North Korean Hackers Steal Over $2.1B in Crypto in Record-Breaking 2025


How Large Were North Korea’s Crypto Thefts This Year?
Hackers linked to North Korea stole record amounts of cryptocurrency in 2025, reinforcing the country’s role as the most active state-backed cyber threat in the digital asset sector. According to blockchain analytics firm Chainalysis, groups tied to the Democratic People’s Republic of Korea took more than $2.17 billion in crypto during the first half of the year alone, exceeding the total stolen across all of 2024.
The largest single incident occurred on Feb. 21, when attackers drained nearly $1.5 billion worth of ether from crypto platform Bybit. Chainalysis described the breach as the largest crypto theft ever recorded. The Bybit attack was followed by a series of additional incidents attributed to North Korean-linked actors, including a $37 million hack of .
Chainalysis said the scale and pace of the attacks point to a sustained campaign rather than isolated events, with hacking continuing to serve as a funding source for the regime amid tight international sanctions.
Why Does North Korea Rely So Heavily on Crypto Hacks?
to its broader economic and geopolitical constraints. With limited access to and increasing pressure from sanctions, the regime has turned cybercrime into a revenue channel to support state priorities, including weapons development.
According to Chainalysis, hacking groups affiliated with Pyongyang, including the well-known Lazarus Group, have steadily refined their methods over several years. Rather than relying on a single exploit type, these groups now deploy a mix of technical vulnerabilities, social engineering, and long-term infiltration strategies to access funds.
“North Korea will always seek new vectors to steal funds on behalf of the regime, whether through fiat or crypto,” Andrew Fierman, head of national security intelligence at Chainalysis, said. He added that their methods are “highly sophisticated, diversified, and deeply embedded across jurisdictions.”
Fierman said sanctions alone have not stopped these activities and warned that crypto theft is likely to remain a central pillar of the regime’s funding strategy.
How Are DPRK Hacking Tactics Changing?
Chainalysis said North Korean-linked hackers adopted more aggressive and coordinated tactics in 2025. These included supply-chain attacks targeting third-party service providers, custodians, and infrastructure vendors rather than just platforms themselves. By compromising upstream services, attackers gained indirect access to funds and sensitive systems.
Another area of focus has been IT worker infiltration. North Korean operatives posing as freelance developers or engineers have continued to secure roles inside crypto, AI, and defense-related companies using false identities. Once embedded, these workers can access internal systems, intellectual property, or crypto reserves.
Laundering methods have also grown more complex. “Stolen funds follow diverse laundering paths, including mixing services, OTC brokers, chain-hopping, token swaps, decentralised platforms, and bridge protocols to obscure flows,” Fierman said. He noted that a defining trait of recent operations is the use of multiple laundering channels at the same time, executed rapidly to make tracking and recovery harder.
Chainalysis also warned that could strengthen these operations. AI tools may help attackers create more convincing fake identities or automate parts of the laundering process, increasing speed and scale.
What Can the Industry Do to Limit Future Attacks?
Fierman said some preventive steps can reduce exposure, particularly against infiltration-based attacks. These include stricter identity checks for remote workers, mandatory video interviews, IP and geolocation monitoring, and tighter controls on opaque payment methods. Such measures can help identify inconsistencies in access patterns or financial behavior before attackers gain a foothold.
Still, he cautioned against expecting complete prevention. “As long as there is crime, such as hacks will continue to occur,” Fierman said. He argued that quicker information sharing between platforms, analytics firms, and law enforcement is one of the few tools that can meaningfully reduce the impact of future attacks.
The data from 2025 suggest that North Korea’s cyber operations are not slowing. Instead, they are becoming more organized, better funded, and harder to disrupt. For the crypto industry, that reality raises the stakes around security, due diligence, and coordinated response as state-backed threats grow more capable.






