North Korea Steals a Record $2 Billion in Crypto Heists This Year
A network of hackers linked to North Korea has stolen more than $2 billion worth of crypto assets in the first nine months of 2025, according to a report by Elliptic. Analysts describe this as the largest annual total ever recorded, even with three months still remaining in the year. The aggregate known amount of stolen funds has now surpassed $6 billion, and, according to the United Nations and several government agencies, these proceeds help finance North Korea’s nuclear and missile development programs.
Elliptic notes that the true figure is likely higher, as attributing specific heists to Pyongyang is complex and relies on blockchain forensics, money-laundering pattern analysis, and intelligence gathering. Some incidents only partially align with the known tactics of North Korean threat groups, while others never become public knowledge.
The most significant losses stem from the February breach of the Bybit exchange, where attackers siphoned off $1.46 billion in cryptocurrency. Other confirmed incidents this year include attacks on LND.fi, WOO X, and Seedify. Elliptic has also linked over 30 additional cases to North Korean actors that were never included in public disclosures. The 2025 total is nearly triple that of last year and far exceeds the previous record set in 2022, when massive thefts targeted platforms like Ronin Network and Horizon Bridge.
Meanwhile, the attack vector has evolved. Whereas earlier operations exploited technical flaws in crypto infrastructure, the latest campaigns increasingly rely on social engineering. The majority of 2025’s losses have resulted not from vulnerabilities in code, but from human deception. Wealthy individuals lacking enterprise-grade protection mechanisms have become the primary targets, often because of their association with organizations managing large volumes of digital assets. They are deceived through fake business contacts, phishing messages, and highly convincing impersonation schemes. The human factor has become the weakest link in the cryptocurrency ecosystem.
At the same time, a race has emerged between blockchain analysts and professional money launderers. As blockchain tracing tools grow more precise, cybercriminals continue to refine their obfuscation methods. Elliptic’s latest report details new laundering tactics: multi-layered transaction mixing, cross-chain transfers across Bitcoin, Ethereum, BTTC, and Tron, the use of obscure networks with limited forensic visibility, and the exploitation of “return addresses” that redirect stolen funds into freshly created wallets. In some cases, attackers even mint and exchange their own tokens within the laundering networks themselves. The result is a cat-and-mouse dynamic between investigators and state-sponsored, highly skilled cyber units.
Nevertheless, the inherent transparency of blockchain remains a powerful investigative advantage. Every stolen coin leaves a digital footprint, traceable across multiple transactions and platforms. Researchers argue that this transparency not only enhances the resilience of the crypto ecosystem but also undermines North Korea’s ability to sustain its military ambitions through illicit finance.
The theft of $2 billion in just nine months stands as a stark reminder of the scale of the threat. North Korea’s cyber units are growing increasingly sophisticated and adaptive, yet the expanding reach of blockchain forensics continues to maintain a fragile equilibrium — promoting accountability and transparency in an industry still fighting for legitimacy. In this ongoing struggle for control over digital capital flows, the stakes extend far beyond cryptocurrency — they touch upon the broader questions of global security and geopolitical stability.