North Korean Hackers Steal $2 Billion In Record-Breaking Crypto Heists

Published on Oct 9, 2025
Written by Mirren McDade

North Korean state-sponsored hackers have stolen an estimated $2 billion in cryptocurrency so far this year, the highest annual total ever attributed to the regime.

The new figure, confirmed by blockchain researchers, pushes the total attributed to North Korean-linked groups past $6 billion. According to the United Nations and multiple government agencies, this stolen crypto is funnelled into the country’s weapons development program. The UN notes that proceeds from hacking now account for 13% of North Korea’s GDP, underscoring how this type of activity is becoming a pillar of its economy.

Analysts at Elliptic report that this year’s total is nearly three times greater than 2024, eclipsing the previous record of $1.35 billion set in 2022, when attacks on the Ronin Network and Harmony Bridge made headlines.

“The 2025 total already dwarfs previous years and is almost triple last year’s tally, underscoring the growing scale of North Korea’s dependence on cyber-enabled theft to fund its regime,” comments Elliptic.

A Year Of Major Heists

The most significant single theft in 2025 came in February, when attackers stole approximately $1.5 billion in assets. The criminals, known as Lazarus Group, swiped the huge haul of digital tokens in a hack on crypto exchange ByBit.

In total, Elliptic attributed 30 separate crypto heists this year to North Korean groups, based on blockchain tracing, observed laundering patterns, and intelligence data. Other confirmed targets included LND.fi, WOO X, Seedify, and Taiwan-based BitoPro, from which the Lazarus Group siphoned around $11.5 million.

In 2025 there has been an unprecedented surge in cryptocurrency thefts, with over $2.17 billion stolen from cryptocurrency services by mid-year. The ByBit attack alone accounts for a large portion of that loss due to the size of that single theft.

Shifting Tactics

Elliptic has highlighted an apparent pivot toward social engineering attacks in 2025, a move away from earlier attack methods that aimed to exploit flaws in crypto infrastructure. Instead of only targeting platforms, attackers are increasingly going after individuals with large crypto holdings and even exchange employees, tricking them into granting access.

The laundering techniques used by these groups have also evolved. To evade detection, threat actors now deploy a mix of advanced tactics including cross-chain transfers, multiple mixing services, obscure blockchains, purchasing utility tokens, exploiting refund addresses, and issuing custom tokens within laundering networks.

Even with complex laundering methods, blockchain is transparent and records every transaction permanently, making it impossible to change or erase past activity. This allows investigators to trace stolen funds and follow criminals’ actions.

The Bigger Picture

With the scale of theft continuing to rise, the concern is not just financial but geopolitical. Stolen cryptocurrency represents a critical funding stream for North Korea’s weapons programs, fuelling broader global security risks.

The 2025 surge in thefts highlights the need for tighter security across exchanges, stronger monitoring of laundering networks, and greater international cooperation to disrupt these operations before stolen assets can be weaponized.