North Korea-linked hackers have already stolen more than $2 billion in cryptocurrency since the beginning of the year, according to independent blockchain analytics firms, their largest annual haul on record even with four months still remaining in 2025 and a marked surge in both scale and sophistication.
Attribution from Elliptic and Chainalysis points to clusters tied to well-known units such as Lazarus and APT38, and brings the combined total of known Pyongyang-linked crypto theft to over $6 billion.
Investigators say the money pipeline continues to be central to sanctions-busting and hard-currency generation.
Multiple Trackers Behind Record-Breaking Haul
Elliptic’s most recent estimate puts the regime’s 2025 crypto haul north of $2 billion, while Chainalysis estimates it at around $2.17 billion over the same period. The agreement between independent estimates increases confidence in the magnitude of the activity and reflects consistent on-chain patterns associated with North Korean wallets.
The United Nations Panel of Experts has long cautioned that DPRK cyber activity finances the state’s banned programmes, and US authorities regularly publish indicators of compromise for major crypto hacks traceable to state-directed actors. What is new this year is the pace, and the breadth, of the victim profiles.
Inside The Bybit Breach And Cold Wallet Compromise
The Bybit exchange hack was the largest single blow to adopters, and to the health of Ethereum DeFi at large: attackers compromised a third-party wallet provider and used that foothold to drain an offline cold wallet containing about 400,000 ETH. The take from that incident alone exceeded $1.4 billion, making it the largest single crypto theft to date.
Bybit later said about 68 percent of the stolen funds were still traceable, suggesting the attackers struggled to cash out completely under close monitoring and sanctions screening. The episode is a reminder that “cold” does not mean invincible: operational controls, key ceremonies and vendor security matter just as much as keeping keys offline.
Targets Broaden From Exchanges to Individuals
North Korean operators are no longer going after major platforms alone. Compromises of personal wallets now account for a larger share of losses, 23.35% of all funds stolen in 2025 so far, as attackers turn to targeted social engineering and malware aimed at high-net-worth individuals and founders in the crypto industry.
Recent incidents attributed to DPRK actors include attacks on LND.fi, WOO X and Seedify, along with dozens of other hacks linked by laundering activity and shared infrastructure. Tactics include fake recruiter outreach, poisoned developer tools and wallet-drainer scripts that hijack token approvals.
Security teams describe it as a patient, multi-stage approach: compromise a supplier or community-admin account, plant malicious updates or browser extensions, then wait for a single slip in key handling or transaction verification. The result combines supply-chain intrusion with human-targeted deception and sidesteps purely technical defenses.
How the Money Moves, and Why It’s Getting Harder
Once funds are stolen, DPRK-connected wallets typically hop across chains and assets quickly, converting into stablecoins and liquid tokens before moving through mixers, peel chains (long series of transfers that peel off small amounts at each hop) and over-the-counter brokers. Analysts have highlighted heavy use of TRON-based stablecoin rails for their liquidity and speed.
These laundering channels are coming under pressure. The US Treasury has already sanctioned mixers including Blender, Tornado Cash and Sinbad for supporting North Korean activity, and exchanges and compliance providers now blacklist addresses and freeze suspect deposits more frequently. None of these measures has stopped the thefts, but they appear to have slowed cash-out cycles and improved the odds of recovery.
That friction pushes adversaries toward more chain-hopping, greater use of decentralized venues and cross-border OTC networks, each of which introduces new detection points. Both Elliptic and Chainalysis note that continued coordination between the public and private sectors has led to assets being frozen, with some partial clawbacks following major breaches.
Defense Playbook For Platforms And Users
Exchanges and custodians are moving faster to implement stronger operational controls.
- Multi-party computation for key management
- Strict withdrawal allowlists
- Velocity limits for newly funded accounts
- Anomaly detection linked to behavior baselines
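Three of the controls above (allowlisted destinations, velocity limits for newly funded accounts and a behaviour baseline) expressed as one withdrawal-policy check. This is an added example, not code from the article or from any exchange; the thresholds, account records and sample withdrawals are constructed for illustration.

```python
# Added example: a minimal withdrawal-policy engine. Thresholds are illustrative;
# a real deployment would load them from risk policy rather than hard-code them.
from dataclasses import dataclass, field

NEW_ACCOUNT_WINDOW_H = 24     # an account counts as "newly funded" for this long
NEW_ACCOUNT_LIMIT = 1_000.0   # max USD withdrawn inside that window (constructed value)
BASELINE_MULTIPLIER = 5.0     # hold withdrawals this many times the account's median


@dataclass
class Account:
    first_deposit_ts: float            # epoch seconds of the first funding
    allowlist: set                     # destination addresses the user pre-registered
    history: list = field(default_factory=list)   # (ts, usd) of prior withdrawals


def evaluate(acct, dest, usd, now):
    """Return (decision, reasons): 'approve', 'hold' for manual review, or 'reject'."""
    # Strict allowlist: an unregistered destination is rejected outright.
    if dest not in acct.allowlist:
        return ("reject", ["destination not on withdrawal allowlist"])
    reasons = []
    # Velocity limit: cap what a newly funded account can move in its first window.
    age_h = (now - acct.first_deposit_ts) / 3600
    if age_h < NEW_ACCOUNT_WINDOW_H:
        window_s = NEW_ACCOUNT_WINDOW_H * 3600
        spent = sum(a for t, a in acct.history if now - t < window_s)
        if spent + usd > NEW_ACCOUNT_LIMIT:
            reasons.append(f"new account: {spent + usd:.0f} USD exceeds "
                           f"{NEW_ACCOUNT_WINDOW_H}h limit of {NEW_ACCOUNT_LIMIT:.0f}")
    # Baseline anomaly: compare against the median of the account's own history.
    if acct.history:
        typical = sorted(a for _, a in acct.history)[len(acct.history) // 2]
        if usd > BASELINE_MULTIPLIER * typical:
            reasons.append(f"{usd:.0f} USD is over {BASELINE_MULTIPLIER:.0f}x "
                           f"the account's median withdrawal of {typical:.0f}")
    return ("hold" if reasons else "approve", reasons)
```

A "hold" routes the request to a reviewer rather than silently failing, so the user sees a delay instead of a lost transaction.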
For individuals, national cyber agencies and industry responders offer straightforward guidance.
- Use hardware wallets for significant holdings
- Verify each on-chain approval request individually
- Segregate hot and cold funds
- Treat unsolicited job offers or “partnerships” as potential lures
- Developers: lock down repositories, require signed builds and watch for malicious package typosquats
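The approval check behind "verify each on-chain approval request" and the drainer tactic of hijacking token approvals, as an added example that is not code from the article or from any wallet project. It decodes the calldata a dApp asks a user to sign and flags unlimited ERC-20 allowances and blanket NFT operator grants; the function selectors and ABI layout are the standard ones, while the allowlist of known spenders and the sample addresses are constructed.

```python
# Added example: a wallet-side guard run before a signing prompt. Drainer
# scripts rely on the user approving a spender they do not recognise, so the
# check combines "who is the spender" with "how much are they being granted".
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155
EFFECTIVELY_UNLIMITED = 2**255     # heuristic: any allowance this large is a blank cheque

def decode_approval(calldata):
    """Return the approval a calldata hex string encodes, or None if it is not one."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 + 64 * 2:     # selector + two 32-byte ABI words
        return None
    selector, word1, word2 = data[:8], data[8:72], data[72:136]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    if word1[:24] != "0" * 24:     # an address must be zero-padded on the left
        return {"kind": "malformed"}
    spender = "0x" + word1[24:]
    if selector == APPROVE:
        return {"kind": "erc20_approve", "spender": spender, "amount": int(word2, 16)}
    return {"kind": "set_approval_for_all", "spender": spender, "approved": int(word2, 16) == 1}

def assess(calldata, known_spenders):
    """Classify a signing request as ('ok' | 'warn' | 'block', reason)."""
    req = decode_approval(calldata)
    if req is None:
        return ("ok", "not an approval call")
    if req["kind"] == "malformed":
        return ("block", "approval with non-canonical address padding")
    trusted = req["spender"] in known_spenders
    if req["kind"] == "set_approval_for_all":
        if not req["approved"]:
            return ("ok", "operator revocation")
        return ("warn" if trusted else "block", "blanket operator grant to " + req["spender"])
    if req["amount"] == 0:
        return ("ok", "allowance revocation")
    if req["amount"] >= EFFECTIVELY_UNLIMITED:
        return ("warn" if trusted else "block", "unlimited allowance for " + req["spender"])
    return ("ok" if trusted else "warn", "finite allowance for " + req["spender"])

def encode_approve(spender, amount):
    """Build ERC-20 approve calldata; used here only to construct sample requests."""
    return "0x" + APPROVE + spender[2:].rjust(64, "0") + format(amount, "064x")

def encode_set_approval_for_all(operator, approved):
    """Build setApprovalForAll calldata; used here only to construct sample requests."""
    return "0x" + SET_APPROVAL_FOR_ALL + operator[2:].rjust(64, "0") + format(int(approved), "064x")
```

A "block" result should never reach a signing prompt; a "warn" should show the decoded spender and amount in full rather than a truncated address.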
What to Watch Next in North Korea-Linked Crypto Heists
Expect further supply-chain compromises and continued draining of personal wallets, where recovery is weakest and oversight most lax. Regulators are extending travel-rule enforcement and cross-border data sharing, while the cat-and-mouse game over mixers, bridges and OTC brokers will ratchet up another notch.
For the moment, this much is evident: North Korea’s crypto theft machine is running at full blast in 2025 yet again, even as laundering becomes harder and the initial compromises become more sophisticated. The only lasting counter is layered: tight key governance, continuous user education and real-time intelligence sharing that turns every stolen coin into a beacon.