North Korean state-linked hackers have stolen over $2 billion in cryptocurrency in 2025, a record-breaking sum that underscores a severe and escalating threat to the digital asset ecosystem. This criminal campaign, which fuels the regime’s weapons programs, is evolving in both its technical execution and its boldness.
A Deepening Reliance on Cyber-Theft
The scale of theft in 2025 is unprecedented: the $2 billion haul nearly triples the previous year’s total and brings the cumulative known value of crypto assets stolen by the regime since around 2017 to more than $6 billion. To put that in perspective, the UN has estimated that this activity accounts for about 13% of the country’s GDP.
A single event dominates this year’s tally: the $1.46 billion hack of the crypto exchange Bybit in February 2025. This one incident alone exceeded the total value of all North Korean crypto thefts in 2023. The FBI has officially attributed this attack to a North Korean subgroup it calls “TraderTraitor”, which is part of the regime’s Reconnaissance General Bureau.
The Bybit Heist: A Case Study in Sophistication
The Bybit attack illustrates a move beyond straightforward code exploitation toward supply-chain compromise combined with social engineering. The hackers did not breach Bybit’s own systems. Instead, they compromised a developer at Safe{Wallet}, the third-party service Bybit used to manage its multi-signature wallet, and tampered with the Safe{Wallet} web interface as it was served to Bybit’s signers. The interface showed the routine transfer the signers expected, while the payload actually presented for signature was different: approving it handed the attackers control of the wallet, which they then emptied into addresses they controlled. The lesson is that a multi-signature scheme is only as strong as each signer’s ability to verify what is being signed independently of the front end that displays it.
Obfuscating the Trail: The Laundering Arms Race
Stealing the funds is only the first step. The subsequent laundering process is a complex, multi-stage effort to break the transaction trail on the blockchain, and North Korean operatives have become adept at using a suite of obfuscation tools.
They engage in “chain hopping”, moving stolen assets between blockchains (for example, from Ethereum to Bitcoin) through cross-chain bridges so that investigators must follow the trail across several ledgers. They rely heavily on coin mixers or tumblers, services that pool and shuffle funds from many users so that the origin of particular coins becomes much harder to establish. Elliptic also notes the use of obscure protocols and even self-issued tokens to further disguise the movement of funds.
A Call for Collective Defense
This evolving threat demands an equally sophisticated response. The strategic shift noted by Elliptic, from attacking exchange infrastructure to deceiving individuals, means that the people who approve transactions, and the third-party tooling they trust, are now the weakest link. For the crypto industry, this underscores the non-negotiable need for robust operational security: independent verification of what a signer is actually signing, transaction simulation before signing, and withdrawal delays for large amounts.
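The following is an added example, not code from the article, from Bybit or from Safe{Wallet}, illustrating the mechanism in the Bybit section and the “verify before signing” measures recommended above. The idea is that a check the signer controls (a script beside the hardware wallet, or a signing-policy service) decodes the raw Safe execTransaction calldata and compares it with the signer’s intent, so a tampered web front end cannot substitute a different payload. Everything below the selector constants is an assumption for illustration: the hot-wallet and attacker addresses, the allowlist and the value limit are constructed placeholders, and the encoder is only what is needed to exercise the decoder.

```python
"""Independent pre-signing check for a Safe multisig transaction (added example)."""
from dataclasses import dataclass

# keccak256("execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)")[:4]
EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
CALL, DELEGATECALL = 0, 1
ZERO_ADDRESS = "0x" + "00" * 20


@dataclass
class SafeTx:
    to: str          # hex address, compared case-insensitively
    value: int       # wei
    data: bytes
    operation: int   # 0 = CALL, 1 = DELEGATECALL


def _uint(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(a: str) -> bytes:
    return bytes.fromhex(a[2:]).rjust(32, b"\x00")


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """ABI-encode execTransaction(...) with zero gas parameters and empty signatures.
    Enough to build test inputs; a real call also carries the collected signatures."""
    data_tail = _uint(len(data)) + _pad32(data)
    data_offset = 10 * 32                       # ten head words precede the dynamic tail
    sig_offset = data_offset + len(data_tail)
    head = (_addr(to) + _uint(value) + _uint(data_offset) + _uint(operation)
            + _uint(0) + _uint(0) + _uint(0)    # safeTxGas, baseGas, gasPrice
            + _addr(ZERO_ADDRESS) + _addr(ZERO_ADDRESS)  # gasToken, refundReceiver
            + _uint(sig_offset))
    return EXEC_TRANSACTION_SELECTOR + head + data_tail + _uint(0)


def decode_exec_transaction(calldata: bytes) -> SafeTx:
    """Pull the fields a signer must care about out of raw execTransaction calldata."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not an execTransaction call")

    def word(i: int) -> int:
        return int.from_bytes(calldata[4 + 32 * i: 4 + 32 * (i + 1)], "big")

    to = "0x" + _uint(word(0))[12:].hex()
    data_start = 4 + word(2)                    # offset is relative to the start of the params
    data_len = int.from_bytes(calldata[data_start:data_start + 32], "big")
    data = calldata[data_start + 32: data_start + 32 + data_len]
    return SafeTx(to, word(1), data, word(3))


def check_before_signing(calldata: bytes, intended: SafeTx,
                         allowlist: set[str], max_value_wei: int) -> list[str]:
    """Return the reasons to refuse; an empty list means the payload matches the intent."""
    tx = decode_exec_transaction(calldata)
    problems = []
    if tx.operation != CALL:
        problems.append("operation is DELEGATECALL: runs foreign code in the Safe's own storage context, never sign")
    if tx.to.lower() != intended.to.lower():
        problems.append(f"recipient {tx.to} differs from intended {intended.to}")
    if tx.value != intended.value:
        problems.append(f"value {tx.value} differs from intended {intended.value}")
    if tx.data != intended.data:
        problems.append("calldata differs from intended")
    if tx.to.lower() not in {a.lower() for a in allowlist}:
        problems.append("recipient not on the cold-wallet allowlist")
    if tx.value > max_value_wei:
        problems.append("amount above per-transaction limit; route through the time-locked path")
    if tx.operation == DELEGATECALL and tx.data[:4] == ERC20_TRANSFER_SELECTOR:
        problems.append("data is shaped like a token transfer but the operation is a delegatecall: substituted payload")
    return problems


# Constructed placeholders, not real addresses.
HOT_WALLET = "0x" + "11" * 20
ATTACKER_CONTRACT = "0x" + "22" * 20
ALLOWLIST = {HOT_WALLET}
LIMIT = 5_000 * 10**18

# What the operators meant to approve: a plain ETH transfer to the hot wallet.
INTENDED = SafeTx(HOT_WALLET, 1_000 * 10**18, b"", CALL)
HONEST_CALLDATA = encode_exec_transaction(INTENDED.to, INTENDED.value, INTENDED.data, INTENDED.operation)

# What a tampered front end could present instead: a delegatecall to a foreign
# contract whose data merely looks like an ERC-20 transfer.
SPOOFED_CALLDATA = encode_exec_transaction(
    ATTACKER_CONTRACT, 0, ERC20_TRANSFER_SELECTOR + _addr(ATTACKER_CONTRACT) + _uint(0), DELEGATECALL)

if __name__ == "__main__":
    print("honest :", check_before_signing(HONEST_CALLDATA, INTENDED, ALLOWLIST, LIMIT) or "OK to sign")
    print("spoofed:", check_before_signing(SPOOFED_CALLDATA, INTENDED, ALLOWLIST, LIMIT))
```

The check deliberately takes its notion of “intended” from a source other than the web UI (a ticket, a second operator, or a hardware wallet that shows decoded fields); if the only input is the front end’s rendering, a compromised front end controls both sides of the comparison and the check proves nothing.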
Ultimately, mitigating this risk requires formalized, international cooperation between industry actors, governments, and law enforcement. The window in which stolen funds can be frozen or recovered is short, and harmonizing regulations and response frameworks across jurisdictions is pivotal to disrupting the funding of a global security threat.