North Korean State-Backed Crypto Theft and Infrastructure Operations
North Korean state-sponsored threat actors, including the Lazarus Group and Kimsuky, have been responsible for a dramatic surge in global cryptocurrency theft in 2025, stealing at least $2.02 billion—over half of the total $3.4 billion stolen worldwide. The February compromise of the Bybit cryptocurrency exchange accounted for $1.5 billion of these losses, with the attack attributed to the TraderTraitor cluster, and further links established through malware infrastructure analysis. Lazarus Group, affiliated with North Korea's Reconnaissance General Bureau, has also been implicated in the theft of $36 million from Upbit and is estimated to have stolen over $6.75 billion cumulatively through a series of high-profile heists and campaigns.
Recent collaborative research by Hunt.io and the Acronis Threat Research Unit has uncovered new operational infrastructure used by both Lazarus and Kimsuky across global campaigns. The investigation revealed active tool-staging servers, credential theft environments, and tunneling nodes, highlighting the interconnected nature of DPRK cyber operations. Despite evolving malware and tactics, these groups consistently reuse infrastructure, making their activities traceable across campaigns. The findings provide defenders with actionable intelligence on the infrastructure patterns and operational habits of North Korean threat actors, supporting efforts to detect and disrupt ongoing and future attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Chainalysis details DPRK laundering and intrusion tradecraft evolution
Chainalysis and follow-on reporting said North Korean operators increasingly relied on IT worker infiltration, recruiter and investor impersonation, and executive-targeted social engineering to gain access. The reports also described laundering through Chinese-language services, mixers, bridges, DeFi protocols, and weak-KYC exchanges, often completing fund movement within about 45 days.
Chainalysis documents surge in personal wallet compromises
The same 2025 Chainalysis assessment said attacks on individual wallets rose sharply to about 158,000 incidents affecting roughly 80,000 victims. It also described a tactical shift toward fewer but larger compromises of centralized services alongside broad wallet targeting.
Chainalysis reports DPRK stole $2.02 billion in crypto during 2025
On December 18, 2025, Chainalysis reported that North Korean threat actors stole at least $2.02 billion in cryptocurrency in 2025, a 51% increase from the prior year. The report said DPRK-linked actors were responsible for 76% of all crypto service compromises by value and brought their cumulative theft total to $6.75 billion.
FRP hash pivot reveals eight likely DPRK tunneling nodes
Using an FRP binary hash, researchers found eight internet-facing hosts serving an identical FRP binary on port 9999. The matching deployments were assessed as consistent with scripted provisioning of tunneling infrastructure used in DPRK operations.
New Linux BADCALL variant found on Lazarus-linked open directory
The Hunt.io and Acronis investigation identified a new Linux variant of the Lazarus-associated BADCALL backdoor hosted on an exposed open-directory server. Researchers noted a functional update in the malware that adds logging to /tmp/sslvpn.log.
Researchers uncover new Lazarus and Kimsuky infrastructure patterns
A joint Hunt.io and Acronis Threat Research Unit investigation published in December 2025 mapped ongoing DPRK-linked infrastructure by pivoting across IPs, open directories, certificates, and file hashes. The research identified recurring patterns including exposed tool-staging directories, repeated credential-theft toolkits, uniform FRP tunneling deployments, and certificate reuse linking separate clusters.
Venus Protocol incident is contained with limited losses
Chainalysis highlighted a September 2025 Venus Protocol incident in which rapid detection and response prevented major losses and even caused losses for the attacker. The case was cited as evidence that faster defensive action can blunt large-scale crypto theft attempts.
Bybit loses $1.5 billion in major crypto hack
In February 2025, attackers linked to North Korea stole about $1.5 billion from the Dubai-based Bybit exchange. Multiple sources describe it as the largest single cryptocurrency theft of the year and the dominant contributor to DPRK-attributed losses in 2025.
Lazarus-linked certificate reuse observed across RDP-exposed hosts
Hunt.io and Acronis said a pivot from the Lazarus-linked domain secondshop[.]store to a reused TLS certificate common name uncovered 12 RDP-exposed IPs active since January 2025. Ten of those hosts were correlated with Lazarus malware on port 443, while two also overlapped with Bluenoroff/APT38 tracking.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
Why North Korea hacks crypto instead of evading sanctions like Russia and Iran
coindesk.com
Open sourceNorth Korean hackers stole record $2 billion in crypto in 2025, including single heist worth $1.5 billion, report claims — rogue state accounts for 60% of all reported crypto thefts this year, $6.75 billion total since records began
tomshardware.com
Open sourceA Good Year for North Korean Cybercriminals
darkreading.com
Open sourceKim's crypto thieving reached a record $2B in 2025
go.theregister.com
Open sourceOver $3.4 billion in crypto stolen throughout 2025, with North Korea again the top culprit
therecord.media
Open sourceCrypto theft in 2025: North Korean hackers continue to dominate
helpnetsecurity.com
Open sourceNorth Korea-Linked Hackers Steal $2.02 Billion in 2025, Leading Global Crypto Theft
thehackernews.com
Open source北朝鮮による暗号資産窃取、年間で過去最高の20億ドルに
chainalysis.com
Open sourceInside DPRK Operations: New Lazarus and Kimsuky Infrastructure Uncovered Across Global Campaigns
hunt.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean State-Sponsored Infrastructure and Cryptocurrency Theft Operations
Researchers from Hunt.io and the Acronis Threat Research Unit have uncovered a sophisticated network of North Korean state-sponsored infrastructure, revealing operational links between the Lazarus and Kimsuky groups. The investigation identified active tool-staging servers, credential-theft environments, FRP tunneling nodes, and a new Linux variant of the Badcall backdoor, which features enhanced logging for attacker monitoring. The infrastructure analysis exposed consistent patterns, such as the reuse of certificates and open directories for rapid deployment of credential theft kits, enabling persistent access and coordination across global campaigns. In parallel, North Korean threat actors have been attributed to a record surge in cryptocurrency theft, with at least $2.02 billion stolen in 2025, accounting for a significant portion of the over $3.4 billion lost globally. These operations leverage the advanced infrastructure and malware capabilities detailed in the research, highlighting the ongoing evolution and impact of DPRK cybercrime. The findings underscore the persistent threat posed by North Korean groups, both in terms of technical sophistication and financial motivation, as they continue to target global organizations and cryptocurrency platforms.
Mar 21, 2026
North Korean State-Sponsored Cyber Operations and Cryptocurrency Theft
North Korean state-backed hacking groups, including Lazarus, Andariel, and Kimsuky, have been identified as leading actors in global nation-state cyberattacks, accounting for 18.2% of all such activity between April and September. These groups have adopted increasingly sophisticated tactics, such as "malware-free" intrusions, covert infiltration schemes, and the use of legitimate system tools like PowerShell and Command Prompt to evade detection. Telecommunications, technology, and transportation sectors have been the primary targets, with Turkey and the U.S. among the most frequently attacked nations. Security experts recommend layered defenses and zero-trust principles to counter these evolving threats. A recent report by the Multilateral Sanctions and Measures Team (MSMT), with contributions from Chainalysis, reveals that North Korea has stolen an estimated $2.8 billion in cryptocurrency from January 2024 to September 2025, including a $1.5 billion heist from the Bybit exchange. The report highlights the expansion of North Korea's laundering networks, which now involve sophisticated mixing services, OTC brokers across multiple jurisdictions, and collaboration with Russian and Cambodian money laundering networks. The use of UnionPay cards and Hong Kong-based intermediaries further complicates efforts to trace and recover stolen assets, underscoring the growing scale and complexity of North Korean cyber operations.
Apr 18, 2026
North Korean State-Sponsored Cryptocurrency Theft Surpasses $2 Billion
North Korean hackers have stolen over $2 billion in cryptocurrency assets in 2025, marking the largest annual total ever attributed to the regime’s cyber operations. The majority of this record-breaking sum was taken in a single attack on the cryptocurrency exchange Bybit in February, where $1.46 billion was stolen. In addition to this major breach, blockchain analytics firm Elliptic has linked North Korean actors to more than thirty other cryptocurrency heists throughout the year. These attacks have targeted both exchanges and high-net-worth individuals, reflecting a shift in tactics by North Korean threat groups. The hackers have increasingly focused on wealthy crypto holders and employees of companies with significant digital asset holdings, exploiting the fact that individuals often have weaker security defenses than organizations. Social engineering has become a primary method, with attackers impersonating recruiters or investors to gain the trust of their targets. One common technique involves setting up fake video calls, during which the victim is tricked into running malicious command-line code, resulting in malware installation and subsequent theft of funds. The hackers have also been observed building elaborate fake profiles and leveraging compromised social media accounts to approach their targets. Notable additional breaches attributed to North Korean groups in 2025 include attacks on LND.fi, WOO X, Seedify, and the Taiwanese exchange BitoPro, with the latter resulting in an $11 million loss. The total amount stolen by North Korean hackers in 2025 is nearly triple the amount reported in 2024 and far exceeds the previous record of $1.35 billion set in 2022. These cyber-enabled thefts are believed to directly fund North Korea’s nuclear weapons program, according to the United Nations and various government agencies. Experts caution that the actual amount stolen may be even higher, as many incidents go unreported or lack sufficient evidence for definitive attribution. Discrepancies in reporting between blockchain analytics firms, such as Elliptic and Chainalysis, further complicate the assessment of the true scale of losses. The trend of targeting individuals, especially those with professional connections to major crypto firms, has made detection and prevention more challenging for standard cybersecurity tools. The sophistication and persistence of North Korean cyber operations underscore the regime’s growing reliance on cryptocurrency theft as a means of circumventing international sanctions and funding state objectives. The ongoing rise in cryptocurrency prices, particularly Bitcoin reaching all-time highs, has made the sector an even more attractive target for these state-sponsored actors. Security experts recommend heightened vigilance and advanced security measures for both organizations and individuals involved in the cryptocurrency ecosystem. The evolving tactics and increasing scale of North Korean cyber thefts highlight the urgent need for improved threat intelligence sharing and coordinated international response.
Mar 21, 2026