North Korean crypto hacks escalate in record year of theft a

North Korean Hackers Set New Record for Crypto Theft in 2025

State-sponsored cyberattacks have become a persistent threat to cryptocurrency security, and North Korea is the dominant actor. As global sanctions tighten around the regime, hackers affiliated with the Democratic People’s Republic of Korea (DPRK) have intensified efforts to exploit weaknesses in the blockchain ecosystem, stealing billions to fund the country's weapons programs and evade international restrictions.

Record-Breaking Thefts Amid Escalating Tactics

North Korean hackers stole more than $2.17 billion in cryptocurrency during the first half of 2025, surpassing the total for all of 2024 and marking the worst year-to-date on record, according to blockchain analytics firm Chainalysis. This surge in activity underscores the regime’s reliance on crypto as a primary revenue stream, with groups like Lazarus refining their methods to target exchanges and infrastructure. Key incidents include:

  • The February 21 breach of Bybit, where hackers siphoned nearly $1.5 billion in Ethereum—the largest single crypto theft in history.
  • A $37 million hack of South Korean exchange Upbit in late 2025.
  • Coordinated supply-chain attacks on third-party service providers and fund custodians, allowing infiltration into AI, blockchain, and defense sectors.

Chainalysis also noted that DPRK actors have adopted aggressive techniques beyond direct exchange breaches, including infiltrating IT firms under false identities to gain access to company infrastructure or reserves. These operations persist despite international sanctions targeting the individuals and entities involved.

"North Korea will always seek new vectors to steal funds on behalf of the regime, whether through fiat or crypto," said Andrew Fierman, head of national security intelligence at Chainalysis. "So, their mechanisms are forever evolving, and are highly sophisticated, diversified, and deeply embedded across jurisdictions."

Fierman emphasized that sanctions alone are insufficient, calling for coordinated industry action involving exchanges, analytics firms, and law enforcement to disrupt the hacking ecosystem.

Complex Laundering and Future Risks

The laundering of stolen funds has grown more intricate, with DPRK hackers routing proceeds through several channels at once to obscure their origin.

"Stolen funds follow diverse laundering paths, including mixing services, OTC brokers, chain-hopping, token swaps, decentralised exchanges, and bridge protocols to obscure flows," Fierman added.

The hallmark of these operations is the simultaneous use of multiple large-scale channels, executed rapidly to evade detection. Chainalysis highlighted that evolving AI technologies could further enhance these tactics, aiding in persona creation for infiltrations and automating complex laundering processes. Preventive measures recommended by experts include enhanced due diligence by companies, such as mandatory video interviews, stricter identity verification, IP and geolocation monitoring, and limits on opaque payment methods like crypto. These steps aim to identify inconsistencies in financial flows and access patterns associated with DPRK-linked actors.
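The IP and geolocation monitoring described above is the kind of check a company can run over its own access logs to spot a contractor whose location or infrastructure does not match the identity they presented. The following is an added illustration, not code from the article or from Chainalysis: it replays a constructed sample of contractor logins (declared country, source IP, timestamp) through four simple heuristics, namely a login country that differs from the declared one, a source address in a hosting or VPN range, one IP shared by several accounts (a laptop-farm indicator), and a switch between countries within a short window. The GEO lookup table is a hypothetical stand-in for a real GeoIP/ASN database, and the users, addresses and times are all invented for the example.

```python
"""Flag contractor access patterns that contradict a declared location.

Added example, not from the article. The GEO table is a hypothetical
stand-in for a GeoIP/ASN lookup; the SAMPLE events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical GeoIP/ASN lookup: ip -> (country, asn_type). A real
# deployment would query a GeoIP/ASN database instead of this table.
GEO = {
    "203.0.113.10": ("US", "residential"),
    "203.0.113.11": ("US", "residential"),
    "198.51.100.7": ("US", "hosting"),      # VPS / VPN exit node
    "192.0.2.44": ("CN", "residential"),
}


@dataclass(frozen=True)
class Login:
    user: str              # account name
    declared_country: str  # country the contractor claimed during onboarding
    ip: str                # source address of the login
    ts: datetime           # login time (UTC)


def geo(ip):
    """Return (country, asn_type); unknown addresses are marked as such."""
    return GEO.get(ip, ("??", "unknown"))


def analyze(logins, switch_window=timedelta(hours=2)):
    """Return {user: sorted list of finding strings} over a batch of logins."""
    findings = defaultdict(set)
    ip_users = defaultdict(set)   # ip -> accounts seen from it
    by_user = defaultdict(list)   # user -> that user's logins

    for ev in logins:
        country, asn_type = geo(ev.ip)
        ip_users[ev.ip].add(ev.user)
        by_user[ev.user].append(ev)
        findings[ev.user]  # make sure clean users appear with an empty set
        if country != ev.declared_country:
            findings[ev.user].add(f"country_mismatch:{country}")
        if asn_type == "hosting":
            findings[ev.user].add(f"hosting_asn:{ev.ip}")

    # One address serving several contractor accounts is a laptop-farm signal.
    for ip, users in ip_users.items():
        if len(users) > 1:
            for u in users:
                findings[u].add(f"shared_ip:{ip}")

    # A country change between consecutive logins inside a short window.
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for a, b in zip(evs, evs[1:]):
            ca, cb = geo(a.ip)[0], geo(b.ip)[0]
            if ca != cb and b.ts - a.ts <= switch_window:
                findings[user].add(f"rapid_country_switch:{ca}->{cb}")

    return {u: sorted(f) for u, f in findings.items()}


# Constructed sample: four contractors who all declared a US location.
T0 = datetime(2025, 6, 2, 9, 0)
SAMPLE = [
    Login("alice", "US", "203.0.113.10", T0),
    Login("bob", "US", "198.51.100.7", T0 + timedelta(minutes=5)),
    Login("carol", "US", "203.0.113.10", T0 + timedelta(minutes=30)),
    Login("dave", "US", "203.0.113.11", T0 + timedelta(minutes=45)),
    Login("bob", "US", "192.0.2.44", T0 + timedelta(hours=1)),
]


def sample_report():
    """Run the heuristics over the constructed sample."""
    return analyze(SAMPLE)


if __name__ == "__main__":
    for user, flags in sample_report().items():
        print(user, flags or "ok")
```

In the sample, bob is flagged three times (a hosting-range exit, a login from a country other than the one declared, and a US-to-CN switch within an hour), alice and carol are both flagged for sharing an address, and dave is clean. None of these is proof of fraud on its own; the point is to surface accounts for the manual follow-up, such as a video interview, that the article recommends.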

"Ultimately, however, we should be realistic. As long as there is crime, illicit financial activity such as hacks will continue to occur," Fierman stated. "This is why close collaboration between platforms, the private sector, and law enforcement is critical."

How do you see this ongoing threat influencing the development of security standards across the crypto industry?
