North Korea-linked hackers stole at least $2.02 billion in cryptocurrency in 2025, accounting for the majority of global crypto theft this year and marking a sharp escalation in the scale and coordination of state-backed cybercrime. According to a new analysis by blockchain intelligence firm Chainalysis, more than $3.4 billion was stolen worldwide between January and early December, with actors tied to Pyongyang responsible for roughly three-quarters of all major service compromises.
The figures represent a 51 percent increase over last year and push the estimated cumulative total of cryptocurrency stolen by North Korea to $6.75 billion. Analysts say the spike reflects not only larger individual hacks, but also more systematic methods of access, laundering and monetisation—suggesting a maturing financial pipeline rather than sporadic cyber theft.
For governments enforcing international sanctions, the numbers underscore a persistent challenge: digital assets have become one of the most effective tools for North Korea to generate hard currency beyond the reach of traditional financial controls.
The Bybit Breach and the Lazarus Playbook
The largest single incident this year was the February breach of cryptocurrency exchange Bybit, which resulted in the theft of $1.5 billion—nearly three-quarters of North Korea’s total haul in 2025. Investigators attributed the attack to a threat cluster known as TraderTraitor, part of the broader constellation of groups commonly referred to as the Lazarus Group, which has been linked to Pyongyang’s military intelligence apparatus.
Security researchers later tied the operation to malware infrastructure associated with Lumma Stealer, reinforcing suspicions that endpoint compromise played a role in the initial access. The Bybit attack followed a familiar pattern seen in earlier Lazarus operations: deep reconnaissance, targeted compromise of privileged systems, and rapid extraction of assets before detection.
North Korean hackers are also believed to be behind a $36 million theft from South Korea’s Upbit exchange last month, adding to a decade-long record of high-impact crypto heists that analysts say now function as a reliable revenue stream for the regime.
Laundering at Scale: From DeFi to Fiat
Stealing cryptocurrency is only the first step. What distinguishes North Korea’s operations, analysts say, is the industrialisation of laundering. Chainalysis describes a multi-wave process that typically unfolds over 45 days, designed to obscure the origin of stolen funds before they are converted or reinvested.
In the initial days, assets are rapidly moved through decentralised finance protocols and mixing services to break direct links to the original theft. They are then routed through cross-chain bridges, secondary mixers and cryptocurrency exchanges, before reaching services that facilitate conversion into fiat currency or other assets.
A significant portion of this process relies on Chinese-language money laundering networks, including over-the-counter brokers and specialised marketplaces. Investigators say the heavy reliance on such intermediaries reflects North Korea’s long-standing use of regional networks to access the global financial system indirectly—mirroring tactics employed well before the rise of cryptocurrency.
Beyond Hacks: The IT Worker Infiltration Strategy
Alongside direct exchange breaches, North Korea has expanded a parallel strategy that blurs the line between cybercrime and employment fraud: embedding covert IT workers inside companies worldwide. Under false identities or through front companies, these operatives gain legitimate access to corporate systems, including crypto firms, custodians and Web3 platforms.
This approach—sometimes referred to as “Wagemole”—has enabled hackers to bypass perimeter defences entirely. In some cases, infiltrators have operated for months, or even years, before facilitating major compromises.
The U.S. Justice Department recently highlighted the tactic in the sentencing of a Maryland man who allowed North Korean nationals to use his identity to secure remote software jobs, including work tied to U.S. government agencies. Prosecutors said such schemes generated hundreds of thousands of dollars in salary payments, while also providing access to sensitive systems.
Security researchers now warn that the strategy is evolving again, with recruiters targeting freelance platforms and persuading unwitting collaborators to share credentials or install remote-access tools—extending North Korea’s reach deeper into the global digital labour market.
Taken together, the thefts, laundering operations and infiltration schemes point to a sophisticated financial architecture—one that has allowed a heavily sanctioned state to turn cyber operations into a steady source of revenue. As enforcement agencies track stolen funds and dismantle individual networks, the broader system powering North Korea’s crypto economy remains resilient, adaptive and increasingly difficult to contain.
