victims now include not just exchanges and crypto services but also high-net-worth individuals, especially those seen as having looser security or access to large holdings.

That change matters because it broadens the field of vulnerability. Earlier North Korean-linked operations often centered on exploiting bridges, wallet infrastructure or internal security weaknesses at crypto platforms. The newer pattern, as described by researchers, relies more on impersonation, deception and carefully staged contact with people who can be persuaded to surrender access or approve transfers.

The distinction is subtle but important. Technical exploits can sometimes be patched. Human trust is harder to harden at scale. And once attackers move from attacking code to manipulating users and insiders, the perimeter of risk expands from engineering teams to executives, investors and private holders.

This is part of why the North Korean crypto threat has proved so adaptable. It has not depended on one bug, one exchange or one chain. Instead, it appears to evolve alongside the defenses built to stop it.

The Laundering Race and the Limits of Visibility

If theft is the first act, laundering is the second. Elliptic said North Korean-linked actors have responded to stronger blockchain monitoring by making their laundering techniques more complex: layering funds through multiple rounds of mixing, moving assets across chains, exploiting lesser-known blockchains with weaker analytics coverage, and using new wallet-routing methods to break investigative continuity.

That pattern reflects a larger contest now embedded in the crypto economy. On one side are analytics firms, exchanges and law enforcement agencies that argue blockchain transparency gives them unusual power to trace illicit funds. On the other are increasingly sophisticated actors who treat that transparency as an obstacle to be gamed rather than feared. Elliptic’s account of the aftermath of the Bybit hack suggests that the laundering process itself has become more inventive, modular and deliberate.

Still, investigators maintain that the structure of public blockchains offers a long memory. Transactions do not vanish in the way cash can. They remain visible, linkable and, under the right conditions, attributable. That is why firms like Elliptic and Chainalysis continue to play an outsized role in the enforcement landscape: they are not just measuring theft, but helping exchanges and financial institutions decide which wallets, deposits and flows to block.

The larger implication of the 2025 total is not simply that North Korea stole more. It is that cyber theft has become a more normalized part of how a sanctioned state competes, adapts and funds itself. The money moves through wallets and mixers, but the stakes lie elsewhere — in missile programs, sanctions enforcement and the uneasy realization that in the crypto era, geopolitical finance can be routed through a hack.

About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
