North Korea-Linked Hackers: $2.02 Billion Crypto Theft Marks Historic Security Breach


North Korea-Linked Hackers Steal $2.02 Billion in 2025, Leading Global Crypto Theft

North Korean threat actors have orchestrated the largest cryptocurrency theft in history, stealing $2.02 billion in 2025—a 51% increase from 2024—and accounting for more than half of the $3.4 billion stolen globally through early December, according to a Chainalysis report.

The record-breaking heist, spearheaded by the notorious Lazarus Group, represents the most severe year on record for North Korean crypto theft. A single attack on cryptocurrency exchange Bybit in February accounted for $1.5 billion of the stolen funds, pushing North Korea's cumulative cryptocurrency theft to an estimated $6.75 billion over time.

This massive security breach highlights the critical importance of implementing comprehensive data theft prevention strategies for organizations handling digital assets.

Sophisticated attack strategies evolving

The Lazarus Group, affiliated with Pyongyang's Reconnaissance General Bureau (RGB), has refined multiple approaches to breach cryptocurrency platforms and generate illicit revenue for the regime.

"Part of this record year likely reflects an expanded reliance on IT worker infiltration at exchanges, custodians, and Web3 firms, which can accelerate initial access and lateral movement ahead of large-scale theft," Chainalysis noted in their report shared with The Hacker News.

One primary strategy involves the long-running "Operation Dream Job" campaign, where hackers approach professionals in defense, manufacturing, chemical, aerospace, and technology sectors through LinkedIn or WhatsApp. These victims are offered lucrative job opportunities designed to trick them into downloading malware such as BURNBOOK, MISTPEN, and BADCALL.

A second approach, dubbed "Wagemole," involves embedding North Korean IT workers inside companies worldwide under false identities. These operatives gain privileged access to cryptocurrency services, enabling high-impact compromises. This tactic has proven increasingly effective, with North Korean actors establishing front companies like DredSoftLabs and Metamint Studio to facilitate infiltration.

Last month, this group was also believed to be behind the theft of $36 million from Upbit, South Korea's largest cryptocurrency exchange, demonstrating their continued targeting of valuable digital assets.

Structured money laundering operations

Following successful heists, North Korean hackers employ a sophisticated, multi-wave laundering strategy that unfolds over approximately 45 days:

  • Wave 1: Immediate Layering (Days 0-5) – Rapidly moving funds away from the theft source using decentralized finance protocols and mixing services

  • Wave 2: Initial Integration (Days 6-10) – Shifting assets to cryptocurrency exchanges, secondary mixing services, and cross-chain bridges like XMRt

  • Wave 3: Final Integration (Days 20-45) – Utilizing services that convert cryptocurrency to fiat currency or other assets
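The three-wave timeline above can be turned into a simple triage check for an investigator or exchange compliance team: bucket outflows from a known theft address by days elapsed and by counterparty type, and see whether the expected service types show up in each window. This is an added example, not code from the article or from Chainalysis; the category labels (`defi`, `mixer`, `bridge`, `exchange`, `otc`, `fiat_offramp`) and the sample ledger are constructed assumptions, and in practice the categories would come from an address-attribution feed.

```python
# Wave windows from the Chainalysis description: (name, first day, last day) after the theft.
WAVES = [
    ("Wave 1: Immediate Layering", 0, 5),
    ("Wave 2: Initial Integration", 6, 10),
    ("Wave 3: Final Integration", 20, 45),
]
# Counterparty types the article associates with each wave (the category labels are assumptions).
WAVE_SERVICES = {
    "Wave 1: Immediate Layering": {"defi", "mixer"},
    "Wave 2: Initial Integration": {"exchange", "mixer", "bridge"},
    "Wave 3: Final Integration": {"otc", "fiat_offramp"},
}

def wave_for_day(day):
    """Return the wave whose window contains `day`, or None if it falls between windows."""
    for name, lo, hi in WAVES:
        if lo <= day <= hi:
            return name
    return None

def classify(transfers):
    """Bucket transfers by wave and count those sent to a service type expected in that wave.
    A transfer is (tx_id, days_since_theft, counterparty_category, amount_usd); the category
    is assumed to come from an address-attribution feed.
    """
    summary = {name: {"count": 0, "usd": 0.0, "matching": 0} for name, _, _ in WAVES}
    outside = []  # transfers between the windows: not part of a wave, but worth a look
    for tx_id, day, category, usd in transfers:
        wave = wave_for_day(day)
        if wave is None:
            outside.append(tx_id)
            continue
        summary[wave]["count"] += 1
        summary[wave]["usd"] += usd
        if category in WAVE_SERVICES[wave]:
            summary[wave]["matching"] += 1
    return summary, outside

def matches_three_wave_pattern(summary):
    """True when every wave holds at least one transfer to a service type expected in it."""
    return all(v["matching"] > 0 for v in summary.values())

# Constructed sample ledger (fictional): outflows in the 30 days after a 10 M USD theft.
SAMPLE = [
    ("tx1", 0, "defi", 4_000_000), ("tx2", 2, "mixer", 3_000_000),
    ("tx3", 7, "bridge", 2_500_000), ("tx4", 9, "exchange", 1_000_000),
    ("tx5", 15, "exchange", 200_000), ("tx6", 30, "otc", 1_800_000),  # tx5 sits between windows
]

if __name__ == "__main__":
    summary, outside = classify(SAMPLE)
    print(summary, "outside:", outside, "pattern:", matches_three_wave_pattern(summary))
```

A ledger that never reaches an off-ramp or OTC counterparty in the 20-45 day window does not match, which is exactly the gap an early freeze request is meant to create.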

The stolen funds are primarily routed through Chinese-language money movement services, cross-chain bridges, mixers, and specialized marketplaces like Huione to obscure their origin.

"Their heavy use of professional Chinese-language money laundering services and over-the-counter (OTC) traders suggests that DPRK threat actors are tightly integrated with illicit actors across the Asia-Pacific region, and is consistent with Pyongyang's historical use of China-based networks to gain access to the international financial system," Chainalysis reported.

These sophisticated laundering techniques demonstrate why robust blockchain cybersecurity measures must address multistage threats that exploit vulnerabilities across the cryptocurrency ecosystem.

Human collaborators facing consequences

The IT worker scheme recently made headlines when Minh Phuong Ngoc Vong, a 40-year-old Maryland resident, was sentenced to 15 months in prison for his role in allowing North Korean nationals based in Shenyang, China, to use his identity to secure employment at several U.S. government agencies.

Between 2021 and 2024, Vong obtained positions with at least 13 different U.S. companies, including a contract with the Federal Aviation Administration (FAA). He received over $970,000 in salary for work actually performed by his overseas collaborators.

According to the U.S. Department of Justice, "Vong conspired with others, including John Doe, aka William James, a foreign national living in Shenyang, China, to defraud U.S. companies into hiring Vong as a remote software developer." After securing these positions through false statements about his qualifications, Vong allowed his co-conspirators to use his credentials to perform the work and receive payment.

Security researchers have observed these IT worker recruitment tactics evolving. North Korean actors now frequently act as recruiters themselves, approaching potential collaborators on platforms like Upwork and Freelancer with scripted pitches requesting help with project bids and deliveries.

"In many cases, victims ultimately surrender full access to their freelance accounts or install remote-access tools such as AnyDesk or Chrome Remote Desktop," Security Alliance reported last month. "This enables the threat actor to operate under the victim's verified identity and IP address, allowing them to bypass platform verification controls and conduct illicit activity undetected."

How to protect your cryptocurrency assets

The escalation of North Korean cryptocurrency theft highlights the need for heightened security measures for individuals and organizations holding digital assets:

  1. Implement robust multi-factor authentication on all cryptocurrency exchange accounts and wallets, preferably using hardware security keys rather than SMS-based verification.

  2. Conduct thorough background checks when hiring IT professionals, especially for remote positions with access to sensitive systems or cryptocurrency infrastructure.

  3. Monitor for unusual account activity and unauthorized access attempts, setting up alerts for large transfers or suspicious login locations.

  4. Store significant holdings offline in hardware wallets that are disconnected from internet-connected devices to prevent remote access exploits.

  5. Diversify storage solutions to avoid concentrating assets in a single vulnerable location, utilizing secure digital currency wallet options with advanced protection features.

According to cybersecurity experts at Mandiant, organizations should also implement regular security training that specifically addresses social engineering tactics employed by North Korean actors, as human vulnerability remains a primary attack vector.

These North Korean operations represent a critical cybersecurity challenge that blends traditional hacking with sophisticated social engineering and infiltration tactics. As these threat actors continue refining their approaches, the cryptocurrency industry and individual investors must remain vigilant against increasingly sophisticated attacks orchestrated by state-sponsored hackers seeking to circumvent international sanctions.
