Elliptic Flags Record-Breaking Crypto Loot This Year
North Korea-linked hacking units have stolen more than $2 billion in cryptocurrency so far this year, according to new research from Elliptic. The blockchain analytics firm counts more than 30 separate incidents attributed to the regime’s operators, making 2025 the largest annual haul on record with months still left in the year.
Elliptic cautions that the true figure is probably higher: attribution is probabilistic, and many thefts go unreported or lack the forensic detail needed to name suspects publicly. The estimate is consistent with earlier assessments by the United Nations Security Council’s Panel of Experts and with joint findings from authorities in Japan, South Korea and the United States, which have repeatedly tied North Korean actors to major waves of cryptocurrency theft.
- Elliptic Flags Record-Breaking Crypto Loot This Year
- Bybit Heist Leads the Tally in Suspected North Korea Hacks
- Social Engineering Becomes Weapon of Choice
- Laundering Playbook Gets an Upgrade to Evade Tracing
- Strategic Cash Flow for Pyongyang from Crypto Thefts
- How Exchanges and Investors Can React to Rising Threats
- What Comes Next as Sanctions and Takedowns Intensify

Bybit Heist Leads the Tally in Suspected North Korea Hacks
The largest single contributor to this year’s total is the theft of more than $1.4 billion from Bybit, which the FBI and several blockchain-tracing teams attribute to hackers working on behalf of North Korea.
Investigators say the attackers abused the access they had obtained to the exchange’s transfer workflow to drain wallets holding several assets, then moved the funds through cross-chain infrastructure faster than compliance controls could respond.
The incident fits the familiar pattern: high-value venues whose hot wallets hold large balances have long been preferred targets. Earlier high-profile cases linked to the regime include the roughly $625 million theft from the Ronin bridge used by Axie Infinity and the $100 million hack of Harmony’s Horizon bridge. Researchers also cite exchange breaches in Asia, where hundreds of millions of dollars have reportedly been stolen from local platforms in recent years.
Social Engineering Becomes Weapon of Choice
Elliptic notes a marked shift this year away from exploiting code vulnerabilities and toward exploiting people. Most of the hacks that defined 2025 turned on social engineering: persuading insiders to run trojanized tools, approve fraudulent transactions or hand over credentials. And the targets increasingly include high-net-worth individuals, not just exchanges and service providers.
These changes in tradecraft are documented in security advisories from CISA and the FBI. The campaigns are typically disguised as job offers for crypto engineers or so-called community-manager roles, delivered through professional networks, Telegram and Discord. Malware families associated with Lazarus Group activity, such as AppleJeus and TraderTraitor-related variants, arrive as “test projects,” wallet utilities or code repositories that carry credential-stealing and remote-access payloads.
Laundering Playbook Gets an Upgrade to Evade Tracing
Once the money is taken, the launderers move fast. Analysts describe rapid chain-hopping, peel chains, and the use of mixers and cross-chain bridges to fragment the flow of funds. Stolen assets are swapped into low-liquidity tokens to confuse tracing heuristics, then consolidated back into liquid holdings through over-the-counter brokers and peer-to-peer markets operating in more permissive compliance jurisdictions.
Sanctions make cashing out harder but not impossible. The U.S. Treasury has designated entities and wallet addresses tied to North Korea’s crypto operations, and law enforcement has frozen or seized portions of stolen assets as they moved across cryptocurrency networks. Even so, experts say elaborate laundering typologies and deliberately delayed movements let large sums slip through, resurfacing months later in wallet clusters that had no prior history.
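Tracing a peel chain over a constructed ledger, as an added example that is not part of Elliptic’s research or of this article: funds leave a theft address, a small slice is peeled off to a cash-out counterparty at each hop while the bulk moves on to a fresh address, and the trace stops at a bridge because the funds have hopped to another chain. The transfers, the address labels (`theft`, `otc_a`, `bridge`) and the 20% peel threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str
    src: str
    dst: str
    amount: float      # common unit (say ETH); the chain is implicit in this toy ledger


# Constructed sample ledger, not real on-chain data. A theft address pushes
# funds down a chain of fresh hops, peeling a small slice to an OTC counterparty
# at each hop; the last hop sends everything into a bridge contract.
SAMPLE = [
    Transfer("t1", "theft", "h1", 1000.0),
    Transfer("t2", "h1", "otc_a", 60.0),
    Transfer("t3", "h1", "h2", 940.0),
    Transfer("t4", "h2", "otc_b", 50.0),
    Transfer("t5", "h2", "h3", 890.0),
    Transfer("t6", "h3", "bridge", 890.0),     # chain hop: tracing on this chain stops here
    Transfer("t7", "unrelated", "h2", 5.0),     # noise: a tiny deposit from an unrelated party
]


def outgoing(ledger):
    """Index transfers by sending address."""
    out = defaultdict(list)
    for t in ledger:
        out[t.src].append(t)
    return out


def trace(ledger, seed, peel_ratio=0.2, max_hops=50):
    """Follow the dominant outflow from `seed` hop by hop.
    Returns (path, peels): the addresses the bulk of the funds passed through,
    and the small side-branches (at most peel_ratio of a hop's outflow) that
    typically feed cash-out channels."""
    out = outgoing(ledger)
    path, peels, seen, cur = [seed], [], {seed}, seed
    for _ in range(max_hops):
        outs = out.get(cur, [])
        if not outs:
            break                                   # dead end, or the funds left this chain
        total = sum(t.amount for t in outs)
        main = max(outs, key=lambda t: t.amount)
        peels.extend(t for t in outs if t is not main and t.amount <= peel_ratio * total)
        if main.dst in seen:
            break                                   # loop guard
        seen.add(main.dst)
        path.append(main.dst)
        cur = main.dst
    return path, peels


def exposure(ledger, seed):
    """Amount peeled off to each counterparty along the traced path."""
    _, peels = trace(ledger, seed)
    totals = defaultdict(float)
    for t in peels:
        totals[t.dst] += t.amount
    return dict(totals)


def is_peel_chain(ledger, seed, min_hops=2):
    """Heuristic: at least min_hops hops, each shedding its own peeled slice."""
    path, peels = trace(ledger, seed)
    return len(path) - 1 >= min_hops and len(peels) >= min_hops


if __name__ == "__main__":
    path, peels = trace(SAMPLE, "theft")
    print(" -> ".join(path))
    print({t.tx: (t.dst, t.amount) for t in peels}, is_peel_chain(SAMPLE, "theft"))
```

Real tracing has to handle what the toy ignores: token swaps into low-liquidity assets, shared exchange deposit addresses, and the bridge itself, where the tracer must locate the corresponding release or mint on the destination chain before the trail can continue.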

Strategic Cash Flow for Pyongyang from Crypto Thefts
UN investigators have repeatedly found that cyber-enabled theft funds North Korea’s prohibited weapons programmes, supplying hard currency that sidesteps the global sanctions Washington and its partners have imposed to press Pyongyang toward denuclearisation.
With conventional export trade constrained, crypto crime has become a durable revenue stream, one that scales globally and can be run from the other side of the world with little physical risk to the operators.
If Elliptic’s figures hold, cumulative thefts by North Korea-linked actors since 2017 are approaching or already exceed $6 billion, depending on methodology. Elliptic’s estimate for 2022, the previous record year, was about $1.35 billion, lower than figures published by some other firms, a further illustration of how uncertain on-chain attribution remains.
How Exchanges and Investors Can React to Rising Threats
For institutions, the priority is to shrink the human attack surface: strict hot-wallet policies backed by hardware-based multi-signature schemes; transaction policy engines that enforce velocity limits and destination-address allowlists; session-bound approvals; and just-in-time privileges. Out-of-band authorization for large transfers and strict separation of production systems from everyday employee workstations blunt social engineering.
Security teams should rehearse insider-compromise scenarios and monitor sessions continuously rather than relying on MFA at the perimeter alone. For individual investors, especially large holders, best practice means hardware wallets, offline signing, dedicated devices used only for signing, and rigorous verification of wallet updates and “investment opportunities.” Any request that breaks the normal workflow should be treated as hostile until proven otherwise.
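A minimal transaction policy engine combining the institutional controls above (a destination allowlist, a rolling velocity limit, and transaction-bound, time-limited approvals with a higher approver quorum for large transfers), as an added example that is not code from any exchange, from Elliptic or from this article. The thresholds, the addresses and the scenarios in `demo()` are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Policy:
    allowlist: set                  # destinations vetted out of band before first use
    per_tx_limit: float             # above this, a single approver is not enough
    velocity_limit: float           # maximum total outflow per rolling window
    window: timedelta = timedelta(hours=24)
    quorum_for_large: int = 2       # distinct approvers required above per_tx_limit
    session_max_age: timedelta = timedelta(minutes=15)


@dataclass
class Approval:
    approver: str
    issued_at: datetime
    tx_hash: str                    # bound to one transaction; cannot be replayed on another


@dataclass
class Request:
    tx_hash: str
    dst: str
    amount: float
    at: datetime
    approvals: list = field(default_factory=list)


class PolicyEngine:
    def __init__(self, policy):
        self.policy = policy
        self.history = []           # (timestamp, amount) of withdrawals actually released

    def evaluate(self, req):
        """Return (allowed, reasons). Every failed control is reported,
        and nothing is recorded in history unless the request passes."""
        p = self.policy
        reasons = []
        if req.dst not in p.allowlist:
            reasons.append("destination not on allowlist")
        recent = sum(a for t, a in self.history if req.at - t <= p.window)
        if recent + req.amount > p.velocity_limit:
            reasons.append("velocity limit exceeded")
        # An approval counts only if it names this exact transaction and is fresh;
        # a long-lived session or an approval issued for another tx is worthless.
        valid = {a.approver for a in req.approvals
                 if a.tx_hash == req.tx_hash
                 and timedelta(0) <= req.at - a.issued_at <= p.session_max_age}
        needed = p.quorum_for_large if req.amount > p.per_tx_limit else 1
        if len(valid) < needed:
            reasons.append(f"need {needed} fresh tx-bound approvals, have {len(valid)}")
        if reasons:
            return False, reasons
        self.history.append((req.at, req.amount))
        return True, []


# Constructed scenarios with assumed thresholds and addresses, not real data.
NOW = datetime(2025, 1, 1, 12, 0)
POLICY = Policy(allowlist={"0xcold", "0xmarket"}, per_tx_limit=100.0, velocity_limit=500.0)


def demo():
    """Run the scenarios in order against one engine and return the verdicts."""
    eng = PolicyEngine(POLICY)

    def fresh(who, tx):
        return Approval(who, NOW, tx)

    def stale(who, tx):
        return Approval(who, NOW - timedelta(hours=1), tx)

    cases = [
        Request("a", "0xcold", 50.0, NOW, [fresh("alice", "a")]),                      # routine: allowed
        Request("b", "0xcold", 200.0, NOW, [fresh("alice", "b")]),                     # large, one approver: denied
        Request("c", "0xcold", 200.0, NOW, [fresh("alice", "c"), stale("bob", "c")]),  # stale second approval: denied
        Request("d", "0xcold", 200.0, NOW, [fresh("alice", "d"), fresh("bob", "d")]),  # proper quorum: allowed
        Request("e", "0xnew", 10.0, NOW, [fresh("alice", "e")]),                       # unvetted destination: denied
        Request("f", "0xmarket", 300.0, NOW, [fresh("alice", "f"), fresh("bob", "f")]),  # 250 already out today: denied
        Request("g", "0xcold", 50.0, NOW, [fresh("alice", "d")]),                      # approval replayed from tx d: denied
    ]
    return [eng.evaluate(r) for r in cases]


if __name__ == "__main__":
    for allowed, why in demo():
        print("ALLOW" if allowed else "DENY", why)
```

Note what such an engine cannot do: if a signer is deceived about what they are approving, a policy check on the transaction they actually submitted still passes. That is why the text pairs the policy engine with hardware-backed multi-signature: the signing device, not a compromised workstation, has to display the real payload.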
What Comes Next as Sanctions and Takedowns Intensify
At the current pace, this will be a record year for state-sponsored cryptocurrency theft. Expect more sanctions designations, more aggressive wallet freezes and targeted takedowns of laundering infrastructure. That pressure may push activity toward smaller venues, decentralized front-ends or more informal cash-out channels.
Researchers caution that the true totals are probably higher than what has been reported. With social engineering now the dominant vector and wealthy individuals on the target list, the lesson for defenders, beyond sound operational security discipline, is that the weakest link in crypto in 2025 is no longer the code but the person at the keyboard.