HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

North Korean hackers steal record $2B in crypto during 2025

Written by Gugu Ntsele | Dec 20, 2025 8:51:45 PM

North Korean-linked threat actors stole at least $2.02 billion in cryptocurrency during 2025, representing 76% of all service compromises and marking the most severe year on record for DPRK crypto theft.


What happened

Hackers with ties to North Korea drove a surge in global cryptocurrency theft throughout 2025, stealing at least $2.02 billion out of more than $3.4 billion taken from January through early December. This is a 51% increase from 2024, when the same threat actors stole $1.3 billion. The Bybit cryptocurrency exchange compromise in February alone accounts for $1.5 billion of the total stolen by North Korea. These thefts bring the total estimate for cryptocurrency funds stolen by North Korea to $6.75 billion. The hackers also allegedly stole $36 million worth of cryptocurrency from South Korea's largest cryptocurrency exchange, Upbit, in November.


The backstory

The cryptocurrency thefts are part of a series of attacks conducted by the North Korea-backed Lazarus Group over the past decade. The group is affiliated with Pyongyang's Reconnaissance General Bureau and has siphoned at least $200 million from over 25 cryptocurrency heists between 2020 and 2023. Lazarus Group operates Operation Dream Job, a long-running campaign targeting employees in the defense, manufacturing, chemical, aerospace, and technology sectors. Posing as recruiters, the group approaches targeted employees via LinkedIn or WhatsApp with lucrative job offers to trick them into downloading malware such as BURNBOOK, MISTPEN, and BADCALL.

A March 2024 U.N. Security Council sanctions committee report revealed that malicious cyber activities generate approximately 50 percent of North Korea's foreign currency income and fund 40 percent of its weapons of mass destruction programs. According to The Korea Times, the U.N. panel investigated 58 suspected North Korean cyberattacks on crypto-related firms between 2017 and 2023, valued at roughly $3 billion. The report noted that one cybersecurity company branded North Korea as the world's most prolific cyber-thief.


Going deeper

North Korean threat actors use multiple infiltration methods:

  • IT worker infiltration: North Korean actors embed information technology workers inside companies worldwide under false pretenses, operating individually or through front companies like DredSoftLabs and Metamint Studio. This scheme, nicknamed Wagemole, includes gaining privileged access to crypto services to enable high-impact compromises.
  • Laundering pathway: Stolen funds follow a structured, multi-wave laundering pathway over approximately 45 days. Wave 1 (Days 0-5) involves immediate distancing of funds using DeFi protocols and mixing services. Wave 2 (Days 6-10) shifts funds to cryptocurrency exchanges, second-tier mixing services, and cross-chain bridges like XMRt. Wave 3 (Days 20-45) uses services that facilitate conversion to fiat currency or other assets. North Korean actors route funds through Chinese-language money movement and guarantee services, cross-chain bridges, mixers, and specialized marketplaces like Huione.
  • Evolving strategy: DPRK-linked actors act as recruiters to enlist collaborators through platforms like Upwork and Freelancer. These recruiters approach targets with scripted pitches, requesting collaborators to help bid on and deliver projects. Victims ultimately surrender full access to their freelance accounts or install remote-access tools such as AnyDesk or Chrome Remote Desktop, enabling threat actors to operate under the victim's verified identity and IP address.


What was said

Chainalysis stated in its Crypto Crime Report that "this marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises."

The U.S. Department of Justice, in the case against Minh Phuong Ngoc Vong, stated that "Vong conspired with others, including John Doe, aka William James, a foreign national living in Shenyang, China, to defraud U.S. companies into hiring Vong as a remote software developer." The DoJ added, "After securing these jobs through materially false statements about his education, training, and experience, Vong allowed Doe and others to use his computer access credentials to perform the remote software development work and receive payment for that work."


In the know

Nation-state threat actors are hacking groups sponsored by or affiliated with governments that conduct cyber operations to advance national interests. North Korea's Lazarus Group, affiliated with Pyongyang's Reconnaissance General Bureau, operates as one of the most prolific nation-state adversaries. These groups often target critical infrastructure, financial systems, and sensitive data to generate revenue, especially when their countries face international sanctions. Cryptocurrency has become a target because transactions can be difficult to trace and the decentralized nature of blockchain technology creates opportunities for exploitation.


Why it matters

North Korea's 76% share of all service compromises reveals that its hackers have developed systematic methods to infiltrate cryptocurrency services, moving beyond opportunistic attacks to strategic, large-scale operations. The IT worker infiltration scheme poses a direct threat to organizations across all sectors, as these embedded actors can operate undetected for years while maintaining privileged access to sensitive systems. Healthcare organizations that contract remote workers or use cryptocurrency for payments face exposure to this threat, especially given North Korea's track record of targeting diverse industries. The sophisticated, 45-day laundering pathway shows these actors have established professional networks across the Asia-Pacific region, making stolen funds difficult to recover.


The bottom line

Organizations must implement identity verification and continuous monitoring for remote workers and contractors to defend against IT worker infiltration schemes. Minh Phuong Ngoc Vong's 15-month prison sentence shows that U.S. authorities are pursuing criminal charges against individuals who facilitate these operations. Companies should verify the identities of remote workers through multiple channels, monitor for unusual access patterns, and restrict privileged access to critical systems. As North Korean actors expand their recruitment operations on freelance platforms, organizations need enhanced due diligence processes for all remote hires.


FAQs

Why does North Korea rely on cryptocurrency theft for revenue?

Cryptocurrency theft provides a scalable, low-risk way for Pyongyang to generate hard currency while bypassing international sanctions.


How does this activity differ from typical cybercrime groups?

Unlike profit-driven criminal gangs, North Korean hackers operate as state assets with strategic, long-term financial and intelligence goals.


What makes IT worker infiltration especially dangerous?

Workers can maintain legitimate access for extended periods, allowing attackers to steal funds, manipulate systems, and avoid detection.


How difficult is it to recover stolen cryptocurrency after laundering begins?

Once funds move through mixers, cross-chain bridges, and OTC services, recovery becomes unlikely.


Why are freelance platforms being targeted by DPRK recruiters?

Freelance platforms offer easy onboarding, global reach, and weaker identity verification, making them ideal venues for recruitment.