North Korean hacking groups
North Korean hacking groups (nation-state–linked) are described as dominant actors in cryptocurrency theft in 2025, with Chainalysis attributing $2.02B stolen in 2025 (51% YoY increase) and $6.75B total all-time. Their targeting focus is reported as AI and blockchain companies as well as a growing set of individual crypto wallet holders (158,000 theft incidents in 2025; unique victims at least 80,000), with notable victim concentration on Solana (≈26,500 wallet-compromise victims) and high incident volumes on Ethereum and Tron.

Tactics have evolved from placing North Korean IT workers inside companies using fake identities to more sophisticated social engineering: posing as recruiters or investors, running fake hiring processes that compromise targets during technical interviews, and approaching executives as fake investors/buyers to collect information on infrastructure and security. Post-compromise objectives include theft of credentials, source code, and access to corporate systems, followed by cryptocurrency theft.

Laundering tradecraft includes use of DeFi protocols, mixing services, and exchanges with limited KYC, as well as cross-chain bridges, no-KYC exchanges, guarantee services, instant exchanges, and Chinese-language payment processors.

The content also links North Korean threat actors to malware activity: Sysdig researchers assess the EtherRAT malware (observed Dec 2025) as North Korea–linked, citing overlap with the North Korea–associated BeaverTail malware (similar file-encryption method) and the ‘Contagious Interview’ toolkit. EtherRAT exploits CVE-2025-55182 (React2Shell) for unauthenticated RCE against React Server Components/Next.js, uses Ethereum smart contracts for resilient C2 resolution (consensus across nine public Ethereum connection points), and deploys multiple Linux persistence mechanisms.
Additionally, the content notes that a prior 2019 Upbit exchange hack (342,000 ETH stolen) was later attributed to North Korean hacking groups; a separate 2025 Upbit breach is described but not attributed in the provided material.
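EtherRAT's contract-based C2 resolution described above requires the implant to read a smart contract through several public Ethereum endpoints and reconcile the answers. One defensive use of that detail, as an added example that is not the page's or Sysdig's code: a heuristic over egress-proxy logs that flags a host fanning Ethereum JSON-RPC calls out to many distinct endpoints within a short window. The log format, hostnames, RPC method list and thresholds are constructed assumptions for the example.

```python
# Added example (not the page's or Sysdig's code): flag hosts that fan Ethereum JSON-RPC
# calls out to many distinct endpoints in a short window, the access pattern a smart-contract
# C2 lookup with multi-endpoint consensus produces. Log format, hostnames, method list and
# thresholds are constructed or assumed for this example.
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\{.*\})$")
ETH_RPC_METHODS = {"eth_call", "eth_getLogs", "eth_blockNumber", "eth_chainId"}  # assumption

# Constructed egress-proxy log: "<utc-ts> <src-host> <dest-host> <request-body>".
SAMPLE_LOG = """\
2025-12-03T10:00:01Z web-01 rpc-a.example.net {"jsonrpc":"2.0","method":"eth_call","id":1}
2025-12-03T10:00:01Z web-01 rpc-b.example.net {"jsonrpc":"2.0","method":"eth_call","id":1}
2025-12-03T10:00:02Z web-01 rpc-c.example.net {"jsonrpc":"2.0","method":"eth_call","id":1}
2025-12-03T10:00:02Z web-01 api.example.net {"jsonrpc":"2.0","method":"getUser","id":7}
2025-12-03T10:00:03Z web-01 rpc-d.example.net {"jsonrpc":"2.0","method":"eth_call","id":1}
2025-12-03T10:00:03Z web-01 rpc-e.example.net {"jsonrpc":"2.0","method":"eth_call","id":1}
2025-12-03T10:05:00Z build-02 rpc-a.example.net {"jsonrpc":"2.0","method":"eth_blockNumber","id":1}
"""

def parse_rpc_events(log_text):
    # Yield (timestamp, src_host, dest_host) for Ethereum JSON-RPC calls only.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        ts, src, dest, body = m.groups()
        try:
            method = json.loads(body).get("method")
        except ValueError:
            continue
        if method in ETH_RPC_METHODS:
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dest

def find_rpc_fanout(log_text, min_endpoints=5, window=timedelta(seconds=60)):
    # Return {src_host: sorted endpoints} for hosts that reached >= min_endpoints
    # distinct Ethereum RPC endpoints inside any sliding window of the given length.
    by_host = defaultdict(list)
    for ts, src, dest in parse_rpc_events(log_text):
        by_host[src].append((ts, dest))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {dest for ts, dest in events[i:] if ts - start <= window}
            if len(seen) >= min_endpoints:
                flagged[host] = sorted(seen)
                break
    return flagged
```

Raising min_endpoints toward the nine endpoints reported for EtherRAT trades recall for precision, and hosts that legitimately run blockchain workloads need an allowlist before this fires in production.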
Recent activity
4 sources tracked across advisories, community write-ups, and news.
North Korean hacking groups are conducting large-scale cryptocurrency thefts, increasingly targeting major services to maximize financial gain from single breaches.
North Korean hacking groups are conducting large-scale cryptocurrency thefts, increasingly targeting major services and platforms in the crypto and blockchain sectors. They use social engineering, IT worker infiltration, and sophisticated laundering techniques to steal and move large sums of cryptocurrency.
North Korean hacking groups are exploiting the CVE-2025-55182 React2Shell vulnerability to deploy advanced malware, EtherRAT, which uses Ethereum smart contracts for resilient command-and-control and persistent access.
Previously linked to a major 2019 breach of Upbit in which 342,000 ETH was stolen. The 2025 Upbit breach is not explicitly attributed to them, but the anniversary and context are noted.