North Korean hackers stole over $2 billion in cryptocurrency this year
North Korean hackers have stolen more than $2 billion in cryptocurrency in 2025, according to blockchain analytics firm Elliptic, and the year isn’t over yet.
Though this year’s record losses are driven largely by the February attack on cryptocurrency exchange Bybit ($1.46 billion stolen), the company has also linked more than thirty additional hacks to North Korea this year.
“The actual figure may be even higher,” the company says. “We are aware of many other thefts that share some of the hallmarks of North Korea-linked activity but lack sufficient evidence to be definitively attributed. Other thefts are likely unreported and remain unknown.”
The hackers are also targeting wealthy crypto holders
North Korean hackers are not just breaking into exchanges, Elliptic noted. There is also a growing number of attacks on high-net-worth individuals.
With cryptocurrency prices generally rising and the price of Bitcoin hitting an all-time record high, these individuals are increasingly attractive targets, and their security defenses are not as extensive and layered as those deployed by businesses.
Some of the victims have been targeted because of their professional connections. Hackers have impersonated recruiters or investors to approach people who work for companies with significant crypto holdings. Once those individuals are compromised, the attackers try to pivot into company systems and steal organizational funds.
North Korean hackers have been building fake profiles to approach these individuals, and the emphasis on personal interaction makes it harder for standard cybersecurity tools to detect the threat early.
One often-used tactic involves setting up fake video calls. Hackers pose as venture capital investors or project collaborators, sometimes using real but compromised social media accounts. Once the target joins the call, a supposed “error” occurs, prompting them to run command-line code. That code installs malware, allowing hackers to steal funds or compromise protocols that the target has administrative access to.
Another common ploy for targeting developers is to send convincing job offers that require the developer to complete a “skills test” that involves cloning a code repository that contains hidden malware.
Most of the 2025 hacks have relied on social engineering, which represents a shift from earlier years when attackers often exploited bugs or flaws in blockchain code and smart contracts, Elliptic noted. “This shift highlights that the weak point in cryptocurrency security is increasingly human, rather than technical.”
Pyongyang’s hidden workforce
The stolen crypto assets represent a major cash flow into North Korea’s isolated economy and are believed to be helping fund its nuclear weapons and missile programs.
These heists and ransomware/extortion attacks aside, North Korea also continues to pursue the “clandestine IT worker” angle to maintain a steady flow of funds into the country.
Recent Okta research has revealed that these IT workers have expanded their pool of targets beyond technology and crypto firms, and beyond the U.S.
They are now also trying to get hired by AI-focused organizations, financial institutions and FinTech companies, healthcare-related organizations, and even government and public administration organizations in the U.S., Middle East, and Australia.
Not only are these clandestine IT workers getting a steady paycheck (at least for a while), but they may get access to sensitive systems and networks. This allows them to access and exfiltrate data and hold it for ransom once their employment ends.