North Korean Crypto Hacks Escalate in Record Year of Theft and Laundering

Quick take

North Korean hackers set a new record in 2025, stealing more than $2.17 billion in cryptocurrency, according to Chainalysis.
The largest single crypto theft in history, a $1.5 billion Ethereum hack targeting Bybit, underscores how cybercrime remains a core revenue source for Pyongyang.

A record-breaking year for crypto crime

Hackers linked to the Democratic People’s Republic of Korea (DPRK) have intensified their attacks on the global crypto industry, making 2025 the worst year on record for crypto theft. Chainalysis reports that North Korea–affiliated groups stole over $2.17 billion in digital assets in the first half of the year alone, already surpassing the total stolen throughout all of 2024.

The surge highlights how cryptocurrency hacking has become a strategic tool for the regime, helping fund state priorities as international sanctions continue to tighten.

The $1.5 billion Bybit hack

The most significant incident occurred on February 21, when attackers drained nearly $1.5 billion in Ethereum from Bybit. This single breach now stands as the largest crypto hack ever recorded. It was followed by a wave of additional attacks attributed to Pyongyang, including a $37 million breach of South Korean exchange Upbit.

Security analysts attribute many of these operations to the notorious Lazarus Group, which has a long history of targeting crypto exchanges, DeFi platforms, and blockchain infrastructure.

Sanctions fail to slow cyber operations

Despite mounting sanctions against North Korea and individuals tied to its cyber programs, state-sponsored hacking activity continues to accelerate.

“North Korea will always seek new vectors to steal funds on behalf of the regime, whether through fiat or crypto,” said Andrew Fierman, head of national security intelligence at Chainalysis. He emphasized that these operations are becoming more sophisticated, diversified, and deeply embedded across multiple jurisdictions.

According to Fierman, sanctions alone are not enough. Combating North Korea’s crypto hacking ecosystem requires coordinated action across exchanges, blockchain analytics firms, and global law enforcement agencies.

Evolving hacking and laundering tactics

Chainalysis notes that DPRK-linked hacker groups significantly upgraded their techniques in 2025. These include coordinated supply-chain attacks targeting third-party service providers, custodians, and software vendors connected to crypto platforms.

Another growing threat is IT worker infiltration. North Korean operatives continue to pose as legitimate remote workers, gaining access to companies in the AI, blockchain, and even defense sectors to extract sensitive data or siphon digital assets.

More complex crypto laundering routes

Once funds are stolen, laundering methods are executed rapidly and at scale. Stolen crypto now flows through a complex web of mixing services, OTC brokers, chain-hopping, token swaps, decentralized exchanges, and cross-chain bridges to obscure transaction trails.

Fierman said the defining feature of current DPRK operations is the simultaneous use of multiple laundering channels, designed to overwhelm monitoring systems and delay detection.

Emerging AI technologies could further strengthen these efforts, enabling more convincing fake identities and automating laundering processes to move stolen funds faster and more discreetly.

Preventive measures that can help

While no solution is foolproof, enhanced due diligence remains one of the most effective defenses. Measures such as mandatory video interviews, stricter identity verification, IP and geolocation monitoring, and tighter controls on crypto-based payments can help organizations identify fraudulent actors before damage is done.

“These steps can reveal inconsistencies in behavior, access patterns, and financial flows linked to North Korean IT workers,” Fierman said.

Collaboration is critical

Ultimately, experts warn that cybercrime will not disappear. However, rapid intelligence sharing and close cooperation between platforms, private-sector firms, and law enforcement can significantly reduce the success rate of large-scale crypto hacks.

When response pathways are clear and information moves quickly, illicit actors face fewer opportunities to deploy their tactics—raising the cost and risk of future attacks on the crypto ecosystem.
