North Korea and Crypto: Hacks, Sanctions, and Stolen Billions

KEY TAKEAWAYS

  • In February 2025, North Korea’s Lazarus Group stole $1.5 billion from ByBit, the largest crypto theft ever recorded.
  • Hackers laundered $160 million in the first 48 hours using mixers and DeFi platforms.
  • North Korea has stolen over $3.4 billion in crypto to fund its sanctioned nuclear and missile programs.
  • Tactics include phishing, malware, fake job offers (“Contagious Interview”), and targeting personal wallets.
  • The ByBit hack triggered a 20% drop in BTC prices, underscoring the vulnerability of the crypto market.
  • The hacks carry serious geopolitical risks, strengthening Pyongyang’s military and complicating diplomatic stability.

In early 2025, the world witnessed one of the largest cryptocurrency heists in history, a staggering $1.5 billion theft from the Dubai-based platform ByBit. This breach, attributed to North Korean state-backed hacker groups, underscores the growing role of cryptocurrencies in the secretive regime’s strategies to bypass international sanctions and fund its military ambitions.

Behind these operations lies a sophisticated and relentless cybercrime apparatus that has stolen billions in crypto over recent years. This article examines North Korea’s cryptocurrency hacking campaigns, its methods for laundering stolen funds, and the broader implications for global security and regulation.

The ByBit Heist: A Record-Breaking Crypto Theft

On February 21, 2025, a coordinated cyberattack by the infamous Lazarus Group, an elite North Korean hacking collective linked to the country’s Reconnaissance General Bureau, successfully infiltrated ByBit, one of the world’s leading cryptocurrency platforms.

Exploiting vulnerabilities in software and employing advanced phishing tactics, the hackers moved approximately $1.5 billion worth of ETH tokens to a complex network of blockchain addresses.

This event marked the most significant theft of digital currency ever recorded, surpassing all previous breaches in magnitude. Notably, about $160 million was laundered within the first 48 hours, demonstrating the group’s speed and sophistication in obscuring the financial trail. 

Despite ByBit’s lack of operations in the United States, the hack sent shockwaves throughout the global crypto market, contributing to a 20% drop in BTC prices and raising fresh concerns about the security of decentralized platforms and wallets.

North Korea’s Expanding Crypto Crime Portfolio

The Lazarus Group, active since the mid-2000s, has evolved from traditional cyber espionage and sabotage into a prolific operation targeting cryptocurrency platforms and users worldwide. Since emerging in the crypto hacking scene, the group is estimated to have stolen over $3.4 billion in digital assets, making it a critical source of revenue for Pyongyang’s sanctioned nuclear weapons and ballistic missile programs.

North Korean cybercriminals operate at a scale unmatched by other nation-state groups, responsible for nearly two-thirds of worldwide in 2024 alone. Their methods extend beyond direct hacking, encompassing deceptive recruitment campaigns within the crypto industry, where fake job offers and intricate interview ruses are used to gain insider access to company systems.

This campaign, dubbed the “Contagious Interview” by cybersecurity firms, has targeted hundreds of cryptocurrency professionals globally, indicating a shift toward blending social engineering with traditional hacking techniques.

Weapons of the Shadow Economy: Bypassing Sanctions with Crypto

Cut off from the international banking system and heavily sanctioned, North Korea relies on these illicit cryptocurrency operations to sustain its economy and military endeavours. Unlike traditional monetary theft, crypto assets are attractive due to their decentralized nature, relative anonymity, and global accessibility, allowing the regime to sidestep financial restrictions imposed by the United Nations and Western powers.

The stolen funds support the regime’s nuclear and missile development programs, potentially funding procurement of materials and technology otherwise blocked. Experts assess that a dedicated team, possibly working around the clock, uses advanced , including converting stolen cryptocurrencies to other digital assets and dispersing funds across thousands of blockchain addresses to evade detection.

Laundering Stolen Cryptocurrencies: The Race Against Time

Once cryptocurrencies are stolen, laundering becomes critical for converting digital assets into usable fiat currency without being traced. North Korean groups invest heavily in automation and operational secrecy to move stolen funds rapidly through mixers, decentralized finance (DeFi) platforms, and P2P networks.

Approximately 20% of the ByBit heist funds have “gone dark,” meaning they are currently untraceable and unrecoverable. This indicates the perpetrators’ success in deploying effective obfuscation strategies, making recovery efforts by authorities exceedingly hard. The urgency of laundering is underscored by the fact that the quicker stolen crypto is moved, the lower the chances of interception by law enforcement and blockchain monitoring firms.

Additional Hacks and Persistent Threats in 2025

The ByBit hack is not an isolated incident. In the first half of 2025 alone, North Korean hackers are believed to have been responsible for over $2 billion in stolen cryptocurrencies, marking the worst year-to-date record for crypto thefts. Their targets go beyond platforms to include personal wallets, decentralized finance projects, and protocols with vulnerabilities.

For example, in late September 2025, SBI Crypto reportedly suffered a $21 million hack attributed to Lazarus Group, reaffirming the ongoing threat posed by North Korean cyber operatives. Additionally, these hackers continuously adapt their tactics, including the use of coercion (the so-called “wrench” attacks) to gain control of crypto holders’ assets.

Global Response: Sanctions, Cyber Defence, and Regulation

The United States and its allies have taken an increasingly aggressive stance against North Korean cybercrime, imposing sanctions on individuals and entities linked to the Lazarus Group and enhancing crypto market regulation to prevent money laundering. 

The Federal Bureau of Investigation (FBI) publicly named North Korea as responsible for the ByBit hack and has dubbed the specific cyber activity “TraderTraitor,” emphasizing the state’s central role in these attacks.

Moreover, international cooperation in blockchain analysis has improved, with firms like Chainalysis, Elliptic, and SentinelOne playing vital roles in tracking illicit flows of digital funds and exposing North Korean laundering techniques.

Regulatory efforts are also underway to enhance operational security in cryptocurrency platforms, strengthen know-your-customer (KYC) protocols, and expedite the development of laws targeting ransomware and illicit proceeds. 

The Trump administration’s push to make the U.S. “Crypto capital of the planet” includes balancing innovation with security, a task made more urgent by high-profile heists such as the ByBit incident.

Economic and Geopolitical Implications

North Korea’s ability to steal and launder billions in cryptocurrency has significant repercussions beyond financial crime. It fuels the regime’s capacity to sustain and expand weapons of mass destruction programs, destabilizing regional security in East Asia and complicating diplomatic talks.

Moreover, the blending of cybercrime, espionage, and geopolitical strategy exemplifies the challenges modern states face in controlling digital assets that transcend borders. Cryptocurrencies, by design, provide hard-to-police avenues for money movement, raising urgent questions about the resilience of the global digital financial architecture.

The Road Ahead: Challenges in Combating North Korean Crypto Crime

Despite mounting efforts, North Korean cybercrime continues to evolve with agility, exploiting gaps in global cyber defence coordination and the technical complexities of blockchain. Their recruitment schemes, combined with advanced malware, show an operational sophistication rarely matched in the cybercrime world.

Looking forward, combating these threats will require enhanced intelligence sharing, stronger industry collaboration, and technological advances in blockchain forensics. As North Korea continues to innovate its cyber and financial tactics, the international community’s response must be equally adaptive to mitigate the financial flows enabling the regime’s malign activities.

FAQ 

What happened in the ByBit hack of 2025?
On February 21, 2025, North Korea’s Lazarus Group stole $1.5 billion in ETH from ByBit, marking the most significant crypto theft in history.

Who is behind the attack?
The Lazarus Group, a state-backed North Korean hacking collective linked to the Reconnaissance General Bureau, carried out the heist using advanced phishing and software exploits.

Why does North Korea target cryptocurrency?
Cryptocurrency provides a means for Pyongyang to circumvent international sanctions, fund its nuclear and missile programs, and access global financial systems that are otherwise blocked.

How do North Korean hackers launder stolen crypto?
They use mixers, DeFi platforms, P2P networks, and rapid blockchain transfers, dispersing funds across thousands of wallets to obscure the trail.

How much has North Korea stolen in total?
Since entering the crypto crime scene, North Korean groups have stolen over $3.4 billion in digital assets, with 2025 marking their most active year.
