North Korean Hackers Steal $2.02 Billion in Crypto in 2025
These articles are AI-generated summaries. Please check the original sources for full details.
North Korea-Linked Hackers Steal $2.02 Billion in Crypto in 2025
North Korea-linked threat actors stole $2.02 billion in cryptocurrency in 2025, a 51% increase over the previous year, according to Chainalysis. It is the largest annual total on record for crypto theft attributed to DPRK actors, and it accounts for 76% of all service compromises (thefts from exchanges, custodians and similar platforms) in 2025.
Why This Matters
Conventional threat models struggle to keep pace with the sophistication and scale of nation-state actors such as those linked to North Korea. A perimeter-centric model assumes the attacker is outside; these groups consistently get inside it through social engineering of employees (Operation Dream Job), placement of their own operatives as remote IT workers (Wagemole), and compromise of the wallet interface used to approve a multisig transfer from an exchange's cold wallet (the Bybit hack). The cumulative financial impact, over $6.75 billion stolen, underlines the need for detection and prevention strategies that do not depend on the perimeter holding.
Key Insights
- Bybit, February 2025: the $1.5 billion theft from the exchange was the single largest incident of the year and on its own accounts for roughly three-quarters of the $2.02 billion DPRK total.
- Lazarus Group and RGB affiliation: the Lazarus Group, linked to North Korea’s Reconnaissance General Bureau (RGB), is a persistent and well-funded threat actor.
- Multi-wave laundering: stolen funds are moved in successive waves over roughly 45 days, hopping through DeFi protocols, mixers and cross-chain bridges to break the on-chain trail before cash-out.
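The laundering pattern above (split the loot, push it through a mixer or a bridge, cash out at an exchange within a few weeks) is exactly what on-chain analysts trace after a theft. The Python below is an added example, not code from the article, from Chainalysis or from any exchange: it implements a proportional ("haircut") taint model over a small constructed ledger, so that a mixer which pools stolen and clean deposits dilutes the taint across all of its withdrawals instead of erasing it. Every address (thief0, mixer1, bridge1, exchange1 and so on), label, amount and timestamp is constructed, and the 45-day window is used only as the monitoring horizon after which the example stops following funds.

```python
"""Proportional ("haircut") taint tracing over a constructed transfer ledger.

Added example; not code from the article or from Chainalysis. Every address,
label, amount and timestamp below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    amount: float


def trace_taint(transfers, theft_addr, stolen, theft_ts, labels, window_days=45):
    """Follow stolen value forward through the ledger.

    Haircut rule: each outflow carries the same tainted fraction as the
    sender's current balance, so a mixer that pools stolen and clean
    deposits dilutes the taint across its withdrawals but never erases it.
    Exchange-labelled addresses are treated as cash-out sinks.

    Returns three dicts: tainted value that reached each exchange inside
    the window, the laundering services (mixer/bridge) on each such path,
    and tainted value still parked elsewhere at the cutoff.
    """
    cutoff = theft_ts + timedelta(days=window_days)
    balance = defaultdict(float)   # units held per address
    tainted = defaultdict(float)   # of which tainted
    via = defaultdict(set)         # services the tainted funds passed through
    reached = defaultdict(float)   # exchange -> tainted inflow
    services = defaultdict(set)    # exchange -> services on the path

    balance[theft_addr] = tainted[theft_addr] = float(stolen)

    for tx in sorted(transfers, key=lambda t: t.ts):
        if tx.ts > cutoff:
            break  # beyond the monitoring window
        # Tainted fraction of the sender right now; a sender with no
        # recorded balance (unobserved inflows) is assumed clean.
        frac = tainted[tx.src] / balance[tx.src] if balance[tx.src] > 0 else 0.0
        t_out = min(tainted[tx.src], tx.amount * frac)
        tainted[tx.src] -= t_out
        balance[tx.src] = max(0.0, balance[tx.src] - tx.amount)

        passed = set(via[tx.src])
        if labels.get(tx.src) in ("mixer", "bridge"):
            passed.add(labels[tx.src])

        if labels.get(tx.dst) == "exchange":
            if t_out > 0:
                reached[tx.dst] += t_out
                services[tx.dst] |= passed
            continue  # a deposit is a sink; not tracked further
        balance[tx.dst] += tx.amount
        tainted[tx.dst] += t_out
        if t_out > 0:
            via[tx.dst] |= passed

    remaining = {a: round(v, 6) for a, v in tainted.items() if v > 1e-9}
    return ({a: round(v, 6) for a, v in reached.items()},
            {a: sorted(s) for a, s in services.items()},
            remaining)


# Constructed labels for the known laundering services and cash-out points.
LABELS = {"mixer1": "mixer", "bridge1": "bridge",
          "exchange1": "exchange", "exchange2": "exchange", "exchange3": "exchange"}

T0 = datetime(2025, 1, 1)  # constructed theft timestamp


def day(n):
    return T0 + timedelta(days=n)


# Constructed ledger: 100 units stolen into thief0, then split, mixed,
# bridged and deposited. The last deposit falls outside the 45-day window.
LEDGER = [
    Transfer(day(1), "thief0", "hopA", 60),
    Transfer(day(1), "thief0", "hopB", 40),
    Transfer(day(2), "hopA", "mixer1", 60),
    Transfer(day(2), "cleanX", "mixer1", 40),   # unrelated clean deposit
    Transfer(day(3), "mixer1", "hopC", 50),     # 60% tainted after pooling
    Transfer(day(4), "mixer1", "hopD", 50),
    Transfer(day(5), "hopB", "bridge1", 40),
    Transfer(day(6), "bridge1", "hopE", 40),
    Transfer(day(10), "hopC", "exchange1", 50),
    Transfer(day(44), "hopE", "exchange2", 40),
    Transfer(day(50), "hopD", "exchange3", 50),  # past the window: untraced
]


def demo(window_days=45):
    return trace_taint(LEDGER, "thief0", 100, T0, LABELS, window_days)


if __name__ == "__main__":
    reached, services, remaining = demo()
    for ex, amt in reached.items():
        print(f"{ex}: {amt} tainted units via {services[ex]}")
    print("still held at cutoff:", remaining)
```

With the constructed ledger, 30 tainted units surface at exchange1 (via the mixer), 40 at exchange2 (via the bridge), and 30 are still parked at hopD when the 45-day window closes; widening the window to 60 days catches the third deposit too. The haircut rule is one of several taint conventions (FIFO and poison models give different numbers for the same ledger), so a real investigation states which one it used before quoting an "exposure" figure to an exchange's compliance team.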
Practical Applications
- Use case: an exchange wallet is drained in one large transfer, after which the funds are split and routed through long chains of transactions across DeFi protocols, mixers and bridges, so that the origin is obscured by the time they reach a cash-out point.
- Pitfall: relying on single-factor authentication, and failing to monitor what employees and contractors can access, leaves room for a planted IT worker or a phished engineer to become the entry point for a large-scale theft.