North Korean Hackers Lead 2025 Crypto Theft Surge

Summary

– North Korean hackers stole a record $2.02 billion in cryptocurrency in 2025, a 51% increase, despite conducting fewer attacks than before.
– Their tactics have shifted from infiltrating companies with fake IT workers to directly tricking existing employees and executives with elaborate recruitment or investment scams.
– These social engineering schemes compromise victims’ machines to steal credentials and gather detailed intelligence on high-value AI and blockchain company infrastructure.
– While theft incidents and unique victims surged in 2025 due to greater crypto adoption, the total value stolen from individuals declined, indicating attackers are targeting more people for smaller amounts.
– The hackers rapidly launder stolen funds through a variety of methods, including DeFi protocols, mixing services, and exchanges with weak identity checks.

A significant shift in cybercrime tactics is driving a surge in cryptocurrency theft, with North Korean hacking groups now responsible for stealing over $2 billion in digital assets in 2025 alone. This represents a staggering 51% increase from the previous year, bringing their cumulative total to an estimated $6.75 billion. The alarming trend underscores a strategic pivot by these state-sponsored actors toward fewer, more sophisticated attacks designed to yield maximum financial returns from high-value targets.

For a long time, a core strategy involved infiltrating companies with IT workers using fabricated identities. These operatives would secure remote positions, particularly within technology and cryptocurrency firms, to siphon salaries back to the regime and gather intelligence. However, recent analysis points to a more aggressive evolution. Hackers are now directly targeting existing employees and executives at strategically important AI and blockchain companies, bypassing the need to get hired themselves.

One prevalent method involves sophisticated social engineering. Attackers pose as recruiters from prominent web3 or artificial intelligence companies, contacting engineers with enticing job offers. The process mimics a legitimate hiring pipeline, complete with technical interviews. During these staged interviews, candidates are instructed to run specific code or open documents that secretly install malware. This compromise grants the hackers access to the victim’s credentials, proprietary source code, and critical corporate systems like VPNs.

A parallel scheme targets senior leadership. Posing as potential investors or acquisition partners, the attackers engage executives in lengthy discussions that can span weeks. These conversations involve fake pitch meetings and due diligence questionnaires, cleverly designed to extract detailed information about internal security protocols, system architecture, and workflow vulnerabilities. This intelligence-gathering phase meticulously maps out the target’s infrastructure to identify the weakest points of entry.

Following a successful breach, the focus shifts to obscuring the stolen funds. North Korean operatives rapidly launder cryptocurrency through a complex web of decentralized finance (DeFi) protocols, cross-chain bridges, and mixing services. They also exploit exchanges with lax identity verification processes, alongside instant exchange platforms and specialized money laundering networks, to cash out or conceal the illicit proceeds.

Alongside these large-scale heists, a broader trend of wallet compromises is affecting individual users. The total number of theft incidents skyrocketed to 158,000 in 2025, nearly triple the figure from 2022. This rise correlates with wider cryptocurrency adoption. Networks with large numbers of active personal wallets, like Solana, saw a disproportionately high number of victims, approximately 26,500. While Ethereum and Tron also experienced significant targeting in terms of frequency, platforms like Base and Solana, despite their large user bases, demonstrated a lower relative likelihood of user victimization.

Interestingly, the total dollar value stolen from individuals actually decreased from a 2024 peak of $1.5 billion to $713 million in 2025. This indicates a strategic shift where attackers are casting a wider net, compromising a greater number of wallets but for smaller average amounts per theft. The data suggests that as the user base expands, criminals are adapting to exploit smaller, more frequent opportunities alongside their high-stakes attacks on major services.

(Source: HelpNet Security)
