North Korean State-Sponsored Cryptocurrency Theft Surpasses $2 Billion
North Korean hackers have stolen over $2 billion in cryptocurrency assets in 2025, marking the largest annual total ever attributed to the regime’s cyber operations. The majority of this record-breaking sum was taken in a single attack on the cryptocurrency exchange Bybit in February, where $1.46 billion was stolen. In addition to this major breach, blockchain analytics firm Elliptic has linked North Korean actors to more than thirty other cryptocurrency heists throughout the year.
These attacks have targeted both exchanges and high-net-worth individuals, reflecting a shift in tactics by North Korean threat groups. The hackers have increasingly focused on wealthy crypto holders and employees of companies with significant digital asset holdings, exploiting the fact that individuals often have weaker security defenses than organizations. Social engineering has become a primary method, with attackers impersonating recruiters or investors to gain the trust of their targets. One common technique involves setting up fake video calls, during which the victim is tricked into running malicious command-line code, resulting in malware installation and subsequent theft of funds. The hackers have also been observed building elaborate fake profiles and leveraging compromised social media accounts to approach their targets.
Notable additional breaches attributed to North Korean groups in 2025 include attacks on LND.fi, WOO X, Seedify, and the Taiwanese exchange BitoPro, with the latter resulting in an $11 million loss. The total amount stolen by North Korean hackers in 2025 is nearly triple the amount reported in 2024 and far exceeds the previous record of $1.35 billion set in 2022. These cyber-enabled thefts are believed to directly fund North Korea’s nuclear weapons program, according to the United Nations and various government agencies.
Experts caution that the actual amount stolen may be even higher, as many incidents go unreported or lack sufficient evidence for definitive attribution. Discrepancies in reporting between blockchain analytics firms, such as Elliptic and Chainalysis, further complicate the assessment of the true scale of losses. The trend of targeting individuals, especially those with professional connections to major crypto firms, has made detection and prevention more challenging for standard cybersecurity tools. The sophistication and persistence of North Korean cyber operations underscore the regime’s growing reliance on cryptocurrency theft as a means of circumventing international sanctions and funding state objectives. The ongoing rise in cryptocurrency prices, particularly Bitcoin reaching all-time highs, has made the sector an even more attractive target for these state-sponsored actors. Security experts recommend heightened vigilance and advanced security measures for both organizations and individuals involved in the cryptocurrency ecosystem. The evolving tactics and increasing scale of North Korean cyber thefts highlight the urgent need for improved threat intelligence sharing and coordinated international response.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
SBI Crypto loses $21 million in suspected North Korean-style heist
Investigators said a $21 million theft from SBI Crypto showed hallmarks of a North Korean-linked cyberattack. Reporting also noted the use of Tornado Cash in laundering connected to this and other incidents.
Abracadabra loses $1.8 million to smart contract flaw
Abracadabra was hit by a $1.8 million theft caused by a smart contract vulnerability. The flaw was subsequently patched, and the company said no user funds were impacted.
Shibarium bridge exploit leads to key rotation and reimbursement plan
Shibarium suffered a $4 million bridge exploit, after which the team rotated validator keys, migrated contracts, and announced plans to reimburse affected users. The incident was part of a broader wave of recent crypto attacks.
Bybit hack tied to North Korean actors for $1.46 billion
One of the major 2025 cryptocurrency thefts attributed to North Korean-linked actors was the $1.46 billion hack of Bybit. The incident was cited as a key contributor to the year's record total.
North Korean-linked groups conduct about 30 crypto heists in 2025
Blockchain analytics firm Elliptic attributed roughly 30 cryptocurrency thefts in 2025 to North Korean threat actors. Across the year, the activity was assessed to have stolen about $2 billion, nearly triple the 2024 total.
Sources
Cryptohack Roundup: $21M SBI Crypto Heist (govinfosecurity.com)
North Korean hackers stole over $2 billion in cryptocurrency this year (helpnetsecurity.com)
North Korean hackers stole over $2 billion in crypto this year (bleepingcomputer.com)


