North Korean Hackers Stole $2 Billion in Crypto This Year

Summary
– North Korean hackers stole over $2 billion in cryptocurrency in 2025, with the largest theft being $1.46 billion from Bybit exchange in February.
– Hackers are increasingly targeting high-net-worth individuals using social engineering tactics like fake job offers and video calls to install malware.
– The shift to social engineering highlights that human vulnerabilities, rather than technical flaws, are now the primary weak point in cryptocurrency security.
– Stolen cryptocurrency funds North Korea’s nuclear weapons and missile programs, serving as a major cash flow into its isolated economy.
– North Korea also uses clandestine IT workers hired by global companies to access sensitive systems, steal data, and extort ransoms after employment ends.

North Korean state-sponsored hacking groups have reportedly pilfered over $2 billion in cryptocurrency so far in 2025, according to analysis from blockchain intelligence firm Elliptic. This staggering figure, accumulated before the year’s end, underscores a massive and sustained campaign targeting the digital asset space. While a single, colossal breach of the cryptocurrency exchange Bybit in February—resulting in a loss of $1.46 billion—accounts for a large portion of the total, investigators have connected more than thirty other distinct hacks to Pyongyang’s operatives.
Analysts caution that the actual financial damage is likely even greater. Many other thefts display characteristics consistent with North Korean tactics but currently lack the definitive evidence required for a confident attribution. Furthermore, an unknown number of incidents likely go entirely unreported, remaining hidden from public view.
The threat is not confined to large corporate entities. Elliptic’s report highlights a noticeable uptick in attacks directed at high-net-worth individuals. As cryptocurrency valuations climb, with Bitcoin reaching unprecedented price levels, these wealthy holders have become increasingly attractive targets. Their personal security measures are often less robust and multi-layered than the sophisticated defenses employed by exchanges and financial institutions, making them vulnerable.
The attackers employ highly personalized social engineering schemes. They frequently create fake professional profiles, posing as recruiters or potential investors to connect with employees at firms that manage substantial crypto assets. The objective is to first compromise the individual, then use that access as a foothold to infiltrate the company’s internal systems and plunder organizational funds. This emphasis on direct human interaction makes it difficult for conventional cybersecurity software to flag the malicious activity early.
One particularly insidious method involves orchestrating fake video calls. Hackers, impersonating venture capitalists or project collaborators—sometimes even using hijacked, legitimate social media accounts—lure their target into a meeting. During the call, they stage a technical “error” and instruct the participant to run a specific command-line script. This script secretly installs malware, granting the attackers the ability to drain wallets or compromise protocols the victim has administrative control over.
Another common ruse aimed at software developers involves sending them enticing job offers. These offers require the candidate to complete a “technical skills test,” which involves cloning a code repository from a platform like GitHub. Unbeknownst to the developer, the repository contains concealed malware that infects their system upon download.
This widespread reliance on social engineering marks a significant strategic shift. In previous years, North Korean hackers more commonly focused on exploiting technical vulnerabilities in blockchain code or smart contracts. The current trend demonstrates that the most susceptible point in the cryptocurrency security chain is increasingly the human element, not the underlying technology.
The proceeds from these digital heists represent a critical source of foreign currency for North Korea’s sanctioned and isolated economy. Intelligence agencies widely believe these stolen funds are funneled into the country’s illicit weapons programs, including the development of nuclear arms and ballistic missiles.
Beyond direct theft and ransomware attacks, North Korea continues to deploy a network of clandestine IT workers who seek remote employment with companies abroad. Recent research from identity management company Okta indicates these workers are now casting a wider net. While they historically targeted tech and crypto firms, they are now actively seeking positions at artificial intelligence labs, financial institutions, fintech companies, healthcare organizations, and even government and public administration bodies in the United States, the Middle East, and Australia.
This strategy provides a dual benefit. Not only do these operatives earn a legitimate salary, funneling money back to the regime, but they also gain privileged access to sensitive corporate systems and data. This access can be leveraged to exfiltrate valuable information, which may later be held for ransom, especially after their employment is terminated.
(Source: HelpNet Security)