North Korean hackers broke their own record this year. They’ve stolen over $2 billion in cryptocurrency, according to blockchain forensics firm Elliptic. That’s nearly triple what they grabbed last year.
But here’s the scary part. We still have three months left in 2025. The total could climb even higher before year’s end.
This isn’t just about money vanishing from exchanges. The United Nations and intelligence agencies confirm these stolen funds bankroll North Korea’s nuclear and ballistic missile programs. Every successful hack brings Pyongyang closer to more dangerous weapons.
One Massive Heist Drove the Numbers
February’s Bybit exchange hack accounts for most of the damage. North Korean hackers walked away with $1.46 billion in that single breach. It ranks among the largest crypto thefts ever recorded.
But Bybit wasn’t their only target. Elliptic tracked attacks on LND.fi, WOO X, and Seedify this year. Plus, they identified over 30 additional incidents hitting smaller exchanges and DeFi platforms.
That brings North Korea’s total crypto theft since 2017 to more than $6 billion. The scale keeps growing year after year.
This year’s $2 billion haul nearly triples 2024’s total. It also beats the previous record of $1.35 billion from 2022. Back then, North Korean groups compromised Ronin Network and Harmony Bridge.
Hackers Changed Their Tactics
Centralized exchanges remain prime targets. However, Elliptic noticed a strategic shift this year. North Korean hackers increasingly attack individuals instead of platforms.
Why the change? Crypto prices bounced back strong in 2025. That made high-net-worth holders and company executives lucrative targets. Plus, individuals rarely have the robust security infrastructure that major platforms deploy.
“The weak point in cryptocurrency security is now human, not technological,” Elliptic explained in their report.
So instead of exploiting code vulnerabilities, hackers rely on deception. They use phishing emails, fake job offers, and compromised social media accounts. These tactics help them access private wallets and steal private keys directly from victims.
Think about that for a second. Your technical security might be bulletproof. But one convincing fake LinkedIn message could compromise everything.
Laundering Gets More Sophisticated
Law enforcement and blockchain analytics have gotten better at tracking stolen crypto. North Korea responded by making their laundering operations more complex.
After the Bybit breach, investigators traced multiple rounds of cross-chain swaps. Hackers moved funds between Bitcoin, Ethereum, BTTC, and Tron. They used obscure protocols and even created self-issued tokens to disguise the money’s origins.
New laundering methods include multiple mixing rounds. Hackers route funds through rarely-used blockchains. They create new tokens issued directly by their laundering networks.
Each layer of complexity makes tracking harder. But it also shows how seriously North Korea takes avoiding detection. They’re not just stealing crypto. They’re building sophisticated infrastructure to clean and spend it.
The Stakes Keep Rising
Every dollar North Korea steals through crypto heists funds weapons development. Those programs threaten global security. Yet the regime shows no signs of slowing down their cyber operations.
In fact, they’re getting better at it. More sophisticated tactics. Bigger targets. More complex laundering. The trend points in one troubling direction.
Blockchain analytics firms like Elliptic can track these operations. Intelligence agencies know what’s happening. But knowing isn’t enough. The crypto industry needs stronger defenses against social engineering attacks.
That means better education for high-value targets. Stronger verification processes for fund transfers. More cooperation between exchanges, law enforcement, and security researchers.
Because right now, North Korea’s hacking groups operate with near impunity. They strike, steal billions, and use those funds to build more dangerous weapons. The cycle continues year after year.
Breaking that cycle requires more than just better technology. It demands a coordinated international response that makes these attacks harder and riskier for North Korea. Until that happens, expect the theft totals to keep climbing.